Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Any update on SSH brute force attempts?
From: Kevin <KKadow () gmail com>
Date: Fri, 15 Oct 2004 23:23:35 -0500

On Sat, 16 Oct 2004 14:57:31 +1300, James Riden <j.riden () massey ac nz> wrote:
Jay Libove <libove () felines org> writes:
What are you doing/changing about your SSH configurations to reduce the
possibility of these attacks finding any kind of hole in the OpenSSH
software (that's what I run, so that's the only version I'm particularly
concerned about) ?  Are you doing anything at all?

Use one time passwords (OTP, e.g. S/Key).
Restrict which addresses are allowed to connect (via
/etc/hosts.allow), and/or which user accounts are allowed from which
sources (using AllowUsers in sshd_config).

I l prefer to bind the listener to a specific IP address on hosts with
multiple addresses, the BOFH might choose to have a  tarpit *:22/TCP
listener on hosts with many alias IPs..

One or more of the following, depending on local requirements:

* Run on a non-standard port - this will stop brain-dead scanning programs
* Use key-based auth instead of passwords
* Restrict what IP addresses are allowed to connect (at your firewall)
* Disable root logins
* Use john or crack to audit password strength
* Use logwatch or similar to monitor failed login attempts
* Make a honeypot and see what techniques people are trying out

(Everyone's forcing version 2 of the protocol, right?)

$ sudo tail -5 /etc/ssh/sshd_config
Protocol 2
MaxAuthTries 2
PermitRootLogin no
$ exit

I'm sorely tempted to forgo SSH for telnet encapsulated in SSL (via
stunnel), with non-reusable passwords.  Anybody else remember "Stel"?


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]