Hi,
I recently had 30 hours of ssh brute-force attacks on my system. I'm using strong passwords, but they still can be generated from /dev/random, so I switched to RSA authentication. What's your favourite way to deal with such attacks? Please describe pros and cons.
Regards, Michal
2010/3/17 Michał Piotrowski mkkp4x4@gmail.com:
Hi,
I recently had 30 hours of ssh brute-force attacks on my system. I'm using strong passwords, but they still can be generated from /dev/random, so I switched to RSA authentication. What's your favourite way to deal with such attacks? Please describe pros and cons.
Regards, Michal -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
1. Change SSH port
2. Disable access to root via SSH
3. Install HIDS, e.g. fail2ban (included in Fedora) or BFD (http://www.rfxn.com/projects/brute-force-detection/)
2010/3/17 Athmane Madjoudj athmanem@gmail.com:
- Change SSH port
I don't have a remote access to my cisco router, so I can't change port forwarding - sigh.
- Disable access to root via SSH
Actually I need this to deploy my project. I'll change this someday, but it will take some time to tweak configuration.
- Install HIDS eg: fail2ban is included in fedora OR BFD
I'm not sure if I want to blindly ban networks.
-- Athmane Madjoudj
Regards, Michal
On Wed, 17 Mar 2010 22:55:48 +0100 Michał Piotrowski mkkp4x4@gmail.com wrote:
'denyhosts' is in Fedora as well and works great. Use AllowUsers lines in your global ssh configuration and only allow known good users / source addresses (if that's possible in your setup).
Regards,
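The fail2ban, denyhosts and BFD suggestions above all work the same way: parse sshd's log, count failed logins per source address, and ban the source once a threshold is crossed inside a time window. Below is that core logic as an added example (my code, not from the thread and not taken from any of those tools), run over a few constructed sshd log lines. It also carries an allowlist of known-good source networks, which is one answer to the worry about blindly banning networks and matches the "only allow known good source addresses" advice. The log format, the threshold, the window, the allowlist and the sample addresses are assumptions, not from the posts.

```python
"""Added example, not code from the thread or from fail2ban/denyhosts/BFD:
the core of a log-driven SSH brute-force detector of the kind those tools
implement, run over constructed sshd log lines.

Assumptions (not from the original posts): sshd logs the classic syslog line
"Failed password for [invalid user] <name> from <ip> port <n> ssh2"; the
threshold, window, allowlist and sample addresses are hypothetical.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Tuple

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failed(line: str, year: int = 2010) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, source ip) for a failed-login line, else None.
    Syslog timestamps carry no year, so one is supplied."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class BruteForceDetector:
    """Ban a source after max_failures failed logins inside window_seconds,
    unless the source lies in an allowlisted network (never banned)."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 600,
                 allow: Iterable[str] = ()):
        self.max_failures = max_failures
        self.window = window_seconds
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned: List[str] = []

    def _allowlisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def feed(self, line: str) -> Optional[str]:
        """Process one log line; return the ip if this line triggers a ban."""
        parsed = parse_failed(line)
        if parsed is None:
            return None                       # not a failed-password line
        ts, _user, ip = parsed
        if ip in self.banned or self._allowlisted(ip):
            return None
        q = self.failures[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()                       # forget failures outside the window
        if len(q) >= self.max_failures:
            self.banned.append(ip)
            return ip
        return None


def ban_command(ip: str) -> str:
    """The kind of rule a tool like fail2ban inserts for a banned source (hypothetical)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


def scan(lines: Iterable[str], **kwargs) -> Tuple[List[str], BruteForceDetector]:
    det = BruteForceDetector(**kwargs)
    bans = [ip for ip in (det.feed(line) for line in lines) if ip]
    return bans, det


# Constructed sample log (hypothetical host, RFC 5737 documentation addresses):
# 203.0.113.7 hammers several accounts, 192.0.2.10 is the admin mistyping a
# passphrase, 198.51.100.5 tries once every twenty minutes.
SAMPLE_LOG = """\
Mar 17 22:55:48 devel sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 40112 ssh2
Mar 17 22:55:49 devel sshd[4123]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
Mar 17 22:55:51 devel sshd[4125]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar 17 22:55:52 devel sshd[4127]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar 17 22:56:01 devel sshd[4130]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Mar 17 22:56:03 devel sshd[4132]: Failed password for michal from 192.0.2.10 port 51000 ssh2
Mar 17 22:56:05 devel sshd[4132]: Failed password for michal from 192.0.2.10 port 51000 ssh2
Mar 17 22:56:07 devel sshd[4132]: Failed password for michal from 192.0.2.10 port 51000 ssh2
Mar 17 22:56:09 devel sshd[4132]: Failed password for michal from 192.0.2.10 port 51000 ssh2
Mar 17 22:56:11 devel sshd[4132]: Failed password for michal from 192.0.2.10 port 51000 ssh2
Mar 17 22:56:20 devel sshd[4140]: Accepted publickey for michal from 192.0.2.10 port 51002 ssh2
Mar 17 23:10:00 devel sshd[4201]: Failed password for invalid user guest from 198.51.100.5 port 33010 ssh2
Mar 17 23:30:00 devel sshd[4222]: Failed password for invalid user guest from 198.51.100.5 port 33020 ssh2
Mar 17 23:50:00 devel sshd[4250]: Failed password for invalid user guest from 198.51.100.5 port 33030 ssh2
"""

if __name__ == "__main__":
    bans, det = scan(SAMPLE_LOG.splitlines(), max_failures=5, window_seconds=600,
                     allow=["192.0.2.0/24"])
    for ip in bans:
        print(ban_command(ip))
```

With the allowlist only 203.0.113.7 is banned; without it the admin's own address would be banned after its fifth typo, which is exactly the lockout the allowlist (or an AllowUsers/source-address restriction) is there to prevent. Sources behind a shared NAT address share one counter, so a ban there hits everyone behind it.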
On 03/17/2010 03:55 PM, Michał Piotrowski wrote:
This really is off-topic here.
On Wed, Mar 17, 2010 at 11:06 PM, Orion Poplawski orion@cora.nwra.com wrote:
-- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA/CoRA Division FAX: 303-415-9702 3380 Mitchell Lane orion@cora.nwra.com Boulder, CO 80301 http://www.cora.nwra.com
I agree
Michał Piotrowski wrote:
Aside from not allowing password logins, I throttle them, they usually get tired and go away to an easier target.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 1/minute --limit-burst 2 -j ACCEPT
-Eric
2010/3/17 Eric Sandeen sandeen@redhat.com:
Aside from not allowing password logins, I throttle them, they usually get tired and go away to an easier target.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 1/minute --limit-burst 2 -j ACCEPT
If I understand correctly - this limits ssh connections to two connections per minute. I tried it before on my devel server without success. I tried it now with your configuration also without success.
I used -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -j ACCEPT and I still can connect to ssh as many times as I want.
-Eric
Regards, Michal
On 03/17/2010 11:24 PM, Michał Piotrowski wrote:
2010/3/17 Eric Sandeen sandeen@redhat.com:
Aside from not allowing password logins, I throttle them, they usually get tired and go away to an easier target.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 1/minute --limit-burst 2 -j ACCEPT
If I understand correctly - this limits ssh connections to two connections per minute. I tried it before on my devel server without success. I tried it now with your configuration also without success.
I used -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -j ACCEPT and I still can connect to ssh as many times as I want.
This needs to be followed by: -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
That way as long as you stay within the limiting conditions you get ACCEPTed by the first rule but if you make more ssh attempts the limit rule no longer applies and you get DROPed instead.
Regards, Dennis
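The behaviour Dennis describes can be checked without touching a firewall. The following is an added example (my code, not from the thread): it models the `limit` match as the token bucket it is and replays a burst of new SSH connections through both rule sets, Eric's rate-limited ACCEPT on its own and the same rule followed by the DROP. The token-bucket semantics (refill rate from --limit, capacity from --limit-burst, bucket initially full) are those of the kernel's limit module; the chain policy used when no rule matches is a parameter, since the thread never says what Michal's chain falls through to.

```python
"""Added example, not code from the thread: a small model of the iptables
`limit` match, used to replay the two rule sets discussed above on a burst of
new SSH connections. Nothing here touches a real firewall.

Assumptions (not in the original posts): `limit` is modelled as a token bucket
whose refill rate is --limit and whose capacity is --limit-burst; the policy
applied when no rule matches is a parameter.
"""
from typing import List, Optional


class LimitMatch:
    """Token-bucket equivalent of `-m limit --limit N/minute --limit-burst B`."""

    def __init__(self, per_minute: float, burst: int):
        self.per_minute = per_minute
        self.burst = burst
        self.tokens = float(burst)   # the bucket starts full
        self.last = 0.0              # time of the previous packet (seconds)

    def matches(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst),
                          self.tokens + elapsed * self.per_minute / 60.0)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0       # this packet consumes one token
            return True
        return False                 # bucket empty: the rule does NOT match


class Rule:
    """One chain entry for `--state NEW -p tcp --dport 22`; limit=None matches every SYN."""

    def __init__(self, target: str, limit: Optional[LimitMatch] = None):
        self.target = target
        self.limit = limit

    def matches(self, now: float) -> bool:
        return self.limit is None or self.limit.matches(now)


def run_chain(rules: List[Rule], policy: str, syn_times: List[float]) -> List[str]:
    """Verdict for each new SSH SYN (given as seconds since start): the first
    matching rule wins, otherwise the chain's policy applies."""
    verdicts = []
    for t in syn_times:
        verdict = policy
        for rule in rules:
            if rule.matches(t):
                verdict = rule.target
                break
        verdicts.append(verdict)
    return verdicts


def limit_only(syn_times: List[float], policy: str = "ACCEPT") -> List[str]:
    """Eric's rule as Michal tested it: once the bucket is empty the packet
    simply falls through to whatever comes next, here a permissive policy."""
    return run_chain([Rule("ACCEPT", LimitMatch(1, 2))], policy, syn_times)


def limit_then_drop(syn_times: List[float], policy: str = "ACCEPT") -> List[str]:
    """Same rule followed by Dennis's `--dport 22 -j DROP`."""
    return run_chain([Rule("ACCEPT", LimitMatch(1, 2)), Rule("DROP")], policy, syn_times)


if __name__ == "__main__":
    burst = [0, 0, 0, 0, 0, 60]   # five SYNs in one second, one more a minute later
    print("limit only      :", limit_only(burst))
    print("limit then DROP :", limit_then_drop(burst))
```

Two caveats a practitioner should keep in mind. The `limit` bucket is one counter shared by every source address, so it throttles all SSH clients together, yourself included; per-source throttling needs `-m hashlimit --hashlimit-mode srcip` or the `recent` match. And both rules have to sit before any other rule in the chain that accepts port 22, otherwise the surplus connections are accepted there, which is the likely reason the single rule appeared to do nothing.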
On Wed, 2010-03-17 at 22:55 +0100, Michał Piotrowski wrote:
Off-topic, but here are a few: run ssh on a high, non-standard port, implement a portknocker, only work with certificates (not passwords), set PermitRootLogin to no in your sshd config, obfuscate your username(s), etc.
Léon