
[NMLUG] ssh brute force attacks



On Fri, Jan 28, 2011 at 03:18:37PM -0700, Ed Heron wrote:
> 
>   However, it makes me think about SSH.  It is a secure protocol but a
> bad password could open my system up to exploitation.  This isn't a SSH
> fault but a lack of confidence in my users.  And we don't even use SSH
> from outside the private network that often (just me for maintenance).
> 
>   We recently started using OpenVPN with certificates.  I'm working on
> adding a password so it takes both a certificate and a password to
> connect a remote machine to the private network.
> 
>   I'm thinking that OpenVPN makes external SSH obsolete.  I could turn
> it off forcing me to start a whole VPN in order to get access to the
> internal interface.
> 
>   Has everybody else already gotten to this conclusion or are there lots
> of people still allowing remote SSH access?
> 
>   I'm also thinking of setting up a honey pot on my external SSH port.
> Are there any pre-configured honeypot distributions?  Would a honeypot
> that never lets anybody in because it doesn't have any valid login
> combinations be good or should it let them in and let them waste their
> time installing root kits, then, when they log out, reset the machine?

If you don't use SSH from outside the network, don't allow access from the
outside.  Many of my boxes need remote login.  Consequently, they're often
being probed by the many botnets out there.  At one point, it got so bad
that sshd was being overwhelmed and wouldn't accept further connections.

I've been using Fail2ban (http://bit.ly/bFSCku) for some time now.  This
stops most attacks, but when the storm gets heavy, even Fail2ban can falter.
Not too long ago, I enhanced sshd's security further with knockd
(http://bit.ly/Z7wWM).  The amount of attacks I see on a daily basis is now
near zero.  If you use a fairly complicated knock sequence, I bet you'll see
straight zeroes.  (I use only two ports that are ascendingly apart from each
other for simplicity.  This makes it easy, but it also opens things to the
occasional rapid port scanning bot(s) - that's where Fail2ban comes in).

I've also seen a lot of success from running sshd on an alternate port
(e.g., 443).  You could probably do this if you still wanted to allow for
"maintenance" access.  Almost all the SSH probing bots I've seen only look
on port 22 for the daemon.

If you want to set up a honey pot for SSH, look at Kojoney:
http://kojoney.sourceforge.net/

OpenVPN is great.  Just make sure you maintain your CRL to account for
stolen, "lost," and other misplaced equipment that was assigned a cert.

Hope this helps,

--
Matt Rechkemmer
nmlug-list at aesir-corporation.com

"All that is necessary for evil to succeed is for good men to do nothing."
- Edmund Burke
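As an added example (not from Matt's post and not Fail2ban's own code), here is a small Python script that mimics the core of what Fail2ban does for sshd: parse auth-log lines for failed password attempts and flag any source that exceeds a retry threshold within a sliding time window. The log lines, host name and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format (not from the original post).
SAMPLE_LOG = """\
Jan 29 02:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 4122 ssh2
Jan 29 02:10:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 4123 ssh2
Jan 29 02:10:05 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 4124 ssh2
Jan 29 02:10:09 host sshd[1204]: Accepted publickey for matt from 198.51.100.20 port 50122 ssh2
Jan 29 02:11:30 host sshd[1205]: Failed password for matt from 198.51.100.20 port 50130 ssh2
Jan 29 02:40:00 host sshd[1206]: Failed password for root from 203.0.113.7 port 4200 ssh2
"""

# Matches the OpenSSH "Failed password" message; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2011):
    """Return a list of (timestamp, source_ip, username) for each failed login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year, so one is supplied (assumed here)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events

def find_offenders(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside findtime.

    Mirrors Fail2ban's maxretry/findtime semantics: a sliding window per source IP,
    and a source is reported once, at the moment it crosses the threshold."""
    window = defaultdict(list)
    banned = {}
    for ts, ip, _user in sorted(events):
        if ip in banned:
            continue
        window[ip].append(ts)
        window[ip] = [t for t in window[ip] if ts - t <= findtime]  # expire old hits
        if len(window[ip]) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(parse_failures(SAMPLE_LOG)).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the sample log the single brute-forcing source is reported after its third failure, while the one legitimate-looking failure from the other address stays below the threshold.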