Message-ID: <200410291651.i9TGpFFT007957@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Counteroffensive help on bruteforce attacks on SSHD 

On Fri, 29 Oct 2004 14:34:21 BST, Andrew Poodle said:
> I'm seeing lots of ssh login attempts with user=root from two or three
> IP addresses, after I blocked access at the firewall based on host.

> Can anyone point me at some good resources where I can bone up and learn
> more about counter-measures....  I'm not looking to take this guy out
> (although wouldn't be a bad thing).. But would be interesting to find
> out more.

1) set your firewall up *beforehand* to deny all SSH connects except from
hosts/networks that you need inbound SSH from.  If you're never going to SSH
in except from 3 specific machines and one dial-up net, just allow those 3
machines and the /24 or whatever that the dial-up uses.

2) In your sshd_config file, "PermitRootLogin no" and "PermitEmptyPasswords no"
will help security a lot.  If you're ambitious, you might consider forcing
the use of RSA keys and "PasswordAuthentication no".  Note that this *DOES*
require that the hosts you're ssh'ing in from *also* be secure (because if an
attacker gets the private key on that machine, they just got a login on
your box too...)

3) If you're ambitious, drop the network admin a "Please whack your user who
has a compromised box" (almost *all* of the recent plague of SSH scans have been
from ancient, unsecured, unpatched boxes). Offer void in Korea or anyplace else
that doesn't have a net admin who gives a damn, YMMV, etc.. ;)

4) That should stop the anklebiters.  Deterrence measures for more determined
attackers are a separate issue. ;)

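The two concrete controls in points 1 and 2 above (an allowlist of source hosts/networks at the firewall, and the `PermitRootLogin no` / `PermitEmptyPasswords no` / `PasswordAuthentication no` directives in `sshd_config`) are easy to get subtly wrong: sshd keys are case-insensitive, the *first* occurrence of a keyword wins, a line commented out with `#` has no effect, and a directive under a `Match` block does not change the global setting. The following audit script is an added example, not code from Valdis' message or from OpenSSH; the sample `sshd_config` text and the allowlist are constructed for illustration, and the `DEFAULTS` table reflects the current OpenSSH manual page defaults rather than 2004-era behaviour.

```python
import ipaddress
import re

# Constructed sample sshd_config (not from any real host). It repeats
# PermitRootLogin, comments out one hardening line, and puts another
# inside a Match block, so that each sshd parsing rule is exercised.
SAMPLE_SSHD_CONFIG = """\
Port 22
# commented out, so sshd never sees it:
#PasswordAuthentication no
permitrootlogin yes
PermitEmptyPasswords = no
PubkeyAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# The three directives the post recommends, keyed in lower case because
# sshd matches keywords case-insensitively.
RECOMMENDED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "passwordauthentication": "no",
}

# Values sshd applies when the keyword is absent (current OpenSSH defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
}

# Point 1 of the post: constructed allowlist of hosts/networks that may
# reach sshd (RFC 5737 documentation addresses, not real machines).
ALLOWLIST = ["198.51.100.7", "203.0.113.0/24"]

# keyword, optional '=' separator, remainder of the line
_DIRECTIVE = re.compile(r"([^\s=]+)\s*=?\s*(.*)")


def parse_sshd_config(text):
    """Parse sshd_config text into (global_opts, match_blocks).

    Mirrors sshd's rules: keywords are case-insensitive, both 'Key value'
    and 'Key = value' forms are accepted, lines beginning with '#' are
    comments, and the FIRST occurrence of a keyword wins. Directives under
    a Match line apply only to that block, so they are stored separately
    as (criteria, {keyword: value}) and never override the global value.
    """
    global_opts = {}
    match_blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _DIRECTIVE.match(line).groups()
        key = key.lower()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(key, value)  # first occurrence wins
    return global_opts, match_blocks


def audit(text):
    """Return (keyword, effective_value, recommended_value) for every
    recommended directive whose effective global value differs."""
    global_opts, _ = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = global_opts.get(key, DEFAULTS[key]).lower()
        if have != want:
            findings.append((key, have, want))
    return findings


def source_allowed(source_ip, allowlist):
    """True if source_ip falls inside any allowlisted host or CIDR network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in allowlist)


if __name__ == "__main__":
    for key, have, want in audit(SAMPLE_SSHD_CONFIG):
        print(f"{key}: effective value {have!r}, post recommends {want!r}")
    for ip in ("203.0.113.200", "192.0.2.1"):
        print(f"{ip}: {'allowed' if source_allowed(ip, ALLOWLIST) else 'denied'}")
```

Run against the constructed sample, the audit reports `permitrootlogin` as effectively `yes` (the later `PermitRootLogin no` loses to the first occurrence) and `passwordauthentication` as effectively `yes` (the commented-out line and the `Match` block entry do not change the global default), which is exactly the kind of mistake that leaves a host exposed despite an apparently hardened file. On a real system the same logic can be fed the output of `sshd -T`, which prints the effective configuration and avoids re-implementing the parser.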