Automatically Blocking SSH Attacks From Script Kiddies?
Posted by ajt on Thu 22 Sep 2005 at 12:30
As everyone knows there are a lot of script kiddies out there, running port scanners and SSH dictionary attack tools. Assuming you have a proper SSH configuration, this isn't a problem, but it is a nuisance as it clogs up the logs.
In the article Protecting Linux against automated attackers, Ryan Twomey suggests some tools for automatically blacklisting an IP based on failed login attempts.
Which tools have people found useful, and actually worth using?
I have already read the suggestions here: Using iptables to rate-limit incoming connections and Keeping SSH access secure.
The idea is:
- You open access only for trusted IPs and disallow any other.
- Allow only those IPs that knocked in the right order on the right ports to open the connection, then close the door again; the live connection will not be terminated.
You need a well-configured firewall, and the clients (Linux and Windows clients exist) need to knock before attempting to connect.
I will post a sample config on firewall and knockd.conf soon if needed in my weblog here.
[ Parent | Reply to this comment ]
I highly recommend the Python tool fail2ban [1][2], which creates blocking iptables rules automatically when the number of login tries reaches a given limit.
[1] http://fail2ban.sourceforge.net
[2] http://packages.debian.org/unstable/net/fail2ban
Regards,
Yomguy
http://yomix.org
[ Parent | Reply to this comment ]
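To show what a fail2ban-style filter actually does before it touches iptables, here is an added example (not the fail2ban project's own code) that scans OpenSSH "Failed password" lines and flags any source IP with at least `maxretry` failures inside a sliding `findtime` window. The log lines are constructed samples, and the `maxretry`/`findtime` defaults are assumed, not taken from fail2ban's configuration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (not from the original thread).
SAMPLE_LOG = """\
Sep 22 12:30:01 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Sep 22 12:30:03 host sshd[2002]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Sep 22 12:30:04 host sshd[2003]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Sep 22 12:30:05 host sshd[2004]: Failed password for root from 192.0.2.10 port 40003 ssh2
Sep 22 12:30:09 host sshd[2005]: Failed password for root from 192.0.2.10 port 40004 ssh2
Sep 22 12:30:10 host sshd[2006]: Failed password for bob from 203.0.113.5 port 41000 ssh2
Sep 22 12:45:30 host sshd[2007]: Failed password for bob from 203.0.113.5 port 41001 ssh2
Sep 22 12:46:00 host sshd[2008]: Failed password for invalid user guest from 203.0.113.5 port 41002 ssh2
Sep 22 12:46:20 host sshd[2009]: Failed password for invalid user guest from 203.0.113.5 port 41003 ssh2
"""

# Matches the syslog timestamp and the source IP of an OpenSSH password failure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(stamp, year=2005):
    # syslog lines carry no year; assume one so timestamps can be compared
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_offenders(log_text, maxretry=4, findtime=600):
    """Return {ip: timestamp_of_trigger} for IPs that reach maxretry failures
    within findtime seconds. Older failures slide out of the window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

def ban_rule(ip):
    """The iptables rule a fail2ban-style action would insert (returned, not run)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

if __name__ == "__main__":
    for ip, ts in find_offenders(SAMPLE_LOG).items():
        print(ts, ban_rule(ip))
```

With the defaults, 192.0.2.10 is flagged on its fourth failure while 203.0.113.5 is not, because its first failure has aged out of the 600 second window by the time the later three arrive.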
aptitude install fail2ban
[Remember to pull this from the 'unstable' repository.]
[ Parent | Reply to this comment ]
Martin
[ Parent | Reply to this comment ]
Anyone with a port scanner can easily discover what port sshd is running on, so you still need some additional layer of security.
Stephen Frost's 'ipt_recent' patch for iptables works great against brute force attacks.
See:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.txt
[ Parent | Reply to this comment ]
Agreed. I was going to package a port knocking daemon called doorman just for this, then I finally figured it wasn't worth it. In my case, I decided to use the facilities provided by shorewall (an awesome firewall tool):
ACCEPT net $FW tcp 22 - - 1/min:2
Basically, ssh login attempts from an IP on the public internet are restricted to once a minute, with a burst of 2 (basically allowing two attempts in the first 60 seconds). The nice thing is that it doesn't run the risk of someone DoSing me by using up all the concurrent connections or whatever. Additionally, the script kiddies get tired of waiting and I rarely ever get more than two attempts from the same IP. Some are really persistent and stick it out for 10 minutes or so, but that only gets them 11 attempts.
[ Parent | Reply to this comment ]
and this tool will also help:
Fail2Ban, which bans IPs that make too many password failures
(http://fail2ban.sourceforge.net/)
[ Parent | Reply to this comment ]
and you can also find lots of good comments...
[ Parent | Reply to this comment ]
fail2ban was 10 seconds to download, 1 minute to configure. Now it is happily banning the kiddies. Way to go!
[ Parent | Reply to this comment ]
Of course logs will still be full of script kiddies' attempts, but certainly fewer...
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
Alternatively, random early drop can be enabled by specifying the three colon separated values “start:rate:full” (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of “rate/100” (30%) if there are currently “start” (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches “full” (60).
[ Parent | Reply to this comment ]
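The random early drop rule quoted from the sshd_config man page above is easy to misread, so here is an added example (not OpenSSH code) that parses a MaxStartups value and computes the refusal probability for a given number of unauthenticated connections: zero below "start", "rate" percent at "start", rising linearly to 100 percent at "full". The helper names are my own.

```python
def parse_maxstartups(value):
    """Parse an sshd_config MaxStartups value: either "N" or "start:rate:full".
    A plain N is treated as start=full=N, i.e. hard refusal beyond N."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        start = full = parts[0]
        rate = 100
    elif len(parts) == 3:
        start, rate, full = parts
    else:
        raise ValueError("MaxStartups must be N or start:rate:full")
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError("invalid MaxStartups parameters")
    return start, rate, full

def refuse_probability(unauth, start=10, rate=30, full=60):
    """Probability that sshd refuses a new connection when `unauth`
    connections are already waiting for authentication (defaults: 10:30:60)."""
    if unauth < start:
        return 0.0          # below "start": every connection is accepted
    if unauth >= full:
        return 1.0          # at or above "full": every connection is refused
    # Linear ramp from rate% at `start` to 100% at `full`, as the man page describes.
    p0 = rate / 100.0
    return p0 + (1.0 - p0) * (unauth - start) / (full - start)

def refusal_table(value, step=10):
    """Tabulate (unauthenticated connections, refusal probability) for a setting."""
    start, rate, full = parse_maxstartups(value)
    return [(n, round(refuse_probability(n, start, rate, full), 2))
            for n in range(0, full + step, step)]

if __name__ == "__main__":
    for n, p in refusal_table("10:30:60"):
        print(f"{n:3d} unauthenticated -> refuse with probability {p:.2f}")
```

Running it for "10:30:60" shows the 30% refusal at 10 waiting connections, 65% at 35, and 100% at 60; a plain "10" refuses everything once 10 connections are pending.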
My SSH setup now uses -
- An alternative port
- Public key authentication, with password authentication disabled
- no root logins
- DenyHosts running as a daemon
I had set up DenyHosts as a cron job every 10 minutes, but was shocked at the number of login attempts made in this space of time. Running as a daemon it picks things up much faster.
HTH
Neil
[ Parent | Reply to this comment ]
a description of a firewall with 'ipt_recent' blacklists can be found here:
http://olivier.sessink.nl/publications/blacklisting/index.html
[ Parent | Reply to this comment ]
But those are not the only ports they can play with.
I am looking for a more central place to catch such misbehaviour. Maybe there is a syslogd out there somewhere with pluggable modules to monitor the events and make decisions based on that?
[ Parent | Reply to this comment ]
Windows does not come with SSH, so it's not vulnerable to this particular attack; however, in general Windows is more vulnerable than a Unix system of any flavour. As a general rule NEVER connect a Windows machine directly to the Internet; always connect via a NATing router or something similar.
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
The article, "Protecting Linux against automated attackers", has moved.
[ Parent | Reply to this comment ]