Repeated attacks via SSH
David Gilbert
dgilbert at dclg.ca
Mon Oct 3 07:38:21 PDT 2005
>>>>> "Brett" == Brett Glass <brett at lariat.org> writes:
Brett> Everyone: We're starting to see a rash of password guessing
Brett> attacks via SSH on all of our exposed BSD servers which are
Brett> running an SSH daemon. They're coming from multiple addresses,
Brett> which makes us suspect that they're being carried out by a
Brett> network of "bots" rather than a single attacker.
[...]
Brett> SSH is enabled by default in most BSD-ish operating systems,
Brett> and this makes us a bigger target for these bots than users of
Brett> OSes that don't come with SSH (not that they're not more
Brett> vulnerable in other ways!). Therefore, it's strongly
Brett> recommended that, where practical, everyone limit SSH logins to
Brett> the minimum possible number of users via the "AllowUsers"
Brett> directive. We also have a log monitor that watches the logs
Brett> (/var/log/auth.log in particular) and blackholes hosts that
Brett> seem to be trying to break in via SSH.
I have another angle. I run the following script on many of my
machines:
#!/bin/bash
# Copyright (c) 2005 DaveG.ca
# You may use this code under the GPL, version 2 or newer.
# firewall excessive ssh attempts
PATH=/bin:/sbin:/usr/bin:/usr/sbin
# Count "Illegal user <name> from <ip>" lines per source address; the
# address is the last field (newer OpenSSH logs the same event as "Invalid user").
grep "Illegal user" /var/log/auth.log | rev | cut -d' ' -f1 | rev | sort | uniq -c | \
( while read num ip; do
    if [ "$num" -gt 9 ]; then
        # "ipfw show" lists rules, not table entries, so check the table itself,
        # and anchor the match so 1.2.3.4 does not match 11.2.3.45
        if ! ipfw table 1 list | grep -q "^${ip//./\\.}/"; then
            echo adding "$ip" for "$num" violations
            logger -p auth.warn blocking "$ip" for "$num" violations
            ipfw table 1 add "$ip"
        fi
    fi
done
)
Now... the line 'ipfw ...' can be replaced with other firewall
statements or it can be a route add -blackhole.
The trick here is that it is unusual for legal users to make many
tries at an ssh with a completely wrong username.
Dave.
--
============================================================================
|David Gilbert, Independent Contractor. | Two things can only be |
|Mail: dave at daveg.ca | equal if and only if they |
|http://daveg.ca | are precisely opposite. |
=========================================================GLO================
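The count-then-block loop from the script above, as an added example that is not David Gilbert's script or anything from FreeBSD: it keeps the same rule (only "Illegal user" rejections count, block past a threshold) but adds an allowlist so a mistyped username from the admin's own host cannot lock the admin out, accepts the newer "Invalid user" wording, and prints the ipfw commands instead of running them. The log lines are constructed sample data, and the ALREADY_BLOCKED variable is an assumed stand-in for the output of `ipfw table N list`, one address per line, so the whole thing runs without ipfw.

```shell
#!/bin/sh
# Added example, not David Gilbert's script: count sshd unknown-user
# rejections per source address and emit block commands past a threshold.
# Assumptions: auth.log lines in OpenSSH's "Illegal user X from IP" form
# (newer releases say "Invalid user"); ALREADY_BLOCKED stands in for the
# output of "ipfw table N list", one address per line.

# Constructed sample log. 198.51.100.7 is a guessing bot, 203.0.113.9
# only tried twice, 192.0.2.44 is the admin's own host mistyping a name.
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        i=$((i + 1))
        echo "Oct  3 07:01:$(printf '%02d' "$i") bsd1 sshd[12$i]: Illegal user guest$i from 198.51.100.7"
    done
    echo "Oct  3 07:02:10 bsd1 sshd[1220]: Invalid user oracle from 203.0.113.9"
    echo "Oct  3 07:02:11 bsd1 sshd[1221]: Invalid user oracle from 203.0.113.9"
    echo "Oct  3 07:02:12 bsd1 sshd[1222]: Accepted publickey for dave from 192.0.2.44 port 5022 ssh2"
    echo "Oct  3 07:02:30 bsd1 sshd[1223]: Failed password for root from 198.51.100.7 port 40001 ssh2"
    i=0
    while [ "$i" -lt 11 ]; do
        i=$((i + 1))
        echo "Oct  3 07:03:$(printf '%02d' "$i") bsd1 sshd[13$i]: Illegal user dvae from 192.0.2.44"
    done
}

# ssh_offenders THRESHOLD [ALLOWLIST]   (log lines on stdin)
# Prints "count ip" for every source with more than THRESHOLD unknown-user
# attempts, skipping addresses in the space-separated ALLOWLIST. Only the
# "Illegal/Invalid user" lines count; a wrong password for a real account
# ("Failed password for root ...") is ignored, as in the original script.
ssh_offenders() {
    thr=$1
    allow=" ${2:-} "
    grep -E 'sshd\[[0-9]+\]: (Illegal|Invalid) user [^ ]+ from [0-9.]+' |
        sed -E 's/.* from ([0-9.]+).*/\1/' |
        sort | uniq -c | sort -k2,2 |
        while read -r num ip; do
            case "$allow" in *" $ip "*) continue ;; esac
            if [ "$num" -gt "$thr" ]; then
                echo "$num $ip"
            fi
        done
}

# block_commands TABLE   ("count ip" pairs on stdin)
# Prints the ipfw command for each address not yet in $ALREADY_BLOCKED;
# it is a dry run, pipe the output to sh once it looks right.
block_commands() {
    table=$1
    while read -r num ip; do
        if printf '%s\n' "${ALREADY_BLOCKED:-}" | grep -qxF "$ip"; then
            continue
        fi
        echo "ipfw table $table add $ip"
    done
}

# Demo run: threshold 9 as in the original script, admin host allowlisted,
# one address already in the table.
ALREADY_BLOCKED="203.0.113.9"
sample_log | ssh_offenders 9 "192.0.2.44" | block_commands 1
```

With the allowlist left empty the admin's host shows up with its 11 typos, which is exactly the case the allowlist exists for; the threshold should be read as "more than N", matching the `-gt 9` test in the original.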