Repeated attacks via SSH

David Gilbert dgilbert at dclg.ca
Mon Oct 3 07:38:21 PDT 2005 

>>>>> "Brett" == Brett Glass <brett at lariat.org> writes:

Brett> Everyone: We're starting to see a rash of password guessing
Brett> attacks via SSH on all of our exposed BSD servers which are
Brett> running an SSH daemon.  They're coming from multiple addresses,
Brett> which makes us suspect that they're being carried out by a
Brett> network of "bots" rather than a single attacker.

[...]

Brett> SSH is enabled by default in most BSD-ish operating systems,
Brett> and this makes us a bigger target for these bots than users of
Brett> OSes that don't come with SSH (not that they're not more
Brett> vulnerable in other ways!). Therefore, it's strongly
Brett> recommended that, where practical, everyone limit SSH logins to
Brett> the minimum possible number of users via the "AllowUsers"
Brett> directive. We also have a log monitor that watches the logs
Brett> (/var/log/auth.log in particular) and blackholes hosts that
Brett> seem to be trying to break in via SSH.

I have another angle.  I run the following script on many of my
machines:

#!/bin/bash
# Copyright (c) 2005 DaveG.ca
# You may use this code under the GPL, version 2 or newer.
# firewall excessive ssh attempts

PATH=/bin:/sbin:/usr/bin:/usr/sbin

cat /var/log/auth.log | grep "Illegal user" | rev  | cut -d\  -f 1 | rev | sort | uniq -c | \
( while read num ip; do
    if [ $num -gt 9 ]; then
      if ! ipfw show | grep -q $ip ; then
	echo adding $ip for $num violations
        logger -p auth.warn blocking $ip for $num violations
	ipfw table 1 add $ip
      fi
    fi
  done
) 

Now... the line 'ipfw ...' can be replace with other firewall
statements or it can be a route add -blackhole.

The trick here is that it is unusual for legal users to make many
tries at an ssh with a completely wrong username.

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave at daveg.ca                    |  equal if and only if they |
|http://daveg.ca                              |   are precisely opposite.  |
=========================================================GLO================

More information about the freebsd-security mailing list