Re: How do you handle invalid ssh logins?



Jim G wrote:

"F. Michael Orr" <michael_orr25@xxxxxxxxx> wrote in message news:13qh2ekjndf86df@xxxxxxxxxxxxxxxxxxxxx
On Mon, 04 Feb 2008 22:54:01 -0500, Randy Yates wrote:

"Jim G" <jgrago@xxxxxxxxxxxxxxxxxxx> writes:

With all the wannabe hackers running these ssh scripts to try to find
no-password accounts or default passwords, how do you handle these
people? I use a program called fail2ban (Python script) that works well
by blocking the IP for 15 minutes on 4 invalid ssh logins. I have also
tried changing the port that ssh listens on to 10022. That works well,
but I found that I have issues using sftp to my other servers.

Let me know how you handle these people and if you are successful.

Hi Jim,

Regarding sftp, I've used scp -P portnumber (instead) with good success.

I make use of two sshd daemons. The standard SSH port is blocked at the
edge firewall to prevent outside connections. A non-standard port is
used to allow connections from the outside to thwart the simplest worms
and automated dictionary attacks. I also make use of the PAM config
files to silently lock a userid after 5 invalid passwords on both SSH
ports (but not on the local console), and cron a reset so the lockouts
are temporary. Because it is a silent lockout, even a dictionary attack
against the non-standard port is unlikely to succeed.

If you are dealing with a very small number of legitimate users, another
extremely useful technique is to require 'portknocking'. Google that; it
basically makes use of iptables and the 'recent' module to require a
specific sequence of ports to be touched by a client within a very small
window of time before the server will even begin to listen to any
requests. Nothing (other than iptables) need even be listening on those
ports. A small Perl or even VBasic script can then be distributed to
perform the portknocking, with random ports thrown in between to
discourage traffic mapping. Once the port-knocking is completed, the
source IP address has the right to try to authenticate against the
machine, but all of the above rules still apply. In addition, it can be
set up that the source IP has a 'grace period' (say 30 minutes) after
portknocking where it doesn't need to portknock again, so that standard
communications tools can be used without modification.

We were getting hammered by attempts before I implemented these
measures. Since then, I have yet to see anyone get to the point of
trying a dictionary attack against our servers.

I am looking into this port knocking. Looks like it may be what I need. I have 11 servers that get hammered with these dictionary attacks.

Thanks
Jim

I was getting hammered - until I changed the listening port... I went from about 50 hits a day (easy), to nothing. Portknocking will send your logs into a tizzy depending on what you are logging. Maybe a combination of both a different port and portknocking would do great for you. I personally put sshd well above the "ideal" scan range for most.

JR.


--

Bill will have to take Linux from my cold, dead flippers.

-Tux.


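The iptables "recent"-module port knocking that F. Michael Orr describes above (a short sequence of ports, each hit within a small window, then a grace period during which the source address may connect without knocking again), written out as an added example. This is not code from the thread or from any of the posters; the knock ports 7000/8000/9000, the 10-second per-step window, the 30-minute grace period, SSH on port 10022 (the port Jim tried) and the helper names knock_rules and knock_client are all my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: port knocking with the iptables
# "recent" module, along the lines described in the post above. Ports
# 7000/8000/9000, a 10-second step window and a 30-minute grace period are
# assumptions.
#
# Each knock port, hit in order, moves the source IP from one recent list to
# the next; the final knock puts it on PASSED, which unlocks the SSH port for
# GRACE seconds. Hits on any other port neither advance nor reset the
# sequence, so the client can throw random decoy ports in between.

# knock_rules SSH_PORT GRACE_SECS STEP_SECS PORT1 PORT2 [PORT3 ...]
# Prints the iptables commands for the server (review them, then pipe to sh).
# Assumes the rest of INPUT (loopback, default DROP policy) is handled elsewhere.
knock_rules() {
    ssh_port=$1; grace=$2; window=$3; shift 3
    [ $# -ge 2 ] || { echo "knock_rules: need at least two knock ports" >&2; return 1; }
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # --rcheck does not refresh the entry, so the grace period runs from the
    # last knock, not from the last SSH connection.
    echo "iptables -A INPUT -p tcp --syn --dport $ssh_port -m recent --rcheck --seconds $grace --name PASSED -j ACCEPT"
    i=1; prev=""; total=$#
    for p in "$@"; do
        if [ "$i" -eq "$total" ]; then cur=PASSED; else cur="KNOCK$i"; fi
        if [ -z "$prev" ]; then
            # First knock: just record the source address.
            echo "iptables -A INPUT -p tcp --syn --dport $p -m recent --name $cur --set -j DROP"
        else
            # Later knocks count only if the previous one was seen within STEP_SECS.
            echo "iptables -A INPUT -p tcp --syn --dport $p -m recent --rcheck --seconds $window --name $prev -m recent --name $cur --set -j DROP"
        fi
        prev=$cur; i=$((i + 1))
    done
    # Anyone who has not completed the sequence gets silence on the SSH port.
    echo "iptables -A INPUT -p tcp --syn --dport $ssh_port -j DROP"
}

# knock_client HOST PORT1 PORT2 ...   (run from the workstation before ssh/sftp)
# Every knock is a SYN the server drops, so each nc attempt times out; that
# is expected. A port not in the sequence can be slipped in as a decoy.
knock_client() {
    host=$1; shift
    for p in "$@"; do
        nc -z -w 1 "$host" "$p" 2>/dev/null || true
    done
}

# Stand-alone run: show the ruleset for the assumed settings.
knock_rules 10022 1800 10 7000 8000 9000
```

Two caveats a practitioner should keep in mind with this shape of ruleset: a sequence that ascends (7000, 8000, 9000) can be completed by accident by a plain sequential port sweep that happens to stay inside the step window, so pick ports that are not in increasing order; and the knocks travel in the clear, so anyone who can watch the wire can replay them. The knock only decides who gets to reach the sshd; as the post says, the password lockout and everything else still apply behind it.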
