Hi,

When people try and break into my system from the internet I get lots of messages like:

Nov 14 19:08:13 rook sshd[6333]: Failed password for invalid user guest from 210.83.48.238 port 40811 ssh2
Nov 14 19:08:19 rook sshd[6338]: Invalid user admin from 210.83.48.238
Nov 14 19:08:19 rook sshd[6338]: Failed password for invalid user admin from 210.83.48.238 port 40920 ssh2
Nov 14 19:08:24 rook sshd[6342]: Invalid user admin from 210.83.48.238
Nov 14 19:08:24 rook sshd[6342]: Failed password for invalid user admin from 210.83.48.238 port 40994 ssh2
Nov 14 19:08:29 rook sshd[6346]: Invalid user user from 210.83.48.238
Nov 14 19:08:29 rook sshd[6346]: Failed password for invalid user user from 210.83.48.238 port 41070 ssh2
Nov 14 19:08:35 rook sshd[6351]: Failed password for root from 210.83.48.238 port 41137 ssh2
Nov 14 19:08:40 rook sshd[6355]: Failed password for root from 210.83.48.238 port 41204 ssh2
Nov 14 19:08:45 rook sshd[6359]: Failed password for root from 210.83.48.238 port 41279 ssh2

It would be good if sshd could detect such break-in attempts and simply not accept the connections. I can imagine having a simple mechanism that counts the number of login attempts from a given IP address and, if so many are attempted in a short time period, that IP address is blacklisted for a while.

Is something like that possible?

Thanks,

Mark
Daniel Kahn Gillmor
2006-Nov-14 20:55 UTC
sshd behaviour when people are trying to break in
hi Mark--

On November 14, markb at ordern.com said:

> It would be good if sshd could detect such break-in attempts and
> simply not accept the connections. I can imagine having a simple
> mechanism that counts the number of login attempts from a given IP
> address and if so many are attempted in a short time period, that IP
> address is blacklisted for a while.

I don't think this functionality belongs in openssh. This sort of policy has been implemented in a more generalized way than ssh could do on its own. There are programs which read logfiles and block IP addresses based on the contents. One such implementation is fail2ban:

http://fail2ban.sourceforge.net/

which comes with a standard set of rules for dealing with openssh logs and blocking IPs using the linux netfilter rulesets. I'm sure it's adaptable to pf or whatever other filtering setup you are already using.

hth,

--dkg
This has been discussed before. It can be implemented by monitoring the logs, and firewall rules. That said, it is a denial of service once that monitoring and locking start happening.

Here are some threads:

"How to use SSH with Failed Login attempts and locking accounts" (though it starts with locking accounts on the MP-RAS system it generally applies)
<http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115265219510067&w=2>
I think this is the same thread but good explanation
<http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115268028704882&w=2>

"Automatic blacklist of IP-addresses."
<http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=113485372712488&w=2>

"Blacklisting repeated login tries"
<http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=111633631229109&w=2>

I stuck the quoted subject line and a link to each thread. Using the subject should make finding the thread easier if the above links stop working someday.

The problem with automatic locking is that you will probably block a legitimate user out. If you are just going to block an IP for a limited time, it will annoy the legitimate user who fell within that IP (IPs of home users are often NAT'd or use DHCP). If you permanently block the IP it is of course worse, since the user can no longer connect. If you lock the given account after some number of failed logins, you will probably lose access to the machine and have to login through the physical console connected to the box (a big hassle if your box is colocated somewhere).

I run several servers on the net with ssh open to the world, and see failed login attempts a lot. What I have generally done is ignore it. If I see the same IP a whole lot (like several hours at a time, over a few days, and enough that my mail is filling up, or the machine is noticeably slowing down) I have been known to block the offending IP completely after making sure that none of my users are likely to come from that IP.

In general I limit ssh logins only to users who need them and do require secure passwords. I encourage all users to use secure passwords for all their accounts. Finally, on one box I got tired of all the junk in my logs so I did move ssh to listen on another port; be aware this does not make the machine any more secure (security through obscurity does not work. Go find and read "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments" and related articles).

Hopefully this will help end discussions on locking accounts due to a failed login, failed password, or too many failed attempts from a given IP.

Darren

On Nov 14, 2006, at 12:19 , Mark Burton wrote:

> Hi,
>
> When people try and break into my system from the internet I get lots
> of messages like:
>
> Nov 14 19:08:13 rook sshd[6333]: Failed password for invalid user guest from 210.83.48.238 port 40811 ssh2
> Nov 14 19:08:19 rook sshd[6338]: Invalid user admin from 210.83.48.238
> Nov 14 19:08:19 rook sshd[6338]: Failed password for invalid user admin from 210.83.48.238 port 40920 ssh2
> Nov 14 19:08:24 rook sshd[6342]: Invalid user admin from 210.83.48.238
> Nov 14 19:08:24 rook sshd[6342]: Failed password for invalid user admin from 210.83.48.238 port 40994 ssh2
> Nov 14 19:08:29 rook sshd[6346]: Invalid user user from 210.83.48.238
> Nov 14 19:08:29 rook sshd[6346]: Failed password for invalid user user from 210.83.48.238 port 41070 ssh2
> Nov 14 19:08:35 rook sshd[6351]: Failed password for root from 210.83.48.238 port 41137 ssh2
> Nov 14 19:08:40 rook sshd[6355]: Failed password for root from 210.83.48.238 port 41204 ssh2
> Nov 14 19:08:45 rook sshd[6359]: Failed password for root from 210.83.48.238 port 41279 ssh2
>
> It would be good if sshd could detect such break-in attempts and
> simply not accept the connections. I can imagine having a simple
> mechanism that counts the number of login attempts from a given IP
> address and if so many are attempted in a short time period, that IP
> address is blacklisted for a while.
>
> Is something like that possible?
>
> Thanks,
>
> Mark
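The mechanism Mark asks for, and that dkg and Darren describe (a log watcher that counts sshd failures per source address over a short window and hands a time-limited block to the firewall), as an added example that is not part of the thread and is not fail2ban's code. It parses the "Failed password" lines sshd writes, keeps a sliding window per IP, bans an IP for a fixed period once it crosses the threshold, and lets a ban expire. It also addresses Darren's lockout caveat with a whitelist of networks that are never blocked. The log lines below are constructed for this example in sshd's format (RFC 5737 documentation addresses, not the addresses from the thread); the 5-failures-in-60-seconds threshold, the 10-minute ban, the whitelisted 192.168.1.0/24 network and the iptables command string are assumptions, and the code only formats the firewall command rather than executing it.

```python
"""Sliding-window sshd brute-force detector (illustrative, not fail2ban)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd auth.log line: "Nov 14 19:08:13 host sshd[pid]: Failed password for
# [invalid user] NAME from IP port N ssh2". Other lines (e.g. "Invalid user")
# are ignored by this matcher.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one fast scanner, one burst from a trusted LAN
# host, one slow attacker, and the scanner returning after its ban expires.
SAMPLE_LOG = """\
Nov 14 19:08:13 rook sshd[6333]: Failed password for invalid user guest from 203.0.113.7 port 40811 ssh2
Nov 14 19:08:19 rook sshd[6338]: Invalid user admin from 203.0.113.7
Nov 14 19:08:19 rook sshd[6338]: Failed password for invalid user admin from 203.0.113.7 port 40920 ssh2
Nov 14 19:08:24 rook sshd[6342]: Failed password for invalid user admin from 203.0.113.7 port 40994 ssh2
Nov 14 19:08:29 rook sshd[6346]: Failed password for invalid user user from 203.0.113.7 port 41070 ssh2
Nov 14 19:08:35 rook sshd[6351]: Failed password for root from 203.0.113.7 port 41137 ssh2
Nov 14 19:08:40 rook sshd[6355]: Failed password for root from 203.0.113.7 port 41204 ssh2
Nov 14 19:08:41 rook sshd[6360]: Failed password for mark from 192.168.1.20 port 50001 ssh2
Nov 14 19:08:42 rook sshd[6361]: Failed password for mark from 192.168.1.20 port 50002 ssh2
Nov 14 19:08:43 rook sshd[6362]: Failed password for mark from 192.168.1.20 port 50003 ssh2
Nov 14 19:08:44 rook sshd[6363]: Failed password for mark from 192.168.1.20 port 50004 ssh2
Nov 14 19:08:45 rook sshd[6364]: Failed password for mark from 192.168.1.20 port 50005 ssh2
Nov 14 19:20:00 rook sshd[6400]: Failed password for root from 198.51.100.9 port 41300 ssh2
Nov 14 19:25:00 rook sshd[6410]: Failed password for root from 203.0.113.7 port 41400 ssh2
Nov 14 19:30:00 rook sshd[6401]: Failed password for root from 198.51.100.9 port 41301 ssh2
"""


class BruteForceDetector:
    def __init__(self, max_failures=5, window=timedelta(seconds=60),
                 ban_time=timedelta(minutes=10), whitelist=(), year=2006):
        self.max_failures = max_failures          # assumed thresholds
        self.window = window
        self.ban_time = ban_time
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.year = year                          # syslog stamps carry no year
        self.failures = defaultdict(deque)        # ip -> recent failure times
        self.banned_until = {}                    # ip -> ban expiry

    def _parse_ts(self, stamp):
        return datetime.strptime(f"{self.year} {stamp}", "%Y %b %d %H:%M:%S")

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def feed(self, line):
        """Consume one log line; return the IP if this line triggers a new ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, ts = m["ip"], self._parse_ts(m["ts"])
        if self._whitelisted(ip):
            return None                           # never block trusted networks
        if ip in self.banned_until and self.banned_until[ip] <= ts:
            del self.banned_until[ip]             # ban expired: start counting afresh
            self.failures[ip].clear()
        if ip in self.banned_until:
            return None                           # already blocked, nothing new
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                      # drop failures outside the window
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_time
            recent.clear()
            return ip
        return None

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until


def iptables_rule(ip):
    """Firewall command a log watcher would hand to netfilter (assumed form)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


def run(log_text, **kwargs):
    """Feed every line; return the detector and a list of (ip, ban_expiry)."""
    det = BruteForceDetector(**kwargs)
    bans = []
    for line in log_text.splitlines():
        hit = det.feed(line)
        if hit:
            bans.append((hit, det.banned_until[hit]))
    return det, bans


if __name__ == "__main__":
    det, bans = run(SAMPLE_LOG, whitelist=["192.168.1.0/24"])
    for ip, until in bans:
        print(f"ban {ip} until {until:%H:%M:%S}: {iptables_rule(ip)}")
```

Running it bans only the fast scanner (five failures inside 22 seconds); the trusted LAN host that fumbles five passwords is ignored because of the whitelist, the slow attacker's two failures fall outside the 60-second window, and the scanner's return at 19:25 lands after the 19:18:35 expiry and starts a fresh count. This is the tradeoff Darren raises: the tighter the threshold and the longer the ban, the more likely a legitimate user behind a shared NAT address is locked out, so a short ban plus a whitelist of the networks your users actually come from is the usual compromise.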