Hi, I get ssh connect attempts all the time, to my servers at home and at work. I've noticed lately they come from a certain ip address, hitting every 3 or 4 seconds, trying 50 or 100 different user names and passwords. And I get these sweeps from 2 or 3 ip addresses a day. I guess this is an automated attempt to guess a user/pass and break into a system. I tried to secure ssh better by putting in an AllowUsers line in sshd_config. Then I thought tcp wrappers and just putting in my own addresses in /etc/hosts.allow would be even better, until I found out that all mail to my email server would be rejected. I have 2 questions. One, is there anything you can do to stop these attempts, other than not running ssh? And two, do those ssh attempts every 3 or 4 seconds slow down a box, or put any strain on it? John
hi,

> I have 2 questions. One, is there anything you can do to stop these
> attempts, other than not running ssh?

- run sshd on another port
- use OTP devices and methods or token based authentication, or at least an rsa key to authenticate yourself

> And two, do those ssh attempts every 3 or 4 seconds slow down a box, or
> put any strain on it?

it depends, but generally it doesn't.

bye,
Ago
> I have 2 questions. One, is there anything you can do to stop these
> attempts, other than not running ssh?

Welcome to script-kiddie 101. You can use key based authentication instead of password based, which will help, or you can move ssh to an alternate port. By moving ssh off port 22, you'll eliminate virtually all of these probes.

> And two, do those ssh attempts every 3 or 4 seconds slow down a box, or
> put any strain on it?

Theoretically, it reduces it a little, but in practice, you won't/shouldn't notice the difference. The most noticeable hit is to bandwidth, but even that should be reasonably small.

--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Benjamin Franklin 1775
John Merritt wrote:
> . . . is there anything you can do to stop these
> attempts, other than not running ssh?

I have found a non-standard port to be satisfactory so far. APF firewall has a built-in feature, but I am not sure it works on non-standard ports. I am thinking about installing this, http://denyhosts.sourceforge.net/, in case any persistent script finds my port. I have not tried this yet, so I do not know.
> I have 2 questions. One, is there anything you can do to stop these
> attempts, other than not running ssh?

I use a pam_listfile entry in /etc/pam.d/sshd that reads a file (mine is called /etc/sshusers). If the user requested to log in is not in the file, the authentication attempt is rejected. So, if I had a user named "bob" and someone managed to sniff "bob"'s password during a cleartext protocol authentication session, the user would not be able to log in to the ssh server if "bob" wasn't listed in the file. You can do the same with groups.

The main advantage of using this method over the AllowUsers method is that this file can be updated, and sshd does not have to be restarted to re-read the file.

You also might look into the pam_access module. I've used that on occasion as well.

Hope this helps.

Barry
John Merritt wrote:
> I tried to secure ssh better by putting in an AllowUsers line in
> sshd_config. Then I thought tcp wrappers and just putting in my own
> addresses in /etc/hosts.allow would be even better, until I found out
> that all mail to my email server would be rejected.

There should be no problem here. Just disallow everything in /etc/hosts.deny and then enable particular ip addresses for sshd. And also enable the appropriate addresses for other services that you want to be available to various IP addresses. You can use the word ALL to indicate no restriction. e.g.:

    sendmail:ALL

man hosts.allow should get you the information that you need. But if you are remote to the machine, be careful you don't lock yourself out!

-Steve
John Merritt wrote:
> Hi,
>
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into
> a system.
>
> I tried to secure ssh better by putting in an AllowUsers line in
> sshd_config. Then I thought tcp wrappers and just putting in my own
> addresses in /etc/hosts.allow would be even better, until I found out
> that all mail to my email server would be rejected.
>
> I have 2 questions. One, is there anything you can do to stop these
> attempts, other than not running ssh?
>
> And two, do those ssh attempts every 3 or 4 seconds slow down a box,
> or put any strain on it?
>
> John
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Using hosts.* files.

cat hosts.allow

    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    sshd : 192.0.0. : allow
    sshd : 192.14.89.55 : allow
    sshd : localhost : allow
    # end hosts.allow

The first allows the entire class C on 192.0.0. access and the single IP address 192.14.89.55. Set the allowed IP addresses to your location(s). Setting these to class Cs is not such a bad idea. If someone local is trying to get in, it's pretty easy to find out who they are... and if someone suddenly throws you off onto another IP... hopefully it'll still be on the same class.

and then we deny all....

cat hosts.deny

    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!
    sshd : ALL
    # end hosts.deny

Then /etc/init.d/sshd restart

Be sure you have it right if you are remote or you'll not be able to shell in. ;)

And, as stated in other emails.... it's a good idea to have another method for getting in, so that when you're 500 miles from home, on a strange network, you don't suddenly find yourself locked out during a major catastrophe!

Best,
John Hinton
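The allow-then-deny lookup that Steve's reply and John Hinton's files both depend on, shown as an added Python model (this is not code from the thread and not libwrap itself). It evaluates a (daemon, client) pair against hosts.allow and hosts.deny in the order documented in hosts_access(5), using John Hinton's posted addresses, and an assumed `ALL : ALL` hosts.deny as the configuration behind the original poster's rejected mail. The outside address 203.0.113.7 is constructed, `localhost` is assumed to resolve to 127.0.0.1, and only a subset of the client syntax is modelled (no EXCEPT lists, hostnames, net/mask or IPv6 forms).

```python
"""Model of the tcp_wrappers access decision (hosts.allow / hosts.deny).

Added illustration for this thread; not the thread's own code and not the
real libwrap implementation. Order, per hosts_access(5): grant if the
(daemon, client) pair matches hosts.allow, otherwise deny if it matches
hosts.deny, otherwise grant. A third field of 'allow' or 'deny' overrides
the file's verdict, as in the extended option syntax; other options are
ignored here.
"""


def parse_rules(text):
    """Return (daemons, clients, option) triples from a hosts.allow-style body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2].lower() if len(fields) > 2 else ""
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if pattern == "localhost":  # assumption: localhost resolves to 127.0.0.1
        return ip == "127.0.0.1"
    if pattern.endswith("."):  # network prefix form, e.g. 192.0.0.
        return ip.startswith(pattern)
    return ip == pattern


def check_access(hosts_allow, hosts_deny, daemon, ip):
    """Return 'allow' or 'deny' for a connection to daemon from ip."""
    for text, verdict in ((hosts_allow, "allow"), (hosts_deny, "deny")):
        for daemons, clients, option in parse_rules(text):
            if daemon not in daemons and "ALL" not in daemons:
                continue
            if any(client_matches(p, ip) for p in clients):
                return option if option in ("allow", "deny") else verdict
    return "allow"  # no rule in either file matched


# John Hinton's hosts.allow from the thread (addresses as posted).
HOSTS_ALLOW_SSHD_ONLY = """\
sshd : 192.0.0. : allow
sshd : 192.14.89.55 : allow
sshd : localhost : allow
"""
# His hosts.deny: only sshd is closed to everyone else.
HOSTS_DENY_SSHD = "sshd : ALL\n"
# Presumed configuration behind the original poster's rejected mail:
# everything denied by default, with only sshd clients in hosts.allow.
HOSTS_DENY_ALL = "ALL : ALL\n"
# Steve's fix: open the mail daemon to everyone in hosts.allow.
HOSTS_ALLOW_WITH_MAIL = HOSTS_ALLOW_SSHD_ONLY + "sendmail : ALL\n"

if __name__ == "__main__":
    # 203.0.113.7 is a constructed outside address (documentation range).
    for allow, deny, daemon, ip in (
        (HOSTS_ALLOW_SSHD_ONLY, HOSTS_DENY_ALL, "sendmail", "203.0.113.7"),
        (HOSTS_ALLOW_WITH_MAIL, HOSTS_DENY_ALL, "sendmail", "203.0.113.7"),
        (HOSTS_ALLOW_SSHD_ONLY, HOSTS_DENY_SSHD, "sendmail", "203.0.113.7"),
        (HOSTS_ALLOW_SSHD_ONLY, HOSTS_DENY_SSHD, "sshd", "192.0.0.77"),
        (HOSTS_ALLOW_SSHD_ONLY, HOSTS_DENY_SSHD, "sshd", "203.0.113.7"),
    ):
        print(daemon, ip, "->", check_access(allow, deny, daemon, ip))
```

The first case prints deny: with `ALL : ALL` in hosts.deny and only sshd clients listed in hosts.allow, every other wrapped service, sendmail included, is refused, which matches what the original poster saw. Adding `sendmail : ALL` to hosts.allow turns that into allow, and so does John Hinton's narrower hosts.deny, which closes only sshd and leaves other services at the default of allow.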
John Merritt wrote:
> Hi,
>
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into
> a system.

Everything on the internet gets them all day long. I have several dedicated servers so the attacks become wearisome, and the only time I have ever had a security problem was a user with a guessable password. What I do is:

Install APF on every box as the first thing I do. http://www.rfxnetworks.com/apf.php

    #apf -a myownips

Disallow ssh entirely with apf by leaving port 22 out of the ingress setting.

    #chkconfig apf off

In the event the server hangs, I want the data center to be able to ssh to the box, so a reboot will disable apf and they will be able to access.

Install bfd - http://www.rfxnetworks.com/bfd.php

This will also stop the attacks on any port by banning the specific IPs that have too many failed logins.

APF is wonderful, very well thought out and powerful. It's not as flexible as a firewall such as shorewall, but I feel that is overkill to protect a single online server.

--
Chris Mason
NetConcepts
Quoting John Merritt (jmerritt at johnlyuba.mine.nu):
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into a
> system.
>
> I tried to secure ssh better by putting in an AllowUsers line in
> sshd_config. Then I thought tcp wrappers and just putting in my own
> addresses in /etc/hosts.allow would be even better, until I found out
> that all mail to my email server would be rejected.
>
> I have 2 questions. One, is there anything you can do to stop these
> attempts, other than not running ssh?

As others have said, one option is to use port knocking. You could also stop using passwords altogether. Alternatively you could firewall sources of repeated login attempts using iptables. I've been looking at

http://www.csc.liv.ac.uk/~greg/sshdfilter/
http://fail2ban.sourceforge.net/

only this afternoon.

Sounds like you've got your hosts.allow config wrong, but others appear to have dealt with that already. My preference would be to firewall rather than block in hosts.[allow|deny], purely because you get rid of the unwanted traffic as early as possible.

> And two, do those ssh attempts every 3 or 4 seconds slow down a box, or
> put any strain on it?

I don't think it's any significant extra load. However, if you start to get large numbers of them then I guess it's possible that sshd may stop responding at times.

James
On 13/02/06, John Merritt <jmerritt at johnlyuba.mine.nu> wrote:
> Hi,
>
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into a
> system.

This question's popped up a fair few times in the last couple of weeks/months. I wonder, if we haven't already got one, might it be worth setting up a CentOS mailing list FAQ? I think the general consensus in the past has been...

* Only allow SSH v2 RSA/DSA key-based authentication and use agent forwarding (i.e. *not* passwordless private keys)
* Run SSHd on a non-standard port
* Disallow root logins via SSH
* Only allow users that belong to a specific group to connect via SSH, typically people use the "wheel" group but a custom group is easily substituted
* Use a denyhosts script or similar
* If you know absolutely where all SSH connections originate from, drop all other traffic on that port bar the known IP address/range

As long as you at least understand the basics of how and why you're doing these things, the more layers of security you add the better.

Will.
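A checker for the server-side items in Will's list, added here as an example (it is not code from the thread and not OpenSSH's own parser). It reads the global section of an sshd_config the way sshd treats it for these purposes: keywords are case-insensitive, the first occurrence of a keyword wins, and everything from the first `Match` line onward is conditional and skipped. Where a keyword is absent it assumes the OpenSSH defaults of the period (Port 22, Protocol 2,1, PermitRootLogin yes, PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes, no AllowGroups); those defaults and the two sample configurations are assumptions, not taken from any real host. The list's point about agent forwarding and passphrase-protected keys is client-side practice that sshd_config cannot show, so it is not checked.

```python
"""Audit an sshd_config against the hardening list given in the thread.

Added illustration, not code from the thread or from OpenSSH. Only the
global section is examined; 'Match' blocks are skipped. DEFAULTS are the
assumed values used when a keyword is absent.
"""

DEFAULTS = {
    "port": "22",
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowgroups": "",
}


def parse_sshd_config(text):
    """Return {lowercase keyword: first value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are out of scope for this check
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(settings):
    """Return (check name, passed, evidence) triples for Will's list."""
    def get(key):
        return settings.get(key, DEFAULTS[key])

    protocol = get("protocol")
    pw = get("passwordauthentication").lower()
    cr = get("challengeresponseauthentication").lower()
    pk = get("pubkeyauthentication").lower()
    port = get("port")
    root = get("permitrootlogin").lower()
    groups = get("allowgroups")
    return [
        ("ssh v2 only", protocol.replace(" ", "") == "2", "Protocol " + protocol),
        # Passwords can also be offered via keyboard-interactive (PAM), so
        # ChallengeResponseAuthentication has to be off for key-only login.
        ("key-based auth only", pw == "no" and cr == "no" and pk == "yes",
         "PasswordAuthentication %s, ChallengeResponseAuthentication %s, "
         "PubkeyAuthentication %s" % (pw, cr, pk)),
        ("non-standard port", port != "22", "Port " + port),
        ("no root logins", root == "no", "PermitRootLogin " + root),
        ("group restriction", groups != "",
         "AllowGroups " + (groups or "(unset)")),
    ]


def failed_checks(text):
    """Names of the list items the given sshd_config does not satisfy."""
    return [name for name, ok, _ in audit(parse_sshd_config(text)) if not ok]


# Constructed sample configurations (not from any real host).
STOCK_CONFIG = """\
#Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Protocol 2
Port 2022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshusers
"""

if __name__ == "__main__":
    for label, text in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, ok, evidence in audit(parse_sshd_config(text)):
            print("%-8s %-20s %s  (%s)" % (label, name, "ok" if ok else "FAIL", evidence))
```

The stock sample fails every check because commented-out lines count for nothing and the assumed defaults apply; the hardened sample passes all five. The ChallengeResponseAuthentication condition is the caveat most often missed: with PAM in use, `PasswordAuthentication no` alone still lets a client type a password through keyboard-interactive.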
People have had lots of suggestions... pretty much everything has been suggested except for my approach:

1) don't use 1234 or test for password
2) ignore the suckers

/Peter

On Monday 13 February 2006 23:58, John Merritt wrote:
> Hi,
>
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into a
> system.
>
> I tried to secure ssh better by putting in an AllowUsers line in
> sshd_config. Then I thought tcp wrappers and just putting in my own
> addresses in /etc/hosts.allow would be even better, until I found out
> that all mail to my email server would be rejected.
>
> I have 2 questions. One, is there anything you can do to stop these
> attempts, other than not running ssh?
>
> And two, do those ssh attempts every 3 or 4 seconds slow down a box, or
> put any strain on it?
>
> John

--
------------------------------------------------------------
Peter Kjellström | National Supercomputer Centre | Sweden | http://www.nsc.liu.se
I successfully use denyhosts that will automatically blacklist ips after several failed attempts. I now have more than 70 IPs blacklisted.

John Merritt wrote:
> Hi,
>
> I get ssh connect attempts all the time, to my servers at home and at
> work. I've noticed lately they come from a certain ip address, hitting
> every 3 or 4 seconds, trying 50 or 100 different user names and
> passwords. And I get these sweeps from 2 or 3 ip addresses a day. I
> guess this is an automated attempt to guess a user/pass and break into
> a system.
>
> I tried to secure ssh better by putting in an AllowUsers line in
> sshd_config. Then I thought tcp wrappers and just putting in my own
> addresses in /etc/hosts.allow would be even better, until I found out
> that all mail to my email server would be rejected.
>
> I have 2 questions. One, is there anything you can do to stop these
> attempts, other than not running ssh?
>
> And two, do those ssh attempts every 3 or 4 seconds slow down a box,
> or put any strain on it?
>
> John
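What denyhosts (this message and the earlier one pointing at denyhosts.sourceforge.net), bfd, sshdfilter and fail2ban share is a failure counter over sshd's log messages; the added Python example below shows that core (it is not any of those tools' code and not from the thread). It matches the "Failed password" and "Invalid user" lines sshd writes to /var/log/secure, counts them per source address inside a sliding window, and for each address that crosses the threshold returns the hosts.deny line (the denyhosts approach) and the iptables rule (the firewall approach James preferred) as text for the administrator to review. The log lines are constructed, with timing like the 3 to 4 second cadence John described; syslog lines carry no year, so one is assumed.

```python
"""Threshold-based detection of SSH password guessing from auth log lines.

Added illustration of the mechanism behind denyhosts, bfd, sshdfilter and
fail2ban; not any of those tools' code and not from the thread. The sample
log is constructed; the year is assumed because syslog omits it.
"""
import re
from collections import defaultdict
from datetime import datetime

# The two sshd messages a guessing run produces: a rejected password for a
# real or invalid account, and the "Invalid user" notice itself.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def find_offenders(lines, threshold=5, window_seconds=600, year=2006):
    """Return {ip: time of the failure that crossed the threshold}."""
    recent = defaultdict(list)  # ip -> timestamps of failures still in window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages
        ip = m.group("ip")
        if ip in banned:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")),
                               "%Y %b %d %H:%M:%S")
        recent[ip] = [t for t in recent[ip]
                      if (ts - t).total_seconds() <= window_seconds]
        recent[ip].append(ts)
        if len(recent[ip]) >= threshold:
            banned[ip] = ts
    return banned


def ban_actions(ip):
    """The two blocking forms discussed in the thread, as text to review."""
    hosts_deny_line = "sshd: %s" % ip
    iptables_rule = "iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip
    return hosts_deny_line, iptables_rule


# Constructed /var/log/secure excerpt: one guessing run from 203.0.113.7,
# a legitimate key login from 192.0.0.77, two typos from 198.51.100.9.
SAMPLE_LOG = """\
Feb 13 23:58:01 home sshd[4101]: Invalid user test from 203.0.113.7
Feb 13 23:58:01 home sshd[4101]: Failed password for invalid user test from 203.0.113.7 port 40123 ssh2
Feb 13 23:58:05 home sshd[4103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Feb 13 23:58:08 home sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 40137 ssh2
Feb 13 23:58:12 home sshd[4107]: Failed password for invalid user oracle from 203.0.113.7 port 40142 ssh2
Feb 13 23:58:15 home sshd[4109]: Failed password for root from 203.0.113.7 port 40150 ssh2
Feb 13 23:58:20 home sshd[4111]: Accepted publickey for john from 192.0.0.77 port 50122 ssh2
Feb 13 23:59:40 home sshd[4120]: Failed password for john from 198.51.100.9 port 51000 ssh2
Feb 13 23:59:52 home sshd[4122]: Failed password for john from 198.51.100.9 port 51004 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in sorted(find_offenders(SAMPLE_LOG).items()):
        print("%s crossed the threshold at %s" % (ip, when.time()))
        for action in ban_actions(ip):
            print("    " + action)
```

With the default threshold of 5 failures in 10 minutes only 203.0.113.7 is reported, at the fifth message (23:58:12); the user who mistyped a password twice from 198.51.100.9 is left alone. The threshold and window are the knobs that trade false bans against reaction time, and the reason a second way in (as John Hinton noted) matters: an administrator's own typos can cross the same line.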