41 Comments
- znxster, on 10/12/2007, -0/+6 How about switching to pkey authentication only and removing password auth? Or employ iptables with COUNT.. both of which don't require any extra monitoring/scripting?
http://www.abdn.ac.uk/~fac075/?howto+ssh - pkey
http://www.linux-noob.com/forums/index.php?showtopic=1829 - count
- solmssen, on 10/12/2007, -0/+1 I was getting 2-3 brute force attacks a week, and I was all about e-mailing back to the origin and telling them they had probably been rooted, etc. Then I got wise and changed my incoming port. No more brute force attacks - not one since I moved it. Maybe it's security through obscurity, but it worked.
- zydeco, on 10/12/2007, -0/+1 fail2ban is a Debian package that works seamlessly with a single apt-get. It's been working great for me.
- swilly, on 10/12/2007, -0/+1 I just limit ssh connections to 1 every few seconds with pf's max-src-conn-rate feature.
- bani, on 10/12/2007, -0/+1 pam_abl is a much better solution and works for any service (that uses pam), not just ssh.
The best part is that it doesn't bloat up your firewall with blocking rules.
http://www.hexten.net/pam_abl/
- pjprior, on 10/12/2007, -0/+1 I just switched my ssh daemon to listen on a different port instead of 22. No more attacks :)
- crythias, on 10/12/2007, -0/+1 And don't allow root, webadmin, pgsql, mysql, pop, nobody, www, games, operator, sshd, bin, daemon, smmsp, mailman, mailnull to have ssh access. Sorry, but root SSH is not necessary.
- krux, on 10/12/2007, -0/+1 Good way to DOS yourself. Use rate limiting with iptables to limit the number of connection attempts per minute.
- NetCaptive, on 02/18/2009, -0/+1 BFD is better and will monitor FTP, Mail, Apache and anything else you want to write a rule for.
http://www.rfxnetworks.com/bfd.php
- syberghost, on 10/12/2007, -0/+1 Not only is this a dupe story, but it's the exact same title:
http://digg.com/security/Preventing_SSH_Dictionary_Attacks_With_DenyHosts
Hover over the "diggs" counter; you'll see the same title with _2. Dupe!
- el_taco, on 10/12/2007, -0/+1 There's a great script called BruteForceBlocker for OpenBSD and FreeBSD, not sure about others: http://danger.rulez.sk/projects/bruteforceblocker/
Automatically adds to block list. Highly customizable. Also any hosts that are added to your block list are uploaded to a remote list which by default also downloads to your machine.
- Nilsneo, on 10/12/2007, -0/+0 I use it and it works like a charm.
- anothermortal, on 10/12/2007, -0/+0 I used tcpwrappers to explicitly allow specific hosts, and then a "deny all" rule for other hosts. Works just as well and didn't require me to install extra software on my OS X servers. Especially useful to limit SSH on servers for LAN and WAN traffic... though one could argue VPN first to the network, then SSH... but to each their own.
- phoenixdig, on 10/12/2007, -0/+0 Just checked my logs and I am getting regular attacks. Might look into this, thanks.
- as2006, on 10/12/2007, -1/+1 This is a simple Perl script I made to defend against brute force attacks.
http://securelabs.be/slog/
Please give feedback :)
- portwojc, on 10/12/2007, -0/+0 Better to mount a proactive defense first and then a reactive one behind it.
Ban all country IP blocks that you can stand to block to SSH. Then do the auto blocking for the rest that slip by. No reason to do extra work if not needed.
- webdwarf, on 10/12/2007, -0/+0 I had this happen recently, it was interesting to watch the auth.log.. I manually blocked the IP when it got boring, so this, or the methods mentioned by znxster, would be good for when I'm not watching the log files (always).
- BitwiseMcgee, on 10/12/2007, -0/+0 Does this support whitelists?
Or can any old spoofed IP be blocked (i.e. will this thing block my gateway if someone is clever enough to spoof its address?)
- LogicalMind, on 10/12/2007, -0/+0 Static "allow" rules do not work for me. The reason is because I don't know what my IP address will be when I want to connect to my machine. It may be at a friend's house, work, school, etc. What I chose to do was use the "recent" module with iptables: http://www.stearns.org/doc/adaptive-firewalls.current.html
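An added example (not DenyHosts' own code, nor anything posted in this thread) of the log-scanning approach the commenters are comparing, including the whitelist BitwiseMcgee asks about: it counts failed sshd password attempts per source address in constructed auth.log lines, skips addresses inside whitelisted networks (the 192.168.1.0/24 default, the threshold of 3, and the sample lines are all assumptions), and renders the rest as tcp_wrappers hosts.deny entries.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log lines (assumption: syslog-style sshd output; not taken from the page).
SAMPLE_AUTH_LOG = """\
Oct 12 01:02:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Oct 12 01:02:05 host sshd[1234]: Failed password for invalid user oracle from 203.0.113.5 port 40123 ssh2
Oct 12 01:02:07 host sshd[1235]: Failed password for root from 203.0.113.5 port 40124 ssh2
Oct 12 01:03:00 host sshd[1240]: Failed password for alice from 192.168.1.1 port 50000 ssh2
Oct 12 01:03:02 host sshd[1240]: Failed password for alice from 192.168.1.1 port 50000 ssh2
Oct 12 01:03:04 host sshd[1240]: Failed password for alice from 192.168.1.1 port 50000 ssh2
Oct 12 01:04:00 host sshd[1250]: Accepted publickey for bob from 198.51.100.7 port 51000 ssh2
Oct 12 01:04:30 host sshd[1251]: Failed password for bob from 198.51.100.7 port 51001 ssh2
"""

# Matches sshd's "Failed password" line for both known and "invalid user" names.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def count_failures(lines):
    """Return a Counter of failed password attempts keyed by source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def is_whitelisted(ip, networks):
    """True if ip lies inside a whitelisted network; unparseable sources are never whitelisted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)

def offenders(lines, threshold=3, whitelist=("192.168.1.0/24",)):
    """Sorted source addresses with at least `threshold` failures, minus whitelisted networks."""
    networks = [ipaddress.ip_network(w) for w in whitelist]
    counts = count_failures(lines)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and not is_whitelisted(ip, networks))

def hosts_deny_lines(ips):
    """Render offenders as /etc/hosts.deny entries for sshd (tcp_wrappers syntax)."""
    return [f"sshd: {ip}" for ip in ips]
```

Run over the sample, `hosts_deny_lines(offenders(SAMPLE_AUTH_LOG.splitlines()))` yields only `sshd: 203.0.113.5`: the LAN address is whitelisted and the single failure from 198.51.100.7 stays below the threshold.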
- sjsoko, on 10/12/2007, -0/+0 As an alternative I use swatch in combination with iptables to do this.
- randallb, on 10/12/2007, -0/+0 There are packages for denyhosts and fail2ban in Debian unstable. I used dpkg -i to install the unstable version of fail2ban on my sarge machine. Couldn't be simpler. Fail2ban does require python though.
- hourigan, on 10/12/2007, -0/+0 Why not just use certificates instead of passwords? It's much more secure.
- inactive, on 10/12/2007, -0/+0 Sure, apply proactive responses, but it still isn't enough to assume attacks won't come from your own country.
COUNT in iptables isn't a silver bullet either; how do you discriminate with it?
pkey isn't any good if you need to log in from anywhere; we don't all carry a USB key with us nor want to.
This app fits a real need since ssh brute force attempts have gone through the roof in the last 2 years.
You can tune this app to do more than ssh. Easily.
- FiZi, on 10/12/2007, -0/+0 Thanks for the guide! I just deployed it on my box.
- nukey, on 10/12/2007, -0/+0 I'm not running a DNS server at home so I have sshd running on port 53. For 2 reasons: to avoid those attacks and to get to my machine from locked down environments.
I don't want to allow just 1 IP address or block a ***** of IP addresses, I always want to connect to my machine, any place, any time.
- highmighty, on 10/12/2007, -0/+0 Is there a Windows implementation of this script/tool?
- tj_walker_dvt, on 10/12/2007, -0/+0 Thanks all. Good data. I am getting tired of constantly putting IP addresses in the /etc/hosts.deny file. The Zebra router does a crappy job of filtering so I have had to resort to the hosts.deny. I own a small web hosting company and I really do not want to alter from standards as much as possible. I will also look at what others have commented about here as far as other scripts/apps.
-TJ
- mkultra, on 10/12/2007, -0/+0 http://la-samhna.de/library/brutessh.html#4
The tcp_wrappers option requires no log scanning and no iptables, just writes to hosts.allow. Lowest solution on system resources I've found.
- martinus, on 10/12/2007, -0/+0 In /etc/hosts.deny I have:
ALL: ALL
and /etc/hosts.allow contains all hosts that should be able to access my computer. That's much simpler and more secure than DenyHosts, but obviously only works when you know the other hosts in advance.
- bani, on 10/12/2007, -0/+0 cablemonkey: wrong. You can't have this work by spoofing the router or gateway. In order to have a successful password attempt you need an end to end connection. You can't do that via IP spoofing (mainly because TCP spoofing simply doesn't work these days).
So there is no risk of DOS attack and nothing to worry at all about. QED
- cablemonkey, on 10/12/2007, -0/+0 I think krux and a few others touched on the real implications of someone throwing some real kung fu at boxes running this package. A couple bad passwds while spoofing the router or the gateway and you've given yourself a fine little DOS attack. May take you 5 minutes to undo or longer if you've forgotten what you did, but I'd sure not put this in a production environment. Maybe go for it at home, but not in a farm or corp environment. Some simple table runs, and maybe some home brew IDS-fu, and you should be protected long enough to notice something hinky going on and throw 'em a well calculated shunt.
Otherwise ensure stronger passwds besides "love", "sex", "god", and "password". =P
- bbqribs, on 10/12/2007, -0/+0 Seems like a lot of trouble to go to when you can just change the port and use:
AllowUsers you@1.2.3.4
That will deny everyone except you at your IP.
----
True, but if you're an ISP that offers shell access to users (hey, many of them want it these days) then that is a huge pain in the ass.
- Toallpointswest, on 10/12/2007, -0/+0 Just got this going on my box and the attacks are already coming down, absolute Digg! Great tool!
- pilotmike, on 10/12/2007, -0/+0 I came home to my Mac mini at around 1AM and wondered why the lights on the switch were flashing. netstat -a showed the SSH session. I was going to bed anyway so I shut down.
Checking the auth log showed that the maroon had been trying for hours. He never came back.
I suppose the script goes to the next potential victim if you stop responding, so any of these solutions will work.
I just wish there was a way to block them further upstream so they stop using my bandwidth.
- shafnitz, on 10/12/2007, -0/+0 Awesome. This is why I digg... Thanks for the info!
- antdude, on 10/12/2007, -0/+0 Great product. I have been using it for months. :) I get hit almost daily.
- foodbar, on 10/12/2007, -1/+0 Bah, I wrote one myself. And it's running on two real servers, not on a home cable box.
- wushujim, on 10/12/2007, -1/+0 How about just making your password not something stupid like "password"? These brute force attacks mainly attack just dictionary phrases or commonly used passwords. For a project we once modified OpenSSH to log the passwords and we found out that the brute force attacks were pretty weak. There is no need to really block ranges of IPs since any computer can really attack you.
- odysseus, on 10/12/2007, -1/+0 Seems like a lot of trouble to go to when you can just change the port and use:
AllowUsers you@1.2.3.4
That will deny everyone except you at your IP.
- pcgeek101, on 10/12/2007, -1/+0 Easy ... don't use passwords with plaintext words in them. Substitute numbers and special characters to make it more complex. There's no excuse for someone to not do this these days. I've done some recent penetration-testing, and it's been rather embarrassing how quickly I've been able to obtain someone's password. -_-
- inactive, on 10/12/2007, -2/+0 I've been looking for this! I am so tired of manually adding addresses to my list every day...
http://www.gfx.com