
SUMMARY: sshd password-guessing attacks



A number of answers came in, for which many thanks.

The most common solution is to run sshd on a non-standard port.  As Martin
Maney noted, 'this offers no protection if someone is actually targeting
you and "notices" the odd port(s), but against dumb, scripted shotgun
attacks this should be highly effective'.

Another, less-common solution is to use "port-knocking", where you have to make a connection to another port (or ports) before trying sshd. The first attempt produces no visible results, but your access to port 22 is opened up as a result of this. A knock daemon, which I believe to be Franky's, is documented at http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki; Jeffrey points to another implementation at http://www.soloport.com/iptables.html.

Many recommend disabling password-based authentication entirely, forcing
the use of RSA/DSA keys instead.

Bjorn Tore Sund has an elegant solution using the "recent" module in
iptables.  This module does appear to be in my kernel (2.4.29), so I'm in
the process of recompiling and, if this works, I will post code fragments
after testing.

Some use tcp_wrappers, others block netblocks that correspond to countries
full of script kiddies, but those don't meet my requirements (still
open to everyone, but less vulnerable to guessing attempts).

Mike Brodbelt recommends using the sshd configuration option "MaxStartups",
although this won't allow me to limit by connecting host, only the total
number of unauthenticated connections.  This seems to me to make it quite
easy for someone else to DoS me by SYN flooding, and individual password
guessers seem to be more serial than parallel, so it probably won't
stop them.  Lance Levsen suggests an iptables "limit"-based solution which
seems to have the same drawbacks.

Mike (and others) also recommends one-time passwords, which is an
extremely good idea that I'm too lazy to implement (and one I don't think
some of my users are quite ready for).

On a tangent, I'm still looking for an open-source version of the RSA SecurID tokens; an implementation which allows me access to all the code which verifies the token, so I can plug it in how I like. No one has heard of any such, have they?

Greg Dick has a small daemon that adjusts iptables rules in real-time,
based on grepping denies from the relevant logfile.

I'm really pleased by the number of responses. Firstly, I no longer feel like I'm the only person worrying about this (although I see I was a complete fool to think I was!). Secondly, different people are trying a lot of imaginative and elegant solutions, and heterogeneous approaches are usually good for security. Some really interesting ideas, things I'd never have thought of, like port-knocking, have emerged as a result of this query. Thanks to all of you!

Specifically, many thanks to Franky Liedeke (I'm guessing the last name. I
hope it's right), Mike Kercher, Wayne E Goodrich, Will H. Backman, David
Boutcher, Mike Brodbelt, Greg Dick, Jeffrey L. Taylor, Martin Maney,
Lance Levsen, Cary Penniman, Clif Smith, and especially to Bjorn Tore
Sund, who did a fair amount of digging around for version numbers for me.


--

  Tom Yates
  Cambridge, UK.
_______________________________________________
LinuxManagers mailing list - http://www.linuxmanagers.org
submissions: LinuxManagers@xxxxxxxxxxxxxxxxx
subscribe/unsubscribe: http://www.linuxmanagers.org/mailman/listinfo/linuxmanagers
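As an added example (not code from the thread or from any of the people named in it), the following POSIX shell script puts two of the approaches summarised above side by side: a per-source throttle on new SSH connections with the iptables "recent" match, in the spirit of Bjorn Tore Sund's suggestion, and a log-driven blocker in the spirit of Greg Dick's daemon. The chain name SSH_THROTTLE, the recent-list name "ssh", the thresholds, the addresses (RFC 5737 documentation ranges) and the sample log lines are all constructed for this example. By default it only prints the iptables commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example, not the list members' code. Thresholds, addresses and log
# lines below are constructed for the demo.

# Dry run by default: print the iptables commands instead of executing them.
IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"
HITS="${HITS:-4}"        # new connections a single source may open ...
WINDOW="${WINDOW:-60}"   # ... within this many seconds before being dropped

# Per-source throttle. "-m limit" counts every NEW SSH connection in one
# global bucket, so one flooder exhausts the budget for everybody (the
# drawback raised in the post). "-m recent" keeps a list keyed on the source
# address, so only the noisy host is affected. --update, rather than
# --rcheck, refreshes the timestamp on every dropped attempt, so a guesser
# who keeps hammering stays blocked until it has been quiet for WINDOW secs.
ssh_ratelimit_rules() {
    $IPT -N SSH_THROTTLE
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSH_THROTTLE
    $IPT -A SSH_THROTTLE -m recent --name ssh --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    $IPT -A SSH_THROTTLE -m recent --name ssh --set -j ACCEPT
}

# Constructed sshd log sample (syslog format). One host makes 4 guesses,
# one makes 5, and a legitimate user mistypes once before a key login.
SAMPLE_LOG='Apr  3 02:11:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr  3 02:11:03 host sshd[4013]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2
Apr  3 02:11:05 host sshd[4015]: Failed password for root from 203.0.113.5 port 40126 ssh2
Apr  3 02:11:08 host sshd[4017]: Failed password for invalid user oracle from 203.0.113.5 port 40128 ssh2
Apr  3 02:12:40 host sshd[4020]: Failed password for tom from 198.51.100.7 port 51000 ssh2
Apr  3 02:12:44 host sshd[4022]: Accepted publickey for tom from 198.51.100.7 port 51002 ssh2
Apr  3 02:13:10 host sshd[4030]: Failed password for invalid user guest from 192.0.2.99 port 2200 ssh2
Apr  3 02:13:12 host sshd[4031]: Failed password for invalid user guest from 192.0.2.99 port 2201 ssh2
Apr  3 02:13:14 host sshd[4032]: Failed password for invalid user guest from 192.0.2.99 port 2203 ssh2
Apr  3 02:13:16 host sshd[4033]: Failed password for invalid user guest from 192.0.2.99 port 2204 ssh2
Apr  3 02:13:18 host sshd[4034]: Failed password for invalid user guest from 192.0.2.99 port 2205 ssh2'

# Read log text on stdin; print, sorted, every source address with at least
# $1 (default 3) "Failed password" lines. The user name in these lines is
# attacker-chosen, so the address is taken from the token between the last
# "from" and "port" and must look like a dotted quad before it is used.
failed_password_offenders() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            addr = ""
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i + 2) == "port") addr = $(i + 1)
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[addr]++
        }
        END { for (a in n) if (n[a] >= t) print a }
    ' | sort
}

# Emit (or, with IPT=iptables, apply) one DROP rule per offender. Rules are
# inserted at the top of INPUT so they win over any later ACCEPT.
block_offenders() {
    failed_password_offenders "$@" | while read -r addr; do
        $IPT -I INPUT -s "$addr" -p tcp --dport "$SSH_PORT" -j DROP
    done
}

# Typical use: install the throttle once, then feed the blocker from the log.
#   ssh_ratelimit_rules
#   tail -n 1000 /var/log/auth.log | block_offenders 4
```

Run against the constructed sample with a threshold of 4, the blocker names 192.0.2.99 and 203.0.113.5 and leaves 198.51.100.7 alone; the legitimate user's single failure never reaches the threshold. A real deployment would also need to expire the DROP rules (for instance by placing them in their own chain that a cron job flushes) so that a dynamic address is not blocked forever.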
