[aklug] Re: Increase in ssh attempts

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Sun Jul 25 2010 - 17:49:34 AKDT

On Sun, 25 Jul 2010, adam bultman wrote:

> Yes. I've also found that some script kiddies are now scanning ahead of
> time to find servers with SSH running on off ports. I have SSH servers
> running on off ports, and those have been located and have been used to
> attempt to break into the system.
>
> I'm about to set up fail2ban on my public systems and decrease the
> filtering of my logwatch/email parser at work to include more info on
> the systems trying to get in, and the users they are trying to exploit.

I have hosts on several networks but the only one I've seen a notable spike
on is on the GCI network. I have my own auto-firewalling script whose
threshold is set to 20 failed logins per IP but these scans are distributed
enough to keep under those thresholds. I've had many hundreds of attempts
per day from 100+ hosts (mostly from China).

I do run ssh on the normal ports myself, and have seen little value in
security by obscurity. In a nutshell, everyone running a publicly exposed
host should be doing the following things:

   1) use TCP wrappers and/or firewall (if you can)
   2) disable root logins over ssh
   3) restrict ssh logins to accounts with a specific group membership
   4) run an autofirewalling script
   5) run a nightly report of failed login attempts

If you have to run a globally accessible SSH server you should do so on a
single box, a "bastion" host, and disable external access to ssh on all
other hosts.

My nightly report includes four sections: a summary (n login attempts by n
hosts), a list of # attempts by login, a list of # attempts by IP, and the
raw output of lastb. I also do remote syslogging of all auth.* events as
well.

For the extra paranoid you might want to have those authorized logins have
home directories on a mounted filesystem w/noexec,nosuid,nodev privileges.
And your /tmp should be similarly mounted, along with any other publicly
writable directory/filesystem.

         --Arthur Corliss
           Live Free or Die
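The nightly report described above (summary, attempts by login, attempts by IP) and the per-IP threshold check, as an added example that is not Arthur's own script. It assumes the standard OpenSSH "Failed password" syslog line format; the log lines below are constructed, and the threshold check shows how a distributed scan stays under a per-IP cutoff.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Jul 25 03:10:01 bastion sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jul 25 03:10:04 bastion sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Jul 25 03:11:17 bastion sshd[4023]: Failed password for root from 203.0.113.9 port 40022 ssh2
Jul 25 03:12:30 bastion sshd[4030]: Failed password for invalid user oracle from 203.0.113.10 port 40100 ssh2
Jul 25 03:12:45 bastion sshd[4031]: Failed password for root from 203.0.113.11 port 40101 ssh2
Jul 25 03:13:02 bastion sshd[4032]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
Jul 25 03:14:09 bastion sshd[4040]: Failed password for invalid user test from 198.51.100.7 port 51300 ssh2
"""

# Matches OpenSSH's failed-password message; "invalid user" is present for unknown accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(log_text):
    """Return a list of (user, ip) tuples, one per failed password attempt."""
    return [(m.group("user"), m.group("ip"))
            for m in map(FAILED_RE.search, log_text.splitlines()) if m]

def build_report(log_text):
    """Summary, attempts by login and attempts by IP, as in the nightly report."""
    failures = parse_failures(log_text)
    return {
        "total": len(failures),
        "hosts": len({ip for _, ip in failures}),
        "by_login": Counter(user for user, _ in failures),
        "by_ip": Counter(ip for _, ip in failures),
    }

def ips_over_threshold(log_text, threshold=20):
    """IPs an auto-firewalling script with a per-IP threshold would block."""
    return sorted(ip for ip, n in build_report(log_text)["by_ip"].items() if n >= threshold)

def format_report(log_text, threshold=20):
    """Render the report as text; a distributed scan leaves the blocked list empty."""
    r = build_report(log_text)
    lines = [f"{r['total']} failed login attempts by {r['hosts']} hosts", "", "Attempts by login:"]
    lines += [f"  {n:5d}  {user}" for user, n in r["by_login"].most_common()]
    lines += ["", "Attempts by IP:"]
    lines += [f"  {n:5d}  {ip}" for ip, n in r["by_ip"].most_common()]
    blocked = ips_over_threshold(log_text, threshold)
    lines += ["", f"IPs at/over per-IP threshold ({threshold}): {blocked or 'none'}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(SAMPLE_LOG))
```

Feed it the day's auth.* log (local or from the remote syslog host) instead of SAMPLE_LOG to get the nightly summary; lastb output would be appended separately.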
Received on Sun Jul 25 17:49:42 2010

This archive was generated by hypermail 2.1.8 : Sun Jul 25 2010 - 17:49:42 AKDT