Security Incidents mailing list archives
Re: Internet SSH scans
From: Jose Lima <d3javu1978 () yahoo com>
Date: Thu, 9 Nov 2006 00:40:48 -0800 (PST)
While changing ports is an easy way to avoid SSH attacks, from a management perspective it's not practical in environments with 500+ users.

We have managed to keep the scans to a minimum using a combination of DenyHosts and iptables. By throttling NEW connections to 4/minute with iptables it takes the dictionary attack 15 minutes to do what it normally does in less than 1 minute. By that time, the attacker has already been placed in our /etc/hosts.deny file by DenyHosts for 45 days. We also have emails sent from DenyHosts to our help desk where they are monitored in case (unlikely) an end user accidentally puts in the wrong user name 20 times in a row. Since we only apply our iptables rule to NEW connections, established connections are not affected at all.

I have to agree with the password policy. I suggest enforcing password aging and pam_cracklib to ensure your local users choose strong passwords. Not too strong or they'll end up on a sticky note on their monitors :), use good judgment on that one.

BR,
J

Jamie Riden wrote:
[sorry, I managed to cc this to bugtraq rather than incidents first time around]

On 03/03/06, Alexandre H <alexandre.hamelin () gmail com> wrote:
> Hi,
> I've witnessed what I think is an increase in SSH scans over the Internet in the past four or five weeks. The scan seems to originate from various countries around the globe, which makes me think it is a worm-like spreading virus searching for vulnerable systems running the SSH service. I confirmed the attack with a friend of mine who also happens to run an SSH server at home. We both live in Montreal, QC, Canada and are using the same ISP.

I think I've been seeing scans for a year or two now, but the password guessing seemed to be fairly plentiful for the whole of last year. I saw a couple of boxes compromised through 'temporary' accounts like upload/upload which had escaped the admin's notice.

My suggested mitigation is to move SSH to an alternate port, possibly go to key pair authentication rather than password, restrict what IP addresses are allowed to connect to sshd as far as possible, and/or use crack/john to ensure that people don't set dumb passwords.

cheers,
Jamie

(In case anyone is interested in the gory details - one compromised box had some privilege escalation exploits uploaded, someone tried to use it for sending ebay phishing emails, and then started it scanning for other weak ssh passwords as well - http://www.infosecwriters.com/texts.php?op=display&id=402 )
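Jose's description of throttling NEW SSH connections to 4/minute while leaving established sessions untouched, and of the DenyHosts ban landing before a dictionary run finishes, can be checked with a small model. This is an added example, not code from either poster, from DenyHosts or from iptables. It assumes the rule set shown in the comment (the iptables `limit` match with a burst of 4; the match's own default burst is 5), a guesser that opens one new connection per second and retries dropped ones, and a ban after 20 failed logins, which is an assumed DenyHosts threshold rather than anything stated in the thread. Timing is done with exact fractions so the results are not subject to floating-point drift.

```python
# Added example (not from the original posts): a model of NEW SSH connections
# limited with the iptables `limit` match, ESTABLISHED traffic exempt, and of
# when a DenyHosts-style ban would land. The rule set modelled (assumed form):
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
#            -m limit --limit 4/minute --limit-burst 4 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
from fractions import Fraction


class TokenBucket:
    """The `limit` match is a token bucket: `burst` tokens of capacity, refilled
    at `rate_per_minute`. A packet matches only if a whole token is available."""

    def __init__(self, rate_per_minute, burst):
        self.rate = Fraction(rate_per_minute, 60)   # tokens per second, exact
        self.burst = Fraction(burst)
        self.tokens = self.burst                     # bucket starts full
        self.last_t = Fraction(0)

    def allow(self, t):
        t = Fraction(t)
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_ssh(events, rate_per_minute=4, burst=4):
    """Run (t_seconds, ctstate) events through the rule set. Only NEW
    connections consume tokens; ESTABLISHED packets hit the earlier ACCEPT."""
    bucket = TokenBucket(rate_per_minute, burst)
    verdicts = []
    for t, state in events:
        accepted = bucket.allow(t) if state == "NEW" else True
        verdicts.append((t, state, accepted))
    return verdicts


def seconds_until_n_accepted(n, rate_per_minute=4, burst=4, interval_s=1):
    """A guesser that opens a NEW connection every interval_s seconds and
    retries dropped ones: seconds until its n-th connection is let through."""
    bucket = TokenBucket(rate_per_minute, burst)
    accepted, t = 0, 0
    while True:
        if bucket.allow(t):
            accepted += 1
            if accepted == n:
                return t
        t += interval_s


def ban_vs_dictionary(n_guesses=60, ban_threshold=20, rate_per_minute=4, burst=4):
    """When a ban after ban_threshold failed logins (assumed DenyHosts setting)
    lands, versus when an n_guesses-word dictionary run would finish."""
    ban_at = seconds_until_n_accepted(ban_threshold, rate_per_minute, burst)
    done_at = seconds_until_n_accepted(n_guesses, rate_per_minute, burst)
    return {"ban_at_s": ban_at, "finish_at_s": done_at, "banned_first": ban_at < done_at}


if __name__ == "__main__":
    # Constructed scenario: 60 guesses at one per second.
    print("unthrottled, 60 guesses:", seconds_until_n_accepted(60, 60, 60), "s")
    print("4/min burst 4, 60 guesses:", seconds_until_n_accepted(60), "s")
    print(ban_vs_dictionary())
```

With these assumptions the 60-guess run that would take 59 seconds unthrottled takes 840 seconds (4 guesses pass at once, then one every 15 seconds), which is the order of magnitude Jose reports; the 20th failure, and with it the DenyHosts entry in /etc/hosts.deny, arrives at 240 seconds, well before the run completes. `filter_ssh` also shows the edge case he calls out: once the bucket is empty, a packet tagged ESTABLISHED is still accepted because it never reaches the limit rule. What happens after the ban (TCP wrappers refusing the host) is outside the model.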