[nycbug-talk] Analyzing malicious SSH login attempts

Jeff Quast af.dingo at gmail.com
Tue Sep 12 13:46:20 EDT 2006


On 9/12/06, csnyder <chsnyder at gmail.com> wrote:
> >
> > I am also curious.. where do we draw the line and just *trust* our OS?
> >

As if password brute forcing is anything new....

Well, OpenSSH is written by an OS project that can be trusted. This is
not an issue of trusting an OS anyway, it is an issue of trusting that
the legitimate accounts on your machine use strong passwords. This is
usually enforced with passwd, and can be monitored with john the ripper
if you have a large and dynamic environment.

If it takes 2 hours for a modern machine to crack a password, it would
take 3 years for a remote attacker to brute both login and password
over the network. It can be scripted and cron'd to disable and mail
somebody when an account has been disabled due to weak passwords.

> I really wish the OpenSSH developers would address this issue in the
> server itself, by giving admins a lockout setting. I see absolutely no
> reason why hundreds of failed login attempts from the same IP address
> should be permitted as if it was standard procedure.

OpenSSH developers are not responsible for making sure you use strong
passwords and a secure OS or a good firewall. If OpenSSH kept adding
features and knobs the community wants to see on it, it wouldn't be
secure and simple anymore, much less portable.

There is a trivial solution for blocking hosts that connect too many
times, http://www.openbsd.org/faq/pf/filter.html#stateopts

Hasn't made it to FreeBSD yet, of course:
http://lists.freebsd.org/pipermail/freebsd-pf/2005-August/001409.html

As you see in most of the examples from a Google search of
'max-src-conn-rate overload', it works for more than just ssh brute
forcing. Works great to block wget, nmap, web bots, spammers, etc.

> Anyway, I use a php script that scans the log for multiple failed
> logins from a single IP, then sets a temporary firewall rule blocking
> access from that address.

I think parsing logs and injecting rules is just plain ridiculous.
Especially using 3rd party languages not native to your OS. It's just
more custom stuff to re-implement on the next OS rebuild.

Searching archives you will find simple shell scripts that can dump
the pf table of blocked IPs and save to disk to be reloaded later.
I've never bothered, as you only need to block them for a few hours
until they've given up for eternity.

This whole discussion has been beaten to death for years. pf is the
solution. If you don't have pf, then don't use passwords. Use ssh keys.
A little knowledge of ssh-agent can make using ssh keys more
convenient and secure than using passwords.

I just felt the need to reply to the line that this is OpenSSH's
responsibility to deal with. It made me mad. They do a great job
dealing with this issue in the place it is meant to be dealt with.

Password authentication should only be used once to add your public
key to authorized_keys file anyway. I don't even know most of the
passwords for my SSH accounts :0, they are too hard to remember, much
less guess.

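The pf stateful-tracking setup the post refers to, written out as an added pf.conf fragment (it is not from the post or from the linked OpenBSD FAQ page; the interface name `em0`, the `$ext_if` macro and the table name `bruteforce` are assumptions):

```pf
# Added example: rate-limit SSH connection attempts with pf's stateful
# tracking. Assumes em0 is the external interface and a table <bruteforce>.
ext_if = "em0"

# Persistent table of offending addresses; survives ruleset reloads.
table <bruteforce> persist

# Drop all traffic from addresses already in the table.
block in quick from <bruteforce>

# Allow SSH, but track each source host: more than 100 simultaneous
# connections, or more than 15 new connections within 5 seconds, adds the
# source address to <bruteforce> and kills all of its existing states.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# Housekeeping the post describes, run from cron (these are pfctl
# commands, not pf.conf lines):
#   pfctl -t bruteforce -T expire 86400                # drop entries older than a day
#   pfctl -t bruteforce -T show > /var/db/bruteforce   # dump the table to disk
#   pfctl -t bruteforce -T add -f /var/db/bruteforce   # reload it after a reboot
```

Load it with `pfctl -f /etc/pf.conf`; the same `max-src-conn-rate`/`overload` pattern applies to any other TCP service, which is the point the post makes about web bots and spammers.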