
Thread: Choosing Secure Passwords / SSH Brute-Force Attacks

  1. #1
    Former Employee Newbie
    Join Date
    Oct 2005
    Posts
    31

    Default Choosing Secure Passwords / SSH Brute-Force Attacks

    It is highly important to choose secure passwords. With the number of automated brute force SSH attacks now happening it's easy for a VPS to become compromised if a weak root password is used.

    Here's what /var/log/secure would look like for a successful root brute force attack:

    Code:
    Jan  9 07:35:36 server sshd[23586]: Did not receive identification string from 62.193.234.47
    Jan  9 07:35:36 server sshd[24512]: Did not receive identification string from 62.193.234.47
    Jan 15 02:37:26 server sshd[14101]: Did not receive identification string from 62.193.234.47
    Jan 15 02:37:26 server sshd[14099]: Did not receive identification string from 62.193.234.47
    Jan 15 02:37:28 server sshd[15328]: Did not receive identification string from 62.193.234.47
    Jan 15 02:37:29 server sshd[16354]: Did not receive identification string from 62.193.234.47
    Jan 15 02:37:29 server sshd[16803]: Did not receive identification string from 62.193.234.47
    Jan 15 02:37:54 server sshd[31106]: Did not receive identification string from 62.193.234.47
    Jan 15 02:37:54 server sshd[31137]: Did not receive identification string from 62.193.234.47
    Jan 15 02:49:01 server sshd[15907]: Failed password for root from 62.193.234.47 port 53670 ssh2
    Jan 15 02:49:01 server sshd[15840]: Failed password for root from 62.193.234.47 port 52992 ssh2
    Jan 15 02:49:05 server sshd[22753]: Failed password for root from 62.193.234.47 port 53943 ssh2
    Jan 15 02:49:05 server sshd[22944]: Failed password for root from 62.193.234.47 port 53279 ssh2
    
    -- snip --
    
    Jan 15 03:43:40 server sshd[26433]: Failed password for root from 62.193.234.47 port 51410 ssh2
    Jan 15 03:43:41 server sshd[27011]: Failed password for root from 62.193.234.47 port 49405 ssh2
    Jan 15 03:43:44 server sshd[29597]: Failed password for root from 62.193.234.47 port 51649 ssh2
    Jan 15 03:43:44 server sshd[29953]: Failed password for root from 62.193.234.47 port 49650 ssh2
    Jan 15 03:43:45 server sshd[31843]: Accepted password for root from 62.193.234.47 port 51890 ssh2
    Jan 15 03:43:48 server sshd[32172]: Failed password for root from 62.193.234.47 port 49897 ssh2
    Jan 15 03:43:50 server sshd[3780]: Accepted password for root from 62.193.234.47 port 50136 ssh2
    Jan 15 03:43:56 server sshd[7585]: Failed password for root from 62.193.234.47 port 52408 ssh2
    Jan 15 03:44:00 server sshd[10144]: Failed password for root from 62.193.234.47 port 52648 ssh2
    Jan 15 03:44:00 server sshd[10561]: Failed password for root from 62.193.234.47 port 50631 ssh2
    Jan 15 03:44:04 server sshd[14144]: Failed password for root from 62.193.234.47 port 52882 ssh2
    
    -- snip --
    
    Jan 15 03:59:57 server sshd[8737]: Failed password for root from 62.193.234.47 port 39952 ssh2
    Jan 15 04:00:01 server sshd[11232]: Failed password for root from 62.193.234.47 port 40502 ssh2
    Jan 15 04:00:01 server sshd[12039]: Failed password for root from 62.193.234.47 port 40192 ssh2
    Jan 15 04:00:12 server sshd[25156]: Failed password for root from 62.193.234.47 port 40784 ssh2
    Jan 15 04:00:14 server sshd[25921]: Failed password for root from 62.193.234.47 port 40434 ssh2

    You will notice that the first few entries contain "Did not receive identification string". This could be caused by scanning to determine if port 22 is open.

    Once it noticed that the port was open it started attempting root password logins. It took about an hour and 5 minutes of scanning to guess the password, which was 'winter'.

    In the log file there were a total of 2155 entries from the host that was performing the scanning.

    Spry recommends that you do not use a root password that is contained in a dictionary, spelling list, foreign language, etc. We recommend that you choose a password containing both upper and lower case characters and also digits and special characters such as !@#$%^&*()_+-=:;'"[]{}. Spry also recommends that you change your root password after initial signup, as the root password is transmitted to you via email.

  2. #2
    Junior Member Newbie
    Join Date
    Oct 2005
    Posts
    6

    Default

    I recommend a great password generator - KeePass

    It has the ability to generate, store, autotype and much more. You can generate and store a 128-bit password in just seconds.

    I use it for all my passwords.

  3. #3
    Junior Member Newbie
    Join Date
    Oct 2005
    Posts
    14

    Default

    Really you should disable root login by ssh (then su once logged in) so whoever breaks in would have to guess a user password first, thus slowing them down.

  4. #4
    Junior Member Newbie
    Join Date
    Feb 2006
    Posts
    1

    Default

    Yep - also suggest running sshd on a different port. Everyone and their dog knows that it's running on 22. Obviously won't stop the determined hacker who will attempt every port, but it's always useful to not make yourself the easiest target to every hack-bot out there targeting port 22.

    Check http://www.iana.org/assignments/port-numbers, then pick an unused port, e.g. 1895, to run it on.

  5. #5
    Former Employee Newbie
    Join Date
    Oct 2005
    Posts
    31

    Default

    This is a great suggestion. It can really help out with the automated scans. We actually have a forum post about doing this as well at Change the SSH port which talks about how to change your port if you are using sshd through xinetd or as a standalone daemon.

    Quote Originally Posted by Mr Piccyfix
    Yep - also suggest running sshd on a different port. Everyone and their dog knows that it's running on 22. Obviously won't stop the determined hacker who will attempt every port, but it's always useful to not make yourself the easiest target to every hack-bot out there targeting port 22.

    Check http://www.iana.org/assignments/port-numbers, then pick an unused port, e.g. 1895, to run it on.

  6. #6
    Junior Member Newbie
    Join Date
    Mar 2006
    Posts
    9

    Default

    You can always install a script such as DaemonShield (http://daemonshield.sourceforge.net/).

    This program will evaluate your log file and locate entries such as:
    Jan 15 02:49:05 server sshd[22944]: Failed password for root from 62.193.234.47 port 53279 ssh2

    Based on the sshd and "Failed password", it can make an iptables rule to deny this IP addr for a specified period of time.

    Pretty cool little program... haven't really used it much, but should come in handy if you run into a situation where you are getting brute force attacked.

  7. #7
    Junior Member Newbie
    Join Date
    Mar 2006
    Location
    Bothell
    Posts
    2

    Default

    All we do is limit all shell access to our office IP and a few remote sites (Development Director's home, my home, etc.)

    Cuts right to the chase...

  8. #8
    Junior Member Newbie
    Join Date
    Feb 2007
    Posts
    1

    Lightbulb Brute force protection

    In addition to all already listed, I would recommend pam_abl as a good tool to protect ssh from brute force attacks. It is worth saying that pam_abl is included in Fedora Linux by default.

  9. #9
    Junior Member Newbie
    Join Date
    Apr 2007
    Posts
    23

    Default

    Along with DaemonShield there is also fail2ban. Virtually the same idea. It monitors your log files for key words/phrases and it uses iptables to block those IPs with log entries matching your key word/phrase.

    Google fail2ban. It'll be on sourceforge.

    I recently had a flurry of dictionary attacks so using fail2ban would have helped!
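The log pattern in the first post (probes, a long run of "Failed password for root" from one address, then "Accepted password") and the DaemonShield/fail2ban approach in posts #6 and #9 are both illustrated by the following Python example. It is added here and is not part of the thread, nor the code of either tool: `analyze` flags a successful login from a source that had already failed many times, and `ban_list` produces a fail2ban-style ban list from failures inside a sliding time window (the `maxretry`/`findtime` names are borrowed from fail2ban's vocabulary, the logic is this example's own). The sample lines are constructed to mimic the /var/log/secure format; the addresses come from the RFC 5737 documentation ranges and the timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the three sshd message types that appear in the thread's log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<msg>Did not receive identification string|Failed password|Accepted \w+)"
    r"(?: for (?:invalid user )?(?P<user>\S+))? from (?P<ip>[\d.]+)"
)

# Constructed sample: same layout as /var/log/secure, made-up addresses and times.
SAMPLE_LOG = """\
Jan 15 02:37:26 server sshd[14101]: Did not receive identification string from 192.0.2.10
Jan 15 02:49:01 server sshd[15907]: Failed password for root from 192.0.2.10 port 53670 ssh2
Jan 15 02:49:01 server sshd[15840]: Failed password for root from 192.0.2.10 port 52992 ssh2
Jan 15 02:49:05 server sshd[22753]: Failed password for root from 192.0.2.10 port 53943 ssh2
Jan 15 02:49:05 server sshd[22944]: Failed password for root from 192.0.2.10 port 53279 ssh2
Jan 15 02:49:09 server sshd[22950]: Failed password for root from 192.0.2.10 port 53300 ssh2
Jan 15 02:49:10 server sshd[22960]: Accepted password for root from 192.0.2.10 port 53310 ssh2
Jan 15 02:50:00 server sshd[23001]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Jan 15 02:50:05 server sshd[23002]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
"""


def parse_line(line):
    """Return (timestamp, message, user, ip) for an sshd line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for computing intervals within one log file.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["msg"], m["user"], m["ip"]


def analyze(log_text, success_after=5):
    """Per-IP counters, plus an alert whenever an 'Accepted' login follows
    at least `success_after` failed passwords from the same address."""
    stats = defaultdict(lambda: {"probes": 0, "failed": 0, "accepted": 0})
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, msg, user, ip = rec
        s = stats[ip]
        if msg.startswith("Did not receive"):
            s["probes"] += 1          # port probe / banner grab
        elif msg == "Failed password":
            s["failed"] += 1
        else:                         # "Accepted password", "Accepted publickey", ...
            s["accepted"] += 1
            if s["failed"] >= success_after:
                alerts.append({"ip": ip, "user": user,
                               "failed_before": s["failed"],
                               "at": ts.strftime("%b %d %H:%M:%S")})
    return dict(stats), alerts


def ban_list(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs that reached `maxretry` failed passwords inside any `findtime`
    window, with the time the threshold was crossed (a fail2ban-style rule)."""
    recent = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "Failed password":
            continue
        ts, _, _, ip = rec
        # keep only failures still inside the window, then add this one
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned[ip] = ts.strftime("%b %d %H:%M:%S")
    return banned


if __name__ == "__main__":
    stats, alerts = analyze(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, s)
    for a in alerts:
        print("ALERT: login as %(user)s from %(ip)s after %(failed_before)d failures at %(at)s" % a)
    print("ban:", ban_list(SAMPLE_LOG))
```

On the constructed sample the alert fires for 192.0.2.10 (five failures, then an accepted password login as root), and the ban list contains only that address, crossing the three-failure threshold at 02:49:05; the second address fails once and then logs in with a key, so neither rule touches it. A real deployment would read the file incrementally and expire bans, which is exactly what fail2ban adds on top of this counting logic.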

  10. #10
    Junior Member Newbie
    Join Date
    Dec 2006
    Location
    Seattle, WA
    Posts
    8

    Default

    SSH has a fantastic rate limiting feature built in. MaxStartups will let you slow and eventually deny connections after a number of limits you set. From the man page:

    MaxStartups
    Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

    Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).

    Personally, I use 3:50:8.

    ---

    Additionally, you can set up a file with a list of users who are allowed to log in via SSH to the exclusion of all others.

    Add the following to /etc/pam.d/sshd:
    auth required pam_listfile.so sense=allow item=user file=/etc/ssh_allowed onerr=fail

    And then add your allowed users to /etc/ssh_allowed

    ---

    Or, just limit logins to members of a group. In /etc/ssh/sshd_config, add the following:
    AllowGroup sshusers

    Of course, other good strategies have been listed above.
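To make the MaxStartups numbers in the post above concrete, here is an added Python model (not OpenSSH's own code) of the "start:rate:full" random early drop as sshd_config(5) describes it: no drops below `start`, a `rate` percent chance at `start`, a linear ramp to 100 percent at `full`. The validation rules (start must not exceed full, rate between 1 and 100, a single number meaning "refuse at that many") follow the documented semantics; the integer arithmetic is this example's choice.

```python
def parse_max_startups(value):
    """Parse a MaxStartups value into (start, rate, full).

    A plain number N is treated as N:100:N, i.e. refuse once N
    unauthenticated connections exist and never drop early.
    """
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("expected 'start:rate:full' or a single number")
    start, rate, full = (int(p) for p in parts)
    if start > full:
        raise ValueError("start must not exceed full")
    if not 1 <= rate <= 100:
        raise ValueError("rate must be a percentage between 1 and 100")
    return start, rate, full


def drop_probability(start, rate, full, unauth):
    """Percent chance a new connection is refused when `unauth`
    unauthenticated connections are already open."""
    if unauth < start:
        return 0
    if unauth >= full:
        return 100
    # linear ramp from rate% at `start` to 100% at `full` (integer math)
    return rate + (100 - rate) * (unauth - start) // (full - start)


def ramp_table(value):
    """List of (unauthenticated connections, drop percent) from 0 up to full."""
    start, rate, full = parse_max_startups(value)
    return [(n, drop_probability(start, rate, full, n)) for n in range(full + 1)]


if __name__ == "__main__":
    for setting in ("10:30:60", "3:50:8", "10"):
        print(setting, ramp_table(setting))
```

For the poster's 3:50:8 the table reads 0% for up to two pending connections, then 50, 60, 70, 80, 90 percent for three to seven, and 100% at eight; the man page's 10:30:60 example starts at 30% with ten pending and reaches 100% at sixty. Note that this limits concurrent unauthenticated connections, not attempts per minute, so a slow single-connection guesser is untouched by it; the per-address counting done by DaemonShield, fail2ban or pam_abl covers that case. One caveat on the group restriction in the post: the sshd_config keyword is spelled `AllowGroups` (plural), and sshd refuses to start on an unknown keyword, so run `sshd -t` to check the configuration before restarting the daemon.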
