Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 15:35 UTC (Wed) by kssingvo (subscriber, #38999)
Parent article: Brute-Force SSH Server Attacks Surge (InformationWeek)

Use fail2ban, or any other similar tool which can be found on the net, to avoid such an abuse of services.

Kind regards,
  Klaus Singvogel.


Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 15:51 UTC (Wed) by AJWM (subscriber, #15888)

That's a good idea, although I wonder if perhaps determined attackers aren't already using
botnets for this kind of thing to spread the attack-source IPs around.

(Fail2ban blocks the IP of repeated failed-password attempts.  The question is whether an
attacker would run out of IPs before running out of passwords to try - yet another argument
for strong passwords.)

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 16:20 UTC (Wed) by ssam (subscriber, #46587)

4 billion IP addresses; the biggest botnets are of the order of 1 million machines. The default on
DenyHosts is something like 10 fails per IP address.

There are 26^5 = 11 million 5-character lowercase passwords.

There are 26^7 = 8 billion 7-character lowercase passwords.

Ubuntu does not install an ssh server by default. Which consumer distros do?

Ubuntu also, by default, does not have a root user, so if you want to brute-force you have to
guess a username as well.

Crazy idea:
What if, once in 10 times, when an ssh login failed, the ssh server pretended that it had
succeeded, and gave a pretend shell that did nothing? Would that confuse the crackers?

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 16:37 UTC (Wed) by pr1268 (subscriber, #24648)

> What if, once in 10 times, when an ssh login failed, the ssh server pretended that it had succeeded, and gave a pretend shell that did nothing? Would that confuse the crackers?

What you describe sounds like a variation of a honeypot. Interesting concept, IMO, but I'm certain that whatever functionality is incorporated in this "pretend" shell would necessarily be a small subset of what a real shell could contain.

Taking your idea further, how about a completely "functional" pretend shell whose programs and commands are all faked as well... Sounds like a lot of work just to snoop on the bad guys, but a peculiarly interesting idea nevertheless...

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 18:28 UTC (Wed) by smoogen (subscriber, #97)

Yes, they have been doing this for a while. The latest set of attacks is using it more. I
have seen attacks where machine A goes for accounts "foo, foo1, foo2", then machine B does
"foo3, foo4, foo5", then machine C goes for "foo6, goo, goo1", and machine A tries again
(well, it's a lot bigger than that, but just logging in once and coming back an hour later is
enough to get past most public ssh servers' fail2ban systems). Add onto that that a lot of users
think Q1w2e3r4 is a good password, and they are sure to get some account on a university or big ISP
sometime.

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 15:55 UTC (Wed) by JoeF (guest, #4486)

Or write your own little script.
I have a cron script that checks my log files and adds an iptables drop entry for such
attempts.

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 16:11 UTC (Wed) by mikachu (guest, #5333)

I checked my logs yesterday, and for that single day there were 424 attempts from 250 unique
IPs, so presumably blocking after an IP fails is not very effective.

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 16:36 UTC (Wed) by pcampe (subscriber, #28223)

See http://lwn.net/Articles/222201/, and accept only certificates for SSH.

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 15, 2008 1:05 UTC (Thu) by csamuel (subscriber, #2624)

Except that, according to the Metasploit project, on Debian/Ubuntu boxes with broken OpenSSL:

When creating a new OpenSSH key, there are only 32,767 possible outcomes for a given architecture, key size, and key type. The reason is that the only "random" data being used by the PRNG is the ID of the process. [...] Links to the pregenerated key sets for 1024-bit DSA and 2048-bit RSA keys (x86) are provided in the downloads section below.

...and if you've used such a system with a good DSA key then you can consider that compromised too.

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 15, 2008 19:39 UTC (Thu) by pcampe (subscriber, #28223)

>Except that, according to the Metasploit project, on Debian/Ubuntu boxes 
>with broken OpenSSL

That is an implementation problem, limited to Debian and derived systems. Certificates are
the only way to be sure that your server is not password-guessed.

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 17:23 UTC (Wed) by endecotp (guest, #36428)

No, don't use fail2ban or denyhosts or any of the similar tools.  They are in the "line of
fire" and any bugs that they contain are security bugs.  This isn't a theoretical problem: see
http://lwn.net/Articles/216217/; denyhosts could be exploited by an attacker to add arbitrary
addresses to its blocklist, including for example the IP addresses of its legitimate users.
That's a serious bug and there could be more.  We want less code in the line-of-fire, not more,
and we want that code to be of the highest quality (as openssh is, except when it has been
hacked around by an incompetent maintainer).  Simple rule: use strong passwords, or disable
password authentication, and don't worry about all of those failure messages in your auth log.

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 17:39 UTC (Wed) by rfunk (subscriber, #4054)

While I agree with your general point, I have two points of 
partial-contention.

Most importantly, if you allow password authentication at all, you need to 
pay attention to failed logins, and take steps to prevent someone from 
eventually getting around to guessing your good password.  (I watch my 
logs and manually block IP addresses that are trying to brute-force their 
way in, but I'm lucky enough not to be getting hit nearly as hard as 
others are.)

Also, I've long disliked fail2ban and similar tools because it's too easy 
for legitimate users to get blocked.  But some variant might be 
appropriate, such as one that notifies the sysadmin and asks for approval 
before blocking.  (Though of course this adds more of the evil complexity 
that you rightly argue against.)

I've toyed with the idea of a system that not just penalizes failed 
logins, but also gives positive points for successful logins, so that it's 
harder for legitimate users to get blocked.  And of course, if blocking 
does happen, it should eventually expire.
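
A sketch, in Python, of what JoeF's log-watching cron script and rfunk's scoring idea might look like combined (an added example; it is not either commenter's code and not fail2ban). It parses OpenSSH auth-log lines, subtracts a point per failed login, adds points back for a successful login, emits the iptables DROP command once a source's score crosses a threshold, and lets that block expire. The threshold values, the hostname, and the log lines (documentation IPs) are all constructed.

```python
import re
from datetime import datetime, timedelta

# Tunables: assumed values for illustration, not taken from the thread
FAIL_PENALTY, SUCCESS_CREDIT, BLOCK_THRESHOLD, BLOCK_SECONDS = -1, 3, -5, 3600

# OpenSSH auth-log lines for failed and accepted logins
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<what>Failed password|Accepted \w+) for (?:invalid user )?"
    r"\S+ from (?P<ip>[\d.]+) port \d+")

def parse_line(line, year=2008):
    """Return (timestamp, source ip, success) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["what"].startswith("Accepted")

def block_commands(lines):
    """Score each source; return (iptables commands to run, final scores)."""
    scores, blocked_until, cmds = {}, {}, []
    for ts, ip, success in filter(None, map(parse_line, lines)):
        until = blocked_until.get(ip)
        if until is not None and ts < until:
            continue            # still blocked (the DROP rule keeps these off the log anyway)
        if until is not None:   # block expired: clean slate, as rfunk suggests
            del blocked_until[ip]
            scores[ip] = 0
        scores[ip] = scores.get(ip, 0) + (SUCCESS_CREDIT if success else FAIL_PENALTY)
        if scores[ip] <= BLOCK_THRESHOLD:
            blocked_until[ip] = ts + timedelta(seconds=BLOCK_SECONDS)
            cmds.append(f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return cmds, scores

def _entry(ts, what, user, ip):   # builds one constructed auth-log line
    return f"{ts} host sshd[1234]: {what} for {user} from {ip} port 40000 ssh2"

# Constructed sample: a guesser at 203.0.113.7, a fumbling legitimate user at 198.51.100.4
SAMPLE_LOG = (
    [_entry(f"May 14 10:00:0{i}", "Failed password", "invalid user admin", "203.0.113.7")
     for i in range(5)]
    + [_entry("May 14 10:01:00", "Failed password", "alice", "198.51.100.4")] * 3
    + [_entry("May 14 10:01:30", "Accepted publickey", "alice", "198.51.100.4")]
    + [_entry("May 14 10:02:00", "Failed password", "alice", "198.51.100.4")] * 2
    + [_entry("May 14 11:00:30", "Failed password", "invalid user admin", "203.0.113.7")])
```

On the sample, only the guesser is blocked: the legitimate user's three typos are cancelled by the later successful login, and the guesser's return after the block has lapsed starts from a clean score. The commands are returned rather than executed; a cron job would hand them to a shell, and a whitelist for known-good sources belongs in front of the DROP rule.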

fail2ban with knockd & whitelist

Posted May 15, 2008 0:04 UTC (Thu) by AnswerGuy (subscriber, #1256)

I use fail2ban with a whitelist on port 22 and port knocking on two additional ports (with a
five port knock for each).

Thus I can be assured that I can still get in even if someone has spoofed failures from some
address I'm using that's not on my whitelist.

I could just turn off port 22 on that server since I only ever use one of the alternatives.

The advantage of fail2ban or its ilk in this case is to prevent the bandwidth and CPU hit for
repeated brute-force ssh attempts.  Hiding the alternatives behind a knock sequence is even
more effective, since the casual port scanners can't even find the running service.  If I see
brutish failures on one of the alternative ports then I can be certain that someone sniffed my
knock sequence ... and change it.


Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 22:50 UTC (Wed) by nowster (subscriber, #67)

This seems to work very well. It limits the number of connections to the SSH port to three in any three minutes. It's based on a post here a few months ago.

# SSH
# Accept trusted hosts
iptables -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport ssh -j ACCEPT
iptables -A INPUT -s 172.16.0.0/14 -p tcp -m tcp --dport ssh -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport ssh -j ACCEPT

# For outsiders, rate-limit
iptables -A INPUT -p tcp -m tcp --dport ssh \
        -m state --state NEW \
        -m recent --hitcount 3 --seconds 180 --update -j DROP

iptables -A INPUT -p tcp -m tcp --dport ssh \
        -m state --state NEW \
        -m recent --set -j ACCEPT

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 16, 2008 6:50 UTC (Fri) by muwlgr (guest, #35359)

Ubuntu has broken fail2ban in Hardy and I feel they won't upload the update till probably
v8.04.1. Bad luck for us Hardy users.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds