Advertisement
GStreamer Conference 2013, 22-23 Oct, Edinburgh
GStreamer, Embedded Linux, Android, VoD, Smooth Streaming, DRM, RTSP, HEVC, PulseAudio, OpenGL. Register now to attend.
Weekly Edition
Return to the Security page
| |||||||||||||
Distributed brute force ssh attacksBrute force password-guessing attacks against ssh are all too common these days. But, various countermeasures can be used to blunt their impact. A recent discussion on the freebsd-hackers mailing list looks at the problem and some solutions. Ssh is generally the tool of choice for connecting to remote servers and it is rare that it is disabled on any true multi-user, network-connected machine. Typically, it is configured such that users need to log in with their normal username/password pair. But, since users often use poorly-chosen passwords—and usernames are relatively easily guessed—trying a large number of combinations of credentials will often gain unauthorized access. In addition, most Linux (or UNIX, for that matter) machines have several known usernames that can be tried ("root", "news", "mail", etc.), which can reduce the search space significantly. Of course, gaining access to the root account compromises the entire system, so many ssh installations do not allow root to log in via ssh. In fact, disabling root logins (using "PermitRootLogin no" in /etc/ssh/sshd_config) is generally one of the first suggestions for making ssh more secure. Another countermeasure against these kinds of attacks is turning off password authentication entirely, which can be done using "PasswordAuthentication no" in the configuration file. In that case, only users who have installed public keys for the hosts and accounts they wish to use to log in will be allowed. That completely eliminates the possibility of password guessing attacks, but does require that users protect the corresponding private keys. An attacker who gains access to the private key can immediately log in as the user. A brute force attempt on a server generally leaves an audit trail in a server's log files, which can be used by an administrator to block the offending IP address. Of course, attackers quickly recognized that repeatedly trying passwords from a single address was likely to result in either being blocked or being caught by the authorities. So, distributed brute force attacks were born. In a distributed attack, multiple hosts—quite possibly members of a botnet of some kind—attack multiple victim machines so that there are many more addresses to block. In addition, those addresses change frequently, so an administrator needs some kind of automated tool to keep up. Enter DenyHosts and other, similar tools, such as Fail2ban. The basic idea behind these tools is that they scan various log files for evidence of a brute force attack. Once they find an offending IP address—based on various criteria—they update firewall or other access-control configurations to deny access from those addresses. Essentially, they automatically ban the addresses of hosts participating in these distributed brute force attacks. There is a balance to be struck in terms of the criteria used to determine "bad" hosts. Denying access to legitimate users—who forget their password or try to log in from a host without the right private key—needs to be avoided. Typically, hosts that do not misbehave for some period of time will age off the bad host list, but legitimate users are unlikely to be willing to wait that long. On the other hand, setting the criteria too high will still allow too many attempts from attack hosts before they get stopped. In addition, with the size of today's botnets, there may be no reason for a particular address to make more than one attempt per hour, or day, which will generally fly under the radar of most configurations. But, DenyHosts turns the tables on distributed attacks, by collecting distributed data itself—from many different hosts in what is called "synchronization mode". Basically, a central server collects information from DenyHosts's users on which IP addresses they have determined to be bad. That information can then be used by other DenyHosts installations to effectively ban addresses that have not yet attacked them, but are currently attacking other DenyHosts users. There are dangers to this approach, of course, and it still may not catch the largest botnets where individual IP addresses never quite reach the thresholds required to ban them, but it can help. The standard problems with blacklists and false positives certainly apply, and one could imagine all kinds of havoc that could come from malicious DenyHosts installations, but it is one way to leverage the data from multiple victims. A further refinement might be to provide the raw failure data, rather than just the bad IP addresses filtered by each site's failure criteria, to the central server. That server could then correlate single attack attempts on multiple hosts to more easily catch the larger botnets. Much like the spam problem, brute force ssh attacks are a kind of arms race. Administrators will need to change tactics periodically as the types of attacks change. Turning off password authentication is not possible for all installations—and still doesn't get rid of the log file mess that brute force attacks leave behind—so techniques like DenyHosts's synchronization mode will, unfortunately, be needed for the foreseeable future. (Log in to post comments)
Distributed brute force ssh attacks Posted Oct 22, 2009 10:16 UTC (Thu) by ikm (subscriber, #493) [Link]
Isn't it better to just audit bad passwords on the server side? If all passwords are relatively strong (e.g. no "mike:mike", "mike:123" and so on exist), then there should be no harm from those attacks, except for extra traffic and cpu consumption to handle all the requests.
Password auditing isn't reliable Posted Oct 22, 2009 17:04 UTC (Thu) by copsewood (subscriber, #199) [Link]
Password auditing is difficult if users are allowed to choose their own passwords. It's true you can use tools such as Crack to do this, but if your popular password list isn't the same as the one used by your attacker, a password that looks strong to your tools might well be weak to an attacker. E.G, your user's weak password might be a popular password in a language you don't speak and which those compiling your Crack password dictionary don't know about. Fine if you have access to the same auditing tools as your attackers have for attacking you, but it certainly isn't safe to assume that you do. It seems to me better either to generate random passwords for the users, or choose good ones for them they should be able to remember based on what you know about them which attackers are unlikely to know or guess.
Distributed brute force ssh attacks Posted Oct 22, 2009 10:25 UTC (Thu) by Tuxie (guest, #47191) [Link]
Why not just make each try slower after each fail?
After first fail, the second try will take 2 seconds (plus the time it normally takes). The third try will take 4 seconds. The fourth 8 seconds, and so on...
Distributed brute force ssh attacks Posted Oct 22, 2009 10:54 UTC (Thu) by ikm (subscriber, #493) [Link]
Problem is, each new attempt is made from a different IP. Therefore you can't determine if a particular request is a successive attempt or a new, unrelated login.
Distributed brute force ssh attacks Posted Oct 22, 2009 13:13 UTC (Thu) by Felix.Braun (subscriber, #3032) [Link]
On my server I still see lots of attempts coming from the same IP-address. I presume the individual drones of a botnet don't coordinate their attacks, so they wouldn't be able to achive a sufficient attack rate per minute to brute-force the passwords.
Unrelated IP addresses Posted Oct 22, 2009 22:05 UTC (Thu) by man_ls (guest, #15091) [Link] Then delay the failures (even from unrelated IP addresses), but not successful logins. And add a max time of, say, 20s. If you enter your password wrong then you suffer a penalization of at most 20 seconds; if you do it right then you enter immediately. This should be enough to make brute force attacks impractical.
Unrelated IP addresses Posted Oct 22, 2009 22:14 UTC (Thu) by ikm (subscriber, #493) [Link]
No, I'm afraid this won't hinder distributed attacks a lot. Each bot is probing a lot of different servers simultaneously, but for each server it tries e.g. one login per hour. That's the idea behind distributed brute force attacks. The 20s penalization won't change anything much -- albeit it would perhaps make bots consume more resources (tcp connections stay open longer, probing processes sleep and exist longer).
Unrelated IP addresses Posted Oct 24, 2009 14:45 UTC (Sat) by NAR (subscriber, #1313) [Link]
I think a brute force attack with one attempt per hour is not a problem if the passwords are at least half-decent. The password will expire long before the brute force attack succeeds.
Unrelated IP addresses Posted Oct 24, 2009 15:38 UTC (Sat) by ikm (subscriber, #493) [Link]
Multiply by 1000 nodes and you get 1000 attempts per hour.
I think though, too, the password lists are limited to some most common passwords only (e.g. 123, qwerty and so on). I think in that sense server-side password auditing would be enough to secure the host.
Unrelated IP addresses Posted Oct 26, 2009 16:07 UTC (Mon) by giraffedata (subscriber, #1954) [Link] Multiply by 1000 nodes and you get 1000 attempts per hour. And divide that by 1000 nodes and you get 1 attempt per hour, and since my actions will secure 1 of the 1000 nodes, that's the number that matters for me. I think we're talking about two kinds of hacks: 1) someone wants into my system; 2) someone wants into any system. In (2), there's no reason for the hacker to hit my system frequently, but there's also correspondingly less chance he'll get into my system. Hey another statistical reality: the user's password change interval is irrelevant to the probability of successfuly guessing. The expected number of guesses it takes is the same no matter how many how times the password changes while the guessing is going on.
Unrelated IP addresses Posted Oct 26, 2009 19:19 UTC (Mon) by ikm (subscriber, #493) [Link]
We're talking about the same kind of attack: someone wants into your system. It's YOUR host which gets probed 1000 times per hour. It's just that it's done by 1000 different machines simultaneously -- each of which probing only once an hour.
Unrelated IP addresses Posted Oct 26, 2009 19:35 UTC (Mon) by NAR (subscriber, #1313) [Link]
But after the third try, the user will be locked out for 2 minutes, so the next 33 tries will be in vain, even if the attacker would guess the right password...
Unrelated IP addresses Posted Oct 26, 2009 19:45 UTC (Mon) by ikm (subscriber, #493) [Link]
That does make sense. Though you'd have to combine it with IP-based banning too. Otherwise it'd be really easy to DoS a specific person one happens to dislike, and also bots tend to try many different user names, not just one over and over again.
Unrelated IP addresses Posted Oct 26, 2009 22:26 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]
but the attacking IP address doesn't try again for 60 min, so it's not affected by your block.
unless you say you are locking the _user_ out from any IP address for 2 min.
if that's the case an attacker will just DOS you so that you can't login to the box yourself.
Unrelated IP addresses Posted Nov 2, 2009 12:16 UTC (Mon) by robbe (subscriber, #16131) [Link]
Penalising just the wrong attempts won't work. If a successful attempt
normally gives an ACK after 1s, the attacker won't bother to hang around for your NACK if you delay it for 5s or 60s or whatever. Therefore all decent systems delay *both* answers.
You probably have to limit the delay to one minute or less, or your
Distributed brute force ssh attacks Posted Oct 22, 2009 21:00 UTC (Thu) by shane (subscriber, #3335) [Link]
That may or may not be a good idea, but today you can do "aptitude install denyhosts" on any Debian or Ubuntu system and have SSH brute-force protection in a couple of minutes.
We've got over 550 IP addresses blocked in the last couple of months on a server I share with some friends.
Distributed brute force ssh attacks Posted Oct 25, 2009 11:46 UTC (Sun) by cortana (subscriber, #24596) [Link]
Why doesn't openssh have this kind of feature built in by default? I've always been put off tools such as denyhosts or its alternatives because they seem, well, a bit hacky.
You have to have a process continuing to run in the background; if it somehow crashes then you lose the protection.
They work by tailing /var/log/auth.log. That requires you to have configured syslog to log to the right place, and you have to be careful to synchronise the reloading of the log file with any log rotation that takes place.
ISTR a bug a while back where a remote attacker could take control of the tool by using a specially crafted user name, to exploit a bug in the regular expression parsing library that the program used.
I'd feel much safer if the mechanism for detecting these kind of attacks was built into OpenSSH itself, leaving the policy up to third party plugins.
Distributed brute force ssh attacks Posted Oct 25, 2009 22:50 UTC (Sun) by jordanb (guest, #45668) [Link]
I use iptables. I suppose my ssh protection rules could be flushed, but it's nothing like having a daemon die.
Distributed brute force ssh attacks Posted Nov 17, 2009 8:34 UTC (Tue) by Brenner (subscriber, #28232) [Link]
> You have to have a process continuing to run in the background; if it somehow crashes then you lose the protection.
With DenyHosts, you do not have to have a daemon running. You do not even have to use or change iptables rules. You can do all you want with tcpwrappers using the relatively unknown spawn feature.
If ssh comes from an authorized IP (listed in /etc/hosts.allow): allow sshd to ask password.
It boils down to
This works very well and looks pretty clean to me.
Reference:
Best Regards,
Distributed brute force ssh attacks Posted Oct 22, 2009 13:51 UTC (Thu) by mosfet (guest, #45339) [Link] Why not set the ssh port to something >10k and tell your users the port #? Works for me. Nobody seems to scan for a non-default ssh port (at least not for unpopular sites). But every default ssh port gets attacked.
One method- Distributed brute force ssh attacks Posted Oct 22, 2009 17:52 UTC (Thu) by dlapine (guest, #7358) [Link]
Simple enough- setup 1 extra machine that is exposed to the same environment as the machines you'd like to protect, but allow no user logins. Configure the box to track all attempts to log in. Voila- all ip's you capture are bogus (save for the occasional user typo) and can be blocked on your other nodes. Yes, with a large enough botnet pool, every attempt on separate nodes in your network could be done with unique bot, but I don't think the hack has advanced that far as of yet.
Even better, combine this with mosfet's suggestion, and move all the "real" nodes to port other than the standard ssh ones.
Distributed brute force ssh attacks Posted Oct 23, 2009 0:20 UTC (Fri) by smoogen (subscriber, #97) [Link]
This used to work, but some of the botnets have gotten to scanning ports 0-65536 slowly to see what's up. They then come back later at your high port. Thankfully its not a lot of them, but my guess is that at some point every botnet will have the logic in it.
Distributed brute force ssh attacks Posted Oct 23, 2009 17:55 UTC (Fri) by clugstj (subscriber, #4020) [Link]
I changed from port 22 to port 443 for SSH on my home machine and haven't seen any brute force attacks on it since. (It's been a couple of years now).
Oddly enough, I had to change it because my employer started blocking outgoing connects to port 22. I think they only allow 80 and 443 now.
Distributed brute force ssh attacks Posted Oct 30, 2009 9:57 UTC (Fri) by xoddam (subscriber, #2322) [Link]
> my employer started blocking outgoing connects to port 22
That's just sad. I hope you work somewhere sane now.
Distributed brute force ssh attacks Posted Oct 23, 2009 5:54 UTC (Fri) by DG (subscriber, #16978) [Link]
I've got to the point where SSH is blocked for everyone by default, and to access it users have to authenticate via a web application. This copes with the fact users change their end IP address every so often, and allows me to open different ports for different users.
We wrote http://firewalle.palepurple.co.uk as I couldn't seem to find anything out there that did this already. A cron job just rebuilds an iptables chain each minute or something.
Distributed brute force ssh attacks Posted Oct 23, 2009 15:34 UTC (Fri) by nix (subscriber, #2304) [Link] I've got to the point where SSH is blocked for everyone by default, and to access it users have to authenticate via a web application.This seems terribly inconvenient compared to cryptographic authentication, and no more secure.
Distributed brute force ssh attacks Posted Oct 23, 2009 18:27 UTC (Fri) by bronson (subscriber, #4806) [Link]
But cryptographic authentication is terribly inconvenient! I had to do key management for a mere 5 person dev team in the past -- it got tedious fast.
At least DG's solution pushes the work to the leaves, potentially reducing the work for the ssh admins.
Distributed brute force ssh attacks Posted Oct 23, 2009 22:24 UTC (Fri) by dododge (subscriber, #2870) [Link] One way I've seen this done in a corporate environment is to have a web page that uses token-based authentication such as SecurID to identify you. If you pass that, it immediately updates the firewall to allow your IP to access the other servers such as mail, ssh, etc. (which all normally require their own authentication as well). The firewall rule then auto-expires if your IP goes idle for too long.
Distributed brute force ssh attacks Posted Oct 24, 2009 19:47 UTC (Sat) by dmk (subscriber, #50141) [Link]
for small usage sites there is also portknocking:
http://www.portknocking.org/
which scans access-patterns to closed ports and reacts to it.
Distributed brute force ssh attacks Posted Oct 24, 2009 19:51 UTC (Sat) by DG (subscriber, #16978) [Link]
Yes - portknocking is fine for technically able users - I somehow doubt I'd be able to get a random end user to telnet (or whatever) to a couple of ports before they could connect via SSH.
Having to "Log into a firewall" seems much easier for them to grasp - there is no need for them to install any software or do anything 'new'.
Distributed brute force ssh attacks Posted Oct 25, 2009 11:21 UTC (Sun) by oak (guest, #2786) [Link]
You could provide users a script that does the port-knocking or "firewall
login" for them + a desktop icon for the script.
And then use a modified denyhosts to monitor failed ssh login attempts
Distributed brute force ssh attacks Posted Oct 25, 2009 14:41 UTC (Sun) by DG (subscriber, #16978) [Link]
Yes - this could work - however it requires distribution of software; my/our approach doesn't....
Each to their own; I'm sure many solutions are better than one :)
Not blocking ssh for root, but for all others Posted Oct 25, 2009 20:01 UTC (Sun) by kruemelmo (subscriber, #8279) [Link]
For remote maintenance, we use to block ssh for all normal users, only root is allowed. Root has an extra strong password. I cannot think of a broute-force attack which is able to break in. Maintenance is simple and the users' self-choosen password's strength does not affect external ssh.
Not blocking ssh for root, but for all others Posted Oct 26, 2009 15:54 UTC (Mon) by giraffedata (subscriber, #1954) [Link] I block root, but have another username that maps to uid 0. It works fine and I don't even need an inconvenient password.
|
|||||||||||||