I've got to the point where SSH is blocked for everyone by default, and to access it users have to authenticate via a web application. This copes with the fact users change their end IP address every so often, and allows me to open different ports for different users.
We wrote http://firewalle.palepurple.co.uk as I couldn't seem to find anything out there that did this already. A cron job just rebuilds an iptables chain each minute or something.
Posted Oct 23, 2009 15:34 UTC (Fri) by nix (subscriber, #2304)
I've got to the point where SSH is blocked for everyone by default, and to access it users have to authenticate via a web application.
This seems terribly inconvenient compared to cryptographic authentication, and no more secure.
Distributed brute force ssh attacks
Posted Oct 23, 2009 18:27 UTC (Fri) by bronson (subscriber, #4806)
But cryptographic authentication is terribly inconvenient! I had to do key management for a mere 5-person dev team in the past -- it got tedious fast.
At least DG's solution pushes the work to the leaves, potentially reducing the work for the ssh admins.
Distributed brute force ssh attacks
Posted Oct 23, 2009 22:24 UTC (Fri) by dododge (subscriber, #2870)
One way I've seen this done in a corporate environment is to have a web page that uses token-based authentication such as SecurID to identify you. If you pass that, it immediately updates the firewall to allow your IP to access the other servers such as mail, ssh, etc. (which all normally require their own authentication as well). The firewall rule then auto-expires if your IP goes idle for too long.
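As an added example (not DG's firewalle code nor anything posted in this thread), here is a Python sketch of the cron-side rebuild that both DG and dododge describe: a session table written by the web login is turned into an iptables chain, and grants whose IP has gone idle are dropped. The chain name WEBAUTH, the 30-minute idle timeout and the session table are all assumptions.

```python
"""Rebuild an SSH allow-list chain from web-login sessions, expiring idle ones."""
import ipaddress

# Constructed sample session table: source IP -> last activity (UNIX time).
# In the described setup the web app appends an entry at login and refreshes
# it while traffic from that IP is still seen; this script only consumes it.
SAMPLE_SESSIONS = {
    "203.0.113.10": 1_700_000_000,             # active user
    "198.51.100.7": 1_700_000_000 - 3 * 3600,  # idle for three hours
    "not-an-ip": 1_700_000_000,                # corrupt row, must be skipped
}
IDLE_TIMEOUT = 30 * 60  # assumption: a grant expires after 30 idle minutes


def active_hosts(sessions, now, idle_timeout=IDLE_TIMEOUT):
    """Return the sorted IPv4 addresses whose grant has not yet expired.

    Rows that do not parse as IPv4 are discarded, so a malformed or injected
    session entry can never become an argument to iptables.
    """
    keep = []
    for ip, last_seen in sessions.items():
        try:
            if not isinstance(ipaddress.ip_address(ip), ipaddress.IPv4Address):
                continue
        except ValueError:
            continue
        if now - last_seen <= idle_timeout:
            keep.append(ip)
    return sorted(keep)


def build_chain_commands(hosts, chain="WEBAUTH", port=22):
    """Return the iptables commands that rebuild the chain from scratch.

    One-time setup (not repeated here) hooks the chain into INPUT with
    `iptables -I INPUT -p tcp --dport 22 -j WEBAUTH`. Each rebuild flushes
    the chain, adds one ACCEPT per live grant, and ends with an unconditional
    DROP so an empty or unreadable session table fails closed.
    """
    cmds = [f"iptables -F {chain}"]
    for ip in hosts:
        cmds.append(f"iptables -A {chain} -s {ip} -p tcp --dport {port} -j ACCEPT")
    cmds.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return cmds


if __name__ == "__main__":
    import time
    for cmd in build_chain_commands(active_hosts(SAMPLE_SESSIONS, int(time.time()))):
        print(cmd)  # a cron job would run these instead of printing them
```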
Distributed brute force ssh attacks
Posted Oct 24, 2009 19:47 UTC (Sat) by dmk (subscriber, #50141)
which scans access-patterns to closed ports and reacts to it.
Distributed brute force ssh attacks
Posted Oct 24, 2009 19:51 UTC (Sat) by DG (subscriber, #16978)
Yes - portknocking is fine for technically able users - I somehow doubt I'd be able to get a random end user to telnet (or whatever) to a couple of ports before they could connect via SSH.
Having to "Log into a firewall" seems much easier for them to grasp - there is no need for them to install any software or do anything 'new'.
Distributed brute force ssh attacks
Posted Oct 25, 2009 11:21 UTC (Sun) by oak (subscriber, #2786)
You could provide users a script that does the port-knocking or "firewall login" for them + a desktop icon for the script.
And then use a modified denyhosts to monitor failed ssh login attempts from the IP addresses for which the firewall opened a port. Denyhosts could then e.g. mail the IT admin when too many failed attempts are noticed. They can then verify (e.g. by phone) that it's the user themselves failing to log in (too many times) and not the user or the user's machine or home network being compromised...
Distributed brute force ssh attacks
Posted Oct 25, 2009 14:41 UTC (Sun) by DG (subscriber, #16978)
Yes - this could work - however it requires distribution of software; my/our approach doesn't....
Each to their own; I'm sure many solutions are better than one :)