
SSH scanning

Posted Feb 15, 2007 9:11 UTC (Thu) by ldo (guest, #40946)
In reply to: Linux botnets by smoogen
Parent article: Linux botnets

I wrote a script which continually scanned /var/log/messages for "invalid user" entries logged by sshd, and did a

iptables --append INPUT --source srcaddr -j DROP

which was removed after 10 minutes. Most of the scanners never came back after the 10 minutes.
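The log-watching approach in the post above, written out as an added example (not ldo's script): it pulls the source address out of sshd's "Invalid user" lines, records an iptables DROP for each new source, and drops that rule again once the 10-minute window has passed. The log lines are constructed for the example, the year is assumed (syslog stamps carry none), and the iptables commands are collected in a list rather than executed, so it runs anywhere.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd uses in /var/log/messages
# (not taken from the poster's logs).
SAMPLE_LOG = """\
Feb 15 09:01:02 host sshd[1234]: Invalid user admin from 198.51.100.7
Feb 15 09:01:05 host sshd[1235]: Invalid user oracle from 198.51.100.7
Feb 15 09:02:10 host sshd[1240]: Accepted publickey for alice from 192.168.0.5 port 51022 ssh2
Feb 15 09:03:44 host sshd[1250]: Invalid user test from 203.0.113.9
"""

INVALID_USER = re.compile(
    r"sshd\[\d+\]: invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)
BLOCK_FOR = timedelta(minutes=10)  # the 10-minute window from the post
YEAR = 2007                        # assumed: syslog timestamps carry no year

def parse_ts(stamp):
    """Parse a syslog 'Mon DD HH:MM:SS' stamp, using the assumed YEAR."""
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def parse_invalid_users(text):
    """Return (timestamp, source_ip) for every 'Invalid user' line; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            hits.append((parse_ts(line[:15]), m.group(2)))
    return hits

class TemporaryBlocklist:
    """Tracks sources with a DROP rule in place and when that rule is due to be removed.
    Instead of calling iptables, the commands are collected so they can be inspected."""

    def __init__(self, duration=BLOCK_FOR):
        self.duration = duration
        self.expires = {}    # source ip -> time its DROP rule should be deleted
        self.commands = []   # iptables invocations a real runner would execute

    def observe(self, ts, ip):
        """Block ip on its first invalid-user hit; later hits while blocked change nothing."""
        if ip in self.expires:
            return False
        self.expires[ip] = ts + self.duration
        self.commands.append(f"iptables --append INPUT --source {ip} -j DROP")
        return True

    def expire(self, now):
        """Remove rules whose window has elapsed; returns the sources unblocked."""
        done = sorted(ip for ip, t in self.expires.items() if t <= now)
        for ip in done:
            self.commands.append(f"iptables --delete INPUT --source {ip} -j DROP")
            del self.expires[ip]
        return done

def run(text, now_stamp):
    """Feed a log excerpt through the blocklist and expire rules as of now_stamp."""
    blocklist = TemporaryBlocklist()
    for ts, ip in parse_invalid_users(text):
        blocklist.observe(ts, ip)
    blocklist.expire(parse_ts(now_stamp))
    return blocklist

if __name__ == "__main__":
    bl = run(SAMPLE_LOG, "Feb 15 09:12:00")
    print("\n".join(bl.commands))
    print("still blocked:", sorted(bl.expires))
```

A real runner would execute each collected command (and needs root for that); keeping the commands in a list is what makes the expiry logic easy to check. Two things the example does not do that a production version should: ignore addresses from the trusted network so a typo in a local username cannot lock out the admin, and cap the rule count so a large scan cannot bloat the INPUT chain.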


(Log in to post comments)

SSH scanning

Posted Feb 15, 2007 9:44 UTC (Thu) by ahoogerhuis (subscriber, #4041)

# Accept trusted hosts
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport ssh -j ACCEPT

# For outsiders, rate-limit and enjoy
iptables -A INPUT -m recent -m state -p tcp -m tcp --dport ssh --state NEW --hitcount 3 --seconds 180 --update -j DROP
iptables -A INPUT -m recent -m state -p tcp -m tcp --dport ssh --set --state NEW -j ACCEPT

i.e. don't meddle in SSH from places we trust, for outsiders that DO need access, give them three attempts, otherwise it's the doghouse for a few minutes. Simple, very effective.

-A

SSH scanning

Posted Feb 15, 2007 10:51 UTC (Thu) by bkoz (guest, #4027)

Thanks for the iptables hackery. This is the #1 issue I see in my logs.

SSH scanning

Posted Feb 15, 2007 16:19 UTC (Thu) by nowster (subscriber, #67)

Order is important in these iptables commands. The commands in the parent appear to match on any traffic. Use instead:

# Accept trusted hosts
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport ssh -j ACCEPT

# For outsiders, rate-limit and enjoy
iptables -A INPUT -p tcp -m tcp --dport ssh \
        -m state --state NEW \
        -m recent --hitcount 3 --seconds 180 --update -j DROP

iptables -A INPUT -p tcp -m tcp --dport ssh \
        -m state --state NEW \
        -m recent --set -j ACCEPT
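To make the behaviour of the rate-limit rules in ahoogerhuis's post and nowster's reordered version concrete, here is an added simulation (not code from either poster) of how the iptables "recent" match evaluates them: --set records a timestamp for the source, --update --seconds 180 --hitcount 3 matches once three stamps fall inside the window and, on a match, records the current time as well, which is why a host that keeps hammering stays in the doghouse. The attempt list is constructed; the trusted-network test stands in for -s 192.168.0.0/24, and the 20-stamp cap per address is the recent module's default.

```python
from collections import defaultdict, deque

HITCOUNT = 3        # --hitcount 3
SECONDS = 180       # --seconds 180
LIST_TOT = 20       # xt_recent keeps this many timestamps per address (ip_pkt_list_tot default)
TRUSTED = ("192.168.0.",)   # stands in for -s 192.168.0.0/24

class RecentTable:
    """Per-source timestamp list, modelled on what the iptables 'recent' match keeps."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def update(self, ip, now):
        """--update --seconds SECONDS --hitcount HITCOUNT: match when at least HITCOUNT stamps
        lie within the window (a stamp exactly SECONDS old still counts, as in xt_recent);
        on a match the current time is recorded too, which is what distinguishes --update
        from --rcheck and keeps a persistent hammerer blocked."""
        hits = sum(1 for t in self.stamps[ip] if now - t <= SECONDS)
        if hits >= HITCOUNT:
            self.stamps[ip].append(now)
            return True
        return False

    def set(self, ip, now):
        """--set: record this attempt against the source."""
        self.stamps[ip].append(now)

def verdict(table, ip, now):
    """Walk the three rules above, in order, for one NEW tcp/22 connection."""
    if ip.startswith(TRUSTED):          # rule 1: trusted network, accept unconditionally
        return "ACCEPT"
    if table.update(ip, now):           # rule 2: too many recent attempts -> DROP
        return "DROP"
    table.set(ip, now)                  # rule 3: note the attempt and let it through
    return "ACCEPT"

# Constructed attempts: (seconds since start, source). 203.0.113.9 hammers, then backs off.
ATTEMPTS = [
    (0, "203.0.113.9"), (5, "192.168.0.5"), (10, "203.0.113.9"), (15, "198.51.100.7"),
    (20, "203.0.113.9"), (30, "203.0.113.9"), (100, "203.0.113.9"),
    (200, "203.0.113.9"), (300, "203.0.113.9"), (500, "198.51.100.7"),
]

def simulate(attempts=ATTEMPTS):
    """Return (time, source, verdict) for each attempt, processed in time order."""
    table = RecentTable()
    return [(t, ip, verdict(table, ip, t)) for t, ip in sorted(attempts)]

if __name__ == "__main__":
    for t, ip, v in simulate():
        print(f"t={t:4d}s {ip:14s} {v}")
```

Running it shows the outsider's first three connections accepted, the fourth and the two that follow dropped, and the host only getting through again at t=300 once fewer than three stamps remain inside the 180-second window; the trusted host is never rate-limited. Note that the count is of NEW connections, not of failed passwords: one connection can carry several password attempts, which is why the rules are a brake on scanners rather than a substitute for turning passwords off.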

SSH scanning - fail2ban

Posted Feb 15, 2007 12:10 UTC (Thu) by DG (subscriber, #16978)

alternatively try fail2ban (on ubuntu/debian)

SSH scanning

Posted Feb 15, 2007 15:02 UTC (Thu) by nix (subscriber, #2304)

Why not just turn off password-authentication on your Internet-facing SSHen? Stick to challenge-response and you'll be safe from all these scanners (modulo major holes in sshd itself, which are rare.)

challenge-response on ssh

Posted Feb 15, 2007 23:52 UTC (Thu) by ccyoung (guest, #16340)

how? is there a package? or does it require real work?

challenge-response on ssh

Posted Feb 20, 2007 20:47 UTC (Tue) by nix (subscriber, #2304)

Well, ChallengeResponseAuthentication == public-key authentication and/or use of OPIE, RSA SecurID, or some other one-time authentication system (some of which OpenSSH has native support for).
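For the "how?" question above, an added example (not from nix or the OpenSSH project) that audits an sshd_config for the settings that decide whether the scanners in this thread have anything to guess at. The setting that cuts off password guessing is PasswordAuthentication no with PubkeyAuthentication left on; ChallengeResponseAuthentication (renamed KbdInteractiveAuthentication in OpenSSH 8.7) is the switch for keyboard-interactive methods such as the one-time-password systems mentioned, and when UsePAM is on it can still carry an ordinary password prompt, so the audit flags that combination too. The two configs are constructed; the defaults table holds upstream OpenSSH's values for when a keyword is absent or commented out.

```python
import re

# Upstream OpenSSH defaults for the keywords checked here (what applies when the line is
# absent or commented out). ChallengeResponseAuthentication is the pre-8.7 name of
# KbdInteractiveAuthentication; both spellings are folded into one key below.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """\
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no      <- commented out, so the default (yes) still applies
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

def parse_sshd_config(text):
    """Return the effective global keyword->value map. As in sshd, the first occurrence of a
    keyword wins; parsing stops at the first Match block because its lines are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                 # keywords are case-insensitive
        if key == "match":
            break
        key = ALIASES.get(key, key)
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings

def audit(text):
    """List the settings that leave an Internet-facing sshd open to password guessing."""
    cfg = parse_sshd_config(text)
    eff = {k: cfg.get(k, d) for k, d in DEFAULTS.items()}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is effectively yes: guessed passwords can log in")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key-only access cannot replace passwords")
    if eff["challengeresponseauthentication"] != "no" and eff["usepam"] == "yes":
        findings.append("ChallengeResponseAuthentication with UsePAM: PAM keyboard-interactive "
                        "can still prompt for the Unix password")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["ok"])
```

Point it at /etc/ssh/sshd_config on a real host before restarting sshd, and keep an existing session open while you test a key login from another terminal; with password logins off, a lost key means a trip to the console.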

SSH scanning

Posted Feb 15, 2007 16:29 UTC (Thu) by stevan (subscriber, #4342)

The blacklist.py python script (http://blinkeye.ch/mediawiki/index.php/SSH_Blocking) works extremely well for managing ssh scans, in our experience. The answer, though, is, of course, keyed-only ssh access.

S

SSH scanning

Posted Feb 15, 2007 16:30 UTC (Thu) by kh (subscriber, #19413)

I have been happy with denyhosts

SSH scanning -- solutions

Posted Feb 16, 2007 2:28 UTC (Fri) by smoogen (subscriber, #97)

Thanks for everyone putting up various solutions.. they should make interesting grumpy old security admin articles some day.

They will also be handy for the admin who at 2am has to fix this problem and does a google search.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds