LWN: Comments on "Creating an SSH honeypot"

Creating an SSH honeypot

janoszen — Tue, 06 Apr 2021 13:09:55 +0000

You can do that too, micro VMs such as Firecracker can be used to that effect.

Creating an SSH honeypot

janoszen — Tue, 06 Apr 2021 13:09:51 +0000

(Dev here) You can, ContainerSSH just takes a different approach and takes care of locking the "attacker" in a container (or a microVM if you set it up that way).

Creating an SSH honeypot

smurf — Wed, 24 Mar 2021 13:40:15 +0000

It buys you protection from a DoS attack that forks ten gazillion ssh daemons and loads down your gateway box. These do exist.

Creating an SSH honeypot

nix — Tue, 23 Mar 2021 23:38:57 +0000

What does this buy you over just turning on ChallengeResponseAuthentication, turning off PasswordAuthentication, and ignoring the fruitless attacks? (They hardly use any bandwidth because they always seem to try possibilities sequentially, though I suppose if you're right at the limit of your bandwidth plan you might just notice it.)

Creating an SSH honeypot

smurf — Sun, 21 Mar 2021 11:28:50 +0000

The "in conjunction with appropriate firewall rules" part is important though, you want to limit the number of open connections. pam_recent kicks in too late to catch a well-written DoS attempt.

nonstandard SSH port

giraffedata — Sun, 21 Mar 2021 03:20:03 +0000

My anecdote: I too have been using a nonstandard SSH port for about 10 years and have seen zero attacks except about two years ago there was an onslaught of password guesses that went on for several months. It was the kind where the guesses come in infrequently from lots of sources, the idea being to try password X on a thousand machines rather than try a thousand passwords on machine X; i.e. it wasn't someone targeting my server in particular.

At first I thought hacking technology had just advanced to where my trick wouldn't work anymore; I was pleased to see the attacks stop.

Creating an SSH honeypot

metalheart — Fri, 19 Mar 2021 17:42:17 +0000

Why not use Linux Auditing System to log those activities?

Creating an SSH honeypot

dtlin — Fri, 19 Mar 2021 05:49:01 +0000

That's why I like pam_recent, which (in conjunction with appropriate firewall rules) can start rate-limiting connections as soon as they try to connect, instead of waiting for sshd to log.

Creating an SSH honeypot

dskoll — Thu, 18 Mar 2021 18:39:48 +0000

You can configure the ban/unban actions, so with the right setup, you can do what you need. It's a bit of a pain to do safely and securely, but certainly not impossible.

Creating an SSH honeypot

jschrod — Thu, 18 Mar 2021 16:47:56 +0000

It's been some time when I looked at fail2ban.

Is it now supported out-of-the-box to issue iptables/nftables command on a different server, as a reaction to an detected break in attempt?

The use case is a firewall in front of several boxes that allow ssh access. If fail2ban detects a break-in attempt in one of those boxes, the rules shall be changed on the firewall. Blocking access just on this specific box is not sufficient.

Creating an SSH honeypot

dskoll — Tue, 16 Mar 2021 13:01:04 +0000

Almost any network server is vulnerable to this sort of attack; surely SSH has a configuration setting somewhere to close the socket if the client doesn't do anything for a while? Seems to me LoginGraceTime might do the trick here.

And yes, clients can dribble data slowly over a connection to tie up a child process, but again... any network server is vulnerable to this and it's a pretty well-known attack.

Creating an SSH honeypot

gdt — Mon, 15 Mar 2021 12:58:30 +0000

Another useful tactic is to exclusively bind sshd to an additional random IPv6 interface identifier (an interface ID is the least significant 64 bits of the IPv6 address). An interface can hold multiple IPv6 interface IDs without fuss. This gives a search space of 2⁶³, which is ~10¹⁴ more than the search space of 2¹⁶ for TCP ports.

Because this is an additional address used solely for incoming SSH the usual operation of the computer doesn't leak beyond the subnet a useful address for a SSH brute force attempt.

This tactic retains the ability to have a DNS name for the SSH service, which can be sometimes be useful.

Creating an SSH honeypot

Sesse — Sun, 14 Mar 2021 23:24:56 +0000

There are bots that operate like this. Surprisingly many of them.

Creating an SSH honeypot

flussence — Sun, 14 Mar 2021 20:17:03 +0000

An anecdote about port numbering: I've been doing this for at least 10 years and IIRC I've had zero unwanted SSH connections as a result (compared to SMTP, which gets one every few minutes). Surprisingly effective, I'd recommend doing it for other services where SRV records are the norm too.

Creating an SSH honeypot

k8to — Sun, 14 Mar 2021 03:29:07 +0000

Though this problem isn't really caused by fail2ban, it's just that fail2ban doesn't assist against this type of denial-of-service. So I don't view this as a fail2ban issue, just a thing it doesn't handle for you.

Since fail2ban is designed mostly to just cut off bot attacks, it seems not that big a deal to me. If you want to handle more active attackers you should be taking other approaches at least in addition.

Creating an SSH honeypot

Sesse — Sat, 13 Mar 2021 16:03:38 +0000

fail2ban has a critical issue with SSH, though; if someone just connects to port 22 and then hangs, you can quickly eat up the number of SSH children without fail2ban ever noticing (because sshd never logs this).

Creating an SSH honeypot

jak90 — Sat, 13 Mar 2021 13:32:30 +0000

Even if I prefer to whitelist access to port 22 to a few safe addresses and networks (which on most servers contains the whole IPv6 address space), I wish there was a fail2ban plugin that could simply extend IP bans to the whole allocation or even all networks belonging to an AS if it contains more than one or two bad apples.

Creating an SSH honeypot

gps — Sat, 13 Mar 2021 08:05:03 +0000

Don't forget about fail2ban on your actual ssh servers... And to go clean out the infinitely growing fail2ban database of every compromised address that has probed you on the internet every now and then...

Creating an SSH honeypot

Trou.fr — Fri, 12 Mar 2021 15:24:16 +0000

A trivial thing to implement and which can help against mistakes: whitelisting the users allowed to connect through ssh by allowing only a specific group:

AllowGroups sshok

so your test user you're creating for "just a quick check", will not be allowed to connect.

Creating an SSH honeypot

pabs — Fri, 12 Mar 2021 05:41:37 +0000

This reminds me of SourceForge's highly restricted SSH setup, although I think they use virtual machines instead of containers.