Mailinglist Archive: opensuse (1570 mails)

< Previous Next >
Re: [opensuse] Coordinated, distributed ssh attacks?
  • From: "David C. Rankin" <drankinatty@xxxxxxxxxxxxxxxxxx>
  • Date: Mon, 5 Oct 2009 01:08:00 -0500
  • Message-id: <200910050108.00920.drankinatty@xxxxxxxxxxxxxxxxxx>
On Sunday 04 October 2009 03:52:59 am Per Jessen wrote:
David C. Rankin wrote:
On Saturday 03 October 2009 06:21:32 am Per Jessen wrote:
Has anyone else noticed the wave of coordinated, distributed ssh
attacks? Since Sep30 around 2100CET, I see a login attempt about
a minute, but coming from different IP-addresses. Looks like a
coordinated attempt to circumvent the firewalls that block based on
too many unsuccessful attempts.



Have you moved ssh to a high port yet? If you do, all noise on your
ssh port will cease. Worth its weight in gold!

Until this distributed attack my regular method of blocking based on
number of attempts from a single IP has worked just fine, but yes, I've
now moved sshd to another port on all my external systems. The local
systems don't allow external ssh access.
I'm still considering moving to the no-password-login setup as Hans
Witvliet suggested. It's clearly the optimal solution, I'm just a
little concerned about the management when each server needs to "know"
about (need to have the key) each possible client.



That's the best part about it. On each host, just do

cd ~/.ssh
ssh-keygen -t dsa
cp id_dsa id_dsa.hostname

do the same thing for root but append an r to the end of the names

Next, collect you public keys in one location on a box that you can
from the lan. I just use ~/.pkeys. Then create an "authorized_keys" file that
contains all the public keys. I just use a small script placed in the same
directory as the keys that searches the directory and automatically adds any
new keys in the directory to an authorized_keys file and then distributes it
to the hosts on my network vi copy or rsync:

Another handy script for the clients is "rokey" (short for remove
offending key). If a box is reloaded, etc. and you need to remove the key from
your from ~/.ssh/known_hosts due to strict check being enabled, then just
simply type:

rokey key-number

Where key-number is the number in the error message on the terminal. (just
saves work;-)

Once you are all setup, then edit /etc/ssh/sshd_config and disable
challenge/response and password authentication and you are done. No more
password attempts will be allowed regardless of which port ssh is on. But, if
ssh is on a high port, then you don't even get anything in the logs :p

PasswordAuthentication no
ChallengeResponseAuthentication no

(don't forget the put your host/port combinations in either
/etc/ssh/ssh_config (system wide) or ~/.ssh/config at the user level.

Host alchemy
Port 22
Host archangel
Port 10201
Host arete
Port 10202
Host ecstasy
Port 10203
Host killerz
Port 22
Host dcrgx
Port 22

Yes the Port 22 defs are required, and you have to put Host on one line
Port on the following line. Then the port change is transparent for all
ssh,rsync,scp,etc.. work. With sftp, you still have to specify the port


This may have already been covered, but if you want to limit ssh access
members of a specific group, you can do something like this with the
AllowGroups parameter:

AllowGroups wheel

David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups