[Bug 230160] New: New security feature to block SSH attacks
https://bugzilla.novell.com/show_bug.cgi?id=230160

Summary: New security feature to block SSH attacks
Product: openSUSE 10.3
Version: unspecified
Platform: All
OS/Version: SuSE Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: atte.nieminen@cs.helsinki.fi
QAContact: qa@suse.de

Suse has been implementing new stuff all the time, but one crucial feature has been missing from the great distribution. It's the easy SSH configuration tool. This request also includes a feature to block brute-force attacks. The number of brute-force SSH attempts can sometimes climb up to 300 per day. There are unofficial scripts and programs to solve things, but no supported and official Suse tools.

Not only should there be an easy way to disable root login and other options, but the security features should be updated ASAP. SSH attacks are nowadays a huge problem. If users use strong passwords and the system is configured the right way, no hacker can access the system. But still they are trying to get in by knocking on the SSH port. If one opens the SSH port in the firewall, one will sooner or later discover that bots try to access the system by using dictionary attacks.

Here are examples from the logs (less /var/log/messages | grep sshd):

Aug 30 15:39:19 linux sshd[10923]: Invalid user staff from a.b.c.d
Aug 30 15:39:22 linux sshd[10925]: Invalid user sales from a.b.c.d
Aug 30 15:39:25 linux sshd[10927]: Invalid user recruit from a.b.c.d
Aug 30 15:39:28 linux sshd[10929]: Invalid user alias from a.b.c.d
Dec 21 05:29:18 linux sshd[28969]: reverse mapping checking getaddrinfo for whatever.com failed - POSSIBLE BREAKIN ATTEMPT!

To solve the problem (which most users don't even know of), a third-party, unofficial, unsupported block tool like blockhosts (http://www.aczoom.com/cms/blockhosts/) needs to be installed.
So in order to continue to satisfy users' needs, there should be a) an easy configuration tool for SSH, b) a new "module" in the firewall to automatically block hacking attempts, to get the situation fixed.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=230160

lkundrak@redhat.com changed:

What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |lkundrak@redhat.com

------- Comment #1 from lkundrak@redhat.com 2006-12-21 05:50 MST -------
(In reply to comment #0)
> It's the easy SSH configuration tool. This request also includes a feature to block brute-force attacks. The number of brute-force SSH attempts can sometimes climb up to 300 per day. There are unofficial scripts and programs to solve things, but no supported and official Suse tools.
Actually SSH prevents break-in with automated tools: it just doesn't allow the user to log in. In my humble opinion this is the only correct way to handle the situation. I'd even call blocking IP addresses with an excessive number of unsuccessful logins a DoS, because blocking an address that is shared by hosts behind a NAT-ing router would also likely affect innocent hosts.
> SSH attacks are nowadays a huge problem. If users use strong passwords and the system is configured the right way, no hacker can access the system. But still they are trying to get in by knocking on the SSH port. If one opens the SSH port in the firewall, one will sooner or later discover that bots try to access the system by using dictionary attacks.
I do not see the real problem here. Weak passwords are always a problem and cannot be solved with any software feature.
> To solve the problem (which most users don't even know of), a third-party, unofficial, unsupported block tool like blockhosts (http://www.aczoom.com/cms/blockhosts/) needs to be installed.
Some people prefer to use http://denyhosts.sourceforge.net/
> So in order to continue to satisfy users' needs, there should be a) an easy configuration tool for SSH, b) a new "module" in the firewall to automatically block hacking attempts, to get the situation fixed.
I agree the GUI configuration tool might be really nice. But I see no point in filtering unsuccessful login attempts.
https://bugzilla.novell.com/show_bug.cgi?id=230160

------- Comment #2 from krahmer@novell.com 2007-01-03 08:21 MST -------
They might also put the box at risk. It seems that most of these tools rely on the syslog file and parse it for sshd entries. This can easily be fooled.
https://bugzilla.novell.com/show_bug.cgi?id=230160

------- Comment #3 from suse-beta@cboltz.de 2007-03-25 15:57 MST -------
FYI: Since 10.2, SuSEfirewall2 can help with this by using ipt_recent. Just use something like

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"

Advantage: it uses iptables, so you don't need another daemon.
Disadvantage: ipt_recent does not distinguish between successful and failed logins - so it might be DoS-like also.
BTW: I have also noted some attackers trying FTP logins...
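As an added illustration (not code from the bug thread, blockhosts, denyhosts or SuSEfirewall2) of the log-parsing approach comment #2 describes and the hitcount/seconds idea in comment #3: the Python below reads constructed sshd lines modelled on the report's excerpt, counts only "Invalid user" failures whose trailing source token is a valid IP address, and flags a source after `hitcount` failures inside any `window_seconds` span. Because it keys on failures, the successful login in the sample does not count towards blocking, unlike the ipt_recent rule; the NAT caveat from comment #1 still applies to anything keyed on address.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the report's excerpt (192.0.2.0/24 is documentation space).
SAMPLE_LOG = """\
Aug 30 15:39:19 linux sshd[10923]: Invalid user staff from 192.0.2.10
Aug 30 15:39:22 linux sshd[10925]: Invalid user sales from 192.0.2.10
Aug 30 15:39:25 linux sshd[10927]: Invalid user recruit from 192.0.2.10
Aug 30 15:39:28 linux sshd[10929]: Invalid user alias from 192.0.2.10
Aug 30 15:40:01 linux sshd[10931]: Invalid user admin from 192.0.2.10
Aug 30 15:41:00 linux sshd[10940]: Invalid user test from 192.0.2.77
Aug 30 15:41:30 linux sshd[10944]: Invalid user bob from not.an.address
Dec 21 05:29:18 linux sshd[28969]: reverse mapping checking getaddrinfo for whatever.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 30 15:42:00 linux sshd[10950]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Match only real failed-login records and take the source address from the very end of
# the line, so earlier text (such as the attempted user name) cannot be mistaken for it.
INVALID_USER = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user .* from (?P<addr>\S+)$")


def failed_attempts(log_text):
    """Return [(timestamp, address)] for 'Invalid user' lines whose source is a valid IP."""
    out = []
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.ip_address(m.group("addr")))
        except ValueError:
            continue  # not an IP literal: neither counted nor blocked on
        # syslog stamps carry no year; strptime's default year is consistent within one log
        out.append((datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), addr))
    return out


def offenders(log_text, hitcount=5, window_seconds=300):
    """{address: total failures} for sources with `hitcount` failures inside any
    `window_seconds` span. An address shared behind NAT is still one address here."""
    stamps_by_addr = defaultdict(list)
    for ts, addr in failed_attempts(log_text):
        stamps_by_addr[addr].append(ts)
    flagged = {}
    for addr, stamps in stamps_by_addr.items():
        stamps.sort()
        for i in range(hitcount - 1, len(stamps)):
            if (stamps[i] - stamps[i - hitcount + 1]).total_seconds() <= window_seconds:
                flagged[addr] = len(stamps)
                break
    return flagged
```

With the defaults, 192.0.2.10 is flagged after its fifth failure 42 seconds into the burst, while 192.0.2.77 and the malformed "not.an.address" line are not.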
https://bugzilla.novell.com/show_bug.cgi?id=230160

thomas@novell.com changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |        |WONTFIX

------- Comment #4 from thomas@novell.com 2007-05-21 06:06 MST -------
I think there is no need to discuss this further...