I'm sure most people have seen tons of invalid SSH login attempts by some fairly new cracking program that guesses userids and passwords. The problem is getting worse and more frequent. I was wondering if there is any way to configure SSH to block an IP after a certain number of invalid logins, for a certain amount of time. (i.e. after 5 bad logins, block the IP for an hour). Or maybe there is an IDS that can do that? I looked at snort and can't find anything about SSH. BTW, I'm aware of other ways to make SSH more secure, like not allowing password authentication and only allowing RSA/DSA keys, changing the port SSH listens on, port knocking, etc. I just thought that automatic IP blocking, like I ask about above, would be a good idea under some circumstances.

- BS
I use the following in my /etc/ssh/sshd_config file:

LoginGraceTime 5s
MaxAuthTries 2
MaxStartups 1

I have been considering iptables for rate limiting. I am unaware of any address-based blocking arrangement predicated on invalid login attempts.
Bruce Smith wrote:
I'm sure most people have seen tons of invalid SSH login attempts by some fairly new cracking program that guesses userids and passwords. The problem is getting worse and more frequent.
I was wondering if there is any way to configure SSH to block an IP after a certain number of invalid logins, for a certain amount of time. (i.e. after 5 bad logins, block the IP for an hour).
Or maybe there is an IDS that can do that? I looked at snort and can't find anything about SSH.
BTW, I'm aware of other ways to make SSH more secure, like not allowing password authentication and only allowing RSA/DSA keys, changing the port SSH listens on, port knocking, etc. I just thought that automatic IP blocking, like I ask about above, would be a good idea under some circumstances.
You can use the iptables "recent" module. Simply filter on new SYN packets to the SSH port and add the bad guy whenever he opens more than X connections in Y seconds to SSH. Stops em dead. You mustn't do it yourself of course.

http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.h...

You'll need to roll your own firewall rules if you don't already. (Unless it is now possible to inject such things in SuSEFirewall2, I don't know, haven't looked at SuSEFirewall in the last 3-4 years :-) )

Putting SSH on a port other than 22 also works.

HTH.

--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
You can use the iptables "recent" module. Simply filter on new SYN packets to the SSH port and add the bad guy whenever he opens more than X connections in Y seconds to SSH. Stops em dead. You mustn't do it yourself of course.
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.h...
You'll need to roll your own firewall rules if you don't already. (Unless it is now possible to inject such things in SuSEFirewall2, I don't know, haven't looked at SuSEFirewall in the last 3-4 years :-) )
Thanks for all the replies! I've found setting "MaxAuthTries 2" with a combination of the iptables rules works great! I can hardly wait to get attacked again to watch it work. ;-)

The only problem is iptables can't tell the difference between a successful login and a failed login, but that's not usually a problem as long as I don't open a bunch of SSH connections all at once.

I'll check into swatch when I get time, but for now I'll share the iptables rules I ended up with on this list as my thanks to everyone. This will block any IP for 60 seconds that tries to connect 5 or more times in a one minute time frame (along with logging it). It's easy to test, just log in multiple times and ALL the connections will freeze for a while when you hit the login limit:

iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -m recent --name sshattack --set
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j DROP

- BS
Bruce Smith wrote:
You can use the iptables "recent" module. Simply filter on new SYN packets to the SSH port and add the bad guy whenever he opens more than X connections in Y seconds to SSH. Stops em dead. You mustn't do it yourself of course.
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.h...
You'll need to roll your own firewall rules if you don't already. (Unless it is now possible to inject such things in SuSEFirewall2, I don't know, haven't looked at SuSEFirewall in the last 3-4 years :-) )
Thanks for all the replies! I've found setting "MaxAuthTries 2" with a combination of the iptables rules works great! I can hardly wait to get attacked again to watch it work. ;-)
The only problem is iptables can't tell the difference between a successful login and a failed login, but that's not usually a problem as long as I don't open a bunch of SSH connections all at once.
You could use "screen" to avoid that. It's really a useful tool and like every useful tool I can hardly imagine how I managed to get away without it for several years ;-) The only downside is that it adds another SUID binary.

cheers,
Rainer

--
===================================================
~ Rainer Duffner - rainer@ultra-secure.de ~
~ Freising - Munich - Germany ~
~ Unix - Linux - BSD - OpenSource - Security ~
~ http://www.ultra-secure.de/~rainer/pubkey.pgp ~
===================================================
Bruce Smith wrote:
You can use the iptables "recent" module. Simply filter on new SYN packets to the SSH port and add the bad guy whenever he opens more than X connections in Y seconds to SSH. Stops em dead. You mustn't do it yourself of course.
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.h...
You'll need to roll your own firewall rules if you don't already. (Unless it is now possible to inject such things in SuSEFirewall2, I don't know, haven't looked at SuSEFirewall in the last 3-4 years :-) )
Thanks for all the replies! I've found setting "MaxAuthTries 2" with a combination of the iptables rules works great! I can hardly wait to get attacked again to watch it work. ;-)
Just log in and immediately press CTRL-D a bunch of times. Works like a charm :-)
The only problem is iptables can't tell the difference between a successful login and a failed login, but that's not usually a problem as long as I don't open a bunch of SSH connections all at once.
That is true. It might become a problem if you do lots of SCP though. However that should be further distinguishable by the TOS field.

I personally don't like the log-watch approach. It can better distinguish the brute-forcers from legitimate SSH users but it is one more daemon to run, works on the logfile (which means special handling for log rotation) and must run as root in order to manipulate the firewall rules. Whereas the recent module has been in the kernel for quite some time now and the firewall is there anyway and does not require any intervention from me to start something else. It also does not change my firewall rules without my intervention, though that is a minor point.

Btw. you can also make a port-knocking scheme with ipt_recent.
I'll check into swatch when I get time, but for now I'll share the iptables rules I ended up with on this list as my thanks to everyone. This will block any IP for 60 seconds that tries to connect 5 or more times in a one minute time frame (along with logging it). It's easy to test, just log in multiple times and ALL the connections will freeze for a while when you hit the login limit:

iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -m recent --name sshattack --set
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j DROP
I use a two-level approach like this:

#
# special handling for SSH (to dwarf SSH dictionary attacks)
#
$IPTABLES -N SSH
$IPTABLES -N SSH-evil
$IPTABLES -A SSH-evil -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
$IPTABLES -A SSH-evil -j REJECT
$IPTABLES -A SSH -p TCP ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A SSH -p TCP --syn -m recent --name badSSH --rcheck --seconds 600 -j REJECT
$IPTABLES -A SSH -p TCP --syn -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-evil
$IPTABLES -A SSH -p TCP --syn -m recent --name sshconn --set
$IPTABLES -A SSH -p TCP --syn -j ACCEPT

It first checks for already established connections and lets them pass. Then it checks for the badSSH flag and rejects the bad guy for 10 minutes. Otherwise it is a new SSH connection and checks if we've seen 5 in 60 seconds, if so, jump to SSH-evil where the badSSH marker gets added. Otherwise just set the sshconn marker which is harmless unless you get 5 in 60 seconds.

--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
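As an added illustration (not code from the thread), here is a small Python model of the ipt_recent --set / --rcheck --seconds / --hitcount semantics, run over constructed traffic against both Bruce's flat INPUT rules and René's two-level SSH / SSH-evil chains. It shows why Bruce's version also drops packets of an already-established session from a flagged address while René's only ever rejects new SYNs; the 20-entry per-address list size and the 192.0.2.10 source address are assumptions.

```python
from collections import defaultdict
# ipt_recent keeps a bounded timestamp list per address; 20 is assumed here.
PKT_LIST_TOT = 20

class RecentTable:
    """One named 'recent' list: newest timestamps first, per source address."""
    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, addr, now):            # --set: record this packet's time
        stamps = self.hits[addr]
        stamps.insert(0, now)
        del stamps[PKT_LIST_TOT:]

    def rcheck(self, addr, now, seconds, hitcount=1):
        # --rcheck --seconds S [--hitcount H]: match only if addr is listed
        # with at least H packets inside the trailing S-second window.
        return sum(now - t <= seconds for t in self.hits.get(addr, [])) >= hitcount

def bruce(tables, t, src, syn):
    """Bruce's flat INPUT rules: --set on SYN, then --rcheck on every packet."""
    if syn:
        tables["sshattack"].set(src, t)
    # Rules 2 and 3 carry no -p tcp/--syn filter, so packets of an
    # established session from a flagged address are dropped as well.
    return "DROP" if tables["sshattack"].rcheck(src, t, 60, 5) else "ACCEPT"

def rene(tables, t, src, syn):
    """Rene's SSH / SSH-evil chains: only new SYNs can ever be rejected."""
    if not syn:                                   # ! --syn ESTABLISHED,RELATED
        return "ACCEPT"
    if tables["badSSH"].rcheck(src, t, 600):      # still on the 10-minute list
        return "REJECT"
    if tables["sshconn"].rcheck(src, t, 60, 5):   # 5 SYNs in 60 s -> SSH-evil
        tables["badSSH"].set(src, t)
        return "REJECT"
    tables["sshconn"].set(src, t)
    return "ACCEPT"

def run(policy, packets):
    tables = defaultdict(RecentTable)
    return [policy(tables, *pkt) for pkt in packets]

# Constructed traffic (time_s, source, is_syn): six SYNs in 25 s from one
# host, a packet on its already-established session, then a SYN 700 s later.
ATTACK = [(5 * i, "192.0.2.10", True) for i in range(6)]
ATTACK += [(40, "192.0.2.10", False), (740, "192.0.2.10", True)]

if __name__ == "__main__":
    print({"bruce": run(bruce, ATTACK), "rene": run(rene, ATTACK)})
```

Note that with --rcheck (as opposed to --update) the badSSH timestamp is not refreshed by further SYNs, so René's 600-second block expires on schedule, whereas Bruce's --set keeps extending the 60-second window for as long as the attacker keeps connecting.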
participants (4): Bruce Smith, Gary Gapinski, Rainer Duffner, Rene Gallati