Re: [opensuse] SSH Brute Force attacks
oh come on now, why are you generating private mails aka spam?
denyhosts has a centrally maintained list? wow, my version must be old.
<http://stats.denyhosts.net/stats.html>
sync to the xmlrpc server of denyhosts. check your denyhosts config file.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
oh come on now, why are you generating private mails aka spam?
denyhosts has a centrally maintained list? wow, my version must be old.
<http://stats.denyhosts.net/stats.html>
sync to the xmlrpc server of denyhosts. check your denyhosts config file.
sorry, almost always forget that to reply to the list is a manual step for me
Philip Dowie wrote:
oh come on now, why are you generating private mails aka spam?
denyhosts has a centrally maintained list? wow, my version must be old.
<http://stats.denyhosts.net/stats.html>
sync to the xmlrpc server of denyhosts. check your denyhosts config file.
sorry, almost always forget that to reply to the list is a manual step for me
Philip,

The best solution I've found is to simply move ssh to a high port. I used to have 300-3000 log entries per day of script kiddies trying to hack my ssh on port 22. I moved ssh to a high port several months ago and I have had *zero* attempts to crack my system since. The process is simple:

(1) look at /etc/services and find an available high port you want to use. If you have multiple machines you want to set on different ports then find a range of ports that are open:

    [09:33 alchemy:/var/lib] # grep -i unassigned /etc/services
    <snip>
    # 9537-9554 Unassigned
    # 9556-9591 Unassigned
    # 9601-9611 Unassigned
    # 9613-9627 Unassigned
    <snip>

Edit /etc/services, comment out ssh on port 22, uncomment the ports you want to use and change 'Unassigned' to 'ssh'. Example:

    #ssh 22/tcp # SSH Remote Login Protocol
    #ssh 22/udp # SSH Remote Login Protocol
    #ssh 22/sctp # SSH
    ssh 9537/tcp # SSH Remote Login Protocol
    ssh 9537/udp # SSH Remote Login Protocol
    ssh 9537/sctp # SSH
    # 9538-9554 Unassigned

(2) Edit /etc/ssh/sshd_config and change the ssh port:

    #Port 22
    Port 9537

**NOTE: for added security set up ssh keys for access and disable password authentication:

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

(3) Create or edit /etc/ssh/ssh_config for system wide configuration or ~/.ssh/config for per-user configuration and tell the system what host is on what port. The syntax is a "Host/Port" pair for each box (each on a separate line).
Example:

    Host arete.3111skyline.com arete
    Port 22
    Host ecstasy.3111skyline.com ecstacy
    Port 9537

(4) Then simply restart or reload ssh to read in the new configuration and all your troubles with unauthorized ssh login attempts will be a thing of the past!

Providing the "Host/Port" configuration directive for each machine makes the change seamless to the user. They simply type ssh machine and it works. No need to type ssh -p <port> machine, and the change works seamlessly for scp, rsync, etc.

This was the only cure I found that works. HTH...

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
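How ssh picks the port for a bare "ssh machine" from those Host/Port pairs, as an added example in Python (mine, not code from David's post or from OpenSSH): it parses ssh_config-style text and applies ssh's first-match-wins rule, so the same resolution applies to scp and rsync, which read the same file. The config text is constructed here from the hostnames in the post; parse_ssh_config and resolve_port are this example's own names; only the * and ? wildcards are handled (negated ! patterns and the Option=value spelling are left out).

```python
import fnmatch

# Constructed ssh_config text using the Host/Port pairs from the post
# (assembled for this example, not copied from a real system).
SAMPLE_SSH_CONFIG = """\
Host arete.3111skyline.com arete
    Port 22

Host ecstasy.3111skyline.com ecstacy
    Port 9537
"""

DEFAULT_SSH_PORT = 22


def parse_ssh_config(text):
    """Parse ssh_config text into a list of (host_patterns, {option: value}) blocks.

    Options that appear before the first Host line apply to every host, so they
    are collected under the pattern "*". Within one block the first value wins.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}   # a Host line may list aliases
        else:
            options.setdefault(key, value)
    blocks.append((patterns, options))
    return blocks


def resolve_port(hostname, config_text):
    """Return the port ssh would use for hostname.

    ssh keeps the first value it obtains for an option while reading blocks in
    file order, so the first matching Host block that sets Port decides; with no
    match the default of 22 applies.
    """
    for patterns, options in parse_ssh_config(config_text):
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns) and "port" in options:
            return int(options["port"])
    return DEFAULT_SSH_PORT


if __name__ == "__main__":
    for name in ("arete", "ecstacy", "ecstasy.3111skyline.com", "somewhere.else"):
        print(f"{name:28} -> port {resolve_port(name, SAMPLE_SSH_CONFIG)}")
```

The first-match rule is also the usual mistake with this setup: a "Host *" block that sets "Port 22" placed above the per-machine blocks silently pins every host to 22, so wildcard blocks belong at the end of the file.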
David C. Rankin wrote:
Philip,
The best solution I've found is to simply move ssh to a high port. I used to have 300-3000 log entries per day of script kiddies trying to hack my ssh on port 22. I moved ssh to a high port several months ago and I have had *zero* attempts to crack my system since.
The high port setup definitely works, but so does blocking with iptables after 3 failed attempts in 60secs. I've been using that on all my systems since I saw it here: http://lists.suse.com/archive/suse-security/2005-Dec/0069.html
**NOTE: for added security set up ssh keys for access and disable password authentication:
I wouldn't say added, but ultimate. No amount of brute force will overcome that.

/Per
--
Per Jessen, Zürich (14.3°C)
On 4/15/2009 at 10:57, Per Jessen <per@opensuse.org> wrote:
**NOTE: for added security set up ssh keys for access and disable password authentication:
I wouldn't say added, but ultimate. No amount of brute force will overcome that.
Per,
this is a little bit over-optimistic... The amount might be tremendously higher, but it is not infinite.

Dominique
Dominique Leuenberger wrote:
On 4/15/2009 at 10:57, Per Jessen <per@opensuse.org> wrote:
**NOTE: for added security set up ssh keys for access and disable password authentication:
I wouldn't say added, but ultimate. No amount of brute force will overcome that.
Per,
this is a little bit over-optimistic... The amount might be tremendous higher, but it is not infinite.
Dominique
With 128 bit keys, how long, on average, will it take to succeed? That's 340282366920938463463374607431768211456 possibilities and at 1 attempt per second, that will take 1.079028307080601419e+31 years, which is close enough to infinity for most people.

--
Use OpenOffice.org <http://www.openoffice.org>
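The arithmetic behind that figure, carried through as an added example (mine, not from the thread) so that the assumptions the thread goes on to argue about can be varied: key length in bits, attempts per second, and whether one counts exhausting the whole space or the expected half of it. A 365-day year reproduces the posted 1.079e+31; the function and constant names are this example's own.

```python
# Brute-force time estimates for a uniformly random key of a given length.
SECONDS_PER_YEAR = 365 * 24 * 3600          # 365-day year, as used for the posted figure
SECONDS_PER_YEAR_LEAP = 365.25 * 24 * 3600  # average year with leap days included


def keyspace(bits):
    """Number of distinct keys of the given length."""
    return 2 ** bits


def years_to_exhaust(bits, attempts_per_second, seconds_per_year=SECONDS_PER_YEAR):
    """Years needed to try every key at a fixed rate (the attacker's worst case)."""
    return keyspace(bits) / (attempts_per_second * seconds_per_year)


def expected_years(bits, attempts_per_second, seconds_per_year=SECONDS_PER_YEAR):
    """Expected years until the first hit: a random key is found, on average,
    after half the space has been searched."""
    return years_to_exhaust(bits, attempts_per_second, seconds_per_year) / 2


def bits_needed(target_years, attempts_per_second, seconds_per_year=SECONDS_PER_YEAR):
    """Smallest key length whose expected search time at this rate reaches target_years.
    Every doubling of the attack rate costs exactly one bit."""
    bits = 1
    while expected_years(bits, attempts_per_second, seconds_per_year) < target_years:
        bits += 1
    return bits


def summary(bits=128, rates=(1, 1e6, 1e9)):
    """{rate: (years to exhaust, expected years)} for a few guessing rates."""
    return {rate: (years_to_exhaust(bits, rate), expected_years(bits, rate)) for rate in rates}


if __name__ == "__main__":
    print("keys:", keyspace(128))
    for rate, (full, avg) in summary().items():
        print(f"{rate:>14,.0f} attempts/s: exhaust in {full:.3e} years, expected {avg:.3e}")
    print("bits for 1e31 expected years at 1e9/s:", bits_needed(1e31, 1e9))
```

The rate is the only knob an attacker controls, and it buys one bit per doubling: going from one guess per second to a billion per second removes about thirty bits from the effective strength, which still leaves the figure far outside any practical horizon. The model only describes random keys, though; it says nothing about a flawed generator producing far fewer than 2^128 distinct keys, which is the point made about the Debian bug later in the thread.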
On 4/15/2009 at 13:20, James Knott <james.knott@rogers.com> wrote:
With 128 bit keys, how long, on average, will it take to succeed? That's 340282366920938463463374607431768211456 possibilities and at 1 attempt per second, that will take 1.079028307080601419e+31 years, which is close enough to infinity for most people
Is 'close to infinity' the same as 'infinity'? And there are so many assumptions in this calculation:
- 1 attack per second (botnet -> ???)
- statistically, 50% of the keys are cracked in half the time (simple statistical distribution, which easily can be tweaked)

I know what you mean and I would trust them too (more than a typical password)... BUT: bugs in the software (anybody remember the Debian bug???) can easily show that it's not that much work. So calling anything like this just infinite unbreakable is wrong and gives a feeling of security that might not exist. (nevertheless it should remain considered a valid option to access a server)

A typical approach on 'brute force' is to reduce the used space. I think I have actually never seen a real brute force against my ssh server. It's typically based on dictionary attacks.

(and your calculation ignores the fact of leap years, just a small detail).

Dominique
On Wednesday, 2009-04-15 at 13:38 +0200, Dominique Leuenberger wrote:
...
A typical approach on 'brute force' is to reduce the used space. I think I have actually never seen a real brute force against my ssh server. It's typically based on dictionary attacks.
You can not use a dictionary attack to break ssh keys, just passwords.

--
Cheers,
Carlos E. R.
On 4/15/2009 at 14:04, "Carlos E. R." <robin.listas@telefonica.net> wrote:
A typical approach on 'brute force' is to reduce the used space. I think I have actually never seen a real brute force against my ssh server. It's typically based on dictionary attacks.
You can not use a dictionary attack to break ssh keys, just passwords.
That's the good thing of the ssh keys indeed :) it's not a human deciding, based on something he needs to be able to remember.
Per Jessen wrote:
The high port setup definitely works, but so does blocking with iptables after 3 failed attempts in 60secs. I've been using that on all my systems since I saw it here:
http://lists.suse.com/archive/suse-security/2005-Dec/0069.html
It's 404
On Wednesday 15 April 2009 06:15:34 am James Knott wrote:
Per Jessen wrote:
The high port setup definitely works, but so does blocking with iptables after 3 failed attempts in 60secs. I've been using that on all my systems since I saw it here:
http://lists.suse.com/archive/suse-security/2005-Dec/0069.html
It's 404
Maybe this one? http://lists.opensuse.org/opensuse-security/2005-12/msg00069.html

--
Regards, Rajko
Per Jessen wrote:
David C. Rankin wrote:
Philip,
The best solution I've found is to simply move ssh to a high port. I used to have 300-3000 log entries per day of script kiddies trying to hack my ssh on port 22. I moved ssh to a high port several months ago and I have had *zero* attempts to crack my system since.
The high port setup definitely works, but so does blocking with iptables after 3 failed attempts in 60secs. I've been using that on all my systems since I saw it here:
http://lists.suse.com/archive/suse-security/2005-Dec/0069.html
Dead link. It appears to be this now: http://lists.opensuse.org/opensuse-security/2005-12/msg00096.html

--
bkw
Brian K. White wrote:
Per Jessen wrote:
The high port setup definitely works, but so does blocking with iptables after 3 failed attempts in 60secs. I've been using that on all my systems since I saw it here:
http://lists.suse.com/archive/suse-security/2005-Dec/0069.html
Dead link. It appears to be this now: http://lists.opensuse.org/opensuse-security/2005-12/msg00096.html
Thanks - I just copied the URL from my firewall script, so I didn't realize it was outdated.

/Per
--
Per Jessen, Zürich (12.8°C)
Per Jessen wrote:
David C. Rankin wrote:
Philip,
The best solution I've found is to simply move ssh to a high port. I used to have 300-3000 log entries per day of script kiddies trying to hack my ssh on port 22. I moved ssh to a high port several months ago and I have had *zero* attempts to crack my system since.
The high port setup definitely works, but so does blocking with iptables after 3 failed attempts in 60secs. I've been using that on all my systems since I saw it here:
http://lists.suse.com/archive/suse-security/2005-Dec/0069.html
Per,
Do you have another link for the IP tables solution? I tried your link above and got the 404 not found error :-(

--
David C. Rankin, J.D.,P.E.
On Wednesday, 2009-04-15 at 21:34 -0500, David C. Rankin wrote:
The high port setup definitely works, but so does blocking with iptables after 3 failed attempts in 60secs. I've been using that on all my systems since I saw it here:
http://lists.suse.com/archive/suse-security/2005-Dec/0069.html
Do you have another link for the IP tables solution? I tried your link above and got the 404 not found error :-(
Remember that SuSE list changed to openSUSE list. Search the similarly named list for the same html file on same year-month.
:-P
Or, pick up the email from Rajko where the exact link is posted, some hours ago, in this same thread. Or, have a look inside the firewall configuration file, where you will find the current version of the recipe in easy mode. I posted it several times during these years, tonight I'm just too lazy to dig it out again
:-P
--
Cheers,
Carlos E. R.
* Carlos E. R. <robin.listas@telefonica.net> [04-15-09 22:46]:
Or, have a look inside the firewall configuration file, where you will find the current version of the recipe in easy mode. I posted it several times during these years, tonight I'm just too lazy to dig it out again
I believe that this is it:

    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 240 --hitcount 2 -j REJECT

(that should be *one* line)

--
Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
On Wednesday, 2009-04-15 at 23:07 -0400, Patrick Shanahan wrote:
* Carlos E. R. <> [04-15-09 22:46]:
Or, have a look inside the firewall configuration file, where you will find the current version of the recipe in easy mode. I posted it several times during these years, tonight I'm just too lazy to dig it out again
I believe that this is it:

    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 240 --hitcount 2 -j REJECT
(that should be *one* line)
And now being the morning, I'm a bit less lazy :-)

In the /etc/sysconfig/SuSEfirewall2 script, this:

    # Example:
    # Allow max three ssh connects per minute from the same IP address:
    # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    #
    # The special value _rpc_ is recognized as protocol and means that dport is
    # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
    # details.
    #
    #FW_SERVICES_ACCEPT_EXT=""
    #FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    #
    # Ludwig Nussel: you may want to use 0.0.0.0/0 instead of 0/0 to avoid the ipv6
    # error message.
    #
    # Do not open ssh on another rule, or it takes precedence and
    # FW_SERVICES_ACCEPT_EXT does not work.

--
Cheers,
Carlos E. R.
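The same "three in sixty seconds" rule applied on the log side, as an added example of mine (not code from the thread, from iptables or from SuSEfirewall2): it parses sshd "Failed password" lines and reports each source address at the moment it reaches hitcount failures inside a sliding window, using the hitcount=3 / blockseconds=60 values from the firewall entry. The log lines are constructed with documentation-range addresses, the year is assumed because syslog lines carry none, and parse_failures and offenders are this example's own names. The distinction worth keeping in mind: the firewall's recent match counts new connections (the --syn in the iptables rule), not authentication failures, so a legitimate user who opens several sessions inside the window is rejected too, whereas a count like this one only reacts to actual failures; the two are complementary.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines (addresses from the RFC 5737 documentation ranges);
# not taken from any real system.
SAMPLE_LOG = """\
Apr 15 10:57:01 alchemy sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Apr 15 10:57:02 alchemy sshd[4121]: Failed password for root from 198.51.100.7 port 40010 ssh2
Apr 15 10:57:05 alchemy sshd[4122]: Failed password for invalid user oracle from 203.0.113.5 port 51130 ssh2
Apr 15 10:57:09 alchemy sshd[4123]: Accepted publickey for david from 192.0.2.9 port 52000 ssh2
Apr 15 10:57:20 alchemy sshd[4124]: Failed password for invalid user test from 203.0.113.5 port 51141 ssh2
Apr 15 10:57:40 alchemy sshd[4125]: Failed password for invalid user guest from 203.0.113.5 port 51150 ssh2
Apr 15 10:59:30 alchemy sshd[4130]: Failed password for root from 198.51.100.7 port 40022 ssh2
Apr 15 11:01:00 alchemy sshd[4131]: Failed password for root from 198.51.100.7 port 40031 ssh2
"""

LOG_YEAR = 2009  # assumed: syslog timestamps have no year (the thread is from April 2009)

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=LOG_YEAR):
    """Yield (timestamp, ip, user) for each failed-password line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def offenders(log_text, hitcount=3, window_seconds=60, year=LOG_YEAR):
    """Return {ip: time the threshold was first crossed} for every source with at
    least hitcount failures inside a sliding window of window_seconds."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, ip, _user in parse_failures(log_text, year):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire failures older than the window
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when:%H:%M:%S}")
```

On the sample, 203.0.113.5 is flagged at its third failure (10:57:20), while 198.51.100.7 also fails three times but spread over four minutes and is left alone; widening the window to 300 seconds catches it as well, which is exactly the hitcount/blockseconds trade-off the firewall setting exposes.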
Carlos E. R. wrote:
Or, pick up the email from Rajko where the exact link is posted, some hours ago, in this same thread.
Or, have a look inside the firewall configuration file, where you will find the current version of the recipe in easy mode. I posted it several times during these years, tonight I'm just too lazy to dig it out again
:-P
-- Cheers, Carlos E. R.
(smacks self for blindness.... old age sucks ;-)

--
David C. Rankin, J.D.,P.E.
participants (10)
- Brian K. White
- cagsm
- Carlos E. R.
- David C. Rankin
- Dominique Leuenberger
- James Knott
- Patrick Shanahan
- Per Jessen
- Philip Dowie
- Rajko M.