| 1 |
Thanks for all the replies so far... I'll reply once to these... (Oh, |
| 2 |
and when I said "ports" in my original post, I meant "addresses" - my |
| 3 |
typing fingers just ignored my brain...) |
| 4 |
|
| 5 |
I'm against a 'novel port' approach - as I am against port-knocking (for |
| 6 |
my server) because these may prove challenging for the environments from |
| 7 |
which I may want to log on. I want to retain a 'standard' service to |
| 8 |
make it easiest for me to connect to my server from a remote site |
| 9 |
without requiring reconfiguration of firewalls etc. |
| 10 |
|
| 11 |
I have, in the past, used DSA only keys - but this was frustrating on |
| 12 |
several occasions when I wanted access to my server and didn't have my |
| 13 |
SSH keys available to me... I almost always connect using a key pair |
| 14 |
rather than a password - but the password option is very useful to allow |
| 15 |
me to get hold of my SSH keys in the first place in some environments. |
| 16 |
If I found a distributed attack on a valid user name, for example, I'd |
| 17 |
consider this a critical change - however inconvenient. |
| 18 |
|
| 19 |
I previously used denyhosts - but (I can't remember why) it became |
| 20 |
preferable to block with IPtables rather than with tcpwrappers... which |
| 21 |
prompted me to dump it in favour of a bespoke script based upon |
| 22 |
blacklist.py (http://blinkeye.ch/mediawiki/index.php/SSH_Blocking) - |
| 23 |
though, now, I'm tempted by the more professional looking sshguard - |
| 24 |
thanks for the tip. Of course, this doesn't really address the problem |
| 25 |
I posted about - because I'm now faced with a highly distributed |
| 26 |
dictionary attack... |
| 27 |
|
| 28 |
It strikes me that, given the conclusive nature of this attack (which, |
| 29 |
by virtue of the fact that the usernames are attempted in alphabetical |
| 30 |
order proves it to be a single coordinated attack) I can create a list |
| 31 |
of a large number of IP addresses - which, likely, correspond to |
| 32 |
compromised hosts. It strikes me that this would be a perfect source of |
| 33 |
information to set up a block list... and, if others' logs show similar |
| 34 |
attacks, it should be easy enough to combine this data to provide |
| 35 |
distributed protection from a distributed attack. I don't think for one |
| 36 |
second that this attack is targeted - neither my hardware or the |
| 37 |
information on my server is particularly interesting to anyone but me. |
| 38 |
It would be extremely interesting to me, however, if it were to |
| 39 |
transpire that my IP address originated login attempts such as these - |
| 40 |
as this would clearly demonstrate it to be compromised... I suspect, |
| 41 |
too, the ISPs should be interested to inform their subscribers in the |
| 42 |
interest of security... though, of course, I recognise that this is |
| 43 |
being optimistic. |
| 44 |
|
| 45 |
When I exposed my server to internet SSH logins, I carefully considered |
| 46 |
security... though I also had to consider convenience - since that was |
| 47 |
the only reason for doing so in the first place. If I could block all |
| 48 |
IPs suspected of being in a bot-net - then this would be an improvement |
| 49 |
in security without a great cost in terms of lost convenience. Right |
| 50 |
now, in the context of this attack which circumvents my earlier blocking |
| 51 |
strategy, I'm looking for a viable blacklist solution in order to avoid |
| 52 |
white-listing. A potential solution for me would be to have sshd be far |
| 53 |
more choosy about source IPs when using password authentication... for |
| 54 |
example, restricting it to hosts in the UK... but still allowing remote |
| 55 |
access wherever I've propagated DSA keys... but I think this would be |
| 56 |
tricky to set up. A shared block-list, I suspect, would be the most |
| 57 |
effective response to this attack... and the response most likely to |
| 58 |
minimise others' exposure, too. |
| 59 |
|
| 60 |
Steve |
Archives