1 |
Thanks for all the replies so far... I'll reply once to these... (Oh, |
2 |
and when I said "ports" in my original post, I meant "addresses" - my |
3 |
typing fingers just ignored my brain...) |
4 |
|
5 |
I'm against a 'novel port' approach - as I am against port-knocking (for |
6 |
my server) because these may prove challenging for the environments from |
7 |
which I may want to log on. I want to retain a 'standard' service to |
8 |
make it easiest for me to connect to my server from a remote site |
9 |
without requiring reconfiguration of firewalls etc. |
10 |
|
11 |
I have, in the past, used DSA only keys - but this was frustrating on |
12 |
several occasions when I wanted access to my server and didn't have my |
13 |
SSH keys available to me... I almost always connect using a key pair |
14 |
rather than a password - but the password option is very useful to allow |
15 |
me to get hold of my SSH keys in the first place in some environments. |
16 |
If I found a distributed attack on a valid user name, for example, I'd |
17 |
consider this a critical change - however inconvenient. |
18 |
|
19 |
I previously used denyhosts - but (I can't remember why) it became |
20 |
preferable to block with IPtables rather than with tcpwrappers... which |
21 |
prompted me to dump it in favour of a bespoke script based upon |
22 |
blacklist.py (http://blinkeye.ch/mediawiki/index.php/SSH_Blocking) - |
23 |
though, now, I'm tempted by the more professional looking sshguard - |
24 |
thanks for the tip. Of course, this doesn't really address the problem |
25 |
I posted about - because I'm now faced with a highly distributed |
26 |
dictionary attack... |
27 |
|
28 |
It strikes me that, given the conclusive nature of this attack (which, |
29 |
by virtue of the fact that the usernames are attempted in alphabetical |
30 |
order proves it to be a single coordinated attack) I can create a list |
31 |
of a large number of IP addresses - which, likely, correspond to |
32 |
compromised hosts. It strikes me that this would be a perfect source of |
33 |
information to set up a block list... and, if others' logs show similar |
34 |
attacks, it should be easy enough to combine this data to provide |
35 |
distributed protection from a distributed attack. I don't think for one |
36 |
second that this attack is targeted - neither my hardware or the |
37 |
information on my server is particularly interesting to anyone but me. |
38 |
It would be extremely interesting to me, however, if it were to |
39 |
transpire that my IP address originated login attempts such as these - |
40 |
as this would clearly demonstrate it to be compromised... I suspect, |
41 |
too, the ISPs should be interested to inform their subscribers in the |
42 |
interest of security... though, of course, I recognise that this is |
43 |
being optimistic. |
44 |
|
45 |
When I exposed my server to internet SSH logins, I carefully considered |
46 |
security... though I also had to consider convenience - since that was |
47 |
the only reason for doing so in the first place. If I could block all |
48 |
IPs suspected of being in a bot-net - then this would be an improvement |
49 |
in security without a great cost in terms of lost convenience. Right |
50 |
now, in the context of this attack which circumvents my earlier blocking |
51 |
strategy, I'm looking for a viable blacklist solution in order to avoid |
52 |
white-listing. A potential solution for me would be to have sshd be far |
53 |
more choosy about source IPs when using password authentication... for |
54 |
example, restricting it to hosts in the UK... but still allowing remote |
55 |
access wherever I've propagated DSA keys... but I think this would be |
56 |
tricky to set up. A shared block-list, I suspect, would be the most |
57 |
effective response to this attack... and the response most likely to |
58 |
minimise others' exposure, too. |
59 |
|
60 |
Steve |