03-17-2010, 09:05 PM
Conrad Meyer

your favourite method of dealing with ssh brute force attacks

On Wed, 17 Mar 2010 22:55:48 +0100
Michał Piotrowski <mkkp4x4@gmail.com> wrote:

> Hi,
>
> I recently had 30 hours of ssh brute force attack on my system. I'm
> using strong passwords, but still can be generated from /dev/random, so
> I switched to rsa authentication. What's your favourite way to deal
> with such attacks? Please describe pros and cons.
>
> Regards,
> Michal

'denyhosts' is in Fedora as well and works great. Use AllowUser lines
in your global ssh configuration and only allow known good users /
source addresses (if that's possible in your setup).

Regards,
--
Conrad Meyer <cemeyer@u.washington.edu>
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
03-17-2010, 09:06 PM
Orion Poplawski

On 03/17/2010 03:55 PM, Michał Piotrowski wrote:
> Hi,
>
> I recently had 30 hours of ssh brute force attack on my system. I'm
> using strong passwords, but still can be generated from /dev/random, so
> I switched to rsa authentication. What's your favourite way to deal
> with such attacks? Please describe pros and cons.

This really is off-topic here.

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion@cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
 
03-17-2010, 09:08 PM
Michał Piotrowski

2010/3/17 Athmane Madjoudj <athmanem@gmail.com>:
> 2010/3/17 Michał Piotrowski <mkkp4x4@gmail.com>:
>> Hi,
>>
>> I recently had 30 hours of ssh brute force attack on my system. I'm
>> using strong passwords, but still can be generated from /dev/random, so
>> I switched to rsa authentication. What's your favourite way to deal
>> with such attacks? Please describe pros and cons.
>>
>> Regards,
>> Michal
>
> 1. Change SSH port

I don't have a remote access to my cisco router, so I can't change
port forwarding - sigh.

> 2. Disable access to root via SSH

Actually I need this to deploy my project. I'll change this someday,
but it will take some time to tweak configuration.

> 3. Install HIDS eg: fail2ban is included in fedora OR BFD
> (http://www.rfxn.com/projects/brute-force-detection/)

I'm not sure if I want to blindly ban networks.

>
>
> --
> Athmane Madjoudj

Regards,
Michal
 
03-17-2010, 09:08 PM
Athmane Madjoudj

On Wed, Mar 17, 2010 at 11:06 PM, Orion Poplawski <orion@cora.nwra.com> wrote:
> On 03/17/2010 03:55 PM, Michał Piotrowski wrote:
>> Hi,
>>
>> I recently had 30 hours of ssh brute force attack on my system. I'm
>> using strong passwords, but still can be generated from /dev/random, so
>> I switched to rsa authentication. What's your favourite way to deal
>> with such attacks? Please describe pros and cons.
>
> This really is off-topic here.
>
> --
> Orion Poplawski
> Technical Manager 303-415-9701 x222
> NWRA/CoRA Division FAX: 303-415-9702
> 3380 Mitchell Lane orion@cora.nwra.com
> Boulder, CO 80301 http://www.cora.nwra.com

I agree


--
Athmane Madjoudj
 
03-17-2010, 09:11 PM
Eric Sandeen

Michał Piotrowski wrote:
> Hi,
>
> I recently had 30 hours of ssh brute force attack on my system. I'm
> using strong passwords, but still can be generated from /dev/random, so
> I switched to rsa authentication. What's your favourite way to deal
> with such attacks? Please describe pros and cons.
>
> Regards,
> Michal

Aside from not allowing password logins, I throttle them, they usually
get tired and go away to an easier target.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 1/minute --limit-burst 2 -j ACCEPT


-Eric
 
03-17-2010, 09:24 PM
Michał Piotrowski

2010/3/17 Eric Sandeen <sandeen@redhat.com>:
> Michał Piotrowski wrote:
>> Hi,
>>
>> I recently had 30 hours of ssh brute force attack on my system. I'm
>> using strong passwords, but still can be generated from /dev/random, so
>> I switched to rsa authentication. What's your favourite way to deal
>> with such attacks? Please describe pros and cons.
>>
>> Regards,
>> Michal
>
> Aside from not allowing password logins, I throttle them, they usually
> get tired and go away to an easier target.
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 1/minute --limit-burst 2 -j ACCEPT

If I understand correctly - this limits ssh connections to two
connections per minute. I tried it before on my devel server without
success. I tried it now with your configuration also without success.

I used
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -j ACCEPT
and I still can connect to ssh as many times as I want.

>
>
> -Eric

Regards,
Michal
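
An added example, not part of the thread: the `limit` match only decides whether its own rule matches, so a connection over the limit is not dropped but falls through to the next rule or the chain policy. The Python model below is a simplification of that behaviour; the three chains, the 3-second spacing and all function names are constructed for illustration and do not claim to reproduce any poster's actual ruleset.

```python
# Model of first-match chain traversal with the iptables "limit" match.
# Only NEW connections to port 22 are modelled; chains and timings are constructed.

class Limit:
    """Token bucket behind '-m limit --limit N/minute --limit-burst B'."""
    def __init__(self, per_minute, burst):
        self.rate = per_minute / 60.0   # tokens regained per second
        self.burst = burst
        self.tokens = float(burst)      # bucket starts full
        self.last = 0.0

    def matches(self, now):
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                    # over the limit: the rule does not match

def verdict(chain, policy, now):
    """Target of the first matching rule, else the chain policy."""
    for limit, target in chain:
        if limit is None or limit.matches(now):
            return target
    return policy

def simulate(make_chain, policy, times):
    """Count accepted connections arriving at the given times (seconds)."""
    chain = make_chain()
    return sum(verdict(chain, policy, t) == "ACCEPT" for t in times)

# Constructed traffic: ten new connections, one every 3 seconds.
ATTEMPTS = [i * 3.0 for i in range(10)]

def limit_then_accept():  # limit rule, then an unconditional port-22 ACCEPT
    return [(Limit(2, 2), "ACCEPT"), (None, "ACCEPT")]

def limit_then_drop():    # limit rule, then an explicit DROP for port 22
    return [(Limit(2, 2), "ACCEPT"), (None, "DROP")]

def limit_only():         # limit rule alone: the chain policy decides the rest
    return [(Limit(2, 2), "ACCEPT")]

if __name__ == "__main__":
    for chain, policy in [(limit_then_accept, "DROP"), (limit_then_drop, "ACCEPT"), (limit_only, "ACCEPT")]:
        print(chain.__name__, policy, simulate(chain, policy, ATTEMPTS))
```

With a later ACCEPT rule or an ACCEPT policy all ten attempts get through; only when over-limit connections reach a DROP (or REJECT) are they cut to the burst of two. The bucket is shared by every source address, so while it is empty legitimate logins are refused too.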