[Triumf-linux-managers] FYI, SSH dictionary attacks ramping up
Andrew Daviel
advax at triumf.ca
Tue Dec 8 16:00:13 PST 2009
FYI, the number of dictionary attacks against SSH seems to have ramped up
in recent weeks; see plots in link below.
(this is basically someone trying to guess your password for SSH login by
trying a large number of different strings)
We block hosts which show more than 16 password failures/day across the
site, as reported to syslog. The plots show the count of distinct hosts.
http://trweb.triumf.ca/triumf_nodeinfo/blocks/
We can't block distributed attacks (one attacker using a network of
different source addresses), only single hosts attacking a number of
targets. So there may be other attackers not listed.
A while ago I hacked sshd so it would log the failed passwords, to see
what strings were actually being tried. As per the link, most attempts
are against root, with attempts of username=password against common names
as well.
Note the keyboard patterns like qazwsxedc, and "hacker alphabet" such as
sw0rdf1sh. I presume most of these worked somewhere and were retried
everywhere else.
http://andrew.triumf.ca/ssh_pass_file2.html
Mitigation:
- make sure you don't have any username=password accounts (test/test,
  guest/guest)
- disable password logins for root:
  - in /etc/ssh/sshd_config, set "PermitRootLogin without-password"
    and get root either with su or SSH with a key from, preferably, a list of
    trusted machines
For the more paranoid, consider setting "PasswordAuthentication no" or
firewalling SSH with iptables+ip6tables, if you can live with having to
login from trusted machines or always use a key.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
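An added illustration, not part of the post above: the per-host, per-day count of sshd password failures that the post's blocking rule relies on, run over constructed syslog lines in OpenSSH's "Failed password" format. The 16/day threshold is the post's; the hostnames, addresses and log lines are constructed for the example.

```python
import re
from collections import Counter

# Threshold from the post: block a source after more than 16 failures in a day.
BLOCK_THRESHOLD = 16

# Matches the standard OpenSSH syslog line for a failed password attempt.
# "invalid user" appears when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)

def count_failures(lines):
    """Return {(day, source_ip): failure_count} for sshd password failures."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            counts[(m.group("date"), m.group("src"))] += 1
    return counts

def hosts_to_block(lines, threshold=BLOCK_THRESHOLD):
    """Source addresses with more than `threshold` failures on any single day."""
    return sorted({src for (_, src), n in count_failures(lines).items() if n > threshold})

def targeted_users(lines):
    """Usernames the failed attempts were aimed at, most common first."""
    users = Counter(m.group("user") for m in map(FAILED_RE.match, lines) if m)
    return users.most_common()

# Constructed sample log: 20 root failures from 198.51.100.7 (over the limit),
# 3 failures from 203.0.113.9 (under it), and one successful key login.
SAMPLE_LOG = [
    f"Dec  8 14:{i:02d}:01 host1 sshd[{1000 + i}]: Failed password for root "
    f"from 198.51.100.7 port {40000 + i} ssh2"
    for i in range(20)
] + [
    "Dec  8 15:01:10 host2 sshd[2201]: Failed password for invalid user test from 203.0.113.9 port 51000 ssh2",
    "Dec  8 15:01:12 host2 sshd[2202]: Failed password for invalid user guest from 203.0.113.9 port 51001 ssh2",
    "Dec  8 15:01:15 host2 sshd[2203]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "Dec  8 15:02:00 host2 sshd[2204]: Accepted publickey for alice from 192.0.2.5 port 52000 ssh2",
]

if __name__ == "__main__":
    print("block:", hosts_to_block(SAMPLE_LOG))
    print("targeted users:", targeted_users(SAMPLE_LOG))
```

In practice the lines would be read from the site's central syslog rather than an in-memory list, and the resulting addresses fed to the firewall.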