[Triumf-linux-managers] brute-force ssh-login attacks
Kel Raywood
kray at triumf.ca
Tue Feb 14 17:29:05 PST 2017
There is currently an issue with the TRIUMF perimeter firewall that has
resulted in a failure of the system that blocks the sources of brute-force
ssh-login attempts [see below for the background].
So if your Linux machine(s) accept external ssh connections, you will be
seeing a significant increase in the number of ssh-login failures. They
are recorded locally in /var/log/secure and /var/log/btmp; the latter is
read with the command "lastb". The network team is working on resolving
the problem, but in the meantime it is a good time to double-check the
security of the Linux (or MacOS-X) machines that you manage.
The attacks focus mostly on the root account, so if your machine allows
external ssh connections, we strongly recommend that you configure sshd
to disallow password authentication for root and use ssh-key or
certificate-based logins instead. Of course, it is good to do this for
all accounts, but that is often not feasible.
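The following script is an added example, not part of the original post, for checking whether an sshd_config actually disallows root password logins. It reproduces the parts of sshd's parsing that most often trip people up: the first value found for a keyword wins (later duplicates are silently ignored), keywords are case-insensitive, and settings inside a Match block only apply to the connections that block describes. The two configuration files are constructed for the example; it assumes keyword and value are separated by whitespace (the "Key = value" form sshd also accepts is not handled).

```sh
#!/bin/sh
# Added example, not from the TRIUMF post: report how sshd will treat root
# password logins for a given sshd_config. sshd uses the FIRST value it finds
# for a keyword, skips comment lines, matches keywords case-insensitively,
# and applies Match blocks only to the connections they describe, so the
# global check below stops at the first Match line.
# Assumption: keyword and value are whitespace-separated.

# sshd_effective KEYWORD FILE
#   Print the globally effective value of KEYWORD (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                 # global section ends here
        tolower($1) == key     { print $2; exit }       # first occurrence wins
    ' "$2"
}

# root_password_login_allowed FILE
#   Print "allowed" if root can authenticate with a password, else "blocked".
#   OpenSSH 7.0+ defaults PermitRootLogin to prohibit-password, but older
#   releases default to yes, so an unset keyword is treated as "yes".
root_password_login_allowed() {
    prl=$(sshd_effective PermitRootLogin "$1")
    pa=$(sshd_effective PasswordAuthentication "$1")
    case "${prl:-yes}" in
        no|prohibit-password|without-password|forced-commands-only)
            echo blocked; return ;;
    esac
    case "${pa:-yes}" in
        no) echo blocked; return ;;
    esac
    echo allowed
}

# Constructed sample configs, written to temp files so the checks run offline.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# constructed: permissive settings seen on many default installs
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the next line is ignored by sshd: a duplicate after the first value
PermitRootLogin no
# this Match block only covers campus addresses, not the Internet
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed: root limited to keys/certificates; passwords still allowed
# for other accounts, since disabling them everywhere is often not feasible
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    printf '%s: PermitRootLogin=%s -> root password login %s\n' \
        "$f" "$(sshd_effective PermitRootLogin "$f")" \
        "$(root_password_login_allowed "$f")"
done
```

On a real host the authoritative check is `sshd -T`, which prints the effective configuration with defaults filled in; `sshd -T -C user=root,addr=<external-address>` applies the Match blocks for that connection context, which is what the Match-skipping above only approximates.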
Another option is to block all externally-originating ssh-connections,
and use the TRIUMF VPN service for making a remote connection. Again,
we realise that this is not always feasible because you have off-site
collaborators without permission to use the TRIUMF VPN service.
*Background*
For many years, TRIUMF has had a system for reducing the risk of
brute-force ssh intrusion. Many Linux desktop PCs and almost all Linux
servers at TRIUMF are configured to send notices of ssh-login failures
to syslog.triumf.ca . A process running on that machine can trigger
injection of a rule into the perimeter-firewall to block
source-addresses from which a high rate of login failures has been seen.
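The script below is an added example, not TRIUMF's own code, serving two passages of the post: the advice to look at the ssh-login failures recorded in /var/log/secure, and the background description of a process that counts failures per source address and triggers a block rule once the rate is high. It parses constructed /var/log/secure-style lines (documentation addresses), tallies sshd failures per source, counts how many target root, and prints the firewall rule a flagged source would earn. The threshold value and the rule format are assumptions for the example; the rules are printed, not applied.

```sh
#!/bin/sh
# Added example, not from the TRIUMF post: count sshd login failures per
# source address from /var/log/secure-style lines and flag sources at or
# above a threshold, which is the decision the syslog-side process described
# in the post makes before a block rule is injected into the firewall.
# The sample log lines, the threshold and the rule format are constructed.

# failed_logins_by_source LOGFILE
#   One line per source address, "COUNT IP", highest count first.
#   Matches every "Failed <method> for ..." line regardless of user name.
failed_logins_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' "$1" | sort -rn
}

# root_failures LOGFILE
#   Number of failed password attempts aimed at the root account.
root_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for root from/ { n++ }
         END { print n + 0 }' "$1"
}

# sources_over_threshold LOGFILE N
#   Addresses with at least N failures.
sources_over_threshold() {
    failed_logins_by_source "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# suggest_block_rules LOGFILE N
#   Print (do not apply) the firewall rule that would drop ssh from each
#   flagged source, for an operator to review before it reaches a firewall.
suggest_block_rules() {
    sources_over_threshold "$1" "$2" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
# Constructed sample of /var/log/secure lines from two hosts.
cat > "$LOG" <<'EOF'
Feb 14 16:01:02 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb 14 16:01:03 host1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Feb 14 16:01:05 host2 sshd[3310]: Failed password for root from 198.51.100.20 port 40000 ssh2
Feb 14 16:01:09 host1 sshd[2215]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: RSA SHA256:CONSTRUCTED
Feb 14 16:01:12 host1 sshd[2218]: Failed password for root from 203.0.113.7 port 51250 ssh2
Feb 14 16:01:15 host2 sshd[3312]: Failed publickey for bob from 192.0.2.10 port 50002 ssh2: RSA SHA256:CONSTRUCTED
EOF

echo "failures by source:";            failed_logins_by_source "$LOG"
echo "root-targeted failures: $(root_failures "$LOG")"
echo "sources with 3 or more failures:"; sources_over_threshold "$LOG" 3
echo "candidate rules:";               suggest_block_rules "$LOG" 3
```

Run against a single host's /var/log/secure (or /var/log/auth.log on Debian-style systems) this only catches sources that hammer that one machine; concatenating the logs of many hosts on a central syslog collector, as the post describes, is what lets a source that spreads a few attempts across each host be noticed. fail2ban is the usual per-host equivalent of this loop, and `lastb` gives the same failures from /var/log/btmp without any parsing.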
--
Kelvin Raywood
TRIUMF Information-Systems Technology dept.