
Re: SSH Cracking Attempts



From: Jacob S (stormspotter@6Texans.net)
Subject: SSH Cracking Attempts
Newsgroups: linux.debian.user
Date: 2004-09-29 12:10:24 PST

Every other day or so now I'm seeing attempts in my servers logs where
some remote machine starts trying to guess a username/password
combination to ssh into the server. They try everything from 'test', to
'NOUSER', 'guest', 'root', etc., doing at least one login attempt per
second, each time from a different source port.

So, my question is this. Is there a way to tell ssh to refuse
connections from an ip address after a certain number of failed login
attempts, or is snort the only way to do something like this? So far
I've been taking the manual approach, blocking the ip address with
my firewall after I see it hitting the logs, but that can give them
about an hour to play before I notice it (e-mailed to me by logcheck).

Any suggestions?
TIA,
Jacob

This is getting worse for me:

~$ grep 'Failed password' /var/log/auth.log |wc -l
241

241 attempts in the last day and a half. I'd like to make myself a less attractive target. In August, I asked for help in enabling FAIL_DELAY to discourage these ssh attacks:

http://lists.debian.org/debian-user/2004/08/msg07107.html

But apparently FAIL_DELAY no longer applies to ssh.

I've since learned of TARPIT, but have no idea how to implement that against ssh attacks. (I'm a desktop user, not a programmer or sys admin.)

The closest I've come to finding something that would help is this, but I don't know how to apply this to Debian:

http://lists.sans.org/pipermail/list/2004-July/061242.html

Is there any way I can lock out an account/machine after a certain number of failed login attempts via ssh? Similar to what happens on the console of a *nix box or the Windows login screen.

You haven't said what OS. If it uses PAM, then you'll have to swot up on
pam. Have a look at the pam_tally module; on my RH RHAS3 machines, the
docs are in /usr/share/doc/pam-0.75/html. You'd modify /etc/pam.d/sshd
or /etc/pam.d/system-auth on a RedHat 8, 9 or ES installation.

Example: Add the following to /etc/pam.d/(sshd|system-auth):

account    required      /lib/security/$ISA/pam_tally.so onerr=fail file=/var/log/faillog deny=3 no_magic_root even_deny_root_account

Reset failed logins (cron!) with /sbin/pam_tally.


I can't find anything relevant on pam or /etc/ssh/sshd_config. Sure, there is denying root logins, RhostsRSAAuthentication for known hosts, hosts allow and hosts deny, but those solutions address different situations. But your question remains key for me:

> Is there a way to tell ssh to refuse
> connections from an ip address after a certain number of failed login
> attempts,

Or to send it to a tarpit?

Any ideas?

Oh, you can report attacks at
http://www.dshield.org/ and get more info.
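The manual approach described above (grep the auth.log, then block the source with the firewall) can be automated with a short log watcher. The script below is an added example written for this page, not code posted by anyone in the thread. It parses "Failed password" lines in the syslog format OpenSSH of that era wrote to /var/log/auth.log, groups failures by source address, and flags only addresses that produce a burst of failures inside a short window, so a legitimate user who mistypes a password a few times over an afternoon is not blocked along with the dictionary-attack hosts. The log lines, hostnames and addresses are constructed for the example (the addresses are documentation ranges), and the iptables command is only rendered, not executed; the threshold and window values are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not from the original thread).
# The layout follows what sshd logged via syslog; hosts, users and addresses are made up.
SAMPLE_AUTH_LOG = """\
Sep 29 11:02:01 host sshd[4021]: Failed password for illegal user test from 192.0.2.10 port 40211 ssh2
Sep 29 11:02:02 host sshd[4023]: Failed password for illegal user guest from 192.0.2.10 port 40212 ssh2
Sep 29 11:02:03 host sshd[4025]: Failed password for root from 192.0.2.10 port 40213 ssh2
Sep 29 11:02:04 host sshd[4027]: Failed password for illegal user admin from 192.0.2.10 port 40214 ssh2
Sep 29 11:15:40 host sshd[4102]: Failed password for jacob from 198.51.100.7 port 51000 ssh2
Sep 29 11:15:55 host sshd[4104]: Accepted password for jacob from 198.51.100.7 port 51001 ssh2
Sep 29 12:40:00 host sshd[4310]: Failed password for root from 203.0.113.5 port 3301 ssh2
Sep 29 14:40:00 host sshd[4311]: Failed password for root from 203.0.113.5 port 3302 ssh2
Sep 29 16:40:00 host sshd[4312]: Failed password for root from 203.0.113.5 port 3303 ssh2
"""

# Matches only sshd "Failed password" lines; "illegal user" marks a nonexistent account.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_failures(log_text, year=2004):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    syslog timestamps carry no year, so one is assumed (default 2004, the
    year of the thread) to build comparable datetimes.
    """
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'Accepted password', other daemons, unrelated lines
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def offenders(failures, threshold=3, window_seconds=600):
    """Map source_ip -> total failures for every source that produced at least
    `threshold` failures within any span of `window_seconds`.

    The sliding window is what separates a guessing bot (many failures per
    minute) from a human who fails once every few hours; both values are
    assumed defaults, not settings from the thread.
    """
    by_ip = defaultdict(list)
    for ts, ip, _user in failures:
        by_ip[ip].append(ts)
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            span = (stamps[i + threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                hits[ip] = len(stamps)
                break
    return hits


def block_commands(hits):
    """Render one iptables rule per offender; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(hits)]


if __name__ == "__main__":
    found = parse_failures(SAMPLE_AUTH_LOG)
    print(f"{len(found)} failed logins parsed")
    for cmd in block_commands(offenders(found)):
        print(cmd)
```

Run against the real file with `parse_failures(open("/var/log/auth.log").read())` from cron or a logcheck hook, and pipe the rendered rules to a shell only after reviewing the thresholds; blocking a whole address also blocks everyone behind the same NAT, and the attacker's spread of source ports (noted in the original post) is irrelevant here because matching is on the address alone. Widening the window to several hours makes the occasional-failure host 203.0.113.5 in the sample show up as well, which illustrates why the window matters.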




