Diary


Published: 2005-11-15,
Last Updated: 2005-11-15 01:03:04 UTC
by Mike Poor (Version: 3)
Been a rather slow day.  We had a user reporting a DDoS coming out of APNIC, but we have not received any packets as of yet.  A couple of the usual (but so annoying) phishing sites to take down.

One of our avid readers sent us an email recounting the thousands of ssh scans.  The Internet Storm Center has been reporting on these scans since early July of last year.  One of the first tools that we saw scanning with a dictionary attack was brute2.ssh, which we found posted to k-otik at that time.

Simple advice for SSH:

  1. Run ssh on a non-standard port.
  2. Choose good passphrases, and enforce them with PAM or other wrappers.
  3. Monitor your logs, and then consciously look at blocking and/or reporting the abusive netblocks.

Some fun things to do with ssh

  1. Use Bill Stearns' Fanout to run commands on multiple machines at once.
  2. Proxy all SOCKS-aware applications through SSH with the -D switch.  This works dynamically so that all your applications such as Mozilla, kmail, gaim can all proxy through an ssh tunnel.
  3. Watch SSH traffic in the clear if you are admin, using systrace or apptrace (see Bill Stearns' page again).

Good links:
Stearns.org

Dan Kaminsky on SSH kung fu


UPDATE

We received a lot of feedback about various tools you can use to block SSH brute force attacks.

So, here they are - you can find the one which suits you the most:

DenyHosts is a program that can be run from cron or as a service. It will parse /var/log/secure log file and keep track of offending hosts. When a certain (configurable) threshold is reached, it can modify /etc/hosts.deny and prevent the offending IP from connecting to the SSH server. More information about DenyHosts at http://denyhosts.sourceforge.net/

Fail2ban bans IP addresses that cause multiple authentication errors. More information at http://fail2ban.sourceforge.net/

Pam_abl is a pam module which can be used for blacklisting users or hosts after multiple failed authentication attempts: http://www.hexten.net/pam_abl/

Sshdfilter is another program which parses log files and blocks remote hosts by generating iptables rules: http://www.csc.liv.ac.uk/~greg/sshdfilter/

Sshblack also uses iptables to block offending hosts: http://www.pettingers.org/code/sshblack.html
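The log-parsing logic all of these tools share, as an added example that is not from the diary or from any of the tools listed: count failed sshd password attempts per source address in constructed /var/log/secure lines and emit TCP-wrappers entries for /etc/hosts.deny once a threshold is crossed. The sample log lines, the threshold of 3, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines in the OpenSSH syslog format of the
# time; the addresses are documentation ranges, not real offenders.
SAMPLE_LOG = """\
Nov 14 22:01:03 host sshd[2311]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Nov 14 22:01:05 host sshd[2313]: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
Nov 14 22:01:07 host sshd[2315]: Failed password for root from 192.0.2.10 port 4024 ssh2
Nov 14 22:01:09 host sshd[2317]: Failed password for invalid user oracle from 192.0.2.10 port 4025 ssh2
Nov 14 22:03:11 host sshd[2320]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Nov 14 22:03:20 host sshd[2322]: Accepted password for alice from 198.51.100.7 port 5101 ssh2
Nov 14 22:05:00 host sshd[2330]: Illegal user guest from 203.0.113.5
Nov 14 22:05:01 host sshd[2330]: Failed password for invalid user guest from 203.0.113.5 port 6000 ssh2
"""

# Matches both "Failed password for <user> from <ip>" and the "invalid user" variant.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return a Counter of failed password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def offending_hosts(log_text, threshold=3):
    """IPs with at least `threshold` failures, most active first."""
    counts = count_failures(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def hosts_deny_lines(ips):
    """Render /etc/hosts.deny entries that restrict sshd only (TCP wrappers syntax)."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_lines(offending_hosts(SAMPLE_LOG)):
        print(entry)
```

A single failed login from a legitimate user (alice above) stays under the threshold, which is the point of thresholding rather than blocking on the first failure.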

Thanks to Bas J, Pedro B, Alexander G, Michael B!



< shameless plug >

Ed Skoudis and I just finished an IPS bakeoff comparing 5 Intrusion Prevention Systems.  The link is over at Infosecmag, but it does require a registration.  I think you will find it an interesting security comparison of these systems, as it did force us to examine the core philosophies of these vendors.  Ed and I were truly surprised how a couple of guys in a lab could find their way through each of the 5 systems within an hour of testing.  Just imagine what an information warfare unit would be able to do...

< /shameless plug >

See some of you on Monday East Coast Time for the IDS class at Sans Baltimore!

Mike Poor
Handler on Duty
Intelguardians