Mailing List Archive: MythTV: Users

Semi-OT: Blocking Brute Force SSH attacks

Index | Next | Previous | View Threaded

jra at baylink

Oct 19, 2007, 9:50 AM

Post #1 of 23 (3720 views)
Permalink

Semi-OT: Blocking Brute Force SSH attacks

If you've tunneled SSH traffic through to your Mythbox, you're likely
the target of brute-force SSH attacks, some of which might well work.

The most elegant solution I've found so far is here:

http://www.la-samhna.de/library/brutessh.html#5

This won't block attacks that "know" about a specific bug in your sshd,
so you need to stay updated, but for the dictionary attacks it will
work nicely, and it'll sure keep your logs from growing without
bounds...

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra[at]baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

yan at seiner

Oct 19, 2007, 9:56 AM

Post #2 of 23 (3667 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

Jay R. Ashworth wrote:
> If you've tunneled SSH traffic through to your Mythbox, you're likely
> the target of brute-force SSH attacks, some of which might well work.
>
> The most elegant solution I've found so far is here:
>
> http://www.la-samhna.de/library/brutessh.html#5
>
> This won't block attacks that "know" about a specific bug in your sshd,
> so you need to stay updated, but for the dictionary attacks it will
> work nicely, and it'll sure keep your logs from growing without
> bounds...

You can also do this with iptables. There is also a setting in sshd
itself that allows only so many connections / unit time.

But none of this will help you if you are the subject of a concerted,
persistent, distributed attack - only picking a really good password,
not allowing root ssh access, and monitoring logs will keep you safe....

--
o__
,>/'_ o__
(_)\(_) ,>/'_ o__
Yan Seiner (_)\(_) ,>/'_ o__ o__
Certified Personal Trainer (_)\(_) ,>/'_ ,>/'_
Licensed Professional Engineer (_)\(_) (_)\(_)

'man' is short for 'manual' because it's very short, for a manual.
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

beww at beww

Oct 19, 2007, 10:02 AM

Post #3 of 23 (3673 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

Jay R. Ashworth wrote:
> If you've tunneled SSH traffic through to your Mythbox, you're likely
> the target of brute-force SSH attacks, some of which might well work.
>
> The most elegant solution I've found so far is here:
>
> http://www.la-samhna.de/library/brutessh.html#5
>
> This won't block attacks that "know" about a specific bug in your sshd,
> so you need to stay updated, but for the dictionary attacks it will
> work nicely, and it'll sure keep your logs from growing without
> bounds...

Some good point there.

You can automate some of them by using "fail2ban", but I don't suggest
using it if you are prone to typos, you can lock yourself out :-)

Personally I use an external firewall to only allow ssh packets from
specified IP addresses, but in my case I can predict from which
addresses I will want to log in, some folks don't have that advantage.

beww

beww

_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

caldodge at gmail

Oct 19, 2007, 10:05 AM

Post #4 of 23 (3672 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

On 10/19/07, Jay R. Ashworth <jra[at]baylink.com> wrote:
> If you've tunneled SSH traffic through to your Mythbox, you're likely
> the target of brute-force SSH attacks, some of which might well work.
>
> The most elegant solution I've found so far is here:
>
> http://www.la-samhna.de/library/brutessh.html#5

That looks cool. Meanwhile, I've never seen any unauthorized login
attempts on any system where I've configured SSH to use a non-standard
port, since the bots which are carrying out these massive SSH attacks
are all looking at port 22.

Calvin
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

mythtv at bektchiev

Oct 19, 2007, 10:19 AM

Post #5 of 23 (3669 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

On 10/19/07, Yan Seiner <yan[at]seiner.com> wrote:
>
> Jay R. Ashworth wrote:
> > If you've tunneled SSH traffic through to your Mythbox, you're likely
> > the target of brute-force SSH attacks, some of which might well work.
> >
> > The most elegant solution I've found so far is here:
> >
> > http://www.la-samhna.de/library/brutessh.html#5
> >
> > This won't block attacks that "know" about a specific bug in your sshd,
> > so you need to stay updated, but for the dictionary attacks it will
> > work nicely, and it'll sure keep your logs from growing without
> > bounds...
>
> You can also do this with iptables. There is also a setting in sshd
> itself that allows only so many connections / unit time.
>
> But none of this will help you if you are the subject of a concerted,
> persistent, distributed attack - only picking a really good password,
> not allowing root ssh access, and monitoring logs will keep you safe....

If you really want to prevent dictionary attacks you should disable password
login altogether and only allow login using public key authentication and
password protect your private keys.

This way someone needs to get a hold of your key and guess the password. And
if you regularly change the keys then this is even more secure...

An even more secure technique is to use port knocking (
http://www.portknocking.org/) combined with the above but I'm not that
paranoid yet.

Deyan

larry.sanderson at gmail

Oct 19, 2007, 10:22 AM

Post #6 of 23 (3670 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

On Friday 19 October 2007 12:50:37 pm Jay R. Ashworth wrote:
> If you've tunneled SSH traffic through to your Mythbox, you're likely
> the target of brute-force SSH attacks, some of which might well work.
>
> The most elegant solution I've found so far is here:
>
> http://www.la-samhna.de/library/brutessh.html#5
>
> This won't block attacks that "know" about a specific bug in your
> sshd, so you need to stay updated, but for the dictionary attacks it
> will work nicely, and it'll sure keep your logs from growing without
> bounds...

Thanks Jay - I've been meaning to find something like this, but it just
hasn't been a priority. You just made my life a bit easier!
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

nico at youplala

Oct 19, 2007, 10:33 AM

Post #7 of 23 (3656 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

trate-limit the connection rate using iptables (removes part of the
denial of service threat, while creating another because of possible
source spoofing)

http://www.debian-administration.org/articles/187

and use key authentication instead of passwords (removes the dictionary
attack/bad password threat), and disable password authentication.

http://www.networknewz.com/networknewz-10-20030707AuthenticatingbyPublicKeyOpenSSH.html

Done.

_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

james at thearmstrongs

Oct 19, 2007, 10:55 AM

Post #8 of 23 (3660 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

I had the same problem. I ended up moving the ssh port and installing a
script that looks for unsuccessful logins and blocks the ip address for
one hour. I also have the bashrc modified to page me immediately with
the login name and ip address no matter who logs in. Before I moved the
port and out the ban script in I actually got paged and immediately went
to the console and killed the computer. Definitely look at the passwd
file and set all users that don't need bash access to /bin/false or
nologin. I just have myself that can login and at work deny ssh root
login so I am forced to login as me, then su to root.

- James
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

pta-myth at psaconsultants

Oct 19, 2007, 11:05 AM

Post #9 of 23 (3669 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

----- "James Armstrong" <james[at]thearmstrongs.org> wrote:

> Before I moved the port and out the ban script in I actually
> got paged and immediately went to the console and killed the
> computer.

why not just unplug the network cable? gotta maintain those
uptimes. :-)

-peter
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

james at thearmstrongs

Oct 19, 2007, 11:23 AM

Post #10 of 23 (3665 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

peter abplanalp wrote:
> ----- "James Armstrong" <james[at]thearmstrongs.org> wrote:
>
>
>> Before I moved the port and out the ban script in I actually
>> got paged and immediately went to the console and killed the
>> computer.
>>
>
> why not just unplug the network cable? gotta maintain those
> uptimes. :-)
>
Come to think of it I think I got paged while I was at work so I logged
in as fast as I could and killed his login session, then he logged back
in. I could not keep him out and I was remote so I had to shut it down
until I was able to change passwords, login access and the port. I used
to get attacks all the time but as soon as you change from port 22 they
go away.

- James

poublon at geeksoft

Oct 19, 2007, 4:32 PM

Post #11 of 23 (3647 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

Jay R. Ashworth wrote:
> If you've tunneled SSH traffic through to your Mythbox, you're likely
> the target of brute-force SSH attacks, some of which might well work.
>
> The most elegant solution I've found so far is here:
>
> http://www.la-samhna.de/library/brutessh.html#5
>
> This won't block attacks that "know" about a specific bug in your sshd,
> so you need to stay updated, but for the dictionary attacks it will
> work nicely, and it'll sure keep your logs from growing without
> bounds...
>
> Cheers,
> -- jra
>
I've created a small php webpage that I run on my linux router that lets
me log in and dynamically add a rule to iptables on the fly with a
single click of a button. This way, as long as I can browse the web I
can get SSH access.

-Mike
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

chrisribe at gmail

Oct 19, 2007, 7:49 PM

Post #12 of 23 (3658 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

>
> I've created a small php webpage that I run on my linux router that lets
> me log in and dynamically add a rule to iptables on the fly

Secured how? I'm neither particularly paranoid nor a security expert, but
giving php root access (or anyone else iptables access) doesn't sound like
an improvement over anything.

-chris

--
TV/IT Engineer
WCJB-TV Gainesville, FL
(352) 377 2020 x248
cribe[at]wcjb.com

bfoddy at visi

Oct 19, 2007, 8:07 PM

Post #13 of 23 (3643 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

On Friday 19 October 2007, Chris Ribe wrote:
> > I've created a small php webpage that I run on my linux router that lets
> > me log in and dynamically add a rule to iptables on the fly
>
> Secured how? I'm neither particularly paranoid nor a security expert, but
> giving php root access (or anyone else iptables access) doesn't sound like
> an improvement over anything.
>
>
> -chris

Check out sshblack.v28. I run it on my linux firewall and it very
effectively slams the firewall door on my unwelcome hackers.

I'm even on the ntp pool, which more than double my hack
attempts, so I upped the penalty box time to 15 days and blocked
ALL traffic (not just connection requests) from the offender. I
figure a ntp user trys to hack me, why should I give them the
time-of-day. I also log all blacklists, and occasionally check for
dupes. One shmuck tried 5 consecutive times, so I'm permanently
blocking him.

Brian

_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

jra at baylink

Oct 19, 2007, 8:16 PM

Post #14 of 23 (3656 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

On Fri, Oct 19, 2007 at 10:07:28PM -0500, Brian Foddy wrote:
> I'm even on the ntp pool, which more than double my hack
> attempts,

/me pats brian on the back.

http://www.pool.ntp.org, folks.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra[at]baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

poublon at geeksoft

Oct 19, 2007, 8:43 PM

Post #15 of 23 (3645 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

Chris Ribe wrote:
>
>
> I've created a small php webpage that I run on my linux router
> that lets
> me log in and dynamically add a rule to iptables on the fly
>
>
>
> Secured how? I'm neither particularly paranoid nor a security expert,
> but giving php root access (or anyone else iptables access) doesn't
> sound like an improvement over anything.
>
I gave the apache user rights to sudo iptables. I'm sure it's not the
most secure thing ever, but the page is behind a password protected (via
apache) directory that's not linked to anywhere on the home page. I know
it's a little bit security through obscurity, but it's password
protected obscurity :)

-Mike
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

bfoddy at visi

Oct 19, 2007, 10:06 PM

Post #16 of 23 (3650 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

On Friday 19 October 2007, Mike Poublon wrote:
> Chris Ribe wrote:
> > I've created a small php webpage that I run on my linux router
> > that lets
> > me log in and dynamically add a rule to iptables on the fly
> >
> >
> >
> > Secured how? I'm neither particularly paranoid nor a security expert,
> > but giving php root access (or anyone else iptables access) doesn't
> > sound like an improvement over anything.
>
> I gave the apache user rights to sudo iptables. I'm sure it's not the
> most secure thing ever, but the page is behind a password protected (via
> apache) directory that's not linked to anywhere on the home page. I know
> it's a little bit security through obscurity, but it's password
> protected obscurity :)
>
> -Mike

I don't know if I would have done that. sshblack simply reads a log
file to find offenders. Its default is to read the auth.log, but could
easily be altered to read an httpd access or error log. And it
provides a much better isolation of the two security sensitive
functions.

Just my 2 cents.

Brian
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

david at thekramers

Oct 20, 2007, 1:30 PM

Post #17 of 23 (3619 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

fenn at stanford

Oct 20, 2007, 3:56 PM

Post #18 of 23 (3613 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

On Fri, 19 Oct 2007 19:32:09 -0400 Mike Poublon
<poublon[at]geeksoft.dyndns.org> wrote:

> Jay R. Ashworth wrote:
> > If you've tunneled SSH traffic through to your Mythbox, you're
> > likely the target of brute-force SSH attacks, some of which might
> > well work.
> >
> > The most elegant solution I've found so far is here:
> >
> > http://www.la-samhna.de/library/brutessh.html#5
> >
> > This won't block attacks that "know" about a specific bug in your
> > sshd, so you need to stay updated, but for the dictionary attacks
> > it will work nicely, and it'll sure keep your logs from growing
> > without bounds...
> >
> > Cheers,
> > -- jra
> >
> I've created a small php webpage that I run on my linux router that
> lets me log in and dynamically add a rule to iptables on the fly with
> a single click of a button. This way, as long as I can browse the web
> I can get SSH access.
>

You can do everything in iptables - forget denyhosts or external
scripts:

/sbin/iptables -N SSH
/sbin/iptables -F SSH
/sbin/iptables -A SSH -m recent --name SSH --set --rsource
/sbin/iptables -A SSH -i ! ${IFext} -j RETURN
/sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3
--name SSH --rsource -j RETURN /sbin/iptables -A SSH -j DUMP

(IFext is my external interface).

then just jump to the rule chain, and accept the packet if it makes it
through:

/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -m state --state
NEW -j SSH
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -j ACCEPT

HTH,
Tim

--
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

larry.sanderson at gmail

Oct 20, 2007, 5:05 PM

Post #19 of 23 (3612 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

> You can do everything in iptables - forget denyhosts or external
> scripts:
>
> /sbin/iptables -N SSH
> /sbin/iptables -F SSH
> /sbin/iptables -A SSH -m recent --name SSH --set --rsource
> /sbin/iptables -A SSH -i ! ${IFext} -j RETURN
> /sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3
> --name SSH --rsource -j RETURN /sbin/iptables -A SSH -j DUMP
>
> (IFext is my external interface).
>
> then just jump to the rule chain, and accept the packet if it makes
> it through:
>
> /sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -m state
> --state NEW -j SSH
> /sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -j ACCEPT

As I read this, you are limiting connections to 3 per minute, yes? I
have looked for a way to use iptables to find offending connections
(say, more than six in a minute) and then blacklist them for 5 minutes.
Also, I would like a way to increase the blacklist time for repeat
offenders.

This approach appeals to me since I use openwrt as my primary router,
and it would be nice to block the traffic there before it even gets
into my network.

-Larry
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

beww at beww

Oct 20, 2007, 9:24 PM

Post #20 of 23 (3610 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

Larry Sanderson wrote:
>> You can do everything in iptables - forget denyhosts or external
>> scripts:
>>
>> /sbin/iptables -N SSH
>> /sbin/iptables -F SSH
>> /sbin/iptables -A SSH -m recent --name SSH --set --rsource
>> /sbin/iptables -A SSH -i ! ${IFext} -j RETURN
>> /sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3
>> --name SSH --rsource -j RETURN /sbin/iptables -A SSH -j DUMP
>>
>> (IFext is my external interface).
>>
>> then just jump to the rule chain, and accept the packet if it makes
>> it through:
>>
>> /sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -m state
>> --state NEW -j SSH
>> /sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -j ACCEPT
>
> As I read this, you are limiting connections to 3 per minute, yes? I
> have looked for a way to use iptables to find offending connections
> (say, more than six in a minute) and then blacklist them for 5 minutes.
> Also, I would like a way to increase the blacklist time for repeat
> offenders.
>
> This approach appeals to me since I use openwrt as my primary router,
> and it would be nice to block the traffic there before it even gets
> into my network.

See my comment on the ProSafe units. How many of us really need to have
ssh access from any IP in the world at any time of day? Restricting the
IPs that can get through really cuts down on the possible problems.

beww
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

justin at smithpolglase

Oct 21, 2007, 5:21 AM

Post #21 of 23 (3593 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

> Jay R. Ashworth wrote:
>> > If you've tunneled SSH traffic through to your Mythbox, you're likely
>> > the target of brute-force SSH attacks, some of which might well work.
>> >
>> > The most elegant solution I've found so far is here:
>> >
>> > http://www.la-samhna.de/library/brutessh.html#5
>> >
>> > This won't block attacks that "know" about a specific bug in your sshd,
>> > so you need to stay updated, but for the dictionary attacks it will
>> > work nicely, and it'll sure keep your logs from growing without
>> > bounds...
>
> I use one called DenyHosts (http://denyhosts.sourceforge.net/) which is
> very flexible and powerful; nearly completely automatic once set up.

I use fail2ban which is a python script which monitors log files for repeated
failed authentications, then blocks the respective IP address temporarily using
iptables. As well as ssh, it can also be easily set up for apache, ftp, mail, etc.

I have set up to email me when it blocks an IP address. I get around 5 emails a day.

http://www.fail2ban.org/

It's available as a package for the common distributions.

Cheers,
Justin.
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

mythtv at michaelstarks

Oct 21, 2007, 9:04 AM

Post #22 of 23 (3592 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

mikemacleod at gmail

Oct 22, 2007, 12:12 AM

Post #23 of 23 (3572 views)
Permalink

Re: Semi-OT: Blocking Brute Force SSH attacks [In reply to]

On 10/20/07, David Kramer <david[at]thekramers.net> wrote:
> I use one called DenyHosts (http://denyhosts.sourceforge.net/) which is
> very flexible and powerful; nearly completely automatic once set up.

Another vote for denyhosts. I have it installed on a couple of world
facing computers, and it's fantastic. Particularly slick is if you
enable the sync feature. All the hosts running DenyHosts can sync
their block lists to a central server. You can set parameters for
which hosts from the central database you pull out (for instance only
hosts that have attacked two computers in the pool, etc).

As a bonus, any application you run that respects
hosts.allow/hosts.deny is protected.

Mike
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com