[CentOS] One approach to dealing with SSH brute force attacks.

Fri Feb 1 23:15:13 UTC 2008
mouss <mouss at netoyen.net>

Les Bell wrote:
> mouss <mouss at netoyen.net> wrote:
>
> If you consider this security through obscurity, then why not publish
> the list of your users on a public web page? after all, you should use
> strong passwords, so why hide usernames?
> <<
>
> Usernames are comparatively hard to guess, and chosen from a large space -
> although email addresses often provide a huge clue. By contrast, there are
> only 64K port numbers (and only 1K privileged ports, all of which will be
> scanned by default with nmap) - and to make it worse, the attacker only has
> to telnet or nc to a port and sshd will obligingly send back its version
> number and protocol version info as plaintext. So, the added "obscurity" is
> effectively zero.
>

Zero? No. On all the boxes where I changed the port, I noticed 0 login 
attempts (in ssh logs). Before that, the boxes were under continuous 
attack (the last box that was installed was probed one second after it 
was connected! After the port change, nothing in ssh logs). Call this 
zero if you want.

I do understand that changing the port does not bring real security, but 
it avoids silly malware probes. An attacker needs to find the port among, 
say, 30K possible ports. If he uses one host, he will trigger alarms 
before he gets a chance to see the banner. That gets rid of such 
attempts, and leaves us more time to focus on real miscreants with more power.

> I sort of half-buy the log volume/noise argument, but rate-limiting and
> good analysis tools deal with this as well. 

Not so long ago, there was a bug in fail2ban. It used "loose" parsing to 
get the IP to block, but an attacker could put an IP in the login name, 
which would result in blocking arbitrary IPs. Of course, the problem was 
in the parsing and the solution is to fix the parsing. But if you get 
fewer probes, you are less vulnerable to such attacks.

> And it does nothing for the
> stress level, since the serious adversary will see through your
> non-standard port number in seconds.
>

Sure, but he needs to use multiple hosts, as otherwise he will be 
detected. I've not yet seen a "distributed" dictionary attack (I mean: 
using N machines against a single target). I guess there are enough 
Windows targets that they leave us in peace for now ;-p
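As an added illustration of the fail2ban parsing problem mentioned in the message above (this is example code written for this page, not fail2ban's own filter): a loose regex takes the first "from" it sees, so a login name that itself looks like "x from 192.0.2.9 port 22 ssh2" steers the ban at an address the attacker chose; a strict regex anchored on the real peer address sshd appends at the end of the line, plus a validity check, keeps the ban on the real source. The log lines, the threshold and both regexes are constructed for this example.

```python
import ipaddress
import re

# Constructed sshd log lines (not from the thread). Lines 3 and 4 carry an
# attacker-chosen username that imitates a "from <ip> port <n> ssh2" tail.
SAMPLE_LOG = [
    "Feb  1 22:10:01 host sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2",
    "Feb  1 22:10:03 host sshd[4242]: Failed password for root from 198.51.100.7 port 2222 ssh2",
    "Feb  1 22:10:05 host sshd[4243]: Failed password for invalid user x from 192.0.2.9 port 22 ssh2 from 203.0.113.5 port 4322 ssh2",
    "Feb  1 22:10:07 host sshd[4244]: Failed password for invalid user y from 192.0.2.9 port 22 ssh2 from 203.0.113.5 port 4323 ssh2",
]

# Loose parser: the first "from <token>" wins, so the spoofed username decides
# which address is reported.
LOOSE = re.compile(r"Failed password for .*? from (\S+)")

# Strict parser: sshd always places the real peer address last on the line, so
# anchor on the line end and parse the whole "from <ip> port <port> ssh2" tail.
STRICT = re.compile(
    r"Failed password for (?P<user>.*) from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)


def loose_source_ip(line):
    """Return the address a naive filter would extract (may be attacker-controlled)."""
    m = LOOSE.search(line)
    return m.group(1) if m else None


def strict_source_ip(line):
    """Return the real peer address, or None if the line does not parse cleanly."""
    m = STRICT.search(line)
    if not m:
        return None
    try:
        # Reject anything that is not a syntactically valid address before it
        # can reach a firewall rule.
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None


def ips_to_block(lines, parser, threshold=2):
    """Count failures per extracted address and return those at or over the threshold."""
    counts = {}
    for line in lines:
        ip = parser(line)
        if ip:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

With the constructed lines, the loose parser would ban 192.0.2.9 (an address the attacker merely typed into the username) while the strict parser bans 203.0.113.5, the address that actually made the connections.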