
SSH Brute Force Attack Defense

    August 23, 2008

    One night, Jimmy was monitoring his SSH log and saw some suspicious entries:

    Jun 24 22:15:52 oceana sshd[11632]: Failed password for www from 218.22.3.51 port 39766 ssh2
    Jun 24 22:16:24 oceana sshd[11678]: Failed password for news from 218.22.3.51 port 40394 ssh2
    Jun 24 22:16:33 oceana sshd[11687]: Failed password for games from 218.22.3.51 port 40563 ssh2
    Jun 24 22:17:22 oceana sshd[11747]: Failed password for cvs from 218.22.3.51 port 41462 ssh2

    We can see that someone is trying to brute force login through the SSH. Theoretically, you should be safe from them, as long as your users use adequately strong passwords and the attacks don’t persist for long enough to try a significant number of possible passwords. However, such attacks can make it more difficult to spot other attacks that might pose a more significant risk to your systems. Because of this, you’ll want to put a stop to them quickly.
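    Spotting this pattern by eye works for four lines, but the same check can be run over a whole log. The script below is an added example and not part of the original post: it parses sshd "Failed password" lines, counts failures per source address and records the distinct usernames each source tried, then flags sources that combine many failures with several usernames, which is the signature of the dictionary attack shown above. The sample log embeds the four lines from the post plus two constructed lines (one failed and one accepted login for a legitimate user) so that the script runs offline; the thresholds are assumptions, not values from the post.

```python
import re

# Sample log: the four lines from the post plus two constructed lines for a
# legitimate user, so the script can run offline. Not real data.
SAMPLE_LOG = """\
Jun 24 22:15:52 oceana sshd[11632]: Failed password for www from 218.22.3.51 port 39766 ssh2
Jun 24 22:16:24 oceana sshd[11678]: Failed password for news from 218.22.3.51 port 40394 ssh2
Jun 24 22:16:33 oceana sshd[11687]: Failed password for games from 218.22.3.51 port 40563 ssh2
Jun 24 22:17:22 oceana sshd[11747]: Failed password for cvs from 218.22.3.51 port 41462 ssh2
Jun 24 22:18:01 oceana sshd[11802]: Failed password for jimmy from 10.0.0.47 port 51022 ssh2
Jun 24 22:18:09 oceana sshd[11802]: Accepted password for jimmy from 10.0.0.47 port 51022 ssh2
"""

# Matches the OpenSSH "Failed password" line, including the "invalid user"
# variant sshd logs when the account does not exist.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def summarize_failures(log_text):
    """Return {source_ip: {"count": failures, "users": [distinct users tried]}}."""
    summary = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed-password line (e.g. "Accepted password")
        entry = summary.setdefault(m["ip"], {"count": 0, "users": []})
        entry["count"] += 1
        if m["user"] not in entry["users"]:
            entry["users"].append(m["user"])
    return summary


def suspicious_sources(summary, min_failures=3, min_users=2):
    """Flag sources with many failures spread over several usernames.

    Thresholds are assumed values for this example; tune them to your site.
    One user mistyping a password a few times does not trip min_users.
    """
    return sorted(
        ip for ip, e in summary.items()
        if e["count"] >= min_failures and len(e["users"]) >= min_users
    )


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    for ip, e in summary.items():
        print(f"{ip}: {e['count']} failures, users tried: {', '.join(e['users'])}")
    print("suspicious:", suspicious_sources(summary))
```

    Run against a real log, the distinct-username count is what separates a guessing attacker from a user who has simply forgotten a password; the flagged addresses are candidates for the firewall rules discussed in the next section.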

    Brute Force Attack And Defense

    There are a few ways to counter a brute-force attack:

    a) Changing the SSH listening port

    The simplest thing to do is to tell the SSH daemon to listen on a nonstandard port, for example port 2200 instead of 22, by editing your sshd_config file.

    b) Firewalling the SSH Daemon

    The most restrictive approach is to allow connections to your sshd only from a specific list of IP addresses (i.e., a whitelist).

    For instance, you could use something similar to the following PF rules:

    table <ssh_allow> { 10.0.0.47, 10.0.0.98, 10.0.0.27 }
    # port matches require a protocol in PF, so name tcp explicitly
    block in proto tcp from any to any port 22
    pass in proto tcp from <ssh_allow> to any port 22

    However, this is obviously of limited use if your users need to be able to connect to their accounts when traveling.

    c) Rate-limiting SYN packets

    The last approach is to rate-limit SYN packets going to the port on which your SSH daemon is listening. The effect of this should be unnoticed by legitimate users, but it will delay an attacker that is making many repeated connections because it allows only a certain number of undelayed connections. For instance, PF lets you specify a rate for any stateful rule. This one limits each source address to three new connections per minute to port 22:

    pass inet proto tcp from any to any port 22 keep state (max-src-conn-rate 3 / 60)

    This will most likely cause the attacker to give up, because of the inordinate amount of time that will be needed to successfully brute-force an account.
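    To see why the rule slows an attacker but not a normal user, it helps to model what max-src-conn-rate 3/60 does. The script below is an added example, not code from the original post and not PF's own implementation: it is a simplified sliding-window model (PF uses a moving-average approximation, so exact timing may differ) that, per source address, allows at most three new connections in any 60-second window and drops the rest. The connection timeline is constructed: an attacker at 218.22.3.51 opening a connection every ten seconds for two minutes, and a legitimate user at 10.0.0.47 logging in twice; the addresses are reused from the post for readability.

```python
from collections import defaultdict, deque


def apply_conn_rate_limit(attempts, max_conns=3, seconds=60):
    """Simplified model of PF's max-src-conn-rate max_conns/seconds.

    attempts: iterable of (epoch_seconds, src_ip) in time order.
    For each source, at most max_conns connections are accepted in any
    sliding window of `seconds`; further ones in that window are dropped.
    Returns (allowed, dropped) as lists of (t, ip).
    """
    recent = defaultdict(deque)  # per-source timestamps of accepted connections
    allowed, dropped = [], []
    for t, ip in attempts:
        window = recent[ip]
        while window and t - window[0] >= seconds:
            window.popleft()  # expire connections that fell out of the window
        if len(window) < max_conns:
            window.append(t)
            allowed.append((t, ip))
        else:
            dropped.append((t, ip))
    return allowed, dropped


def demo():
    """Constructed timeline: an attacker hammering the port and one real user."""
    attacker = [(t, "218.22.3.51") for t in range(0, 120, 10)]  # 12 tries, every 10 s
    legit = [(5, "10.0.0.47"), (400, "10.0.0.47")]              # two ordinary logins
    return apply_conn_rate_limit(sorted(attacker + legit))


if __name__ == "__main__":
    allowed, dropped = demo()
    print("allowed:", allowed)
    print("dropped:", dropped)
    # The attacker gets through 6 of 12 attempts (3 per minute); the user is untouched.
```

    The attacker's throughput collapses to the configured rate while the legitimate user, who never opens three connections in a minute, sees no change. Keep in mind that the limit is per source address: an attacker spread across many addresses is slowed only per address, which is why the log check above remains worthwhile alongside the rule.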
