Bitcoin Forum

Other => Beginners & Help => Topic started by: cgimusic on January 19, 2012, 12:34:41 AM



Title: SSH Brute Force Attacks
Post by: cgimusic on January 19, 2012, 12:34:41 AM
I would just like to point out that there have been several SSH attacks against my computer today that seem to be specifically targeting Bitcoin users. I believe the target IPs to be scraped from the Bitcoin network itself. I received about 100 login attempts to accounts called "bitcoin", "bitcoin1", "bitcoin2" and "namecoin" from an IP in China (220.165.5.4). If anyone knows what particular Bitcoin client or setup these attacks are targeting, it would be useful to know; otherwise, I would just like to remind everyone to keep their SSH secure, ideally with the AllowUsers directive to allow only specific accounts SSH access.

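A config check for the directives discussed in this post, added here as an example that is not part of the thread: it parses a stock-looking sshd_config and a hardened one (both constructed for this example) and flags the settings a brute forcer relies on. Directive names are OpenSSH's own; the port, account names and address in the hardened sample are illustrative. The hardened sample also switches off password logins, which is the key-only setup recommended further down the thread.

```python
"""Audit an OpenSSH sshd_config for the brute-force mitigations this thread recommends.

Added example, not from the forum post. It reads config text only and never
touches a running sshd. Directive names are real OpenSSH directives; the two
sample configs and the account names in them are constructed.
"""
import re

# Constructed: a stock-looking config where every local account is a password target.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# AllowUsers not set: sshd accepts a login attempt for any local account
"""

# Constructed: the same server after the thread's advice (AllowUsers, keys only, other port).
HARDENED_CONFIG = """\
Port 1522
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob@192.0.2.0/24
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {directive_lowercase: [args]} for the global section of an sshd_config.

    Mirrors two sshd rules that matter for an audit: the first occurrence of a
    directive wins, and everything after the first 'Match' line is conditional,
    so it is ignored here rather than mis-read as a global setting.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].split() if len(parts) > 1 else [])
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means nothing here to flag.

    Defaults assumed for absent directives follow sshd_config(5). Older OpenSSH
    releases defaulted PermitRootLogin to 'yes', which is why the hardened
    sample sets it explicitly instead of trusting the default.
    """
    s = parse_sshd_config(text)

    def first(key, default):
        return (s.get(key) or [default])[0].lower()

    findings = []
    if first("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: every guess in the log is a real chance; use keys")
    # keyboard-interactive via PAM can still take a password when PasswordAuthentication is off
    if (first("challengeresponseauthentication", "yes") == "yes"
            and first("kbdinteractiveauthentication", "yes") == "yes"):
        findings.append("ChallengeResponse/KbdInteractiveAuthentication on: PAM can still prompt for a password")
    if first("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: 'root' is the one account name every scanner tries")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: accounts like 'bitcoin' are reachable if they exist")
    if int(first("maxauthtries", "6")) > 3:
        findings.append("MaxAuthTries > 3: more password guesses per TCP connection")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_sshd_config(cfg) or ["nothing to flag"])
```

With AllowUsers in place, sshd refuses the authentication for any other account name before a password is ever checked, so the "bitcoin1"-style guesses in the log become dead on arrival; the `user@host` form (CIDR allowed in the host part) narrows it further to the networks you actually log in from. Run this against a copy of your own `/etc/ssh/sshd_config`, and remember to restart sshd only after `sshd -t` says the file parses.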

Title: Re: SSH Brute Force Attacks
Post by: grue on January 19, 2012, 02:55:04 AM
Or IP ban after 5 failed attempts.


Title: Re: SSH Brute Force Attacks
Post by: Ente Erstickenfickėr on January 19, 2012, 06:38:31 AM
Quote from: cgimusic on January 19, 2012, 12:34:41 AM
I would just like to point out that there have been several SSH attacks against my computer today that seem to be specifically targeting Bitcoin users. I believe the target IPs to be scraped from the Bitcoin network itself. I received about 100 login attempts to accounts called "bitcoin", "bitcoin1", "bitcoin2" and "namecoin" from an IP in China (220.165.5.4). If anyone knows what particular Bitcoin client or setup these attacks are targeting, it would be useful to know; otherwise, I would just like to remind everyone to keep their SSH secure, ideally with the AllowUsers directive to allow only specific accounts SSH access.

You might catch even more stuff you don't want if you firewall your machine in general. Many people get by fine blocking anything Chinese from coming in. I firewall out about 70% of the IPv4 address space and don't miss anything by doing so. If you have Linux or BSD, you can use TCP wrappers and a program like denyhosts to dynamically detect and lock out SSH probers, which are very common due to a few common security tools that seem to turn up in use a lot.

http://en.wikipedia.org/wiki/TCP_Wrapper


Title: Re: SSH Brute Force Attacks
Post by: vbscarred on January 19, 2012, 09:18:49 AM
SSH attacks are a common fact of life for anyone operating a server.
fail2ban is a fairly decent tool to handle them.
http://www.fail2ban.org

I agree. Another, and even more effective, way to protect against SSH brute force attacks is to change the port the SSH server is running on.

I used to get over 1000 brute force attempts per day during the beginning of 2011. After installing fail2ban it went down to 30-40 attempts per day. Then I changed the SSH port to a port in the mid-1000s, which did the trick fully. The last three months, I've had one (1) failed login attempt, and I'm pretty sure that was me, mistyping the password.

Also, I created this Bash alias to track failed SSH login attempts:

Code:
# count sshd "Failed password" lines per day; zcat -f also reads the rotated .gz logs that plain cat would feed to grep as binary
alias failedlogin='sudo zcat -f /var/log/auth.log* | grep '\''Failed password'\'' | grep sshd | awk '\''{print $1,$2}'\'' | sort -k 1,1M -k 2n | uniq -c'

As a final tip, the most secure way to login to an SSH server is to login with a private key, which will save you from keyloggers. Storing this on a USB drive will increase this security.

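The two ideas above, grue's "IP ban after 5 failed attempts" and vbscarred's per-day count of failed logins, worked through as an added example that is not part of either post: it parses sshd's `Failed password` lines out of an auth.log excerpt (constructed here, in the syslog format Debian-style systems write to /var/log/auth.log), groups them by day, account and source address, and lists the sources that have crossed the ban threshold. The addresses are RFC 5737 documentation addresses and the threshold of 5 is an assumption taken from grue's reply.

```python
"""Spot SSH brute-force sources in auth.log and decide who to ban.

Added example, not from the thread and not fail2ban's code. It implements
the two ideas posted above: "IP ban after 5 failed attempts" and a per-day
count of 'Failed password' lines. The log excerpt is constructed.
"""
import re
from collections import Counter

BAN_THRESHOLD = 5   # assumption: ban at the 5th failure, as suggested in the thread

# Constructed sample log; source IPs are from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 19 00:31:02 node sshd[4102]: Failed password for invalid user bitcoin from 203.0.113.7 port 41022 ssh2
Jan 19 00:31:04 node sshd[4104]: Failed password for invalid user bitcoin1 from 203.0.113.7 port 41030 ssh2
Jan 19 00:31:06 node sshd[4106]: Failed password for invalid user bitcoin2 from 203.0.113.7 port 41038 ssh2
Jan 19 00:31:08 node sshd[4108]: Failed password for invalid user namecoin from 203.0.113.7 port 41041 ssh2
Jan 19 00:31:10 node sshd[4110]: Failed password for invalid user bitcoin from 203.0.113.7 port 41050 ssh2
Jan 19 00:31:12 node sshd[4112]: Failed password for root from 203.0.113.7 port 41058 ssh2
Jan 19 00:45:00 node CRON[4200]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 19 02:10:31 node sshd[4310]: Failed password for invalid user admin from 198.51.100.9 port 50001 ssh2
Jan 19 02:10:35 node sshd[4312]: Failed password for invalid user test from 198.51.100.9 port 50007 ssh2
Jan 19 09:02:11 node sshd[4500]: Failed password for alice from 192.0.2.10 port 60111 ssh2
Jan 19 09:02:20 node sshd[4500]: Accepted publickey for alice from 192.0.2.10 port 60111 ssh2
Jan 20 03:15:40 node sshd[4610]: Failed password for invalid user bitcoin from 198.51.100.9 port 50100 ssh2
"""

# One pattern covers both "invalid user X" (no such account) and plain "X" (a real account).
FAILED_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return one dict per sshd 'Failed password' line; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({
                "day": re.sub(r"\s+", " ", m.group("day")),   # syslog pads 'Jan  9' with two spaces
                "user": m.group("user"),
                "ip": m.group("ip"),
                "invalid_user": m.group("invalid") is not None,
            })
    return events


def failures_by_ip(events):
    return Counter(e["ip"] for e in events)


def failures_by_user(events):
    """Which account names are being tried: tells you what the scanner is looking for."""
    return Counter(e["user"] for e in events)


def failures_by_day(events):
    """Same grouping as the 'failedlogin' alias in the thread (month + day)."""
    return Counter(e["day"] for e in events)


def ips_to_ban(events, threshold=BAN_THRESHOLD):
    """Source addresses that reached the threshold, most failures first."""
    return [ip for ip, n in failures_by_ip(events).most_common() if n >= threshold]


def ban_commands(ips):
    """The iptables rule a fail2ban-style action would add; text only, nothing is executed here."""
    return ["iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("failures per day:", dict(failures_by_day(evs)))
    print("accounts tried:", failures_by_user(evs).most_common())
    for cmd in ban_commands(ips_to_ban(evs)):
        print(cmd)
```

On the sample, only 203.0.113.7 crosses the threshold; 198.51.100.9 is probing too but has not earned a ban yet, and alice's single typo never gets close. Two things a real deployment adds that this count does not: fail2ban only counts failures inside a time window (its `findtime`) and lifts the ban after `bantime`, and it watches the `Invalid user` and `Connection closed by authenticating user` lines too, so a scanner that never reaches the password step is still caught.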

Title: Re: SSH Brute Force Attacks
Post by: Ente Erstickenfickėr on January 19, 2012, 02:08:13 PM
Quote from: vbscarred on January 19, 2012, 09:18:49 AM
SSH attacks are a common fact of life for anyone operating a server.
fail2ban is a fairly decent tool to handle them.
http://www.fail2ban.org

I agree. Another, and even more effective, way to protect against SSH brute force attacks is to change the port the SSH server is running on.

I used to get over 1000 brute force attempts per day during the beginning of 2011. After installing fail2ban it went down to 30-40 attempts per day. Then I changed the SSH port to a port in the mid-1000s, which did the trick fully. The last three months, I've had one (1) failed login attempt, and I'm pretty sure that was me, mistyping the password.

Also, I created this Bash alias to track failed SSH login attempts:

Code:
# count sshd "Failed password" lines per day; zcat -f also reads the rotated .gz logs that plain cat would feed to grep as binary
alias failedlogin='sudo zcat -f /var/log/auth.log* | grep '\''Failed password'\'' | grep sshd | awk '\''{print $1,$2}'\'' | sort -k 1,1M -k 2n | uniq -c'

As a final tip, the most secure way to login to an SSH server is to login with a private key, which will save you from keyloggers. Storing this on a USB drive will increase this security.

Two good tips, thank you for bringing them here.


Title: Re: SSH Brute Force Attacks
Post by: Emil on January 19, 2012, 06:22:45 PM
Another option is port knocking, where your SSH port remains closed until you send a specific sequence of packets. Then the port is temporarily opened for your IP address, and then reclosed shortly after. A form of security by obscurity, but effective if your network packets aren't being actively sniffed.

http://en.wikipedia.org/wiki/Port_knocking

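The knock-then-open behaviour Emil describes, as an added example that is neither from the post nor knockd's code: a small tracker replays a constructed packet trace (timestamp, source IP, destination port) and reports which connections to the SSH port a knock-gated firewall would have let through. The knock sequence, the timeouts and the addresses are assumptions chosen for the example; the trace deliberately includes a port sweep and a knocker who is too slow, since those are the cases a knock daemon has to get right.

```python
"""Port-knock gate: open the SSH port for a source only after the right sequence.

Added example, not from the thread and not knockd's implementation. It models
the rules a knock daemon applies to each source address: knocks must arrive in
order and within a per-knock timeout, any other port resets progress, and a
completed sequence opens the SSH port for that source for a short window.
"""

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumption: three-port sequence
KNOCK_TIMEOUT = 10.0                   # seconds allowed between consecutive knocks
OPEN_WINDOW = 30.0                     # seconds the SSH port stays open after a full sequence
SSH_PORT = 22


class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, knock_timeout=KNOCK_TIMEOUT, open_window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.knock_timeout = knock_timeout
        self.open_window = open_window
        self._progress = {}    # ip -> (index of next expected knock, time of last knock)
        self._open_until = {}  # ip -> time at which its access window expires

    def knock(self, t, ip, port):
        """Feed one observed SYN to a non-SSH port; return True if it completed the sequence."""
        idx, last = self._progress.get(ip, (0, None))
        if last is not None and t - last > self.knock_timeout:
            idx = 0                           # too slow: the partial sequence is forgotten
        if port == self.sequence[idx]:
            idx += 1                          # expected knock
        elif port == self.sequence[0]:
            idx = 1                           # wrong knock, but it is a fresh start
        else:
            idx = 0                           # any other port resets; a linear port sweep never gets past step 1
        if idx == len(self.sequence):
            self._progress.pop(ip, None)
            self._open_until[ip] = t + self.open_window
            return True
        self._progress[ip] = (idx, t)
        return False

    def is_open(self, t, ip):
        """True while this source's window is still running; closes automatically afterwards."""
        until = self._open_until.get(ip)
        return until is not None and t <= until


def replay(packets, tracker=None):
    """Run a (t, src_ip, dst_port) trace; return the SSH connections that would be accepted."""
    if tracker is None:
        tracker = KnockTracker()
    accepted = []
    for t, ip, port in packets:
        if port == SSH_PORT:
            if tracker.is_open(t, ip):
                accepted.append((t, ip))
        else:
            tracker.knock(t, ip, port)
    return accepted


# Constructed trace; addresses are RFC 5737 documentation addresses.
SAMPLE_TRACE = [
    # admin from 192.0.2.10: correct sequence, quick, then SSH inside and outside the window
    (0.0, "192.0.2.10", 7000),
    (1.0, "192.0.2.10", 8000),
    (2.0, "192.0.2.10", 9000),
    (3.0, "192.0.2.10", 22),        # accepted: window runs until t=32
    (40.0, "192.0.2.10", 22),       # rejected: window closed
    # scanner from 203.0.113.7: straight to SSH, then a sequential sweep that trips the reset
    (5.0, "203.0.113.7", 22),       # rejected: never knocked
    (6.0, "203.0.113.7", 7000),
    (7.0, "203.0.113.7", 7001),     # wrong port, progress reset
    (8.0, "203.0.113.7", 8000),
    (9.0, "203.0.113.7", 9000),
    (10.0, "203.0.113.7", 22),      # rejected
    # slow knocker from 198.51.100.9: right ports, 15 s gap between the first two
    (50.0, "198.51.100.9", 7000),
    (65.0, "198.51.100.9", 8000),   # past the 10 s timeout, sequence forgotten
    (66.0, "198.51.100.9", 9000),
    (67.0, "198.51.100.9", 22),     # rejected
]

if __name__ == "__main__":
    print("accepted SSH connections:", replay(SAMPLE_TRACE))
```

Only the admin's first connection gets through. The reset-on-any-other-port rule is what defeats a linear port scan: the scanner hits 7000 and then 7001, and from then on 8000 and 9000 arrive out of sequence. As Emil notes, the scheme offers nothing against someone who can sniff the path and replay the three SYNs, which is why daemons like knockd offer one-time sequences; keep the real authentication on keys and treat the knock as a way to keep noise out of the log.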

Title: Re: SSH Brute Force Attacks
Post by: jsgarvin on January 20, 2012, 03:56:58 AM
Quote from: vbscarred on January 19, 2012, 09:18:49 AM
As a final tip, the most secure way to login to an SSH server is to login with a private key, which will save you from keyloggers. Storing this on a USB drive will increase this security.

I concur.