Bitcoin Forum
December 03, 2016, 08:03:49 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: SSH Brute Force Attacks  (Read 1601 times)
cgimusic
Newbie
*
Offline Offline

Activity: 1


View Profile
January 19, 2012, 12:34:41 AM
 #1

I would just like to point out that there have been several SSH attacks against my computer today that seem to be specifically targeting Bitcoin users. I believe the target IPs to be scraped from the Bitcoin network itself. I received about 100 login attempts to accounts called "bitcoin", "bitcoin1", "bitcoin2" and "namecoin" from an IP in China (220.165.5.4). If anyone knows what particular Bitcoin client or setup these attacks are targeting it would be useful to know, otherwise I would just like to remind everyone to keep their SSH secure, ideally with the AllowUsers directive to allow only specific accounts SSH access.
1480795429
Hero Member
*
Offline Offline

Posts: 1480795429

View Profile Personal Message (Offline)

Ignore
1480795429
Reply with quote  #2

1480795429
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480795429
Hero Member
*
Offline Offline

Posts: 1480795429

View Profile Personal Message (Offline)

Ignore
1480795429
Reply with quote  #2

1480795429
Report to moderator
1480795429
Hero Member
*
Offline Offline

Posts: 1480795429

View Profile Personal Message (Offline)

Ignore
1480795429
Reply with quote  #2

1480795429
Report to moderator
1480795429
Hero Member
*
Offline Offline

Posts: 1480795429

View Profile Personal Message (Offline)

Ignore
1480795429
Reply with quote  #2

1480795429
Report to moderator
grue
Global Moderator
Legendary
*
Offline Offline

Activity: 1932



View Profile
January 19, 2012, 02:55:04 AM
 #2

or ip ban after 5 failed attempts

It is pitch black. You are likely to be eaten by a grue.

Tired of annoying signature ads? Ad block for signatures
Ente Erstickenfickër
Newbie
*
Offline Offline

Activity: 13


View Profile
January 19, 2012, 06:38:31 AM
 #3

I would just like to point out that there have been several SSH attacks against my computer today that seem to be specifically targeting Bitcoin users. I believe the target IPs to be scraped from the Bitcoin network itself. I received about 100 login attempts to accounts called "bitcoin", "bitcoin1", "bitcoin2" and "namecoin" from an IP in China (220.165.5.4). If anyone knows what particular Bitcoin client or setup these attacks are targeting it would be useful to know, otherwise I would just like to remind everyone to keep their SSH secure, ideally with the AllowUsers directive to allow only specific accounts SSH access.

You might catch even more stuff you don't want if you firewall your machine in general. Many people get by fine blocking anything Chinese from coming in. I firewall out about 70% of the IPV4 address space and don't miss anything by doing so. If you have linux or BSD, you can use TCP wrappers and a program like denyhosts to dynamically detect and lock out SSH probers, which are very common due to a few common security tools that seem to turn up in use a lot.

http://en.wikipedia.org/wiki/TCP_Wrapper
vbscarred
Newbie
*
Offline Offline

Activity: 11


View Profile
January 19, 2012, 09:18:49 AM
 #4

SSH attacks are a common fact of life for anyone operating a server.
fail2ban is a fairly decent tool to handle them.
http://www.fail2ban.org

I agree. Another, and even more effective way to protect against SSH brute force attacks is to change the port the SSH server is running on.

I used to get over 1000 brute force attempts per day during the beginning of 2011. After installing fail2ban it went down to 30-40 attempts per day. Then I changed the SSH port to a port in the mid 1000's, which did the trick fully. The last three months, I've had one (1) failed login attempt, and I'm pretty sure that was me, mistyping the password.

Also, I created this Bash alias to track failed SSH login attempts:

Code:
alias failedlogin='sudo cat /var/log/auth.log* | grep '\''Failed password'\'' | grep sshd | awk '\''{print $1,$2}'\'' | sort -k 1,1M -k 2n | uniq -c'

As a final tip, the most secure way to login to an SSH server is to login with a private key, which will save you from keyloggers. Storing this on a USB drive will increase this security.
Ente Erstickenfickër
Newbie
*
Offline Offline

Activity: 13


View Profile
January 19, 2012, 02:08:13 PM
 #5

SSH attacks are a common fact of life for anyone operating a server.
fail2ban is a fairly decent tool to handle them.
http://www.fail2ban.org

I agree. Another, and even more effective way to protect against SSH brute force attacks is to change the port the SSH server is running on.

I used to get over 1000 brute force attempts per day during the beginning of 2011. After installing fail2ban it went down to 30-40 attempts per day. Then I changed the SSH port to a port in the mid 1000's, which did the trick fully. The last three months, I've had one (1) failed login attempt, and I'm pretty sure that was me, mistyping the password.

Also, I created this Bash alias to track failed SSH login attempts:

Code:
alias failedlogin='sudo cat /var/log/auth.log* | grep '\''Failed password'\'' | grep sshd | awk '\''{print $1,$2}'\'' | sort -k 1,1M -k 2n | uniq -c'

As a final tip, the most secure way to login to an SSH server is to login with a private key, which will save you from keyloggers. Storing this on a USB drive will increase this security.

Two good tips, thank you for bringing them here.
Emil
Newbie
*
Offline Offline

Activity: 8


View Profile
January 19, 2012, 06:22:45 PM
 #6

Another option is port knocking, where your SSH port remains closed until you send a specific sequence of packets. Then the port is temporarily opened for your IP address, and then reclosed shortly after. A form of security by obscurity, but effective if you're network packets aren't being actively sniffed.

http://en.wikipedia.org/wiki/Port_knocking
jsgarvin
Newbie
*
Offline Offline

Activity: 15


View Profile
January 20, 2012, 03:56:58 AM
 #7

As a final tip, the most secure way to login to an SSH server is to login with a private key, which will save you from keyloggers. Storing this on a USB drive will increase this security.

I concur.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!