SSH Brute Force Attacks

[cgimusic]

I would just like to point out that there have been several SSH attacks against my computer today that seem to be specifically targeting Bitcoin users. I believe the target IPs to be scraped from the Bitcoin network itself. I received about 100 login attempts to accounts called "bitcoin", "bitcoin1", "bitcoin2" and "namecoin" from an IP in China (220.165.5.4). If anyone knows what particular Bitcoin client or setup these attacks are targeting it would be useful to know, otherwise I would just like to remind everyone to keep their SSH secure, ideally with the AllowUsers directive to allow only specific accounts SSH access.

[grue]

or ip ban after 5 failed attempts

[Ente Erstickenfickër]

I would just like to point out that there have been several SSH attacks against my computer today that seem to be specifically targeting Bitcoin users. I believe the target IPs to be scraped from the Bitcoin network itself. I received about 100 login attempts to accounts called "bitcoin", "bitcoin1", "bitcoin2" and "namecoin" from an IP in China (220.165.5.4). If anyone knows what particular Bitcoin client or setup these attacks are targeting it would be useful to know, otherwise I would just like to remind everyone to keep their SSH secure, ideally with the AllowUsers directive to allow only specific accounts SSH access.

You might catch even more stuff you don't want if you firewall your machine in general. Many people get by fine blocking anything Chinese from coming in. I firewall out about 70% of the IPV4 address space and don't miss anything by doing so. If you have linux or BSD, you can use TCP wrappers and a program like denyhosts to dynamically detect and lock out SSH probers, which are very common due to a few common security tools that seem to turn up in use a lot.

http://en.wikipedia.org/wiki/TCP_Wrapper

[vbscarred]

SSH attacks are a common fact of life for anyone operating a server.
fail2ban is a fairly decent tool to handle them.
http://www.fail2ban.org

I agree. Another, and even more effective way to protect against SSH brute force attacks is to change the port the SSH server is running on.

I used to get over 1000 brute force attempts per day during the beginning of 2011. After installing fail2ban it went down to 30-40 attempts per day. Then I changed the SSH port to a port in the mid 1000's, which did the trick fully. The last three months, I've had one (1) failed login attempt, and I'm pretty sure that was me, mistyping the password.

Also, I created this Bash alias to track failed SSH login attempts:

Code:

alias failedlogin='sudo cat /var/log/auth.log* | grep '\''Failed password'\'' | grep sshd | awk '\''{print $1,$2}'\'' | sort -k 1,1M -k 2n | uniq -c'

As a final tip, the most secure way to login to an SSH server is to login with a private key, which will save you from keyloggers. Storing this on a USB drive will increase this security.

[Ente Erstickenfickër]

SSH attacks are a common fact of life for anyone operating a server.
fail2ban is a fairly decent tool to handle them.
http://www.fail2ban.org

I agree. Another, and even more effective way to protect against SSH brute force attacks is to change the port the SSH server is running on.

I used to get over 1000 brute force attempts per day during the beginning of 2011. After installing fail2ban it went down to 30-40 attempts per day. Then I changed the SSH port to a port in the mid 1000's, which did the trick fully. The last three months, I've had one (1) failed login attempt, and I'm pretty sure that was me, mistyping the password.

Also, I created this Bash alias to track failed SSH login attempts:

Code:

alias failedlogin='sudo cat /var/log/auth.log* | grep '\''Failed password'\'' | grep sshd | awk '\''{print $1,$2}'\'' | sort -k 1,1M -k 2n | uniq -c'

As a final tip, the most secure way to login to an SSH server is to login with a private key, which will save you from keyloggers. Storing this on a USB drive will increase this security.

Two good tips, thank you for bringing them here.

[Emil]

Another option is port knocking, where your SSH port remains closed until you send a specific sequence of packets. Then the port is temporarily opened for your IP address, and then reclosed shortly after. A form of security by obscurity, but effective if you're network packets aren't being actively sniffed.

http://en.wikipedia.org/wiki/Port_knocking

[jsgarvin]

As a final tip, the most secure way to login to an SSH server is to login with a private key, which will save you from keyloggers. Storing this on a USB drive will increase this security.

I concur.