Posted

Hey guys. I just happened to witness someone trying to brute my SSH connection. I hopped on the server and noticed my WinSSHD event logs were notifying me like crazy of someone trying to log in with username root, but failing. I did an nslookup on the IP and this was the output:

Name:    67-23-32-241.static.cloud-ips.com
Address:  67.23.32.241

I immediately turned the port forward off, but I'm curious how a sysadmin would approach such an issue. Instead of turning off my port forward, is there a way I can, say, block an IP if it fails after so many attempts or such?

Also, I'm curious how this "user" was trying to brute me using the cloud, which I assume judging from the lookup result?

Posted

From a sysadmin point of view, I would block the subnet for a week on the firewall.

This also might be a good time to make sure you're not allowing root logins over ssh.

Posted

This is very common, at least in my limited experience. They're probably automated bots.

You can limit the number of attempts per minute in iptables. Careful though if you're working on a machine where SSH is your only access to it. You can also disable root logins and/or enable SSH keys as the login method.

Posted

That's a good point. Disabling logins is good practice, and moving to key authentication would be a good idea unless you need the user/password login method.

Posted

I am actually using key authentication, thanks to Darren and the Hak5 crew for the recent segment series :) I do remember a scene from the movie "Firewall" with Harrison Ford, when someone was trying to brute in and he had the admin do something with iptables; however, I'm not running any variant of Linux right now, so that's not really an option for me. I will disable password authentication and only use public keys.

However, if something like this happens again, even though password auth would be disabled, this could still serve as a DoS attack from so many attempts to log in. I'm wondering if there is a way to say "okay, this IP has tried to log in with these credentials this many times and failed, ban/block this IP".

Posted
I'm wondering if there is a way to say "okay, this IP has tried to log in with these credentials this many times and failed, ban/block this IP"

You could create a script that monitors the log file, and if there are x amount of failed attempts, it will append that IP to /etc/hosts.deny.

This can also be done at the firewall level.
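One way to build the log-monitoring script suggested above, as an added example that is not from the thread: it parses OpenSSH-style "Failed password" lines (constructed sample log below, not real traffic), counts failures per source IP, skips a trusted internal range so you cannot lock yourself out over your only SSH access, and formats the result as /etc/hosts.deny entries. The trusted ranges and threshold are assumptions to adapt.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches OpenSSH auth.log lines such as
#   "Failed password for root from 203.0.113.5 port 51234 ssh2"
#   "Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2"
FAILED_RE = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log lines (TEST-NET addresses, not from the thread)
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[4001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:04 host sshd[4002]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:06 host sshd[4003]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 host sshd[4004]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:01:11 host sshd[4005]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 10:02:00 host sshd[4010]: Failed password for bob from 192.168.1.20 port 40000 ssh2
Mar  3 10:02:05 host sshd[4011]: Accepted publickey for bob from 192.168.1.20 port 40001 ssh2
Mar  3 10:03:00 host sshd[4020]: Failed password for root from 198.51.100.9 port 60000 ssh2
"""

def failed_attempts_by_ip(lines):
    """Count failed login attempts per source IP; non-failure lines are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def ips_to_ban(lines, threshold=5, trusted=("192.168.0.0/16", "10.0.0.0/8")):
    """IPs with >= threshold failures, excluding trusted (assumed) internal networks."""
    nets = [ip_network(n) for n in trusted]
    banned = []
    for ip, n in failed_attempts_by_ip(lines).items():
        if n < threshold:
            continue
        addr = ip_address(ip)
        if any(addr in net for net in nets):
            continue  # never auto-ban the LAN you administer from
        banned.append(ip)
    return sorted(banned)

def hosts_deny_entries(ips):
    """Format banned IPs as /etc/hosts.deny lines for the sshd service."""
    return [f"sshd: {ip}" for ip in ips]
```

Run it periodically (cron) against the real auth log and append only entries not already present in hosts.deny.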

Posted

If you own the server, and have complete control, try Dave Kennedy's Artillery and set up some honey ports that do nothing. If people connect to the dummy ports, it will auto ban them for you.

https://www.secmaniac.com/download/

I know BWall is also working on some PHP stuff for people who try RFI attacks, like TimThumb flaws, and he also works on some firewall stuff; worth looking into.

Posted

I assume you have changed the external port from the SSH standard of 22 to something high and random. If you are using 22 you will get the world of bots cherry knocking. I find it amazing how simply changing the port now and again reduces this to virtually nothing.

Posted

I assume you have changed the external port from the SSH standard of 22 to something high and random. If you are using 22 you will get the world of bots cherry knocking. I find it amazing how simply changing the port now and again reduces this to virtually nothing.

This was going to be my suggestion.

Simply changing the port helps a lot. I keep port 22 on the system but block 22 at the router and forward another port to 22 on the system I SSH to.

Also, like others have said, disable root logins. There is no reason to have root use SSH; it's too easy to just su once you are logged in.

Posted

Alas, I have been a victim of bot brute forcing. Since then I have buffed my security. I now use key authentication on a different port (i.e. port 67839 rather than port 22) and close port 22 at my firewall. I also have ddclient installed, which bans an IP after 5 failed attempts. I have also disabled root logins.

Posted

Blocking China, Russia, and the Middle Eastern countries stops a lot of this crap too.

I do that on my website.

Since I run a local computer repair business, I don't care if people from other countries can see my site. It's stopped all of the SEO spam emails through my contact page. It has also almost completely stopped all hack attempts. I use the country ban module for Drupal. It works well. It gives a PHP error to IP addresses in the countries you select. As far as they know, your site's just messed up.

Posted

I don't know what I was thinking. I usually NEVER run any service on its default port at all. I did change the port. I'll disable root logins as well, though I'm not too sure how to block China, Russia, etc. When I was running an FTP years ago and had this same issue, I believe it was coming from China.

@ digip,

I'll look into that. I assume it's Linux-based only? That's fine though; I've wanted to set up a honeypot for some time to play with.

Thanks guys for all the info!

Posted

I don't know what I was thinking. I usually NEVER run any service on its default port at all. I did change the port. I'll disable root logins as well, though I'm not too sure how to block China, Russia, etc. When I was running an FTP years ago and had this same issue, I believe it was coming from China.

@ digip,

I'll look into that. I assume it's Linux-based only? That's fine though; I've wanted to set up a honeypot for some time to play with.

Thanks guys for all the info!

Here's a way to do it with iptables.

http://www.cyberciti.biz/faq/block-entier-country-using-iptables/

Posted

I don't know what I was thinking. I usually NEVER run any service on its default port at all. I did change the port. I'll disable root logins as well, though I'm not too sure how to block China, Russia, etc. When I was running an FTP years ago and had this same issue, I believe it was coming from China.

@ digip,

I'll look into that. I assume it's Linux-based only? That's fine though; I've wanted to set up a honeypot for some time to play with.

Thanks guys for all the info!

Talk to https://twitter.com/bwallHatesTwits. He does do iptables stuff, but his scanner part can work in PHP cross-platform, and could probably be adapted to notify Windows firewall rules, etc. He's a smart fellow, that one, and might have some other tricks you can play with. (He has a profile on these forums too.)

Posted

I don't know if WinSSHD supports the "Match Address" configuration option, but if it does, that will let you specify different configurations for connections from different addresses. This can be very useful if you want to require keys from outside your trusted network but are happy to allow password access from inside your trusted network. Simply set the defaults up to require keys and then use the "Match Address" option to define the IP ranges that you will allow password authentication from. It is also very useful for that third-party supplier that needs password access to the server and can't use keys.
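What that looks like in OpenSSH's sshd_config, as an added illustration (not from the post, and not WinSSHD syntax); the 192.168.1.0/24 range is an assumed trusted LAN, and Match blocks must come after all global settings:

```sshd_config
# Global defaults: keys only, no root, no passwords from anywhere
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no

# Relax only for the assumed trusted internal range;
# everything outside it still needs a key
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

Check the result with `sshd -T -C addr=192.168.1.50` versus an outside address before reloading, so the effective settings per source are what you expect.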

Posted

You could implement port knocking; it would be more effective.

http://www.portknocking.org/view/details

Posted

I think I'll stick with key authentication only; I like it better. As for this port knocking, it looks interesting. However, if I understand it right, I would need to add the "allowed" IP addresses to the configuration when setting this up? That is an issue, because if I'm on a public hotspot it's possibly going to be a dynamic IP, and I don't want to add a "coffee shop's" IP to my allowed list. Is that the case when setting that up?

Looks interesting. Another thing this just made me think of: I remember an episode where Darren would connect to a service on a certain open port and there was a utility or something that would bind or forward that port to the port the actual service was running on, e.g. "SSH to port 8080 and the server would forward that incoming connection to port 22 on the server". But would that be any more secure or beneficial than just running the service on a different port?

Posted

Looks interesting. Another thing this just made me think of: I remember an episode where Darren would connect to a service on a certain open port and there was a utility or something that would bind or forward that port to the port the actual service was running on, e.g. "SSH to port 8080 and the server would forward that incoming connection to port 22 on the server". But would that be any more secure or beneficial than just running the service on a different port?

A straightforward redirect would be the same as running the service on a different port. Most port forwarding configurations on SOHO routers will let you forward to a different port. So you could run the SSH service on port 22 and have port 1234 forwarded from your external IP to port 22 on your local server. The main advantage of this is that you only have to remember the different port on devices connecting from outside your internal network; those devices inside can just use the default port.
