SSH password authentication insight and analysis by DRG
We've been writing about SSH brute force attempts for numerous times already. A lot of security researchers are collecting various information about such brute force attacks and numerous other tools exist that can prevent or block them.
DRG (Dragon Research Group), which is a volunteer research organization dedicated to further understanding of online criminality and to provide actionable intelligence for the benefit of the entire Internet community, last month published a very nice paper about such SSH brute force attempts. Among the other things, the paper lists a whole bunch of tools that can be used in order to limit or block SSH brute force attempts, and configuration recommendations that will help you increase security of your SSH installations. Check the paper at http://www.dragonresearchgroup.org/insight/sshpwauth-tac.html
Additionally, DRG is also publishing a list of IP addresses of SSH attackers that were detected on various pods DRG uses, that are spread around the world. This list is available at http://www.dragonresearchgroup.org/insight/sshpwauth.txt.
DRG also created a very cool tag cloud showing most common usernames and passwords that have been tried in latest SSH brute force attacks. The cloud is available at http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html - check it make sure there aren’t any of your passwords there :). Both the list and the cloud are updated every hour.
More information about DRG is available at http://www.dragonresearchgroup.org/ and I’m sure they could use more pod runners.
--
Bojan
INFIGO IS
Web App Penetration Testing and Ethical Hacking | Amsterdam | Mar 31st - Apr 5th 2025 |
Comments
Rob Dewhirst
Sep 7th 2010
1 decade ago
Ron
Sep 7th 2010
1 decade ago
cannball
Sep 7th 2010
1 decade ago
From the 'man sshd_config':
MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional
connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connec‐
tion. The default is 10.
Alternatively, random early drop can be enabled by specifying the three colon separated values
“start:rate:full” (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of
“rate/100” (30%) if there are currently “start” (10) unauthenticated connections. The probability
increases linearly and all connection attempts are refused if the number of unauthenticated connections
reaches “full” (60).
Nerijus
Sep 8th 2010
1 decade ago
Anything other than a specific IP-blocking mechanism opens one up to DoS. This includes options that affect the operation of the ssh daemon and options that are specific to a username. Very simply, if an attacker knows (or guesses) a remote host is using an IPS method that somehow cripples the daemon or specifically blocks a username, all they have to do is continue to attack, even if they can't break in. This effectively denies/impacts access to legitimate users, the definition of DoS. Information Assurance covers many things other than unauthorized access. Protection against all of them is important.
The referenced article has some good options for IP-based blocking including sshblack and sshguard. Conceivably, there is a methodology for 'joe jobbing' or spoofing an IP address to get it blocked, but very unlikely with the ssh protocol.
24
Sep 15th 2010
1 decade ago