Attacks via SSH

[ericmurphy]

I have ssh enabled on my machine for remote access. Hey, it's better than telnet, right? Anyway, I was perusing the /var/log/secure.log file, and noted a lot of failed authentication attempts against what appears to be guesses of accounts on the machine (e.g., "test," "root," "user," "admin," etc.). This is worrying, obviously.

I really do need to keep ssh access enabled on my machine. But I really only need that access from one IP address. Granted, IPs can be spoofed, but it can't hurt to restrict access via SSH to certain IP addresses. Is there a relatively straightforward way to do this? I'm planning on purchasing a hardware firewall (mainly to close ports that I need open for LAN access that should be closed for WAN access) which should be able to do it, but in the meantime, it would be nice to do it via ipfw. Can I just edit the ipfw rules file?

[tomdkat]

You should be able to block incoming ssh connections from everywhere except for a single IP. I can't give you the ipfw rules, but I've done this kind of thing on Linux using iptables so I imagine OS X would be able to do this using ipfw.

Maybe this site might be of help.

Peace...

[ksv]

You can also configure sshd to use private key authentication, which will make sshd impossible to break into with such automated «brute force» attacks. And/or block hosts after e.g. three failed attempts.

[jmarcus]

This problem is consistant accross the board. On my Linux machines I get about 1000 failed attempts a week. Recently I found www.denyhosts.com which checks your log files for failed logins and adds them to hosts.deny. Oh and KSV impossible is a big statement.

Take a look.
Good luck,
James

[ksv]

Quote:

Originally Posted by jmarcus

This problem is consistant accross the board. On my Linux machines I get about 1000 failed attempts a week. Recently I found www.denyhosts.com which checks your log files for failed logins and adds them to hosts.deny. Oh and KSV impossible is a big statement.

Take a look.
Good luck,
James

I did not write impossible to break into, but impossible to break into with such automated «brute force» attacks.

Or should we say «everything is relative?»

Using a 2048 bit RSA encryption without public key negotiation, there are
2^2048 options. If every attempt takes a second, the process of breaking into the system will take up to 512382770029664626152886806961408421493596249836940069002573969868161072090117498940848576 413034523460310723632069666722065568860199310646484781715919081099705588491998049785828104 352967872464909881685032725576615245944613182073759542080389689183321768481193747404633480 586883110430393972088286388951204742546840648618536631479657768686018669058475647439851630 804125533665192576622089997370469599709287435260114529485642786931722449758249328480219490 385800882915259181977497317672021263906356654796478146856649236692953054382249942177172726 654064662440343346391459529319343046761137725218038879273780023006398 years.

[fryke]

Only if it's the _last_ option, right. ... But really: The problem more often than not is not a brute-force attack but that OpenSSH has a known (and exploited) bug* which lets you somehow circumvent the security measures. Hence you have to turn SSH off if you don't need it and if you have to turn it on keep it updated well and, if you can, only let known IPs/hosts connect at all.

*Not talking about a specific bug here, of course.

[tomdkat]

Quote:

Originally Posted by jmarcus

This problem is consistant accross the board. On my Linux machines I get about 1000 failed attempts a week. Recently I found www.denyhosts.com which checks your log files for failed logins and adds them to hosts.deny. Oh and KSV impossible is a big statement.

Do you mean DenyHosts?

Quote:

Originally Posted by fryke

But really: The problem more often than not is not a brute-force attack but that OpenSSH has a known (and exploited) bug* which lets you somehow circumvent the security measures. Hence you have to turn SSH off if you don't need it and if you have to turn it on keep it updated well and, if you can, only let known IPs/hosts connect at all.

I think this is a very important point to keep in mind. You do not have to have the ssh daemon running to make outbound ssh connections. You need to have it running only if you want to accept ssh connections to your machine from remote. If you always use ssh to connect to other machines, don't run sshd.

If you tunnel X over ssh, I'm not sure if you need ssh running or not.

Peace...

[ElDiabloConCaca]

Quote:

Originally Posted by tomdkat

If you tunnel X over ssh, I'm not sure if you need ssh running or not.

Peace...

Just to confirm -- that's a negative. You do not need the sshd daemon running in order to tunnel X over ssh.