Attacks via SSH

ericmurphy

I have ssh enabled on my machine for remote access. Hey, it's better than telnet, right? Anyway, I was perusing the /var/log/secure.log file, and noted a lot of failed authentication attempts against what appears to be guesses of accounts on the machine (e.g., "test," "root," "user," "admin," etc.). This is worrying, obviously.

I really do need to keep ssh access enabled on my machine. But I really only need that access from one IP address. Granted, IPs can be spoofed, but it can't hurt to restrict access via SSH to certain IP addresses. Is there a relatively straightforward way to do this? I'm planning on purchasing a hardware firewall (mainly to close ports that I need open for LAN access that should be closed for WAN access) which should be able to do it, but in the meantime, it would be nice to do it via ipfw. Can I just edit the ipfw rules file?
 
You should be able to block incoming ssh connections from everywhere except for a single IP. I can't give you the ipfw rules, but I've done this kind of thing on Linux using iptables so I imagine OS X would be able to do this using ipfw.

Maybe this site might be of help.

Peace...
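As an added example (not from the original thread, and not the poster's own rules), here is what restricting sshd to one source address looks like in ipfw, wrapped in a shell function that prints the rules for review rather than loading them. The rule numbers (1000 and 1010) and the address 203.0.113.5 are assumptions; choose numbers that sort before any general "allow" rule already in your set.

```shell
#!/bin/sh
# Added example, not from the original thread: print ipfw rules that let one trusted
# address reach sshd (TCP port 22) and refuse everyone else. The rule numbers (1000,
# 1010) and the address used below are assumptions; pick numbers that sort before any
# general "allow" rule already in your ruleset.

# valid_ipv4 ADDR: succeed only for a dotted quad whose four octets are each 0-255.
# Guards against typos that would otherwise produce a rule ipfw rejects or, worse,
# a rule that quietly matches nothing.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# ssh_ipfw_rules TRUSTED_IP [BASE_RULE_NUMBER]
# Writes the two commands to stdout so they can be reviewed (and saved to a startup
# script) before being run. "setup" matches only the SYN that opens a connection;
# "me" is ipfw's keyword for any address of this host; "log" records denied SYNs.
ssh_ipfw_rules() {
    trusted=$1
    base=${2:-1000}
    if ! valid_ipv4 "$trusted"; then
        echo "ssh_ipfw_rules: '$trusted' is not an IPv4 address" >&2
        return 1
    fi
    echo "ipfw add $base allow tcp from $trusted to me 22 in setup"
    echo "ipfw add $((base + 10)) deny log tcp from any to me 22 in setup"
}

# Usage (the address is a placeholder from the RFC 5737 documentation range):
#   ssh_ipfw_rules 203.0.113.5             # review the rules
#   ssh_ipfw_rules 203.0.113.5 | sudo sh   # load them into the running firewall
```

ipfw evaluates rules in ascending number order and the first match wins, so the deny must sit after the allow and before any general allow (Mac OS X's default set ends in "65535 allow ip from any to any"). Rules loaded this way do not survive a reboot; put the commands in whatever startup script your system runs its ipfw rules from. On the spoofing worry: ssh runs over TCP, and an attacker forging the trusted address never sees the SYN-ACK, so it cannot complete the handshake; source filtering of this kind does stop the internet-wide scanners that produce the log noise.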
 
You can also configure sshd to use private key authentication, which will make sshd impossible to break into with such automated «brute force» attacks. And/or block hosts after e.g. three failed attempts.
 
This problem is consistent across the board. On my Linux machines I get about 1000 failed attempts a week. Recently I found www.denyhosts.com which checks your log files for failed logins and adds them to hosts.deny. Oh, and KSV, impossible is a big statement.

Take a look.
Good luck,
James
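The two suggestions above (key-only authentication, and blocking a host after a few failed attempts as DenyHosts does) reduced to shell, as an added example that is not part of the original posts and not DenyHosts' own code. The sshd log lines are constructed in the OpenSSH "Failed password" format with addresses from the RFC 5737 documentation ranges; the threshold of three is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread: count failed sshd password attempts per
# source address, turn repeat offenders into hosts.deny entries (what DenyHosts does
# for you), and check that sshd refuses passwords altogether. Log lines, addresses and
# the threshold are constructed for illustration.

# Constructed sample of /var/log/secure.log style sshd lines (not real traffic).
SAMPLE_LOG='Jan 10 03:14:07 mac sshd[812]: Failed password for invalid user test from 203.0.113.7 port 4321 ssh2
Jan 10 03:14:09 mac sshd[814]: Failed password for root from 203.0.113.7 port 4322 ssh2
Jan 10 03:14:12 mac sshd[816]: Failed password for invalid user admin from 203.0.113.7 port 4323 ssh2
Jan 10 03:20:44 mac sshd[820]: Failed password for alice from 198.51.100.4 port 50112 ssh2
Jan 10 03:21:01 mac sshd[822]: Accepted publickey for alice from 198.51.100.4 port 50113 ssh2
Jan 10 03:30:00 mac sshd[830]: Failed password for invalid user user from 192.0.2.9 port 2222 ssh2
Jan 10 03:30:02 mac sshd[831]: Failed password for invalid user guest from 192.0.2.9 port 2223 ssh2
Jan 10 03:30:04 mac sshd[832]: Failed password for invalid user oracle from 192.0.2.9 port 2224 ssh2
Jan 10 03:30:06 mac sshd[833]: Failed password for invalid user postgres from 192.0.2.9 port 2225 ssh2'

# repeat_offenders [THRESHOLD]   (log on stdin, default threshold 3)
# Prints "IP COUNT" for each source with at least THRESHOLD failed password attempts,
# highest count first. Only "Failed password" lines count; accepted logins and the
# user's own single typo stay below the threshold.
repeat_offenders() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' | sort -k2,2nr -k1,1
}

# hosts_deny_lines [THRESHOLD]   (log on stdin)
# Formats repeat offenders as /etc/hosts.deny entries. Using "sshd:" rather than
# "ALL:" keeps the block limited to ssh.
hosts_deny_lines() {
    repeat_offenders "$1" | awk '{ print "sshd: " $1 }'
}

# sshd_keyword_is FILE KEYWORD VALUE
# Succeeds when the first uncommented KEYWORD line in an sshd_config has VALUE.
# sshd uses the first value it finds for a keyword, so later lines are ignored here
# too; a commented-out line ("#PasswordAuthentication no") does not count.
sshd_keyword_is() {
    awk -v kw="$2" -v want="$3" '
        tolower($1) == tolower(kw) { found = 1; ok = (tolower($2) == tolower(want)); exit }
        END { exit !(found && ok) }' "$1"
}

# password_logins_disabled SSHD_CONFIG
# Key-only logins need both directives off: with ChallengeResponseAuthentication left
# on, a PAM-backed sshd still accepts passwords via keyboard-interactive. Both
# default to "yes" when the line is absent, so absence is a failure here.
password_logins_disabled() {
    sshd_keyword_is "$1" PasswordAuthentication no &&
    sshd_keyword_is "$1" ChallengeResponseAuthentication no
}

# Usage:
#   hosts_deny_lines 3 < /var/log/secure.log >> /etc/hosts.deny
#   password_logins_disabled /etc/sshd_config && echo "key-only auth in effect"
```

Run the first usage line only after inspecting the output; a DenyHosts-style tool appends these lines for you on a schedule, and you will want an allow-list of your own addresses (hosts.allow is consulted first) so a mistyped password from home cannot lock you out. hosts.deny has an effect only if sshd was built with TCP wrappers (libwrap), which was the norm on the systems of this period; current OpenSSH dropped libwrap support in 6.7, so on a modern host the same idea is done in the packet filter instead.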
 
jmarcus said:
This problem is consistent across the board. On my Linux machines I get about 1000 failed attempts a week. Recently I found www.denyhosts.com which checks your log files for failed logins and adds them to hosts.deny. Oh, and KSV, impossible is a big statement.

Take a look.
Good luck,
James

I did not write impossible to break into, but impossible to break into with such automated «brute force» attacks.

Or should we say «everything is relative?» ;)

Using a 2048 bit RSA encryption without public key negotiation, there are 2^2048 options. If every attempt takes a second, the process of breaking into the system will take up to 512382770029664626152886806961408421493596249836940069002573969868161072090117498940848576413034523460310723632069666722065568860199310646484781715919081099705588491998049785828104352967872464909881685032725576615245944613182073759542080389689183321768481193747404633480586883110430393972088286388951204742546840648618536631479657768686018669058475647439851630804125533665192576622089997370469599709287435260114529485642786931722449758249328480219490385800882915259181977497317672021263906356654796478146856649236692953054382249942177172726654064662440343346391459529319343046761137725218038879273780023006398 years.
 
Only if it's the _last_ option, right. ;) ... But really: the problem more often than not is not a brute-force attack but that OpenSSH has a known (and exploited) bug* which lets you somehow circumvent the security measures. Hence you have to turn SSH off if you don't need it, and if you have to turn it on, keep it updated well and, if you can, only let known IPs/hosts connect at all.

*Not talking about a specific bug here, of course.
 
jmarcus said:
This problem is consistent across the board. On my Linux machines I get about 1000 failed attempts a week. Recently I found www.denyhosts.com which checks your log files for failed logins and adds them to hosts.deny. Oh, and KSV, impossible is a big statement.
Do you mean DenyHosts?

fryke said:
But really: The problem more often than not is not a brute-force attack but that OpenSSH has a known (and exploited) bug* which lets you somehow circumvent the security measures. Hence you have to turn SSH off if you don't need it and if you have to turn it on keep it updated well and, if you can, only let known IPs/hosts connect at all.
I think this is a very important point to keep in mind. You do not have to have the ssh daemon running to make outbound ssh connections. You need to have it running only if you want to accept ssh connections to your machine from remote. If you always use ssh to connect to other machines, don't run sshd.

If you tunnel X over ssh, I'm not sure if you need ssh running or not.

Peace...
 
tomdkat said:
If you tunnel X over ssh, I'm not sure if you need ssh running or not.

Peace...
Just to confirm -- that's a negative. You do not need the sshd daemon running in order to tunnel X over ssh.
 