[KLUG Members] Automated SSH attacks.

Bruce Smith bruce at armintl.com
Fri Feb 4 10:41:50 EST 2005


I'm sure many of you who run SSH servers (and check your log files) have
seen an ever increasing activity of a new cracking program that tries
various users and passwords.  Here is a _small_ sample of the KLUG log:

Feb  2 18:54:32 klug sshd[1599]: Illegal user webmaster from ::ffff:67.121.46.130
Feb  2 18:54:33 klug sshd[1601]: Illegal user data from ::ffff:67.121.46.130
Feb  2 18:54:34 klug sshd[1603]: Illegal user user from ::ffff:67.121.46.130
Feb  2 18:54:41 klug sshd[1617]: Illegal user master from ::ffff:67.121.46.130
Feb  2 18:54:43 klug sshd[1621]: Illegal user backup from ::ffff:67.121.46.130
Feb  2 18:54:47 klug sshd[1629]: Illegal user frank from ::ffff:67.121.46.130
Feb  2 18:54:48 klug sshd[1631]: Illegal user george from ::ffff:67.121.46.130
...

There are a number of things that help make you more secure, and some
may work better than others depending on the individual circumstances.
Here are some (options can be combined):

1)  Change the port SSHD listens on.  It only makes your server harder
to find, but should help eliminate a lot of log entries from automated
cracking bots.  It's also a pain for the users since they have to
specify an alternate port when they connect.

2)  Do not allow password authentication, and restrict all logins to
RSA/DSA SSH keys.  This enhances security a lot, but the cracking bots
still keep trying and adding the above annoying entries to your log.

Those are the easy solutions, but may not be practical under all
circumstances, so I started searching for other ideas, and asked the
question on a mailing list dedicated to security.

One person recommended "swatch" which watches log files and can take
action depending on the results.  So it could watch for invalid SSH
logins in the log and block IPs w/iptables after a number of bad
attempts.  Here is a swatch script that does this (or so I'm told):
  http://bluedogsecurity.cyberinfo.se/ssh_block
I have not tried the above script or swatch yet, so YMMV.

Here is another solution suggested on the mailing list, and is the one
I've currently been playing with.  The first thing I did was set
"MaxAuthTries 2" in sshd_config so each SSH disconnects after a single
bad password and you have to run slogin again.

Then I combine the above with some fancy iptables rules using the
"recent" module, documented here:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.16

I created iptables rules that keep track of the number of connects (SYN)
per IP address, and if a certain number occur within a set amount of
time, it blocks the IP until the time has expired.  Here are the rules I
came up with (it also logs each time it happens).  If it detects 5 or
more login attempts from a unique IP within 60 seconds, it blocks that
IP for a minute (modify time/frequency to suit):

  iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -m recent --name sshattack --set
  iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j LOG --log-prefix 'SSH attack: '
  iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j DROP

The only downside is iptables can't tell a valid login from a failed
login, which isn't normally a problem unless you do a lot of slogins
(or scps) in a short period of time (in which case, you lock yourself
out for the time delay).  Other than that, it works pretty slick!

Thought I'd share.  Other ideas are welcome!

 - BS
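As an added example (not from the post above, and not swatch's own code), here is a Python sketch of the log-watching approach: it parses "Illegal user" lines in the format shown in the post and applies the same 5-in-60-seconds rule as the iptables "recent" rules, but counts only failed logins, so a burst of successful slogins or scps would not trip it. The sample log is constructed from the lines above plus two invented lines for a second address, and the year is assumed because syslog lines carry none.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample in the format shown in the post (year assumed to be 2005,
# since syslog lines carry no year); the 203.0.113.9 lines are invented to show
# that two failures spread more than a minute apart do not trip the threshold.
SAMPLE_LOG = """\
Feb  2 18:54:32 klug sshd[1599]: Illegal user webmaster from ::ffff:67.121.46.130
Feb  2 18:54:33 klug sshd[1601]: Illegal user data from ::ffff:67.121.46.130
Feb  2 18:54:34 klug sshd[1603]: Illegal user user from ::ffff:67.121.46.130
Feb  2 18:54:41 klug sshd[1617]: Illegal user master from ::ffff:67.121.46.130
Feb  2 18:54:43 klug sshd[1621]: Illegal user backup from ::ffff:67.121.46.130
Feb  2 18:54:47 klug sshd[1629]: Illegal user frank from ::ffff:67.121.46.130
Feb  2 18:54:48 klug sshd[1631]: Illegal user george from ::ffff:67.121.46.130
Feb  2 18:55:10 klug sshd[1640]: Illegal user admin from ::ffff:203.0.113.9
Feb  2 18:57:30 klug sshd[1655]: Illegal user admin from ::ffff:203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+)$"
)

def parse_failures(log_text, year=2005):
    """Yield (datetime, ip) for each failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def find_offenders(log_text, hitcount=5, seconds=60):
    """Return {ip: time_of_trigger} for addresses with >= hitcount failures in
    any sliding window of `seconds`; same semantics as --hitcount/--seconds
    in the iptables rules, but fed by failed logins rather than SYNs."""
    recent = {}      # ip -> deque of failure timestamps still inside the window
    blocked = {}     # ip -> timestamp of the failure that tripped the threshold
    for ts, ip in parse_failures(log_text):
        if ip in blocked:
            continue
        window = recent.setdefault(ip, deque())
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()
        if len(window) >= hitcount:
            blocked[ip] = ts
    return blocked
```

Feeding the result to `iptables -I INPUT -s <ip> -j DROP` (and expiring the entry later) is what a swatch action would do; this sketch only decides which addresses qualify.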
