LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-14-2007, 05:01 AM   #1
_kure_
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Rep: Reputation: 0
Punishing users for SSH attack


Hello,

I would like to ask you for a suggestion. I have a server which gets regularly attacked via ssh. Of course, I block the user after several unsuccessful logins via fail2ban, but I would like to go further.

Usually, I can't track the IP. Traceroute ends somewhere in China or stops after hitting 30 or 40 hops leading nowhere. However, from time to time I can easily track the user; the last example was a static IP from Italy (probably a script kiddie, because he/she tried it two times in two weeks, not typical for a botnet). I contacted the ISP (one of the biggest in Italy); they said they were going to investigate the situation and didn't reply any more.

I believe users are responsible for their computers, especially in that they have to deploy a certain minimal level of security. It is similar to having a locked-and-loaded assault rifle lying in front of your door all the time without any security - you will be investigated by the police if somebody commits a murder with that gun.

So, I would like to ban these users, not just from my server, but on a global scale. If the ISP doesn't react, let's ban the whole subnet. Why not? There are far too many computers to lose too many visitors or clients.

Is there any such 'global' blacklist for ssh, or possibly including all those ********* in botnets sending spam?
 
Old 08-14-2007, 06:31 AM   #2
crashmeister
Senior Member
 
Registered: Feb 2002
Distribution: t2 - trying to anyway
Posts: 2,541

Rep: Reputation: 47
The ISP won't do anything. After all, they are not responsible for that. It would be a different business if it was spam or a phishing website. I reported one of those the other day and it was down within 1 hour.

Stuff like that is going on all the time - no reason to get excited.
 
Old 08-14-2007, 07:10 AM   #3
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 61
I don't think it is the responsibility of the ISP to manage what users do and do not do. Blocking a whole subnet is a problem, because what about innocent users?

I would suggest using public / private key authentication to improve security. Alternatively, use your firewall to limit SSH access to only those IP addresses that require it.

--Ian
 
Old 08-14-2007, 12:18 PM   #4
_kure_
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Security is not a problem; attackers are banned after three wrong passwords / usernames.

However, I think there is no way to make users secure their computers in the first place, so making their life harder by forcing their ISP to send them emails / letters is much better (and if ISPs don't do anything, let's ban the whole subnet; all of their customers won't have access to the server - why not?)
 
Old 08-14-2007, 12:57 PM   #5
bakfupai
Member
 
Registered: Apr 2006
Location: Sweden
Distribution: CentOS, RHEL, SourceMage, OpenBSD
Posts: 40

Rep: Reputation: 15
Yeah, real clever. Then I can just borrow a computer (like at a library), ssh three times and BAM! The entire subnet can't access tons of sites (assuming someone would actually go through with this).

And honestly, you want to go after someone for sshing twice to your server? I, for one, think continuous attacks actually improve security in the long run.
 
Old 08-16-2007, 11:37 AM   #6
ArcLinux
Member
 
Registered: Apr 2005
Location: Fargo, ND
Distribution: Slackware, CentOS
Posts: 87

Rep: Reputation: 20
try hosts.allow...

block all sshd and any other service that you want protected from everywhere except from where you specify.
 
Old 08-16-2007, 01:02 PM   #7
_kure_
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by ArcLinux
try hosts.allow...

block all sshd and any other service that you want protected from everywhere except from where you specify.
Great. Now I can log in to my server from an internet café when I'm hundreds of kilometres away and something bad happens (always when you don't need it) :-D
 
Old 08-16-2007, 03:05 PM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by crashmeister
The ISP won't do anything. After all, they are not responsible for that. It would be a different business if it was spam or a phishing website. I reported one of those the other day and it was down within 1 hour.

Stuff like that is going on all the time - no reason to get excited.
SOME ISPs won't. Some will. I've actually seen responses, but the situations were different, as the attackers weren't just scanning port 22...they were attempting broad scans or even attempting exploits.

The OP has a point. The IP block owners have some responsibility in ensuring people they sell services to adhere to the TOS that every company has. It's either that, or nothing ever gets cleaned from being infected or trojaned...or no one ever gets their hands smacked for doing something that isn't condoned on the network. But where the OP gets a bit lost is the fact that it's really not good to ban whole ranges of IPs. I believe someone in this thread mentioned attacking via a public library machine. Imagine if library netblocks were banned at a global level...people can't learn or conduct legitimate research, and all because of one user doing something bad and getting the whole library IP space banned. Not good.

Use SSH key authentication...that'll stop a majority of the scans right off the bat. Configure your firewall to only allow certain traffic from certain IPs. Use tcp-wrappers if you want, or fail2ban or something similar (bruteforceblocker or sshguard). There are other ways to harden your machines.
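The fail2ban / bruteforceblocker style of blocking that the OP and this reply both mention comes down to counting failed sshd logins per source address and acting once a threshold is reached. The script below is an added example (not from any poster or from fail2ban itself) that does that counting over a few constructed auth.log lines, using the OP's threshold of three failures, and prints the tcp-wrappers hosts.deny lines it would produce for review instead of applying anything to the system.

```shell
#!/bin/sh
# Constructed sample of sshd lines in /var/log/auth.log format (not a real log).
SAMPLE_LOG='Aug 14 04:58:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Aug 14 04:58:03 host sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 4242 ssh2
Aug 14 04:58:05 host sshd[2203]: Failed password for root from 203.0.113.5 port 4250 ssh2
Aug 14 04:59:10 host sshd[2210]: Failed password for invalid user guest from 198.51.100.7 port 5010 ssh2
Aug 14 04:59:30 host sshd[2212]: Accepted publickey for alice from 192.0.2.44 port 60012 ssh2
Aug 14 05:00:02 host sshd[2215]: Failed password for alice from 198.51.100.7 port 5011 ssh2'

# offenders <threshold>: read auth.log lines on stdin and print "IP COUNT" for
# every source address with at least <threshold> failed logins, busiest first.
# Only "Failed password" lines from sshd are counted; accepted logins are ignored.
offenders() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort -k2,2nr
}

# deny_rules <threshold>: turn the offender list into tcp-wrappers lines in the
# form /etc/hosts.deny expects ("sshd: IP") so they can be reviewed before use.
deny_rules() {
    offenders "$1" | awk '{ print "sshd: " $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | offenders 3      # 203.0.113.5 3
printf '%s\n' "$SAMPLE_LOG" | deny_rules 3     # sshd: 203.0.113.5
```

On a live host the input would be `grep sshd /var/log/auth.log` and the output appended to /etc/hosts.deny (or fed to iptables) only after checking it against addresses you need to keep.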
 
Old 08-16-2007, 11:36 PM   #9
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
Quote:
I have a server, which gets regularly attack via ssh. Of course, I block the user after several unsuccessful logins via fail2ban but I would like to go further.
Use Telnet. No one ever looks there anymore.

Move it off port #22 and don't allow passwords for network logins and no one can attempt passwords for network logins.

I used to tarpit scans to tcp/22, but since they calmed down a lot now tarpit is busy with that SAV worm thingy on 2967/tcp.

Years ago, before I did the above, I had this guy connect to sshd and sit there trying passwords. I think it was something like 12 minutes from start to finish, and he filled pages and pages of logs with dumb logins like 'www' and 'god' and 'John'. When I sent the logs to his ISP, they replied back and said they terminated his account...

@OP: if you really are set on allowing passworded ssh to everywhere on the default port, at least put a port-knock sequence in front of it.
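This reply and IBall's earlier one amount to three sshd_config changes: move off port 22, turn off password logins, and rely on keys. The checker below is an added example (not from any poster) that reads an sshd_config, applies sshd's own rule that the last uncommented value wins and unset keys take sshd's defaults (Port 22, PasswordAuthentication yes, PubkeyAuthentication yes), and reports which of the three settings is still weak; it runs against two constructed configs, a stock-looking one and a hardened one.

```shell
#!/bin/sh
# audit_sshd_config <file>: print one finding per weak setting and return the
# number of findings, so a return status of 0 means the file passes all checks.
# Match blocks are not evaluated; only global directives are considered.
audit_sshd_config() {
    # get <key> <default> <file>: value of the last uncommented <key> line, else <default>.
    get() {
        awk -v k="$1" -v d="$2" 'tolower($1) == tolower(k) { v = $2 }
                                 END { print (v == "" ? d : v) }' "$3"
    }
    n=0
    [ "$(get Port 22 "$1")" = "22" ] && {
        echo "Port: still 22, the port every scanner tries first"; n=$((n + 1)); }
    [ "$(get PasswordAuthentication yes "$1")" = "yes" ] && {
        echo "PasswordAuthentication: yes, password guessing remains possible"; n=$((n + 1)); }
    [ "$(get PubkeyAuthentication yes "$1")" = "no" ] && {
        echo "PubkeyAuthentication: no, keys cannot replace passwords"; n=$((n + 1)); }
    return $n
}

# Constructed before/after configs (not taken from any real host).
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# stock-looking sshd_config: defaults left commented out, so sshd uses them
#Port 22
#PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
audit_sshd_config "$WEAK"; echo "weak config findings: $?"        # 2
audit_sshd_config "$HARD"; echo "hardened config findings: $?"    # 0
rm -f "$WEAK" "$HARD"
```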
 