SSH Brute Force Attacks

I finally got tired of the huge log files full of SSH brute force attempts on all my machines. I tried several solutions: daily cron scripts, iptables with the recent module (some machines don't even have iptables installed), and a few other specious ones, but none of them did everything I wanted across all the platforms and OS versions we have running here and at the office, for far too many reasons to be worth listing. So where do I turn? Java, of course... 5 minutes later I had a working program, and another 10 minutes to add some comments so my buddies can play around with it. You can get a copy as well: SSHBruteForce.java. I've also been collecting a list of links to relevant threads, advisories and so on; here's what I have so far:
Security Focus threads:
http://www.securityfocus.com/archive/75/389573/2005-05-14/2005-05-20/1
http://www.securityfocus.com/archive/121/376646/2005-05-14/2005-05-20/1

from Linode's forums, some good info here:
http://www.linode.com/forums/viewtopic.php?t=1157

info on the ssh probing kit:
http://dev.gentoo.org/~krispykringle/sshnotes.txt

Full Disclosure's thread:
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-10/0592.html

another thread (nothing much new here):
http://marc.theaimsgroup.com/?t=109098450600001&r=1&w=2

details of one of the attacks:
http://www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20041102

a suggestion on how to stop the brute force attacks using strictly RSA keypair exchange:
http://www.securityfocus.com/infocus/1810

BSD forums with several links to ways of dealing with ssh brute force attacks:
http://undeadly.org/cgi?action=article&sid=20041231195454

first iptables solution:
http://blog.andrew.net.au/2005/02/17/

Thread about how to use iptables firewall to block probes:
http://msgs.securepoint.com/cgi-bin/get/netfilter-0505/62.html

another iptables solution:
https://lists.netfilter.org/pipermail/netfilter/2005-May/060299.html

an interesting fix:
http://forum.bytemark.co.uk/viewtopic.php?pid=398

another fix:
http://jcs.org/notaweblog/2005-03-30/

Auto firewall script that checks the system logs (similar to SSHBruteForce.java):
http://ohno.mrbill.net/pipermail/linuxmanagers/2005-March/001741.html
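To show the log-driven approach that the last link and SSHBruteForce.java take, here is a small Python example, added here and not the author's Java program. It scans syslog-style sshd lines, counts failed logins per source address inside a sliding time window, and renders TCP-wrappers deny lines for the addresses that cross a threshold. The OpenSSH message formats it matches ("Failed password for ...", "Illegal user ...", "Invalid user ...") are real, but the sample log lines, the threshold and window values, and the function names are all constructed for this illustration.

```python
"""Flag SSH brute force sources from sshd syslog lines (hypothetical example).

Assumes classic OpenSSH failure messages in syslog format. Sample input is
constructed; the threshold and window are arbitrary defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog timestamps carry no year, so strptime fills in 1900; that is
# fine for comparing times within one window (caveat: a year boundary wraps).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for|Illegal user|Invalid user).*?"
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: one fast brute force source, one slow prober,
# one legitimate user who mistyped once, and an unrelated cron line.
SAMPLE_LOG = [
    "May 15 02:00:00 web1 sshd[2001]: Failed password for root from 198.51.100.7 port 4000 ssh2",
    "May 15 02:15:00 web1 sshd[2003]: Failed password for root from 198.51.100.7 port 4001 ssh2",
    "May 15 02:30:00 web1 sshd[2005]: Failed password for root from 198.51.100.7 port 4002 ssh2",
    "May 15 02:45:00 web1 sshd[2007]: Failed password for root from 198.51.100.7 port 4003 ssh2",
    "May 15 03:00:00 web1 sshd[2009]: Failed password for root from 198.51.100.7 port 4004 ssh2",
    "May 15 03:12:44 web1 sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2",
    "May 15 03:12:50 web1 sshd[2212]: Failed password for root from 192.0.2.10 port 4325 ssh2",
    "May 15 03:12:55 web1 sshd[2214]: Illegal user test from 192.0.2.10",
    "May 15 03:13:01 web1 sshd[2216]: Invalid user oracle from 192.0.2.10",
    "May 15 03:13:07 web1 sshd[2218]: Failed password for invalid user guest from 192.0.2.10 port 4330 ssh2",
    "May 15 03:13:12 web1 sshd[2220]: Failed password for invalid user guest from 192.0.2.10 port 4331 ssh2",
    "May 15 03:14:00 web1 CRON[2230]: (root) CMD (run-parts /etc/cron.hourly)",
    "May 15 03:20:00 web1 sshd[2301]: Failed password for bob from 192.0.2.11 port 5000 ssh2",
    "May 15 03:20:05 web1 sshd[2301]: Accepted password for bob from 192.0.2.11 port 5000 ssh2",
]


def parse_line(line):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip")


def offenders(lines, threshold=5, window_minutes=10):
    """Map source IP -> total failures for every IP that produced at least
    `threshold` failures within some span of `window_minutes` minutes."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip = parsed
            events[ip].append(ts)

    flagged = {}
    for ip, times in events.items():
        times.sort()
        recent = deque()  # failures inside the current sliding window
        for t in times:
            recent.append(t)
            # Drop failures older than the window measured back from `t`.
            while (t - recent[0]).total_seconds() > window_minutes * 60:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def hosts_deny_lines(flagged):
    """Render TCP-wrappers lines for /etc/hosts.deny (sshd honours it on most
    Unix systems); applying them to the live system is left to the caller."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    for line in hosts_deny_lines(offenders(SAMPLE_LOG)):
        print(line)
```

With the defaults, only 192.0.2.10 is flagged: the slow prober at 198.51.100.7 never gets five failures inside ten minutes, and bob's single typo is ignored. Loosening the window (say threshold 3 over two hours) catches the slow prober too, which is the trade-off any such script makes between catching low-and-slow probing and locking out legitimate users. On hosts that do have iptables the same flagged list can drive DROP rules instead of hosts.deny.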

Filed under: Computers

