SSH Gets Attacked

Yeah, brute force attacks on SSH are old news. But now, there is something new and interesting about them! Attackers (How did they get so smart!?) are now using ‘advanced’ techniques to make these attacks even more effective:

“Instead of using the same compromised machine to try multiple password combination, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.”

OH NO! We all must go and protect our servers now!

Or do any or all of these good practices that decent administrators have known about for years…

1) USE STRONG PASSWORDS! (You can bet attackers will have ‘johndoe’ in their wordlist, but not ’00J0hNND0eEe00$’)
2) Firewall all logins via SSH except for authorized IP addresses
3) Run SSH Server on another port besides 22

Some helpful tips for the helpless. Ho, ho, ho unwise system admins.
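
An added example (not from the original post): a per-address failure counter alone misses the coordinated pattern quoted above, where each botnet client makes only a few attempts against the same server. The Python below counts OpenSSH `Failed password` log lines both per address and across addresses; the function names, thresholds and sample log are assumptions, and all lines are treated as one observation window.

```python
import re
from collections import Counter

# OpenSSH failed-password log line; the syslog prefix is not part of the match.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def analyze(lines, per_ip_limit=5, distributed_limit=10, min_sources=4):
    """Return (addresses_over_per_ip_limit, distributed_alert).

    per_ip_limit      failures from one address before a per-address block triggers
    distributed_limit failures summed over 'quiet' addresses that raise an alert
    min_sources       distinct quiet addresses needed to call it coordinated
    (All three thresholds are assumed values for illustration.)
    """
    per_ip = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m.group(2)] += 1
    blocked = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    # Addresses that stay under the per-address limit are never blocked by it;
    # add their failures together to see the coordinated attempt.
    quiet = {ip: n for ip, n in per_ip.items() if n < per_ip_limit}
    distributed = sum(quiet.values()) >= distributed_limit and len(quiet) >= min_sources
    return blocked, distributed

def sample_log():
    """Constructed auth.log lines using documentation address ranges, not real data."""
    tmpl = "Dec  1 10:%02d:%02d host sshd[%d]: Failed password for %s from %s port 40000 ssh2"
    lines = []
    # One noisy host: 6 failures from a single address.
    for i in range(6):
        lines.append(tmpl % (0, i, 1000 + i, "root", "192.0.2.10"))
    # Coordinated clients: 6 addresses, 2 failures each, same target account.
    for host in range(1, 7):
        for i in range(2):
            lines.append(tmpl % (host, i, 2000 + host,
                                 "invalid user admin", "198.51.100.%d" % host))
    # A successful key login must not be counted as a failure.
    lines.append("Dec  1 10:09:00 host sshd[3000]: Accepted publickey for alice "
                 "from 203.0.113.7 port 40000 ssh2")
    return lines

if __name__ == "__main__":
    print(analyze(sample_log()))
```

On the constructed log, the per-address limit catches only the single noisy host, while the twelve failures spread over six quiet addresses surface only in the aggregate count.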


  • http://www.wyae.de/ Volker

    4.) Use key authentication *only* instead of password authentication.

  • http://jbrownsec.blogspot.com jbrown

    Righto Volker, forgot to mention pub key ;)

  • http://www.codingaloud.com Gil Megidish

    I’ve seen some boxes of mine get daily brute force ssh password attacks. Soon I’ll just install an IDS penalty that blocks traffic from a certain ip after 5 password failures. Often I connect from other computers (that I trust,) and my home ip is dynamic, so I won’t limit to certain ranges.

    Another thing, which is quite funky, is to just block all ssh traffic (ipchains) and have a cgi that opens up firewall access to a specific client that has the right http password. Although you just replaced one password with another, attackers will just give up when nmapping your box yields only http :)
