[SoCoSA/discuss] blocking brute force attacks

Eric Eisenhart freiheit at socosa.org
Thu Nov 29 09:50:34 PST 2007


On Wed, Nov 28, 2007 at 11:44:14PM -0800, Sean wrote:
> My public IP servers periodically get attacked via brute force login
> attempts (FTP and SSH). I've attempted to solve this in the past using
> hosts.deny, but it ended up causing too many unwanted positives and
> was somewhat difficult to unblock an IP. Would you mind sharing with
> me what you've found to be effective? It's obviously hard to
> impossible to block non-us IPs from connecting via ftp or ssh, as I
> couldn't find anything on this other than what turned into a two-way
> flame war.

I think to a large extent, it really depends on exactly what your needs are
for legitimate SSH and FTP access.

In particular:

A) What accounts on the system?  Just root?  Others?  One other or many
   others?
B) What people?  Just you?  Just you and one or two people?  Hundreds?  Are
   they all fairly tech-savvy?
C) For FTP, just anonymous?
D) From what hosts?  A well-defined set?

Given that *huge* caveat, here are some options:
1) Use hosts.allow instead of hosts.deny -- that is, restrict access to only
   those hosts or networks with a legit need to SSH to your server.  In
   general, it's best to default deny everything and allow the specific
   things you want than to default allow and try to figure out what to deny.

   Downside: if you're going to be travelling or something like that, you'll
   probably want to open it up to the world before you go, until you figure
   out your network range.

2) Use iptables to do the same basic thing as #1, but at a kernel level.

3) Use ssh-key based authentication.  Don't use passwords at all.  This is
   what we do at my work for root access, even for hosts behind a firewall.
   You can put either "PermitRootLogin without-password" or
   "PasswordAuthentication no" in /etc/ssh/sshd_config to accomplish this,
   depending on whether you want it for all users or just root.

   Downside: Anybody who wants to log in will basically need to use the same
   workstation every time.  Or carry a USB key with the ssh key.

   Another downside: you'd still get logs of attempts to guess passwords,
   but you wouldn't actually have to worry about it because they'd have zero
   chance of success.

4) Change SSH to run on a non-standard port.  The random password guessers
   generally won't try other ports and it will be harder to find.

   Downside: if there are more users than you, they might have trouble
   figuring this out.  Some SSH client software makes this easier than
   others.

5) Set up iptables with a secret handshake.  This is known as "port
   knocking".  Basically, you set it up so that when you try to connect to a
   secret sequence of ports (say 100, then 200, then 300) it opens up the
   ssh port (22) for a short period of time (say, 30 seconds).
   http://www.debian-administration.org/articles/268 shows an example of how
   to do it.  The only part missing is a shell script to run before ssh-ing.
   You should probably pick some different ports than that example.

   Downside: even more likely that other people can't figure out how to use
   it.

6) Only allow anonymous FTP access.  Then you might see some logs from
   people trying to guess passwords, but they're just wasting their time
   anyways.
-- 
Eric Eisenhart <freiheit at SoCoSA.org>
SoCoSA Founder and President
IRC: freiheit on irc.socosa.org
AIM/yahoo: falschfreiheit
Jabber/GTalk: freiheit at gmail.com
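As an added example that is not part of Eric's post: a small POSIX shell script that checks an sshd_config for the option 3 directives and writes the hosts.allow/hosts.deny pair behind option 1. Every file path and the network 192.0.2.0/255.255.255.0 are constructed placeholders, not live system files.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an sshd_config for the
# two directives option 3 names and writes the hosts.allow/hosts.deny pair
# behind option 1. All paths below are constructed temp files, never the
# live /etc/ssh/sshd_config or /etc/hosts.allow.

# Returns 0 when password guessing cannot succeed: either
# "PasswordAuthentication no" (all users) or a PermitRootLogin value that
# refuses root passwords (root only). sshd keywords are case-insensitive and
# the first occurrence wins, so awk lowercases $1 and exits on first match;
# a line whose first field is '#' is a comment and never matches. Match
# blocks are not parsed here, so a password re-enabled inside one is missed.
ssh_password_guessing_blocked() {
    cfg="$1"
    pa=$(awk 'tolower($1)=="passwordauthentication" {print $2; exit}' "$cfg")
    prl=$(awk 'tolower($1)=="permitrootlogin" {print $2; exit}' "$cfg")
    if [ "$pa" = "no" ]; then
        echo "all users: keys only"; return 0
    fi
    case "$prl" in
        without-password|prohibit-password|no)
            echo "root: keys only; other users can still use passwords"; return 0 ;;
    esac
    echo "password guessing still possible"; return 1
}

# Option 1: default deny with TCP wrappers. hosts.allow is consulted first,
# so the listed network gets in; everything else falls through to hosts.deny.
# $2 is a network in address/netmask form, e.g. 192.0.2.0/255.255.255.0
# (a documentation range, used here as a constructed placeholder).
write_tcpwrappers_default_deny() {
    dir="$1"; allowed_net="$2"
    printf 'sshd: %s\n' "$allowed_net" > "$dir/hosts.allow"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
}

# Demo on two constructed configs: one weak, one hardened per option 3.
demo_dir=$(mktemp -d)
printf 'Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$demo_dir/weak"
printf 'Port 22\nPasswordAuthentication no\n' > "$demo_dir/hardened"
for f in weak hardened; do
    printf '%s: ' "$f"; ssh_password_guessing_blocked "$demo_dir/$f" || true
done
write_tcpwrappers_default_deny "$demo_dir" 192.0.2.0/255.255.255.0
cat "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"
rm -rf "$demo_dir"
```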