[SoCoSA/discuss] blocking brute force attacks
Kevan Benson
kbenson at a-1networks.com
Thu Nov 29 11:50:22 PST 2007
Sean wrote:
> I'm new to this group, and I'm hoping to meet other members at the next meeting.
>
> I'm still feeling my way a bit regarding the finer points of linux
> security (Debian Etch in my case), and I'm hoping that some of you can
> point me in a good direction on this.
>
> My public IP servers periodically get attacked via brute force login
> attempts (FTP and SSH). I've attempted to solve this in the past using
> hosts.deny, but it ended up causing too many unwanted positives and
> was somewhat difficult to unblock an IP. Would you mind sharing with
> me what you've found to be effective? It's obviously hard to
> impossible to block non-us IPs from connecting via ftp or ssh, as I
> couldn't find anything on this other than what turned into a two-way
> flame war.
>
> If any of you have suggestions, or links I can read, I'd appreciate
> it. If you think hosts.deny would be a good option, I can always
> re-visit it and take another look at the configuration options.
Assuming what I think would be the worst case scenario, which is...
1) You have to allow SSH and/or FTP access to outside individuals and
have little or no control over the passwords they choose (i.e. they can
reset them after you initially set them)
2) You can't control where the outside users are connecting from, and
you can't impose restrictions like a VPN (OpenVPN would be a good simple
solution here).
3) The users need unfettered access to system utilities and files.
...then you are in a really bad spot. I would personally treat this
system as always potentially compromised, and take steps to make sure
nothing confidential or integral to your business is housed on or depends
on that system. Maybe even mount any data that you need from another
system through SSH or SMB if that allows for easier segregation
(otherwise it's just another possible breach vector for someone who gets
If you can control #1, things aren't that bad. Just institute a
password policy that requires all passwords be very good and have to be
set through you.
If you can control #2, see many of the other replies you've got, but
long story short, just allow specific addresses to even access FTP and SSH.
If #3 isn't a requirement, use the chroot ssh patch/dist
(http://chrootssh.sourceforge.net/) and a chrooting FTP server such as
vsftp. Usefully, they both chroot in the same manner (through an extra
"/." in the $HOME defined in /etc/passwd). Chrooting SSH is a bit
harder than vsftp (it's a real chroot), but there's plenty of howtos
available online.
--
-Kevan Benson
-A-1 Networks
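As an added example that is not part of this thread and not code from either poster: a small Python script along the lines of what Sean's original question asks about, namely hosts.deny-style blocking of brute-force sources that avoids the two problems he ran into (unwanted positives and awkward unblocking). It keeps an allow-list of networks that are never blocked, only flags an address after a threshold of failures inside a time window, and can remove an entry again. It assumes syslog-style sshd "Failed password" lines and pam_unix "authentication failure ... rhost=" lines (the latter is what vsftpd logs through PAM); the sample log lines, the allow-list network 192.0.2.0/24 and the thresholds are constructed for illustration.

```python
"""Brute-force source detector over sshd/pam_unix auth log lines.
Added example; not from the mailing-list thread. Log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt. 203.0.113.7 hammers sshd, 198.51.100.22
# fails three FTP logins, 198.51.100.99 fails slowly over 40 minutes, and
# 192.0.2.10 is a real user who mistyped once.
SAMPLE_LOG = """\
Nov 29 11:00:00 host sshd[1100]: Failed password for invalid user admin from 198.51.100.99 port 4000 ssh2
Nov 29 11:10:00 host sshd[1101]: Failed password for invalid user admin from 198.51.100.99 port 4001 ssh2
Nov 29 11:20:00 host sshd[1102]: Failed password for invalid user admin from 198.51.100.99 port 4002 ssh2
Nov 29 11:30:00 host sshd[1103]: Failed password for invalid user admin from 198.51.100.99 port 4003 ssh2
Nov 29 11:40:00 host sshd[1104]: Failed password for invalid user admin from 198.51.100.99 port 4004 ssh2
Nov 29 11:40:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 29 11:40:03 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Nov 29 11:40:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51241 ssh2
Nov 29 11:40:09 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Nov 29 11:40:11 host sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 51252 ssh2
Nov 29 11:41:00 host sshd[1210]: Failed password for sean from 192.0.2.10 port 40000 ssh2
Nov 29 11:41:02 host sshd[1210]: Accepted password for sean from 192.0.2.10 port 40000 ssh2
Nov 29 11:42:00 host vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=198.51.100.22  user=ftpuser
Nov 29 11:42:04 host vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=198.51.100.22  user=ftpuser
Nov 29 11:42:08 host vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=198.51.100.22  user=ftpuser
"""

TS = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
FAILED_PATTERNS = [
    # sshd: "Failed password for [invalid user ]NAME from ADDR port N ssh2"
    re.compile(TS + r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port"),
    # pam_unix (vsftpd, sshd, ...): "authentication failure; ... rhost=ADDR"
    re.compile(TS + r"\S+: pam_unix\(.*?:auth\): authentication failure;.* rhost=(?P<ip>[\d.]+)"),
]


def parse_failures(log_text):
    """Return the set of (timestamp, ip) pairs for failed logins. A set is used
    because a real sshd attempt often logs both a pam_unix line and a 'Failed
    password' line in the same second; counting it twice would halve the
    effective threshold."""
    failures = set()
    for line in log_text.splitlines():
        for pat in FAILED_PATTERNS:
            m = pat.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
                failures.add((ts, m.group("ip")))
                break
    return failures


def find_offenders(log_text, allow_list, threshold=5, window=300):
    """Map source IP -> total failure count for every address that produced at
    least `threshold` failures inside some `window`-second span. Addresses
    inside any allow_list network are never reported (this is the fix for the
    'unwanted positives' problem: your own office or VPN range goes here)."""
    allowed = [ipaddress.ip_network(n) for n in allow_list]
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures; slow guessing
        # spread over hours does not trip it, a burst does.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                offenders[ip] = len(times)
                break
    return offenders


def hosts_deny_lines(offenders, daemons=("sshd", "vsftpd")):
    """tcp_wrappers hosts.deny lines, one address per line so that unblocking
    is a matter of deleting a single line."""
    return ["%s: %s" % (", ".join(daemons), ip) for ip in sorted(offenders)]


def unblock(deny_text, ip):
    """Return deny_text with every line whose client field is exactly `ip`
    removed; other lines are kept untouched."""
    kept = []
    for line in deny_text.splitlines():
        _, _, clients = line.partition(":")
        if ip in [c.strip() for c in clients.split(",")]:
            continue
        kept.append(line)
    return "\n".join(kept)


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG, ["192.0.2.0/24"])
    for entry in hosts_deny_lines(found):
        print(entry)
```

With the defaults only 203.0.113.7 is reported: the slow guesser never has five failures inside five minutes, the FTP source stops at three, and 192.0.2.10 sits in the allow-list. Lowering the threshold to three also catches the FTP source, which is the knob to turn for the FTP side where clients tend to retry less aggressively. Cron the script against /var/log/auth.log and append its output to /etc/hosts.deny, and use unblock() (or just delete the line) when a legitimate user locks themselves out.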