Blocking a slow-burning SSH bruteforce

Adam Vande More amvandemore at gmail.com
Fri Jan 1 16:05:48 UTC 2010


On Fri, Jan 1, 2010 at 8:56 AM, David Rawling <djr at pdconsec.net> wrote:

> I tend to think there's not much I can do about this, but I'll ask anyway.
>
> I've implemented sshguard to block the normal bruteforce attacks - which
> seems to be working reasonably well.
>
> However now I have the following:
>
> Jan  1 17:42:52 timeserver sshd[1755]: error: PAM: authentication error for illegal user but from 190.146.246.36
> Jan  1 17:55:09 timeserver sshd[1788]: error: PAM: authentication error for illegal user byung from 212.243.41.9
> Jan  1 18:07:38 timeserver sshd[1809]: error: PAM: authentication error for illegal user cac from 148.233.140.193
> Jan  1 18:20:06 timeserver sshd[1832]: error: PAM: authentication error for illegal user cachou from 121.52.215.180
> Jan  1 18:32:21 timeserver sshd[1851]: error: PAM: authentication error for illegal user calla from 212.243.41.9
> Jan  1 18:44:35 timeserver sshd[1884]: error: PAM: authentication error for illegal user calube from 83.211.160.211
> Jan  1 19:09:12 timeserver sshd[1923]: error: PAM: authentication error for illegal user cancy from 194.51.12.238
> Jan  1 19:21:35 timeserver sshd[1946]: error: PAM: authentication error for illegal user candice from 82.106.226.77
> Jan  1 19:46:12 timeserver sshd[1997]: error: PAM: authentication error for illegal user candyw from 116.55.226.131
>
> Now this seems to me to be a dictionary attack on timeserver, and I'd guess
> that it's a botnet behind it. It's rather sophisticated since it's only
> attempting 1 user and password combination per source - so it's far too
> little to trigger the sshguard rules. Even if it did trigger, it wouldn't
> prevent the attacks.
>
> Apart from switching away from user authentication to private/public keys
> ... is there anything I can do to mitigate these attacks? Any advice
> welcome.
>
> Dave.
>

If your passwords are complex, those attacks could come for a million years
on localhost and not get anywhere, let alone over a latent network.  Worrying
about that stuff with complex passwords is akin to devising a plan for
repelling a Godzilla attack.  Another point is these attacks typically try
common passwords; it's a distributed common password attack, not a brute
force.  If you are concerned about this for other reasons, e.g. you have local
users on the system and you don't enforce a password policy, there are
several utilities for dealing with this.  I'm not familiar with sshguard, but
these types of attacks are blocked quite well with denyhosts, since the IPs
are recycled through eventually and you can configure the parameters for
blocking.  Denyhosts also has the ability to download to, and upload from, a
shared blocklist.


-- 
Adam Vande More
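As an added example (not from either poster), a small detector run over the exact sshd lines Dave quoted: it shows why a per-source counter like sshguard's never fires on this traffic (no source exceeds two failures) while the aggregate view still exposes the slow distributed dictionary run through its ordered usernames and regular spacing. The thresholds (3 failures per source, 5 distinct sources) and the log year 2010 are assumptions for the demonstration.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# The sshd/PAM lines quoted in the original post (the year 2010 is assumed for parsing).
SAMPLE_LOG = """\
Jan  1 17:42:52 timeserver sshd[1755]: error: PAM: authentication error for illegal user but from 190.146.246.36
Jan  1 17:55:09 timeserver sshd[1788]: error: PAM: authentication error for illegal user byung from 212.243.41.9
Jan  1 18:07:38 timeserver sshd[1809]: error: PAM: authentication error for illegal user cac from 148.233.140.193
Jan  1 18:20:06 timeserver sshd[1832]: error: PAM: authentication error for illegal user cachou from 121.52.215.180
Jan  1 18:32:21 timeserver sshd[1851]: error: PAM: authentication error for illegal user calla from 212.243.41.9
Jan  1 18:44:35 timeserver sshd[1884]: error: PAM: authentication error for illegal user calube from 83.211.160.211
Jan  1 19:09:12 timeserver sshd[1923]: error: PAM: authentication error for illegal user cancy from 194.51.12.238
Jan  1 19:21:35 timeserver sshd[1946]: error: PAM: authentication error for illegal user candice from 82.106.226.77
Jan  1 19:46:12 timeserver sshd[1997]: error: PAM: authentication error for illegal user candyw from 116.55.226.131
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: error: PAM: authentication error for illegal user (?P<user>\S+) from (?P<ip>[\d.]+)$")

def parse_failures(text, year=2010):
    """Return (timestamp, username, source_ip) for every 'illegal user' failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies one (assumed 2010 here)
            stamp = " ".join(m["ts"].split())  # collapse the space-padded day field
            events.append((datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]))
    return events

def analyse(events, per_source_threshold=3, min_sources=5):
    """Aggregate failures across all sources, which a per-source blocker never does."""
    per_ip = Counter(ip for _, _, ip in events)
    users = [u for _, u, _ in events]
    times = sorted(ts for ts, _, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    s = {
        "events": len(events),
        "distinct_sources": len(per_ip),
        "max_per_source": max(per_ip.values(), default=0),
        # would an sshguard-style per-source threshold have fired at all?
        "per_source_block_fires": any(n >= per_source_threshold for n in per_ip.values()),
        # one wordlist handed out across a botnet arrives in dictionary order
        "usernames_in_order": users == sorted(users),
        # evenly spaced attempts point to a single coordinating controller
        "median_gap_seconds": statistics.median(gaps) if gaps else None,
    }
    s["distributed_dictionary_suspected"] = (s["distinct_sources"] >= min_sources
                                             and not s["per_source_block_fires"] and s["usernames_in_order"])
    return s
```

On the quoted lines this reports 8 distinct sources, at most 2 failures from any one of them, usernames strictly in dictionary order and a median gap of about 12.5 minutes, so the run is flagged even though no per-source rule would have triggered.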


More information about the freebsd-questions mailing list