Protecting sshd - Was: SSHguard & IPFW

Christopher Sean Hilton chris at vindaloo.com
Thu Oct 1 16:57:48 UTC 2015


On Thu, Oct 01, 2015 at 06:32:50PM +1000, Ian Smith wrote:

[ snip... ]

> Well I'm not as concerned about sshd vulnerabilities as I am about lots 
> of superfluous logging from (usually) oft-repeated drive-by attempts on 
> port 22, often across all 6 IPs of a /29.  And yes, I prefer using port 
> 22, despite the relief that using alternative ports does offer, mainly 
> to keep things simple for users.  This way, all other hosts attempting 
> connections to port 22 simply vanish.
> 

The way I see it, reducing the flood of log entries is where SSHguard
would shine but it can't really add a meaningful measure to your
overall security.

The crux of the issue is ssh with password auth. You are either
allowing passwords or you aren't. If you aren't allowing passwords
then the brute force industry's chances of successfully compromising
your servers are very very low and you are relatively safe. If you
allow passwords, you're open to their attack and if you have any weak
passwords, it's a matter of time.

If you don't allow passwords then your only threat is a brute force
attack using weakly generated keys. There have been a number of
defects and outright attacks on public/private keys over the
years. Most of them have centered on pseudo random number
generation. Break the random number generator or nail down its
initial state and you limit the number of key-pairs. It is possible to
do this to the point where you can make a dictionary of weak keys. For
a given state that dictionary could be complete. Right now though I
have seen no evidence that the ssh brute force cloud is testing keys
in this manner. I am in fact surprised that the brute force cloud
doesn't enumerate ssh servers that don't accept passwords and leave
them alone. It seems a waste of effort to me to test passwords against
a server that says 'no' to every password. They could continue testing
out of hope that you have a Match clause in sshd_config that allows a
subset of users to login via password or because they have a
dictionary of compromised ssh keys. Maybe they just like annoying the
crap out of sysadmins by filling up their logs.

If you are allowing passwords, and I understand that some places
"must" for various reasons, then the brute force industry may or may
not have a valid username/password pair for your server in their
dictionary. If they do, SSHguard will not stop them from finding
it. It will probably delay them from finding it and it may delay them
for months or years but it is only a delay. SSHguard triggers against
invalid credentials detection in your log files. By definition, valid
credentials don't generate the log entry that SSHguard needs to take
action. The action that SSHguard takes is to block access to the
offending IP address of a server that tries bad credentials too
often. It would be naive to think that a brute force mechanism can't
detect when it's black-holed and try a different host.

If you can't mitigate your risk by requiring keys you should require
high complexity passwords and periodically use a password audit tool
against your credentials database to ensure that those rules are being
followed.

No matter what you do, you should employ defense in depth. By
extending the amount of time it takes to crack your defenses SSHguard
can be a part of that. It can also put your firewall back into your
overall defense strategy. But at the end of the day, if you're using
SSHguard as your single line of defense, you are really just hoping
that a group of people who have shown amazing patience are just going
to give up on attacking your defenses and move on to your neighbors
because your castle is taking too long to get into. 

There are lots of good resources on this subject. Michael Lucas' book:
"SSH Mastery" is a short read and has great advice on hardening your
ssh server while allowing you to continue functioning in a more secure
environment. Peter Hansteen has written and talked extensively about
the brute force cloud in his blog. An early article in the series is
here:

     http://bsdly.blogspot.ca/2008/12/low-intensity-distributed-bruteforce.html

I really think that consulting one or both of these sources can go a
long way towards taking informed action on this problem.


-- 
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]
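As an added illustration of the point made in the message above (this is example code, not from the post and not SSHguard's own implementation), the following Python models a failure-counting blocker over constructed sshd log lines. It shows why such a blocker only delays a brute-force attacker who holds a valid username/password pair: a successful guess produces an "Accepted password" line, which is not a failure entry and never contributes to a block.

```python
import re
from collections import Counter

# Constructed sample of sshd auth log lines (hostnames and addresses made up).
SAMPLE_LOG = """\
Oct  1 16:01:02 host sshd[1001]: Invalid user admin from 198.51.100.7 port 51010
Oct  1 16:01:03 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51010 ssh2
Oct  1 16:01:09 host sshd[1004]: Failed password for root from 198.51.100.7 port 51020 ssh2
Oct  1 16:01:15 host sshd[1007]: Failed password for root from 198.51.100.7 port 51030 ssh2
Oct  1 16:02:40 host sshd[1010]: Failed password for root from 203.0.113.9 port 40022 ssh2
Oct  1 16:02:55 host sshd[1012]: Accepted password for alice from 203.0.113.9 port 40030 ssh2
Oct  1 16:03:10 host sshd[1015]: Accepted publickey for bob from 192.0.2.5 port 60001 ssh2
"""

# Only "Failed password" lines count as failures here; the "Invalid user" line
# for the same attempt is deliberately ignored so one attempt is counted once.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def failed_attempts(log_text):
    """Number of failed password authentications per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def blocked_addresses(log_text, threshold=3):
    """Addresses a simple threshold rule would block (threshold is assumed)."""
    return {ip for ip, n in failed_attempts(log_text).items() if n >= threshold}


def accepted_logins(log_text):
    """Successful logins as (user, ip, method); these lines never feed the blocker."""
    found = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            found.append((m.group(2), m.group(3), m.group(1)))
    return found


def logins_that_evaded_blocking(log_text, threshold=3):
    """Successful logins from addresses the blocker had not yet blocked."""
    blocked = blocked_addresses(log_text, threshold)
    return [entry for entry in accepted_logins(log_text) if entry[1] not in blocked]
```

With the sample above, 198.51.100.7 is blocked after its third failure, while 203.0.113.9 guesses alice's password on its second try and is never blocked, which is exactly the "only a delay" argument.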