The question is often pondered: how does a good systems administrator protect an OpenSSH server against dictionary attacks? You will hear many opinions, all fully relevant, advocating a complete lock-down of port 22 at the firewall with holes punched for known good hosts, and the use of application programs such as DenyHosts and Cracklib.
All of these are excellent ideas, but has the option of using your firewall's own capabilities been considered? Let's take a look.
Within iptables, the recent match module lets you add source IP addresses to a named list, which later packets are checked against. This lets a sysadmin limit a source to a given number of new connections within a given number of seconds.
The following two rules limit new incoming connections to port 22 to no more than 5 attempts per minute from any one source address; anything beyond that is dropped:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
-m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
-m recent --update --seconds 60 --hitcount 5 -j DROP
The first rule records every new incoming connection in the list; the second rule is where the clever stuff is done. Note that both commands use -I, which inserts at the top of the chain, so the second command's DROP rule ends up ahead of the --set rule. That is the intended order: the count is checked before the new attempt is recorded.
Ultimately, the DROP rule matches when all of the following hold:
- the source IP address has previously been added to the list by the --set rule, and
- it has been seen within the last 60 seconds, and
- at least 5 of its new connections have been recorded within those 60 seconds.
Because --update refreshes the "last seen" timestamp on every match, an address that keeps hammering stays blocked; it is only released once it has been quiet for 60 seconds.
With these rules implemented you have an efficient, kernel-level defence against dictionary attacks. One caveat: the limit is per source address, so it does nothing against an attack spread across many hosts, and a shared NAT address that sends more than 5 attempts a minute will lock out everyone behind it.
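To see exactly what the rule pair does over time, here is an added example (not code from the original post) that models the recent match's --set and --update --seconds --hitcount semantics in plain Python, following the iptables extensions manual page, and replays constructed sample traffic through the chain in the order the two -I commands leave it. The addresses, timings and helper names are assumptions for illustration only.

```python
# Added illustration, not code from the post: a plain-Python model of the
# iptables 'recent' match (--set and --update --seconds --hitcount) used by
# the two rules above, so their combined behaviour can be checked offline.
# Rule semantics follow the xt_recent manual page; addresses and timings
# are constructed sample input.

PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per address


class RecentList:
    """One named 'recent' list: source address -> timestamps of logged hits."""

    def __init__(self, max_stamps=PKT_LIST_TOT):
        self.max_stamps = max_stamps
        self.entries = {}

    def set(self, addr, now):
        """--set: add the address to the list, or record another hit for it."""
        stamps = self.entries.setdefault(addr, [])
        stamps.append(now)
        del stamps[:-self.max_stamps]  # keep only the newest timestamps
        return True  # --set always matches

    def update(self, addr, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match only if the address is in
        the list and has at least N hits within the last S seconds. On a
        match the 'last seen' time is refreshed; on a miss nothing changes."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            del stamps[:-self.max_stamps]
            return True
        return False


def new_ssh_connection(lst, addr, now, seconds=60, hitcount=5, drop_rule_first=True):
    """Walk the INPUT chain for one NEW connection to port 22.

    drop_rule_first=True is the order the post's two 'iptables -I' commands
    produce (each -I inserts at the top, so the DROP rule lands above --set).
    False models appending both with -A instead, where --set runs first.
    Assumption: nothing later in the chain rejects an accepted connection.
    """
    if drop_rule_first:
        if lst.update(addr, now, seconds, hitcount):
            return "DROP"
        lst.set(addr, now)
        return "ACCEPT"
    lst.set(addr, now)
    if lst.update(addr, now, seconds, hitcount):
        return "DROP"
    return "ACCEPT"


def simulate(attempts, seconds=60, hitcount=5, drop_rule_first=True):
    """Return [(time, addr, verdict)] for (time, addr) attempts, in time order."""
    lst = RecentList()
    out = []
    for now, addr in sorted(attempts, key=lambda a: a[0]):
        verdict = new_ssh_connection(lst, addr, now, seconds, hitcount, drop_rule_first)
        out.append((now, addr, verdict))
    return out


def verdicts_for(results, addr):
    """Just the verdicts seen by one source address."""
    return [v for _, a, v in results if a == addr]


# Constructed sample traffic (RFC 5737 documentation addresses):
ATTACKER = "198.51.100.7"
USER = "203.0.113.9"
SAMPLE_ATTEMPTS = (
    [(t, ATTACKER) for t in range(0, 61, 5)]  # one attempt every 5 s for a minute
    + [(30, USER), (45, USER)]                 # a legitimate user in the same window
    + [(125, ATTACKER)]                        # attacker returns after 65 s of silence
)

if __name__ == "__main__":
    res = simulate(SAMPLE_ATTEMPTS)
    for now, addr, verdict in res:
        print(f"t={now:3d}s {addr:<14} {verdict}")
    # -I order: attacker attempts 1-5 pass, 6-13 are dropped (every drop
    # refreshes the timestamp, so the hammering stays blocked), and the
    # attempt at t=125 passes again after more than 60 s of quiet.
    print("attacker:", verdicts_for(res, ATTACKER))
    print("user:    ", verdicts_for(res, USER))
```

Running the same traffic with drop_rule_first=False shows why the insertion order matters: with --set evaluated before --update, the fifth attempt is already counted when the check runs, so only four attempts per minute get through instead of five.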
February 2, 2007
Hooray.. there are 2 comment(s) for me so far ;)
This rule may be of interest as well:
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/s -j ACCEPT
This is fine for (recent) Linux-based systems, but for some level of protection on other UNIX systems, OpenSSH does have (limited) rate-limiting capabilities by default:
MaxAuthTries: Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
MaxStartups: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
Alternatively, random early drop can be enabled by specifying the three colon-separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).