For the last couple of days we've all been witnesses to skyrocketing FUD surrounding a supposed 0-day exploit for OpenSSH.
Bojan 396 Posts ISC Handler Jul 9th 2009 |
Jul 9th 2009 1 decade ago |
Although this all seems to have been another in a series of hoaxes for SSH, there are steps that you can take to prevent brute force type attacks on SSH servers. After testing a few, I found DenyHosts to be one of the most effective ways of preventing this.
If this is of interest to you, check out the DenyHosts website at: http://denyhosts.sourceforge.net/ Ollie |
Anonymous |
Jul 9th 2009 1 decade ago |
I use DenyHosts as well. It works very well for my application.
Joel 454 Posts |
Jul 9th 2009 1 decade ago |
Use a port-knocking system, it's the big aspirin for such a headache :)
Anonymous |
Jul 9th 2009 1 decade ago |
Just a suggestion, but I normally don't have a good reason why I can't lock down SSH on the hardware firewall level to come only from authorized IP addresses.
Another idea is to lock down all your webserver SSH to only come from workstation "A", which is on a totally different network and ISP. Put DenyHosts on "A" and run no webservices on it, use it as an SSH relay station. It would certainly keep someone from doing a bruteforce SSH to www.yourhost.com
Jason 9 Posts |
Jul 9th 2009 1 decade ago |
It does sound like OpenSSH has a vulnerability here:
"... this was even enough for some web hosting companies to *shut down* their SSH service ..." Someone perpetrated a successful DDoS attack against OpenSSH servers. Of course, the vulnerability was in the operators, not the software. The technique used was social engineering. It's hard to patch OpenSSH against that. |
Jason 6 Posts |
Jul 9th 2009 1 decade ago |
I suggest using OSSEC, with hosts.deny or iptables active response. SSH is just one possible service that a brute force attack can be attempted against.
Other examples [for some systems] are FTP, POP3, Telnet, or someone with a login repeatedly attempting to 'SU' with various passwords. |
Mysid 146 Posts |
Jul 10th 2009 1 decade ago |
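An added example, not part of the thread and not DenyHosts' or OSSEC's own code: a simplified version of the check the replies above rely on, counting failed sshd logins per source address inside a sliding window and producing hosts.deny entries, with an allowlist so an administrator's own address is never blocked. The log lines, thresholds, year and function names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd auth-log lines (documentation IP ranges, not real data).
SAMPLE_LOG = """\
Jul  9 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul  9 10:00:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Jul  9 10:00:04 web1 sshd[2104]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Jul  9 10:00:06 web1 sshd[2106]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Jul  9 10:00:09 web1 sshd[2109]: Failed password for alice from 192.0.2.10 port 51004 ssh2
Jul  9 10:02:00 web1 sshd[2150]: Failed password for root from 198.51.100.23 port 33001 ssh2
Jul  9 10:30:00 web1 sshd[2190]: Failed password for root from 198.51.100.23 port 33050 ssh2
Jul  9 11:10:00 web1 sshd[2250]: Failed password for root from 198.51.100.23 port 33099 ssh2
"""

# Matches only failed password attempts; captures the syslog timestamp and source IP.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def hosts_to_deny(log_text, threshold=3, window=timedelta(minutes=10),
                  allowlist=frozenset(), year=2009):
    """Return source IPs with >= threshold failures inside one sliding window."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    denied = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed for parsing.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in allowlist or ip in denied:
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            denied.append(ip)
    return denied

def hosts_deny_lines(ips):
    """Format addresses as TCP-wrappers hosts.deny entries for sshd."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG))))
```

The slow source (198.51.100.23) stays under a 10-minute window, which is the trade-off to tune: a wider window catches low-rate guessing but also counts a legitimate user's occasional typos.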