Protect Against Brute-force/Dictionary SSH Attacks
According to the SANS Institute Security Risks Report for 2007, brute-force/dictionary attacks against remote services such as SSH are one of the Top-20 most common forms of attack on the Internet that compromise servers. In particular, Unix-based and Mac OS X servers that run an SSH service to give administrators secure remote connections are at risk. The ISO has seen an increased number of systems compromised via brute-force/dictionary attack. The attacks are continuous, and lax countermeasures let attackers keep refining their dictionaries. An excessive number of failed log-ins is a sign of a brute-force/dictionary attack against your SSH server.
To protect your SSH server from a brute-force/dictionary attack, please follow these seven protective measures:
- Disable root access - It is a good security practice to disable logins via SSH for the root account. Log in from your non-privileged user account and escalate privilege when and if necessary. SUDO and SU are examples of tools/commands that allow privilege escalation. These provide the added benefit of accountability (i.e. logging) in environments where root access must be shared.
- Disable unused services - Disable SSH if it is not in use.
- Filter traffic to your SSH server - Whenever possible, filter traffic to your SSH server (with a network- or host-based firewall), restricting access to only known IP addresses. Restricting access to the campus VPN subnet or a range of IP addresses is a good start for filtering traffic.
- Run the SSH server on a non-standard, high port - This will mitigate automated attacks scanning for SSH servers on the default port.
- Install and maintain anti-brute-force tools - There are a number of filters and tools that administrators can use to block and protect against brute-force/dictionary attacks. A few are:
  - SSHD filters - Generate firewall rules to block an attack by reading the sshd logging output and generating iptables rules.
  - Pam_abl - Provides a blacklist of hosts and users responsible for repeated failed authentication attempts.
  - SSHBan - Receives data directly from the loggers instead of scanning system logs.
- Enforce strong passwords - Using a strong password will enhance your defense against SSH brute-force/dictionary password attacks. Please refer to Managing Your Andrew Account Password and Guidelines for Password Management for more information on how to select and manage a strong password.
- Limit connection rates - For example, limit the rate of incoming SYN packets to the SSH port. This practice will not affect legitimate users, but it throttles rapid, repeated connection attempts from an attacker.
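As an added example (not part of the original guidance, and not the code of any tool listed above), the script below shows the approach SSHD-filter style tools take: it reads sshd log lines, counts "Failed password" events per source address inside a sliding time window, and renders iptables DROP rules for an administrator to review. The log excerpt, host name, thresholds and the assumed year are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt (syslog format, documentation-range addresses).
SAMPLE_LOG = """\
Mar 10 03:12:01 bastion sshd[4012]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 03:12:03 bastion sshd[4012]: Failed password for invalid user oracle from 203.0.113.45 port 51236 ssh2
Mar 10 03:12:04 bastion sshd[4015]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 10 03:12:06 bastion sshd[4015]: Failed password for root from 203.0.113.45 port 51242 ssh2
Mar 10 03:13:10 bastion sshd[4020]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Mar 10 03:15:30 bastion sshd[4022]: Failed password for bob from 198.51.100.7 port 50010 ssh2
Mar 10 03:40:00 bastion sshd[4030]: Failed password for invalid user guest from 192.0.2.9 port 40001 ssh2
Mar 10 04:05:00 bastion sshd[4031]: Failed password for invalid user guest from 192.0.2.9 port 40002 ssh2
Mar 10 04:30:00 bastion sshd[4032]: Failed password for invalid user guest from 192.0.2.9 port 40003 ssh2
Mar 10 04:55:00 bastion sshd[4033]: Failed password for invalid user guest from 192.0.2.9 port 40004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2007):
    """Map source IP -> timestamps of 'Failed password' lines (syslog omits the year, so one is assumed)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)
    return failures

def find_offenders(failures, threshold=4, window_seconds=600):
    """IPs with at least `threshold` failures inside some `window_seconds` span (sliding window)."""
    offenders = []
    for ip, times in failures.items():
        times = sorted(times)
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                offenders.append(ip)
                break
    return sorted(offenders)

def iptables_rules(offenders, ssh_port=22):
    """Render one DROP rule per offender for the sshd port; returned as text for review, not executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP" for ip in offenders]

if __name__ == "__main__":
    print("\n".join(iptables_rules(find_offenders(parse_failures(SAMPLE_LOG)))))
```

The slow, spaced-out guesses from 192.0.2.9 only trip the rule when the window is widened, which is the trade-off any threshold-based blocker has to tune.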