Brute-force/Dictionary SSH Attacks - Computing Services ISO - Carnegie Mellon University

Protect Against Brute-force/Dictionary SSH Attacks

According to the SANS Institute Security Risks Report for 2007, brute-force/dictionary attacks against remote services such as SSH are one of the Top-20 most common forms of attack on the Internet that compromise servers. In particular, Unix-based and Mac OS X servers that run an SSH service to give administrators secure remote connections are at risk. The ISO has seen an increased number of systems compromised via brute-force/dictionary attack. The attacks are continuous, and where countermeasures are lax the attackers use the results to improve their dictionaries. An excessive number of failed log-ins is a sign of a brute-force/dictionary attack against your SSH server.

To protect your SSH server from a brute-force/dictionary attack, please follow these seven protective measures:

  1. Disable root access - It is good security practice to disable SSH logins for the root account. Log in from your non-privileged user account and escalate privilege when and if necessary. SUDO and SU are examples of tools/commands that allow privilege escalation. These provide the added benefit of accountability (i.e. logging) in environments where root access must be shared.
  2. Disable unused services - Disable SSH if it is not in use.
  3. Filter traffic to your SSH server - Whenever possible, filter traffic to your SSH server (with a network or host-based firewall), restricting access to only known IP addresses. Restricting access to the campus VPN subnet or a range of IP addresses is a good start for filtering traffic.
  4. Run the SSH server on a non-standard, high port - This will mitigate automated attacks that scan for SSH servers on the default port.
  5. Install and maintain anti-brute-force tools - There are a number of filters and tools that administrators can use to block and protect against brute-force/dictionary attacks. A few are:
    • SSHD filters - Generate firewall rules to block an attack by reading the sshd logging output and generating iptables rules.
    • Pam_abl - Provides blacklisting of hosts and users responsible for repeated failed authentication attempts.
    • SSHBan - Receives data directly from the loggers instead of scanning system logs.
  6. Enforce strong passwords - Using a strong password will enhance your defense against SSH brute-force/dictionary password attacks. Please refer to the Computing Services Password Requirements and Guidelines for Password Management for more information on how to select and manage a strong password.
  7. Limit connection rates - For example, limit the number of SYN packets. This practice will not affect legitimate users, but will limit incoming attacks from rapid, repeated connection attempts.
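As an added example (not code from the ISO page or from any of the tools it names), the following Python script shows the detection logic behind the log-reading filters in measure 5 and the "excessive failed log-ins" signal above: it parses constructed sshd log lines, flags source addresses that exceed a failure threshold inside a time window, and renders the corresponding iptables rules without applying them. The sample log, the threshold of 5 failures, the 10-minute window and the year used for timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not from a real host).
# 203.0.113.5 fails five times in a few seconds; the others are isolated events.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  3 10:01:04 host sshd[2203]: Failed password for root from 203.0.113.5 port 50123 ssh2
Mar  3 10:01:05 host sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Mar  3 10:01:07 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 50125 ssh2
Mar  3 10:01:09 host sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 50126 ssh2
Mar  3 10:02:30 host sshd[2230]: Failed password for alice from 198.51.100.7 port 41022 ssh2
Mar  3 10:02:41 host sshd[2232]: Accepted publickey for alice from 198.51.100.7 port 41023 ssh2
Mar  3 10:40:00 host sshd[2500]: Failed password for root from 203.0.113.9 port 33001 ssh2
"""

# Matches the "Failed password" line OpenSSH writes for both real and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2007):
    """Yield (timestamp, user, source_ip) for every failed-password line.
    syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_offenders(log_text, threshold=5, window_seconds=600):
    """Return {ip: total_failures} for sources that reach `threshold` failures
    within any sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders

def iptables_rules(offenders, port=22):
    """Render one DROP rule per offending source; rendered only, never executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in iptables_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

A production filter would read the live log (or, like SSHBan, receive events from the logger directly), expire blocks after a timeout, and exempt the management subnet you allow-listed in measure 3 so a mistyped password there cannot lock you out.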
