Ed Heron
2011-01-28 22:18:37 UTC
What is the deal with the SSH brute force attacks? I wasn't paying
attention until recently, but some of my new CentOS machines are giving
me reports of all the failed login attempts.
Most attackers (several dozen per day) try once every 15 to 20
minutes. I assume that is to avoid automatically being banned. Some were
throwing thousands of attempts at me from a single IP address. It might
have been happening on my old servers, but I'm afraid to look.
I didn't have any automatic banning software installed before, but I
do now.
However, it makes me think about SSH. It is a secure protocol but a
bad password could open my system up to exploitation. This isn't an SSH
fault but a lack of confidence in my users. And we don't even use SSH
from outside the private network that often (just me for maintenance).
We recently started using OpenVPN with certificates. I'm working on
adding a password so it takes both a certificate and a password to
connect a remote machine to the private network.
I'm thinking that OpenVPN makes external SSH obsolete. I could turn
it off forcing me to start a whole VPN in order to get access to the
internal interface.
Has everybody else already gotten to this conclusion or are there lots
of people still allowing remote SSH access?
I'm also thinking of setting up a honeypot on my external SSH port.
Are there any pre-configured honeypot distributions? Would a honeypot
that never lets anybody in because it doesn't have any valid login
combinations be good, or should it let them in and let them waste their
time installing rootkits, then, when they log out, reset the machine?
Any thoughts?
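The pattern the post describes (one attempt every 15 to 20 minutes per source, plus the occasional flood from a single address) is exactly the case a naive "N failures in M minutes" ban rule misses. The following is an added example, not code from the post or from any banning tool: it parses constructed sshd lines in the syslog format CentOS writes to /var/log/secure, applies a fail2ban-style sliding window (the `maxretry`/`findtime` idea; the threshold values used here are assumptions, not any tool's defaults), and summarizes the spacing of attempts per source so the slow attackers stand out. Host names, addresses (RFC 5737 test ranges) and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 203.0.113.7 floods the port; 198.51.100.9 tries one
# password every 15 minutes; 192.0.2.50 is a legitimate user who fumbles once
# and then logs in with a key.
SAMPLE_LOG = """\
Jan 28 20:00:02 web1 sshd[4011]: Failed password for root from 198.51.100.9 port 50210 ssh2
Jan 28 20:15:02 web1 sshd[4018]: Failed password for invalid user admin from 198.51.100.9 port 50211 ssh2
Jan 28 20:30:02 web1 sshd[4025]: Failed password for invalid user oracle from 198.51.100.9 port 50212 ssh2
Jan 28 20:45:02 web1 sshd[4033]: Failed password for root from 198.51.100.9 port 50213 ssh2
Jan 28 20:58:40 web1 sshd[4040]: Failed password for ed from 192.0.2.50 port 33001 ssh2
Jan 28 20:58:51 web1 sshd[4040]: Accepted publickey for ed from 192.0.2.50 port 33001 ssh2
Jan 28 21:00:01 web1 sshd[4051]: Failed password for invalid user test from 203.0.113.7 port 41234 ssh2
Jan 28 21:00:02 web1 sshd[4041]: Failed password for invalid user postgres from 198.51.100.9 port 50214 ssh2
Jan 28 21:00:03 web1 sshd[4052]: Failed password for invalid user test from 203.0.113.7 port 41235 ssh2
Jan 28 21:00:05 web1 sshd[4053]: Failed password for root from 203.0.113.7 port 41236 ssh2
Jan 28 21:00:07 web1 sshd[4054]: Failed password for root from 203.0.113.7 port 41237 ssh2
Jan 28 21:00:09 web1 sshd[4055]: Failed password for invalid user guest from 203.0.113.7 port 41238 ssh2
Jan 28 21:00:11 web1 sshd[4056]: Failed password for invalid user guest from 203.0.113.7 port 41239 ssh2
"""

# Matches the "Failed password" line sshd logs for both valid and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(text, year=2011):
    """Return a list of (datetime, source_ip, username) for each failed login.

    syslog lines carry no year, so the caller supplies it (assumed 2011 here).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse the double space of single-digit days
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def offenders(events, maxretry=5, findtime_s=600):
    """fail2ban-style rule: flag an IP with >= maxretry failures inside any
    window of findtime_s seconds. Sliding window over sorted timestamps."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime_s:
                start += 1  # drop attempts that fell out of the window
            if end - start + 1 >= maxretry:
                flagged.add(ip)
                break
    return flagged


def summarize(events):
    """Per source IP: attempt count, usernames tried and mean gap between
    attempts in seconds (None for a single attempt). A large count with a
    gap of many minutes is the slow pattern that short findtime windows miss."""
    by_ip = defaultdict(list)
    users = defaultdict(set)
    for ts, ip, user in events:
        by_ip[ip].append(ts)
        users[ip].add(user)
    out = {}
    for ip, times in by_ip.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[ip] = {
            "count": len(times),
            "users": sorted(users[ip]),
            "avg_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return out


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for ip, info in summarize(ev).items():
        print(ip, info)
    print("10 min window:", offenders(ev, 5, 600))
    print("2 h window:  ", offenders(ev, 5, 7200))
```

With a 10-minute window only the flooding address trips the rule; the 15-minute attacker needs a window of hours before its five attempts ever coincide, and a window that long will also catch a legitimate user who mistypes a few times in an evening, so pair it with a whitelist for your own addresses. None of this is needed once `PasswordAuthentication no` is set in sshd_config, since a guessed password is then worthless regardless of how many guesses the attacker is allowed.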