Koozali.org: home of the SME Server

Distributed ssh attack

holck
Distributed ssh attack
« on: February 06, 2019, 10:07:11 AM »
Yesterday I experienced a distributed ssh attack on an SME server. The server survived, but the attack put a heavy load on it. The server was set up to allow remote ssh access on a non-standard port, and this was the vulnerability the attack tried to exploit.

The server runs fail2ban, and consequently banned lots and lots of IP addresses. Each banning involves a "fail2ban-update" event, and the load from all these events was quite hard. Actually, banning involves 2 "fail2ban-update" events for each IP address: 1 for the ban and a little later 1 for the unban. And every event includes lots of calls to iptables: one call for each IP address on the fail2ban list.

So, e.g., if at present 1,000 IP addresses are banned, a new "fail2ban-update" event includes 1,001 calls to iptables.

From the logs I can count 3,390 remote IP addresses used for the attack. Quite a large number, I think.

Moral of the story: don't count on fail2ban for handling distributed attacks :-)

Jesper, Denmark
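Added example, not part of Jesper's post and not SME Server's fail2ban templates: a POSIX shell script that counts the distinct source addresses behind failed sshd logins in a constructed log extract (the same count Jesper made from his logs) and, using the cost model he describes (one iptables call per address on the ban list plus one more, on every ban and every unban event), works out how many iptables invocations a run of N bans costs. The worst-case ordering, all N bans before any unban, is an assumption of the model; on a real server the unbans are interleaved with the bans.

```shell
#!/bin/sh
# Added example, not code from the original post. It counts the distinct source
# IPs behind sshd authentication failures in a log extract and estimates how many
# iptables invocations the per-event full rebuild described in the post would cost.
# The log lines are constructed for this example; they are not from a real server.

SAMPLE_LOG='Feb  5 03:12:01 sme sshd[2311]: Failed password for root from 203.0.113.5 port 51012 ssh2
Feb  5 03:12:03 sme sshd[2315]: Failed password for invalid user admin from 198.51.100.23 port 40211 ssh2
Feb  5 03:12:04 sme sshd[2318]: Failed password for root from 203.0.113.5 port 51020 ssh2
Feb  5 03:12:09 sme sshd[2322]: Failed password for invalid user test from 192.0.2.77 port 33302 ssh2
Feb  5 03:12:11 sme sshd[2330]: Accepted publickey for jesper from 192.0.2.10 port 50122 ssh2
Feb  5 03:12:15 sme sshd[2331]: Failed password for root from 198.51.100.23 port 40230 ssh2'

# Print "<count> <ip>" for every source IP with at least one failed password,
# most active first. Accepted logins are ignored.
failures_per_ip() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
             }
             END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Number of distinct attacking IPs, the figure the post counted from its logs.
distinct_attackers() {
    failures_per_ip | wc -l | tr -d ' '
}

# Cost model from the post: every fail2ban-update event re-issues one iptables
# call per IP on the ban list plus one more, and each IP causes two events (ban,
# later unban). Worst case is all N bans before any unban; this walks that
# sequence and sums the per-event cost, which is why the total grows as N*N.
iptables_calls() {
    awk -v n="$1" 'BEGIN {
        total = 0
        for (k = 1; k <= n; k++) total += k + 1        # k-th ban: list now holds k
        for (k = n - 1; k >= 0; k--) total += k + 1    # each unban: list shrinks to k
        print total
    }'
}

# Stand-alone run: summarise the sample and show the cost for the 3,390 IPs
# mentioned in the post.
report() {
    echo "distinct attacking IPs: $(distinct_attackers)"
    failures_per_ip
    echo "iptables calls for 3390 attackers under the rebuild model: $(iptables_calls 3390)"
}
report
```

Because each event replays the whole list, the total grows with the square of the number of attackers: 10 addresses cost 120 calls, the 3,390 from the post about 11.5 million. That is why a distributed attack hurts far more than one noisy host. The usual remedy is a set-based firewall target so that a ban is a single ipset insertion rather than a rule rebuild; fail2ban upstream ships ipset-based actions (iptables-ipset-proto6), but whether SME Server's fail2ban-update event uses them is not something this thread establishes.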

Jean-Philippe Pialasse (aka Unnilennium) - http://smeserver.pialasse.com
Re: Distributed ssh attack
« Reply #1 on: February 06, 2019, 01:02:46 PM »
On this, denyhosts is a little more efficient. It only has to update its deny file to add the new IP. No event to trigger.

ReetP
Re: Distributed ssh attack
« Reply #2 on: February 06, 2019, 01:18:58 PM »
I've had the same on a number of boxes, and it's still ongoing. Must be a zero-day or something out there, but I've not seen any press yet.

Denyhosts has been pretty good, but I am looking at a GeoIP blocking script to drop a lot.

I'll post back when I have it running properly - I'm stuck on one bit currently.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ReetP
Re: Distributed ssh attack
« Reply #3 on: February 06, 2019, 05:52:03 PM »
OK, I have done some work here.

https://wiki.contribs.org/SSH_Filtering_with_IPTables

The main bit is:

https://wiki.contribs.org/SSH_Filtering_with_IPTables#SSH_Filter_with_GeoIP_blocking

You MUST have GeoIP v2 databases installed and working.

I'd like to get the logging right, but I have spent half the night and a day on this and I need a pint, and lots of it.

hosts.allow blocking is blunt but very effective, but I don't know how to sort the logging out on it.

sshfilter.sh is a bit more flexible, BUT you can't whitelist an IP as yet. And errors from the script go to secure and not messages, which I can't figure out.

Any suggestions appreciated.

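An added example of the kind of filter discussed in the post above; it is not the wiki's sshfilter.sh and not SME Server code. It adds the whitelist ReetP says is still missing (exact addresses or CIDRs, checked before the country lookup) and sends its log lines with an explicit syslog facility, which is what decides whether they land in secure or messages under a CentOS-style rsyslog configuration. The GeoIP lookup is a stub with a constructed table so the block runs offline; the whitelist addresses, the allowed countries, the stub's country assignments and the mmdblookup path mentioned in the comments are all assumptions.

```shell
#!/bin/sh
# Added example of a hosts.allow-style SSH filter with a whitelist; this is not
# the wiki's sshfilter.sh. Intended to be called with the client IP as its only
# argument (for instance from hosts.allow via the hosts_options(5) aclexec
# keyword, if the local tcp_wrappers build supports it); exit 0 allows, 1 denies.

# Countries (ISO 3166 alpha-2) whose SSH clients are allowed. Assumed values.
ALLOW_COUNTRIES="${ALLOW_COUNTRIES:-DK GB}"
# Addresses/CIDRs that bypass the country check. Documentation ranges, not real hosts.
WHITELIST="${WHITELIST:-192.0.2.10 198.51.100.0/24}"
# Syslog facility: under the stock CentOS rsyslog.conf authpriv lands in
# /var/log/secure and daemon in /var/log/messages. Assumption about the host.
LOG_FACILITY="${LOG_FACILITY:-authpriv}"

log_msg() {
    printf '%s\n' "$1" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -p "$LOG_FACILITY.info" -t sshfilter -- "$1" 2>/dev/null || :
    fi
}

# Dotted-quad IPv4 to a 32-bit integer (runs in a subshell so IFS is not clobbered).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET[/BITS]: true when IP falls inside NET/BITS (BITS defaults to 32).
in_cidr() {
    case $2 in
        */*) cidr_net=${2%/*}; cidr_bits=${2#*/} ;;
        *)   cidr_net=$2;      cidr_bits=32 ;;
    esac
    if [ "$cidr_bits" -eq 0 ]; then
        cidr_mask=0
    else
        cidr_mask=$(( (0xFFFFFFFF << (32 - cidr_bits)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip2int "$1") & cidr_mask )) -eq $(( $(ip2int "$cidr_net") & cidr_mask )) ]
}

# Country lookup. STUB with a constructed table so the script runs offline. On a
# real host replace the body with a GeoIP v2 query, for example (assumed path;
# mmdblookup prints a quoted value that still needs trimming):
#   mmdblookup --file /usr/share/GeoIP/GeoLite2-Country.mmdb --ip "$1" country iso_code
geoip_country() {
    case $1 in
        192.0.2.*)    echo DK ;;
        198.51.100.*) echo GB ;;
        203.0.113.*)  echo RU ;;
        *)            echo UNKNOWN ;;   # no match: treated as not allowed
    esac
}

# ssh_filter CLIENT_IP: whitelist first, then country; logs every decision.
ssh_filter() {
    for entry in $WHITELIST; do
        if in_cidr "$1" "$entry"; then
            log_msg "allow $1 (whitelisted by $entry)"
            return 0
        fi
    done
    cc=$(geoip_country "$1")
    for c in $ALLOW_COUNTRIES; do
        if [ "$c" = "$cc" ]; then
            log_msg "allow $1 (country $cc)"
            return 0
        fi
    done
    log_msg "deny $1 (country $cc)"
    return 1
}

# When run as a script with one argument, decide for that client and exit with it.
if [ $# -eq 1 ]; then
    ssh_filter "$1"
    exit $?
fi
```

Hooking it into hosts.allow (for example `sshd: ALL: aclexec /usr/local/sbin/sshfilter.sh %a`, path assumed, and only if the host's tcp_wrappers honours hosts_options(5)) makes the script's exit status the access decision; because the whitelist is tested first, an admin address never reaches the GeoIP step even when its country is not on the list. Set LOG_FACILITY=daemon to move the lines from /var/log/secure to /var/log/messages under the stock CentOS rsyslog.conf.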