Protecting against SSH dictionary attacks

From BitFolk
Revision as of 16:13, 10 May 2012 by Strugglers

This article describes some common ways of avoiding falling prey to SSH dictionary attacks — repeated login attempts over SSH.

SSH dictionary attacks

A common form of abusive activity seen on the Internet is the SSH dictionary attack. Some compromised hosts constantly scan for other Internet hosts with the SSH port (22) open, and when they find one they try a very large dictionary of possible user names and passwords. If access is obtained, the attacker will likely use the compromised host for further abuse such as more SSH scanning, denial of service attacks, and hosting of illegal content.

These scans are indiscriminate; they are not targeted personally at any one person, organisation or site, they're just scanning the whole Internet or large subnets.

If your VPS gets compromised

If your VPS gets compromised then it's possible that it will remain compromised for some time before anyone discovers this. Should it engage in abusive activity such as performing SSH dictionary attacks itself then BitFolk may detect this. The usual course of action at this point is for your network access to be disabled and for you to be contacted.

You'll then need to convince yourself and BitFolk that root access has not been obtained. If root access has been obtained (or there is reasonable doubt) then BitFolk will insist that you re-install your VPS from scratch. BitFolk will be unable to provide hosting to customers who repeatedly allow their services to become compromised.

Protecting against dictionary attacks

It is absolutely vital that all VPS customers protect against SSH dictionary attacks. In no particular order, here are some methods for doing so. Many of them can be combined.

Disable password-based authentication

Use only SSH public keys to log in to your VPS.

Advantages:
  • Completely prevents SSH dictionary attacks from working.

Disadvantages:
  • Have to have valid SSH keys on every device you will SSH from.

Move sshd to a different port other than 22

Advantages:
  • Avoids almost all dictionary attacks since they only focus on the default port.

Disadvantages:
  • Have to remember to change port in all client configurations.
  • May find some sites block unusual ports.

Use a log scraper to firewall abusive hosts

Log scrapers like Fail2Ban or denyhosts can be configured to spot abusive activity by remote hosts, and apply firewall rules against them.

Advantages:
  • Will quickly lock out a host engaging in a dictionary attack.

Disadvantages:
  • Still possible for an attacker to get lucky and get in within the first few attempts.
  • May lock out legitimate users who get their password wrong too many times.
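As an added example (not code from the BitFolk page or from Fail2Ban/denyhosts), here is the core logic such a log scraper applies: it reads constructed auth.log lines, counts failed passwords per source address inside a sliding time window (the maxretry/findtime idea), and produces the firewall rule for any address that crosses the threshold, while a host whose failures are spread out over a longer period, or an address you list as trusted, is not banned. The function names, thresholds and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd's "Failed password" line as it appears in auth.log (syslog prefix, no year).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def find_abusive_hosts(lines, maxretry=5, findtime=600, ignore=(), year=2012):
    """Addresses that logged `maxretry` failed passwords within any `findtime`-second
    window, in the order they crossed the threshold. `ignore` lists addresses never
    to ban (e.g. your own workstation), the usual guard against self-lockout."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in ignore or m["ip"] in banned:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned.append(m["ip"])
    return banned

def drop_rule(ip, port=22):
    """The iptables rule a log scraper would insert for a banned address."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"

# Constructed sample: a slow host (192.0.2.9), a scanner (203.0.113.5), a user who fumbles twice.
SAMPLE_LOG = """\
May 10 15:00:01 vps sshd[2101]: Failed password for root from 192.0.2.9 port 33001 ssh2
May 10 15:15:01 vps sshd[2103]: Failed password for root from 192.0.2.9 port 33002 ssh2
May 10 15:30:01 vps sshd[2105]: Failed password for root from 192.0.2.9 port 33003 ssh2
May 10 15:45:01 vps sshd[2107]: Failed password for root from 192.0.2.9 port 33004 ssh2
May 10 16:00:01 vps sshd[2109]: Failed password for root from 192.0.2.9 port 33005 ssh2
May 10 16:01:02 vps sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
May 10 16:01:03 vps sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 40123 ssh2
May 10 16:01:05 vps sshd[2205]: Failed password for root from 203.0.113.5 port 40125 ssh2
May 10 16:01:06 vps sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 40127 ssh2
May 10 16:01:08 vps sshd[2209]: Failed password for invalid user john from 203.0.113.5 port 40129 ssh2
May 10 16:05:00 vps sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
May 10 16:05:20 vps sshd[2303]: Failed password for alice from 198.51.100.7 port 51001 ssh2
May 10 16:05:40 vps sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
""".splitlines()
```

Running `drop_rule(ip)` for each result of `find_abusive_hosts(SAMPLE_LOG)` yields a rule only for 203.0.113.5; lowering `maxretry` to 2 would also ban the legitimate user, which is the trade-off listed above.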

Only use strong passwords

Advantages:
  • Using a decent password will foil almost all dictionary attacks since they can only try a list of common passwords.

Disadvantages:
  • Users may pick poor passwords without your knowledge.
  • The size of password list that can be tried is increasing all the time.

Things to avoid doing

Tales of woe from previously-compromised customers.

  • "I set up a new user and gave him a user name of john, password of john, but he never changed his password despite me asking him to!"
  • "I put a weak password temporarily on my mysql user just while I did some work, but then I forgot to remove it!"