Protecting against SSH dictionary attacks

From BitFolk
Jump to: navigation, search

This article describes some common ways of avoiding falling prey to SSH dictionary attacks — repeated login attempts over SSH.

SSH dictionary attacks

A common form of abusive activity seen on the Internet is the SSH dictionary attack. Some compromised hosts constantly scan for other Internet hosts with the SSH port (22) open, and when they find one they try a very large dictionary of possible user names and passwords. If access is obtained, the attacker will likely use the compromised host for further abuse such as more SSH scanning, denial of service attacks, and hosting of illegal content.

These scans are indiscriminate; they are not targeted personally at any one person, organisation or site, they're just scanning the whole Internet or large subnets.

If your VPS gets compromised

If your gets compromised then it's possible that it will remain compromised for some time before anyone discovers this. Should it engage in abusive activity such as performing SSH dictionary attacks itself then BitFolk may detect this. The usual course of action at this point is for your network access to be disabled and for you to be contacted.

You'll then need to convince yourself and BitFolk that root access has not been obtained. If root access has been obtained (or there is reasonable doubt) then BitFolk will insist that you re-install your VPS from scratch. BitFolk will be unable to provide hosting to customers who repeatedly allow their services to become compromised.

Protecting against dictionary attacks

It is absolutely vital that all VPS customers protect against SSH dictionary attacks. In no particular order, here are some methods for doing so. Many of them can be combined.

Disable password-based authentication

Use only SSH public keys to log in to your VPS.

Advantages Disadvantages
  • Completely prevents SSH dictionary attacks from working.
  • Have to have valid SSH keys on every device you will SSH from.

Firewall off or restrict access to port 22

Use a firewall and/or TCP Wrapper to restrict access to port 22 to only certain source addresses.

Advantages Disadvantages
  • Completely prevents SSH dictionary attacks from untrusted hosts.
  • Can only connect from hosts which are known in advance.

Restrict SSH login to only certain user names

Using the AllowUsers directive of the sshd configuration it is possible to restrict the login ability to only the stated user names.

Advantages Disadvantages
  • You only need to worry about the password strength for a small number of users.
  • Still need to worry about password strength.

Move sshd to a different port other than 22

Advantages Disadvantages
  • Avoids almost all dictionary attacks since they only focus on the default port.
  • Have to remember to change port in all client configurations.
  • May find some sites block unusual ports.

Use a log scraper to firewall abusive hosts

Log scrapers like Fail2Ban or denyhosts can be configured to spot abusive activity by remote hosts, and apply firewall rules against them.

Advantages Disadvantages
  • Will quickly lock out a host engaging in a dictionary attack.
  • Still possible for an attacker to get lucky and get in within the first few attempts.
  • May lock out legitimate users who get their password wrong too many times.

Use iptables (IPv4) and/or ip6tables (IPv6) to firewall abusive hosts

Firewalls can be configured to spot abusive activity by remote hosts, and apply rules or chains against them.

Some examples of firewall scripts used to thwart dictionary attacks.

Advantages Disadvantages
  • Again, will quickly lock out a host engaging in a dictionary attack.
  • Independent of tools, such as Fail2Ban or denyhosts.
  • IPv6 support. At the time of writing, Fail2Ban lacks IPv6 support.
  • Requires a moderate understanding of iptables and/or ip6tables.
  • Still possible for an attacker to get lucky and get in within the first few attempts.
  • May lock out legitimate users who get their password wrong too many times (this can be limited by the use of the source IP and MAC addresses).

Only use strong passwords

Advantages Disadvantages
  • Using a decent password will foil almost all dictionary attacks since they can only try a list of common passwords.
  • Users may pick poor passwords without your knowledge.
  • The size of password list that can be tried is increasing all the time.

Things to avoid doing

Tales of woe from previously-compromised customers.

  • "I set up a new user and gave him a user name of john, password of john, but he never changed his password despite me asking him to!"
  • "I put a weak password temporarily on my mysql user just while I did some work, but then I forgot to remove it!"