
SANS ISC InfoSec Handlers Diary Blog



Security Tip of the day: Handling brute-force login attempts

Published: 2006-08-03
Last Updated: 2006-08-31 00:31:15 UTC
by William Stearns (Version: 2)
Dustin wrote in to say that an ssh brute-force login program made over 4500 attempts against his system over 2.5 hours today. It appears none of them were successful.

Brute-force login tools exist for just about any service that allows remote access. How do you fight these? Here are a number of approaches; each can be used on its own, but better yet, use all of them. Make sure you have permission to do these.

- Make sure none of your user accounts have easy-to-guess passwords. Run a password cracker like Crack or John the Ripper against your password hashes to see whether any are simple English words or otherwise easily guessed.

- Use a one-time password program or a hardware password generator like those from Cryptocard or RSA. Even if a password is observed, it can't be reused later.

- Disable remote root/Administrator logins on your systems. It will still be possible to log in as a non-privileged user and then become the super-user; you just can't log in as root directly.

- Provide ssh key-based logins to all your users, and once everyone is comfortable using them, disable password logins entirely.

- Run SSH on a different port. SSH has no trouble doing this. You need to tell the ssh server to listen on the new port, tell any firewalls in front of those machines to allow connections to the new port, and tell any ssh client programs that need to connect to those machines to use the new port.

- Ban the IP addresses of hosts that attempt brute-force logins. A number of readers have written in with suggestions of tools that ban scanners automatically: Chris suggested fail2ban (and a fail2ban howto), Ian suggested sshdfilter, Herb suggested denyhosts, and Keith suggested Buford (no link at the moment).

- Submit your logs to DShield so that attackers can be identified from their attacks on multiple systems.

- Limit logins to just the IP addresses of your known client machines.
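Several of the items above (no direct root logins, key-based logins only, a non-default port, and limiting logins to known users and hosts) are settings in the OpenSSH server configuration. The following audit script is an added example, not code from the SANS ISC diary or from the OpenSSH project: it parses an sshd_config text and reports which of those recommended settings are missing. The two configurations at the bottom are constructed samples, and the default values it assumes for absent directives are noted in the comments.

```python
"""Audit an OpenSSH sshd_config for the hardening settings listed in this
diary: no direct root logins, key-based logins only, a non-default port and
an allow-list of permitted users/hosts.

Added example (not SANS ISC or OpenSSH code); the two configurations at the
bottom are constructed samples.
"""
import re

# Recommended settings: option name -> (predicate on the lowercased value,
# reason). sshd_config option names are case-insensitive.
CHECKS = {
    "permitrootlogin": (lambda v: v == "no", "disable direct root logins"),
    "passwordauthentication": (lambda v: v == "no", "allow key-based logins only"),
    "port": (lambda v: v.isdigit() and int(v) != 22, "move sshd off port 22"),
    "allowusers": (lambda v: v != "", "limit logins to known users and hosts"),
}

# Effective value when a directive is absent (assumption: PermitRootLogin
# defaults to prohibit-password on OpenSSH 7.0+, older releases defaulted to
# yes; either default fails the check above, so the audit result is the same).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "port": "22",
    "allowusers": "",
}

# sshd_config accepts "Option value" and "Option=value".
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {option: value} for the global section of an sshd_config.

    sshd honours the first occurrence of an option, so later duplicates are
    ignored. Parsing stops at the first Match block, because everything after
    it is conditional and would need the connection context to evaluate.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        config.setdefault(key, value)
    return config


def audit_sshd_config(text):
    """Return a sorted list of (option, effective_value, reason) for each
    recommended setting that is not in place; an empty list means hardened."""
    config = parse_sshd_config(text)
    findings = []
    for option, (is_ok, reason) in CHECKS.items():
        value = config.get(option, DEFAULTS[option]).lower()
        if not is_ok(value):
            findings.append((option, value, reason))
    return sorted(findings)


# Constructed sample: a default-looking sshd_config before hardening.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the same host after applying the diary's advice
# (hosts and users are placeholders from the documentation address range).
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers dustin@192.0.2.10 ops@192.0.2.0/24
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(text)
        print(f"{name}: {'OK' if not findings else ''}")
        for option, value, reason in findings:
            print(f"  {option} = {value!r}: {reason}")
```

Run the audit against a copy of the server's sshd_config before and after the change; an empty findings list means all four recommendations are in place. Moving the port is only worth it together with the firewall and client changes the item above describes, and the AllowUsers entry is what enforces the "known client machines" item at the ssh layer.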
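The tools readers suggested for banning scanners (fail2ban, sshdfilter, denyhosts) all make the same decision: watch the authentication log and flag a source address once it exceeds a number of failed logins within a time window. The script below is an added example of that detection logic, not code from any of those tools or from the diary. It parses OpenSSH-style auth.log lines and returns the addresses that crossed the threshold; the log lines, the hostname and the addresses are constructed, the syslog year is assumed because syslog omits it, and the script only reports candidates rather than touching a firewall.

```python
"""Flag source addresses that exceed a failed-login threshold within a
sliding time window: the decision fail2ban-style tools make before banning.

Added example (not fail2ban, sshdfilter or denyhosts code). The log lines
below are constructed to look like OpenSSH auth.log entries.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog line written by OpenSSH for a failed password attempt, e.g.
#   Aug  3 10:15:01 bastion sshd[4101]: Failed password for invalid user admin from 192.0.2.7 port 4022 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_timestamp(ts, year=2006):
    """Syslog timestamps carry no year; the year is an assumption here."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(lines, max_failures=5, window_seconds=600):
    """Return {ip: {"failures": total, "ban_at": datetime}} for every source
    with more than max_failures failed logins inside a window_seconds span.

    A sliding window keeps a user who mistypes a password a few times over an
    afternoon from being treated like a tool hammering the server.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    totals = defaultdict(int)     # ip -> all failures seen
    triggered = {}                # ip -> time the threshold was crossed
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        ip, ts = m.group("ip"), parse_timestamp(m.group("ts"))
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) > max_failures and ip not in triggered:
            triggered[ip] = ts
    return {ip: {"failures": totals[ip], "ban_at": ts} for ip, ts in triggered.items()}


# Constructed sample log: one scanner (192.0.2.7), one user who mistyped a
# password twice before succeeding (198.51.100.5), and one slow source whose
# attempts are spread 25 minutes apart (203.0.113.9).
SAMPLE_LOG = """\
Aug  3 10:15:01 bastion sshd[4101]: Failed password for invalid user admin from 192.0.2.7 port 4022 ssh2
Aug  3 10:15:03 bastion sshd[4103]: Failed password for invalid user admin from 192.0.2.7 port 4023 ssh2
Aug  3 10:15:04 bastion sshd[4104]: Failed password for root from 192.0.2.7 port 4024 ssh2
Aug  3 10:15:06 bastion sshd[4106]: Failed password for root from 192.0.2.7 port 4025 ssh2
Aug  3 10:15:08 bastion sshd[4108]: Failed password for invalid user test from 192.0.2.7 port 4026 ssh2
Aug  3 10:15:09 bastion sshd[4109]: Failed password for invalid user test from 192.0.2.7 port 4027 ssh2
Aug  3 10:15:11 bastion sshd[4111]: Failed password for invalid user oracle from 192.0.2.7 port 4028 ssh2
Aug  3 10:15:20 bastion sshd[4110]: Failed password for dustin from 198.51.100.5 port 50001 ssh2
Aug  3 10:15:40 bastion sshd[4112]: Failed password for dustin from 198.51.100.5 port 50002 ssh2
Aug  3 10:16:02 bastion sshd[4115]: Accepted publickey for dustin from 198.51.100.5 port 50003 ssh2
Aug  3 10:20:00 bastion sshd[4120]: Failed password for root from 203.0.113.9 port 3301 ssh2
Aug  3 10:45:00 bastion sshd[4130]: Failed password for root from 203.0.113.9 port 3302 ssh2
Aug  3 11:10:00 bastion sshd[4140]: Failed password for root from 203.0.113.9 port 3303 ssh2
"""

if __name__ == "__main__":
    for ip, info in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failed logins, threshold crossed at {info['ban_at']:%H:%M:%S}")
```

With the default threshold only the scanner is reported; the slow source is missed, which is the trade-off the window introduces and the reason correlating logs across many systems (the DShield item) catches what a single host cannot. Before wiring a script like this to a firewall rule, allow-list the addresses of your own client machines so a mistyped password from an administrator cannot lock you out.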

Keywords: ToD