SSH connections


I'm looking at thwarting some ssh probes by changing the port number
and customizing the sshd_config file.  I'm curious if these probes have
an adverse effect on the performance of the server or are the
connection attempts inexpensive resource-wise?  Are there any ways to
measure the impact of these connection attempts?


Re: SSH connections

Fred wrote:

So you want to have statistics on how much resources these connection
attempts use? Without more information it is quite impossible to give you
any kind of "good answer". But I'll give you a few questions..

Basically when someone probes your ssh, it takes cpu cycles off your
server and network bandwidth, a few seeks to the "user database", whatever
that may be depending on your configuration, and writes a few lines of
text into the logging facility..

Basically, the probes are very inexpensive resource-wise since they
usually happen in serial (at least the scanners I've seen never launch
parallel probes but of course this is just a matter of time to change)

If you want to measure the resources, you need to identify those first.
Just plain network traffic? Cpu time? Disk io and space usage caused
by probes? I'm quite sure everything can be measured..

Re: SSH connections

Fred wrote:

In general you can regard ssh connection attempts as inexpensive, as long
as you're running as a daemon. In any Unix where you're running sshd under
a superserver, they get a bit more costly.

At a guess, you're OK. If you're authenticating against LDAP, and that
server is heavily loaded, or something, all bets are off, of course.

I'm speaking in general terms here--a standard standalone sshd on a
mainstream Linux install, where you can garner quite a bit of resistance to
casual attacks simply by disallowing root logins, and changing ports.

Be advised that the nature of the attacks changes constantly. A couple of
years ago I saw attacks limited to 3-4 standard Unixy accounts. Lately, I
see what looks like a more evolved version of the same attacks--same Unixy
accounts, but with the beginnings of a decent dictionary attack. I suspect
it's an evolved version of the same tool because I see roughly the same
distribution in attack sources. That's a very shaky assumption, but I've
not had a need to chase it further.

I'm now recommending to clients that cloud-facing ssh boxen use account
names of random alphanumeric chars. My rationale is that as dictionary
attacks become more sophisticated, pre-attack scanning for a changed port
will also become more common. Hitting just enough ports to identify Linux
(if even that much is done), then assuming the standard port becomes less
useful if it's a precursor to a more resource-intensive and noisier
dictionary attack.

In summary, I would expect dictionary attacks to get steadily better in
terms of account coverage, and to be preceded by more stealthy scans. I
don't expect the number of system compromises to increase in proportion.
SSH is fairly easy to secure.

Remaining on a standard port can also be quite useful, in terms of ease of
auditing systems, etc.

There are ways to instrument, and gather quite a bit of data. Exactly what's
available on your system will vary by distro, and you may need to code up
a wrapper or something. I wouldn't worry about this too much in terms of a
DoS attack. There are far easier ways to do that.
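The instrumentation Greg mentions can be as simple as summarising sshd's own authentication failures. The following is an added example, not code from this thread: it parses a constructed sample of auth.log-style lines (the hostname, addresses and account names are made up; the "Failed password for [invalid user] NAME from IP port N ssh2" field order is what OpenSSH writes to syslog) and reports, per source address, how many attempts were made, which accounts were tried, how long the burst lasted and how many attempts landed in a single second, which is a crude way to tell the serial probes described above from parallel ones.

```python
"""Summarise sshd authentication failures from auth.log-style lines.

Added example, not code from the thread. The log lines below are
constructed to resemble OpenSSH's syslog output on Linux; hosts, users
and addresses are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample (documentation addresses only, no real hosts).
SAMPLE_LOG = """\
Mar  3 04:12:01 gw sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 04:12:03 gw sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Mar  3 04:12:05 gw sshd[2235]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 04:12:07 gw sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 40150 ssh2
Mar  3 04:20:44 gw sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 51020 ssh2
Mar  3 04:20:44 gw sshd[2302]: Failed password for invalid user guest from 198.51.100.23 port 51021 ssh2
Mar  3 04:20:44 gw sshd[2303]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 04:31:10 gw sshd[2410]: Accepted publickey for alice from 192.0.2.10 port 58000 ssh2
"""

# Syslog timestamp, host, "sshd[pid]:", then the OpenSSH failure message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source_ip) for every failed password attempt.

    Syslog lines carry no year, so the caller supplies one.
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def summarise(text, year=2024):
    """Per source IP: attempt count, accounts tried, burst length in seconds
    and the most attempts seen within one second (a parallelism signal)."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text, year):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        times = [t for t, _ in events]
        report[ip] = {
            "attempts": len(events),
            "users": sorted({u for _, u in events}),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
            "peak_per_second": max(Counter(times).values()),
        }
    return report


def top_usernames(text, n=3, year=2024):
    """Most-tried account names across all sources: the 'same old account
    list' the thread describes shows up here."""
    return Counter(user for _, user, _ in parse_failures(text, year)).most_common(n)


if __name__ == "__main__":
    for ip, stats in summarise(SAMPLE_LOG).items():
        print(ip, stats)
    print(top_usernames(SAMPLE_LOG))
```

Pointing `summarise` at a real log tells you the probe rate directly; multiplying that by the cost of one failed authentication (a PAM lookup, one log write) is the resource estimate the original question asks for, and a high `peak_per_second` is the signal that a scanner has stopped probing serially.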



Re: SSH connections

Greg Metcalfe wrote:

While certainly safer.  I can guarantee that NONE of the attacks
deal well with an unpingable host.  So, just as you should move your
port number off the common 22, if you're not pingable, ... well, there's
just too much lower hanging fruit to sift through... why should I try
to scan you when my scans could take 10 times (or more) longer than
on most hosts... a hacker/bot doesn't want to spend that much time
on you.  Now.. if your IP is already on "the list", then you won't
avoid scan by avoiding ping... however, if you just have a few
services and you successfully move them to different ports, it's
likely you'll get off "the list" (if there is such a beast).

Now... if somebody is targeting you DIRECTLY, the idea you present
certainly has merit.

1. Move your SSH port to something weird (probably not to 10022).
2. Don't allow root at all.
3. Secure SSH to allow a specified set of usernames only and use
   weird usernames (random like you said).
4. Better, don't allow tunneled clear text passwords at all.

These are all probably good best practices regardless of whether
or not your host is coming under attack.

Re: SSH connections

Chris Cox wrote:

I'm willing to believe that.

I think that might have much to do with the size of a target subnet.

IMHO, it's safest to always assume that you're being targeted directly. If
you can, anyway. That assumption often requires more action, and there may
not be enough hours in the day.

I predict precursor scans for basic combinatorial explosion reasons. It may
not always happen, but if I were to write an efficient attack, that's how
I'd do it.

Generally good advice. If most users would do just these things, they'd be
very secure. As I mentioned earlier, there may be advantages to staying on
the standard port. It depends upon your situation. Other than that, I've no
real disagreement with you.

Re: SSH connections

Chris Cox wrote:


Errmmm, can you elaborate on this?

I recently worked on securing all of our servers' SSH configuration
with all of the items you mentioned (except that I left them on port
22), but I've never even heard of these "tunneled clear text passwords",
so maybe I'm allowing them without even being aware of it?

How can I make sure that I'm not allowing them?



Re: SSH connections


examine /etc/ssh/sshd.conf for that option
Regards, niko
icq:# 129022192
What is won by force can only be kept by force (Mahatma

Re: SSH connections

Carlos Moreno wrote:
He means letting users login by entering a password instead of
public/private key authentication.
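Chris Cox's checklist and Carlos's question about whether passwords are still accepted both come down to a handful of sshd_config keywords. The following is an added example, not code from this thread or from OpenSSH: it reads an sshd_config, applies OpenSSH's rule that the first value of a repeated keyword is the one in effect, fills in the stock defaults for keywords the file omits, and reports which checklist items are not met. Both configurations it checks are constructed; the port 2299 and the account names in AllowUsers are hypothetical. ChallengeResponseAuthentication (renamed KbdInteractiveAuthentication in newer releases) is checked as well, because with PAM a keyboard-interactive login also accepts a password, so turning off PasswordAuthentication alone does not stop password logins.

```python
"""Audit an sshd_config against the hardening steps discussed in the thread.

Added example, not code from the thread or from OpenSSH. Assumptions:
OpenSSH's "first value wins" rule for repeated keywords, stock defaults
(DEFAULTS below) for keywords the file omits, and no evaluation of Match
blocks (anything after the first Match line is conditional and ignored).
"""
import re

# Defaults assumed when the file omits the keyword. PermitRootLogin has
# defaulted to prohibit-password since OpenSSH 7.0; older releases default
# to yes, so setting it to "no" explicitly is the safe choice either way.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowusers": None,
}

# Newer releases renamed this keyword; both spellings set the same option.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# Constructed configs. The weak one looks like a stock file and repeats
# PasswordAuthentication to show that the first value is the effective one.
WEAK_CONFIG = """\
# stock-looking sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# ignored by sshd: the earlier "yes" wins
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# hardened sshd_config (constructed; port and user names are hypothetical)
Port 2299
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers x7q2mv k9ta3z
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: first value}, stopping at the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first value wins
    return settings


def effective_settings(text):
    """Merge the parsed values over the assumed defaults."""
    eff = dict(DEFAULTS)
    for key, value in parse_sshd_config(text).items():
        if key in eff:
            eff[key] = value
    return eff


def audit(text):
    """List (keyword, current value, recommended value) for unmet items."""
    eff = effective_settings(text)
    want = [
        ("PermitRootLogin", "permitrootlogin", "no"),
        ("PasswordAuthentication", "passwordauthentication", "no"),
        ("ChallengeResponseAuthentication", "challengeresponseauthentication", "no"),
        ("PubkeyAuthentication", "pubkeyauthentication", "yes"),
    ]
    findings = [(name, eff[key], expected)
                for name, key, expected in want if eff[key].lower() != expected]
    if eff["allowusers"] is None:
        findings.append(("AllowUsers", "(unset)", "an explicit list of accounts"))
    return findings


def non_default_port(text):
    """True when sshd listens somewhere other than 22 (optional, per the thread)."""
    return effective_settings(text)["port"] != "22"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "port moved:", non_default_port(cfg))
        for name, current, expected in audit(cfg):
            print(f"  {name}: is {current!r}, recommended {expected!r}")
```

Run it against the file's contents (`audit(open("/etc/ssh/sshd_config").read())`) to answer Carlos's question for a given host; the port check is reported separately because the thread itself is split on whether moving off 22 is worth it. The defaults table is an assumption about the OpenSSH release in use, and `sshd -T` on the host prints the values actually in effect, Match blocks included, when a definitive answer is needed.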

Re: SSH connections


The interesting part of these "evolving" scanners is that there seems to be
this scanner that probes the sshd with certain accounts. As I have
multiple hosts up and running these scans happen pretty often but only
once have I seen a little bit of creativity in those scans.

The scanner had obviously identified the country where my host resides
and set the account dictionary accordingly and actually hit a few correct
accounts with that scan of his/hers.

99.9999% of the scans I get just use the same old same old account list.
