So how do you handle dictionary attacks?
Until recently, I used automatic scripts to ban sources. Scripts are too slow. So why can't we just build a simple rule set for the firewall? Perhaps like this:
# Dedicated chain that every NEW TCP connection to port 22 is sent through
iptables -N SSH_BAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_BAN
# Record the source address of each new connection in the "SSH" recent list
iptables -A SSH_BAN -m recent --set --name SSH
# Drop it when this is the 4th (or later) new connection from that source within 60 seconds
iptables -A SSH_BAN -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# Persist the rules across reboots (RHEL/CentOS style init script)
iptables-save > /etc/sysconfig/iptables
/sbin/service iptables save
The result:
[root@bench ~]# iptables -L -v
Chain INPUT (policy ACCEPT 374M packets, 106G bytes)
pkts bytes target prot opt in out source destination
176K 10M SSH_BAN tcp -- any any anywhere anywhere tcp dpt:ssh state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 274M packets, 395G bytes)
pkts bytes target prot opt in out source destination
Chain SSH_BAN (1 references)
pkts bytes target prot opt in out source destination
176K 10M all -- any any anywhere anywhere recent: SET name: SSH side: source
164K 9812K DROP all -- any any anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
[root@bench ~]#
Works for me.
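To make the sliding-window behaviour of the two "recent" rules above concrete, here is a small Python model of the SSH_BAN chain. It is an added example, not the original post's code or the kernel's xt_recent implementation; the 20-entry per-source cap assumes xt_recent's default ip_pkt_list_tot, and the addresses are constructed sample values.

```python
"""Model of the SSH_BAN chain: 'recent --set' followed by
'recent --update --seconds 60 --hitcount 4 -j DROP' on NEW SSH connections.
Simplified model written for this page, not the kernel's xt_recent code."""
from collections import defaultdict, deque

SECONDS = 60     # --seconds 60
HITCOUNT = 4     # --hitcount 4
MAX_STAMPS = 20  # assumption: xt_recent default ip_pkt_list_tot


class RecentTable:
    """Per-source bounded list of 'last seen' timestamps (cf. /proc/net/xt_recent/SSH)."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        # 'recent --set': record this packet's arrival for the source.
        self.stamps[src].append(now)

    def update(self, src, now):
        # 'recent --update --seconds S --hitcount N': match when the source has
        # at least N stamps within the last S seconds; a match adds one more stamp.
        recent = [t for t in self.stamps[src] if now - t <= SECONDS]
        if len(recent) >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False


def ssh_ban(table, src, now):
    """Walk the SSH_BAN chain for one NEW TCP connection to port 22 from src."""
    table.set(src, now)            # iptables -A SSH_BAN -m recent --set --name SSH
    if table.update(src, now):     # ... --update --seconds 60 --hitcount 4 -j DROP
        return "DROP"
    return "ACCEPT"                # falls through to the INPUT policy ACCEPT


def replay(attempts):
    """Feed (src, second) tuples in time order and return the chain's verdicts."""
    table = RecentTable()
    return [ssh_ban(table, src, t) for src, t in attempts]


if __name__ == "__main__":
    # Constructed sample: one source sends 5 SYNs in 20 s, then one more 70 s later.
    attempts = [("203.0.113.7", t) for t in (0, 5, 10, 15, 20)] + [("203.0.113.7", 90)]
    for (src, t), verdict in zip(attempts, replay(attempts)):
        print(f"t={t:3d}s {src} -> {verdict}")
```

Running it shows the fourth new connection from one source inside 60 seconds being dropped, which is also what a legitimate user opening four SSH sessions in a minute would hit; the source is admitted again only after it has been quiet long enough for its stamps to age out of the window.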