SSH Password Guessing Attacks

Posted on in System Administration

telescope

I manage servers and network devices that, for a variety of reasons, allow users to connect via SSH from anywhere in the world. Although the traffic generated by these connections is encrypted, leaving this open to the world does present a bit of a security risk. Would-be crackers use compromised systems or open proxies to attack SSH servers in the hopes of finding usable username / password combinations. If all your users use strong passwords, you can feel reasonably secure knowing that the chances of one of these dictionary-based password attacks succeeding is low.

Unfortunately, this knowledge is no longer enough to counter my annoyance in seeing all these SSH connection attempts in my logs. The responsible thing to do is report the incident to the individuals responsible for the IP addresses that attacked your system. As you're likely aware, this has little chance of success. These requests are usually ignored.

I decided that the best way to slow down the attacks and make myself feel better at the same time was to start null routing the offending IPs. The idea here is to not route the source IP addresses of the attackers. This has the effect of shutting down the attack as my servers will never respond.

On my Linux servers, I did this with

# route add -host 88.103.118.94 reject

And on my Cisco's

(config)# ip route 88.103.118.94 255.255.255.255 Null0

Obviously this host-by-host approach is not a long-term solution for dealing with this issue, but it feels nice to stop one bad system.

I'm sure someone out there is maintaining a black-hole list for these bad IPs. I'm familiar with the DNS-based lists that are available, but I'm not certain how useful that would be in this situation. Is anyone familiar with such a service?

Update: I've started a comprehensive black hole list. Check it out and recommend anything not already there.

Slaptijack's Koding Kraken