Discussion:
[swinog] are you also seeing more ssh attacks ?
Tobias Oetiker
2018-07-02 09:25:15 UTC
Good Morning

are you running an ssh daemon on non standard ports to avoid some of the drive-by-scanning ? we have been doing that for quite some time now with great reduction of scanning noise ... since yesterday this has changed ... we are getting a lot of connection attempts ...

are you seeing this too ? is someone actively looking for ssh across the whole port range or is this 'personal' ?

cheers
tobi
--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
www.oetiker.ch ***@oetiker.ch +41 62 775 9902
Jeroen Massar
2018-07-02 09:42:25 UTC
Post by Tobias Oetiker
Good Morning
are you running an ssh daemon on non standard ports to avoid some of the
drive-by-scanning ? we have been doing that for quite some time now with
great reduction of scanning noise ...
I suggest running SSH always behind white-list only firewalls.

That, and otherwise use a VPN to get in to a fixed-IP so that one is in
the whitelist.

Providing an 'open over IPv6 only', or "SSH via Tor" is also a
reasonable technique there.


If you have to run a jumpbox style host: For SSH, it is also heavily
suggested to disable any form of password-auth, that way, only public
key authentication is accepted and guess what the scanner scripts do not
support as they do not have a key which thus makes guessing impossible...

for OpenSSH:
UsePAM no
PasswordAuthentication no
ChallengeResponseAuthentication no

Do have working pubkeys on the box first :)
Post by Tobias Oetiker
since yesterday this has changed
... we are getting a lot of connection attempts  ... 
are you seeing this too ? is someone actively looking for ssh across the
whole port range or is this 'personal' ?
There are more and more "Internet scanning" services, especially since
people realized the amount of data that Shodan shows, every company is
having their own scanning boxes.

Next to that of course, there are thousands of kiddies running the
default scripts just trying random username/passwords.

Whitelisting is the best trick in the toolchest.

Greets,
Jeroen
Manuel Schweizer
2018-07-02 10:25:13 UTC
Hey Tobi

Not seeing what you are seeing, but I can really recommend Fail2Ban if you are not using it already.

It's as simple as:

*** snip 8< ***

# Install fail2ban
apt install fail2ban

# Set log level to VERBOSE in sshd daemon to catch failed logins for existing accounts as well
cat >> /etc/ssh/sshd_config <<EOF

LogLevel VERBOSE
EOF

systemctl restart sshd

*** >8 snap ***

Failed attempts will now be logged and source IPs will be banned after several failed attempts.

Cheers,
Manuel
--
Manuel Schweizer

cloudscale.ch AG
Venusstrasse 29
CH-8050 Zürich

Fon: +41 44 55 222 55
Fax: +41 44 55 222 56
Web: https://www.cloudscale.ch
Post by Jeroen Massar
Post by Tobias Oetiker
Good Morning
are you running an ssh daemon on non standard ports to avoid some of the
drive-by-scanning ? we have been doing that for quite some time now with
great reduction of scanning noise ...
I suggest running SSH always behind white-list only firewalls.
That, and otherwise use a VPN to get in to a fixed-IP so that one is in
the whitelist.
Providing an 'open over IPv6 only', or "SSH via Tor" is also a
reasonable technique there.
If you have to run a jumpbox style host: For SSH, it is also heavily
suggested to disable any form of password-auth, that way, only public
key authentication is accepted and guess what the scanner scripts do not
support as they do not have a key which thus makes guessing impossible...
UsePAM no
PasswordAuthentication no
ChallengeResponseAuthentication no
Do have working pubkeys on the box first :)
Post by Tobias Oetiker
since yesterday this has changed
... we are getting a lot of connection attempts ...
are you seeing this too ? is someone actively looking for ssh across the
whole port range or is this 'personal' ?
There are more and more "Internet scanning" services, especially since
people realized the amount of data that Shodan shows, every company is
having their own scanning boxes.
Next to that of course, there are thousands of kiddies running the
default scripts just trying random username/passwords.
Whitelisting is the best trick in the toolchest.
Greets,
Jeroen
_______________________________________________
swinog mailing list
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
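One practical check for the directives in this thread, as an added example that is not code from either post: sshd applies the first value it finds for a keyword, so appending `LogLevel VERBOSE` with `cat >>` changes nothing if LogLevel is already set earlier in the file, and settings under a `Match` line are conditional rather than global. The sample config is constructed; `sshd -t` remains the authoritative syntax check on the real file.

```python
import re

# Constructed sample sshd_config: LogLevel is already set near the top, and the
# thread's "cat >> /etc/ssh/sshd_config" has appended LogLevel VERBOSE at the end.
SAMPLE_CONFIG = """\
LogLevel INFO
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

LogLevel VERBOSE
"""

# keyword, then '=' or whitespace, then the value (trailing spaces dropped)
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s*[=\s]\s*(.+?)\s*$")
# Settings recommended in the thread (keywords are case-insensitive in sshd).
WANTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "usepam": "no",
    "loglevel": "VERBOSE",
}

def effective_values(config_text):
    """Return {keyword: value} as sshd would apply it for the global section."""
    values = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            in_match = True  # a Match block runs to the next Match line or EOF
            continue
        if in_match:
            continue  # conditional settings, not the global value
        values.setdefault(key, value)  # sshd keeps the FIRST value it sees
    return values

def audit(config_text):
    """Return {keyword: (effective_value, ok)}; an unset keyword reports None."""
    got = effective_values(config_text)
    return {k: (got.get(k), (got.get(k) or "").lower() == v.lower())
            for k, v in WANTED.items()}
```

Running `audit(SAMPLE_CONFIG)` reports LogLevel as `INFO` with the check failing, which is exactly the silent no-op the append produces on a file that already sets it.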
Jeroen Massar
2018-07-02 10:28:10 UTC
Post by Manuel Schweizer
Hey Tobi
Not seeing what you are seeing, but I can really recommend Fail2Ban if you are not using it already.
[..]
Post by Manuel Schweizer
Failed attempts will now be logged and source IPs will be banned after several failed attempts.
Which is quite useless with the distributed scanners that have
existed for the last few years.

A single IP will only hit you a few times... typically below the
threshold of standard fail2ban or other alarm bells.
The distributed scanner will keep on trying by using another IP from
their vast botnet...


The big question: Why is that SSH port open to the world ? :)

Greets,
Jeroen
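Jeroen's point about distributed scanners, as an added example run over constructed auth-log lines (not code from either post): counting failed logins per source address, IPv6 sources included, against a fail2ban-style maxretry shows every address staying under the threshold while the aggregate keeps growing. The log lines follow sshd's "Failed password for ... from ... port ... ssh2" format; the hostname and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH auth-log lines: a scanner population where
# each source tries only once or twice, IPv4 and IPv6 mixed, plus one real login.
SAMPLE_LOG = """\
Jul  2 09:10:01 jump sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 50123 ssh2
Jul  2 09:10:03 jump sshd[1002]: Failed password for root from 198.51.100.7 port 50124 ssh2
Jul  2 09:10:09 jump sshd[1003]: Failed password for invalid user test from 203.0.113.15 port 41234 ssh2
Jul  2 09:10:12 jump sshd[1004]: Failed password for root from 203.0.113.16 port 41240 ssh2
Jul  2 09:10:20 jump sshd[1005]: Failed password for invalid user oracle from 2001:db8::1a port 51000 ssh2
Jul  2 09:10:27 jump sshd[1006]: Failed password for invalid user pi from 203.0.113.17 port 41250 ssh2
Jul  2 09:10:30 jump sshd[1007]: Accepted publickey for tobi from 192.0.2.10 port 55555 ssh2: ED25519 SHA256:constructed
Jul  2 09:10:41 jump sshd[1008]: Failed password for root from 2001:db8::1a port 51001 ssh2
"""

# Matches sshd's "Failed <method> for [invalid user] <user> from <addr> port <n> ssh2".
# The address group is any non-blank token, so IPv6 sources are counted too.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2"
)

def failures_per_ip(log_text):
    """Count failed login attempts per source address (successes are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def classify(counts, maxretry=5):
    """Split sources by a fail2ban-style maxretry and sum what stays unbanned.

    maxretry=5 is fail2ban's shipped default; the value on a given system
    comes from its jail configuration, so treat the default as an assumption.
    """
    banned = {ip: n for ip, n in counts.items() if n >= maxretry}
    quiet = {ip: n for ip, n in counts.items() if n < maxretry}
    return {
        "banned": banned,
        "below_threshold": quiet,
        "total_failures": sum(counts.values()),
        "unbanned_failures": sum(quiet.values()),
    }
```

With the default threshold nothing gets banned although every failure in the sample is scanner traffic, which is why the aggregate count across sources, not the per-IP count, is the figure worth alerting on.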
Manuel Schweizer
2018-07-02 10:38:06 UTC
Hey Jeroen
Post by Jeroen Massar
A single IP will only hit you a few times... typically below the
threshold of standard fail2ban or other alarm bells.
The distributed scanner will keep on trying by using another IP from
their vast botnet...
Well, from experience I cannot confirm that at all. Apparently, there are still a lot of script kiddies out there or less sophisticated attacks going on. Fail2Ban sure helps with those.

If you want to use it in a more aggressive way you can also combine port knocking with fail2ban and ban source IPs the first time they "misbehave".
Post by Jeroen Massar
The big question: Why is that SSH port open to the world ? :)
Depends on the use case. I second your opinion when it comes to best-practices but I am also running a couple of servers with SSH open to the world because I don't have, need or want an extra jump host at that location to access a single system for example. So there are reasons.

Cheers,
Manuel
--
Manuel Schweizer

cloudscale.ch AG
Venusstrasse 29
CH-8050 Zürich

Fon: +41 44 55 222 55
Fax: +41 44 55 222 56
Web: https://www.cloudscale.ch
Nico Schottelius
2018-07-02 10:49:53 UTC
Good morning,
Post by Manuel Schweizer
Hey Tobi
Not seeing what you are seeing, but I can really recommend Fail2Ban if
you are not using it already.
while the idea of fail2ban is good, I would actually recommend sshguard
instead of fail2ban.
If you are not using a recent version of fail2ban, it does
not handle IPv6 at all and thus does not throttle IPv6 based attacks.

For that reason we switched to sshguard, a smaller and leaner dynamic
blocker that fully supports IPv6 and has a variety of backends,
including nftables.

Best,

Nico


--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
Gert Doering
2018-07-02 17:37:39 UTC
Hi,
Post by Manuel Schweizer
Not seeing what you are seeing, but I can really recommend Fail2Ban if you are not using it already.
Seconded. Even if we do not allow "plain password" authentication on
the Jumphost (it's using PIN + LinOTP tokens), if only to keep the noise
in the logs down and to annoy the brute-forcers a bit :-)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Marek Isalski
2018-07-02 10:38:13 UTC
Post by Jeroen Massar
If you have to run a jumpbox style host: For SSH, it is also heavily
suggested to disable any form of password-auth, that way, only public
key authentication is accepted and guess what the scanner scripts do not
support as they do not have a key which thus makes guessing impossible...
+1 for "jumphosts" as an alternative to VPNs.

I can highly recommend Teleport - https://gravitational.com/teleport/ - as a potential jumphost. It is an SSH CA with 2FA out of the box, and if you need it the enterprise (paid for) version will integrate with various authentication endpoints (SAML, etc). There are other features which are very suitable to out-of-band management (e.g. run Teleport as a node on a Raspberry Pi behind NAT on an OOB connection from a third party; it will connect out to your Teleport jumphost, allowing you to "get behind the NAT").

Disclosure: I gave a ~10 minute "lightning talk" at UKNOF about Teleport, but I am not getting paid by them ;)

Slides: http://faelix.link/uknof40
Video:


fail2ban on a jumphost is an excellent idea - lock your bastion down as much as you can.

Marek Isalski
Technical Director, Faelix Limited, https://faelix.net/
Stanislav Sinyagin
2018-07-04 11:34:58 UTC
another way of protection is throttling down TCP SYN attempt rate per
IP address. At least it will save you some CPU, as the SSH daemon
won't have to process every request:

https://txlab.wordpress.com/2013/06/29/protecting-a-vpbx-from-dos-attacks/
Post by Tobias Oetiker
Good Morning
are you running an ssh daemon on non standard ports to avoid some of the
drive-by-scanning ? we have been doing that for quite some time now with
great reduction of scanning noise ... since yesterday this has changed ...
we are getting a lot of connection attempts ...
are you seeing this too ? is someone actively looking for ssh across the
whole port range or is this 'personal' ?
cheers
tobi
--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
--
Stanislav Sinyagin
Senior Consultant, CCIE #5478
***@k-open.com
+41 79 407 0224