Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: holck on February 06, 2019, 10:07:11 AM

Title: Distributed ssh attack
Post by: holck on February 06, 2019, 10:07:11 AM
Yesterday I experienced a distributed ssh attack on an SME server. The server survived, but the attack put a heavy load on it. The server was set up to allow remote ssh access on a non-standard port, and this was the vulnerability the attack tried to exploit.

The server runs fail2ban, and consequently banned lots and lots of IP addresses. Each banning involves a "fail2ban-update" event, and the load from all these events was quite hard. Actually, banning involves 2 "fail2ban-update" events for each IP address: 1 for the ban and a little later 1 for the unban. And every event includes lots of calls to iptables: one call for each IP address on the fail2ban list.

So, e.g., if at present 1,000 IP-addresses are banned, a new "fail2ban-update"-event includes 1,001 calls to iptables.

From the logs I can count 3,390 remote IP-addresses used for the attack. Quite a large number, I think.

Moral of the story: don't count on fail2ban for handling distributed attacks :-)

Jesper, Denmark
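An added illustration (not holck's code and not part of SME Server) of the scaling the post describes: it counts distinct failing sources from constructed /var/log/secure lines and compares the iptables calls made when every fail2ban-update event re-applies the whole ban list against a simple per-IP insert/delete, assuming all bans outlast the attack.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the format sshd writes to /var/log/secure;
# the addresses and user names are made up for illustration.
SAMPLE_LOG = """\
Feb  5 09:12:01 sme sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Feb  5 09:12:03 sme sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Feb  5 09:12:04 sme sshd[2205]: Failed password for root from 198.51.100.7 port 51240 ssh2
Feb  5 09:12:09 sme sshd[2210]: Failed password for invalid user test from 192.0.2.44 port 39001 ssh2
Feb  5 09:12:11 sme sshd[2212]: Accepted publickey for jesper from 192.0.2.10 port 50000 ssh2
"""

# Matches the failed-password line sshd logs; group 1 is the remote address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def failed_login_sources(log_text):
    """Map each remote IP with failed password attempts to its attempt count,
    in first-seen order. Successful logins are ignored."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            seen[m.group(1)] = seen.get(m.group(1), 0) + 1
    return seen


def iptables_calls_rebuild(n):
    """iptables calls for banning and later unbanning n addresses when every
    fail2ban-update event re-applies the whole ban list (one call per banned
    IP plus one for the event itself, as the post describes). Simplifying
    assumption: all bans outlast the attack, so the k-th ban runs with k
    addresses listed and the i-th unban with n - i still listed."""
    bans = sum(1 + k for k in range(1, n + 1))
    unbans = sum(1 + (n - i) for i in range(1, n + 1))
    return bans + unbans  # equals n*n + 2*n


def iptables_calls_incremental(n):
    """Calls if each event only inserted or deleted the one rule it concerns."""
    return 2 * n


if __name__ == "__main__":
    sources = failed_login_sources(SAMPLE_LOG)
    print("distinct failing sources:", len(sources), dict(sources))
    for n in (len(sources), 1000, 3390):
        print(f"n={n}: rebuild={iptables_calls_rebuild(n)} "
              f"incremental={iptables_calls_incremental(n)}")
```

The rebuild cost grows quadratically with the number of banned addresses, which is why a few thousand sources are enough to load the box even though each event succeeds.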
Title: Re: Distributed ssh attack
Post by: Jean-Philippe Pialasse on February 06, 2019, 01:02:46 PM
On this, denyhosts is a little more efficient. It only has to update its deny file to add the new IP. No event to trigger.
Title: Re: Distributed ssh attack
Post by: ReetP on February 06, 2019, 01:18:58 PM
I've had likewise on a number of boxes and it is still ongoing. Must be a zero-day or something out there, but I haven't seen any press yet.

Denyhosts has been pretty good, but I am looking at a GeoIP blocking script to drop a lot.

I'll post back when I have it running properly - I'm stuck on one but currently.
Title: Re: Distributed ssh attack
Post by: ReetP on February 06, 2019, 05:52:03 PM
OK, I have done some work here.

https://wiki.contribs.org/SSH_Filtering_with_IPTables

The main bit is:

https://wiki.contribs.org/SSH_Filtering_with_IPTables#SSH_Filter_with_GeoIP_blocking

You MUST have GeoIP v2 databases installed and working.

I'd like to get the logging right, but have spent half the night and a day on this and I need :pint: and lots of it.

hosts.allow blocking is blunt but very effective, but I don't know how to sort the logging out on it.

sshfilter.sh is a bit more flexible. BUT you can't whitelist an IP, as yet. And errors from the script go to secure and not messages which I can't figure out.

Any suggestions appreciated.