Message Board

Newbie/Basic Questions

 Honeypot for ssh dictionary attacks?
Author: T.Wennekers   (8 May 08 1:56pm)
Hi

Does anybody know of honeypot(-like) tools that protect against dictionary attacks targeting the secure shell port?

The background to the question is that, since quite recently, these attempts seem to be distributed. Earlier they came from a single internet site at quite a high frequency, easy to detect and block with a simple tcp-wrapper script. Now they use multiple sites at once at lower frequencies, which is more difficult to distinguish from real traffic. However, they now seem to attack the root account only, instead of randomly searching for insecure user accounts.

Because the attacks come from quite a high number of sites in a brief time, it could be especially useful to have a honeypot-like system, as this reveals information about the bot structure behind the attack.

Best wishes
Thomas
 
 Re: Honeypot for ssh dictionary attacks?
Author: P.Hauser   (9 May 08 6:13am)
Hi,

No matter what port, one should distinguish between the key concepts of low- and high-interaction honeypots.

An example of a low-interaction ssh honeypot would be Kojoney (Koret SSH Honeypot), written in Python, at http://sourceforge.net/projects/kojoney/ .

High-interaction honeypots require a lot more implementation effort.

You might check the article "Analyzing Malicious SSH Login Attempts" at http://www.securityfocus.com/infocus/1876 and the "New Zealand Honeynet Alliance" at http://www.nz-honeynet.org/ or read David Watson's paper on

"Global Distributed Honeynets (GDH)"

at http://www.nz-honeynet.org/speaking/PacSec07_David_Watson_Global_Distributed_Honeynet.pdf

Last but not least, just google for 'ssh honeypot' ...

Hth
 
 Re: Honeypot for ssh dictionary attacks?
Author: T.Wennekers   (9 May 08 2:40pm)

Hi Hth

Thanks for the quick and useful response. I do have low-communication measures in action. What I was thinking about was indeed something more coordinated; after all, a non-communicating local protection measure represents just passive defense. More coordinated attempts could be considerably more efficient. GDH, on the other hand, looks too big/ambitious for the normal user; as far as I got it from the Watson presentation, it needs a dedicated server and/or several? static IP addresses, and that's not what most of us have available by default. One of the good things about Project Honeypot is that practically everybody can use, contribute to and benefit from it. We all hate spam, worms, break-in attacks, etc., so I guess many would like to contribute. Something similar like Project Honeypot against ssh attacks would therefore be nice to have. After all, every cracked computer is a potential remailer. Perhaps the PHPot techniques can even be adapted to ssh attacks? Whatever, I am not a computer security expert.

Once again, thanks for the links and infos.

Best wishes
Thomas
 
 Re: Honeypot for ssh dictionary attacks?
Author: P.Hauser   (9 May 08 4:51pm)
Hi Thomas,

you wrote:

> Something similar like Project Honeypot against ssh attacks would therefore be nice to have,

Project Honeypot, to speak in technical terms, is a low-interaction honeypot reduced to port 80 of a webserver.

If you think about not only monitoring ssh attacks on port 22 but also blocking such attempts, you would usually use a firewall such as iptables, if you have shell access on your server.

A good introduction to this would be:

http://www.faqs.org/faqs/computer-security/ssh-faq/
http://en.wikipedia.org/wiki/Netfilter/iptables

A good tool that automatically adds rules to iptables is "fail2ban" at http://www.fail2ban.org/

The problem and solutions are described in many blogs and articles across the web like:

http://www.fduran.com/blog/defending-against-ssh-brute-force-attacks/
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

You would again have to follow the links in the publications or google.

BTW: I'm P.Hauser, and 'Hth' is a three-letter acronym for "Hope That Helps" from the nntp-news netiquette, just as BTW is a three-letter acronym for "By The Way".

Anyway, hope that helps you out to start with, and have a good time over here. ;-)
 
 Re: Honeypot for ssh dictionary attacks?
Author: T.Wennekers   (10 May 08 9:38am)
Thanks again, Peter.

I have been blocking ssh attacks for a couple of years and am aware of the general possibilities for doing so, although over the last couple of days I have found out that there have been quite a few recent developments, some of them mentioned in your message. (I would perhaps add pam_abl as a way different from the ones already mentioned.)

My original motivation for starting this thread, however, was to find out whether there exists some concerted attempt to address the ssh attacks, similar to Project Honey Pot for WWW, or blacklists (like spamcop) for smtp. Given simple configurations of the ssh protection systems you refer to in your message, an attacker is typically blocked after >~3 failed attempts for a day. They can still do 1000 attempts per year per server. Given a bot-net, the number multiplies. They can also do one attempt every 10 minutes or so and would probably not even be detected by many setups, resulting in an even higher number of attempts possible. I just thought somebody could have set up something like "blacklists for ssh"? Besides its apparent usefulness for blacklisting, such a centralised database system might further have the potential to provide insight into the underlying bot-nets doing the attacks, thereby perhaps allowing us to fight them better?

Be that as it may, as you rightly pointed out, Project Honeypot targets the WWW port. Therefore the above is a bit off topic.

Best wishes
Thomas
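The gap Thomas describes in his first post (a single noisy source is easy to block, a distributed low-rate root-only campaign is not) and in the post above (a per-source threshold such as "3 failures, then ban for a day" is evaded by spacing attempts 10 minutes apart or spreading them over a bot-net) can be shown on constructed sshd log lines. The following is an added example, not code from this thread nor from fail2ban, DenyHosts or tcp-wrappers: it runs a fail2ban-style per-source rule and a cross-source "many IPs hitting root" rule over the same lines. The log lines, the thresholds (3 failures within 10 minutes per source; 5 distinct sources against root within one hour) and the rendered iptables rule are all assumptions chosen for the illustration.

```python
"""Per-source banning versus a distributed, low-rate root-only campaign.

Added example; the sample log, thresholds and rule format are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt: one noisy host (10.0.0.9), one legitimate
# key login, six bot-net members (198.51.100.x) with two root attempts each,
# and one slow source (203.0.113.7) trying root every 15 minutes.
SAMPLE_LOG = """\
May 10 09:00:01 host sshd[2001]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
May 10 09:00:03 host sshd[2002]: Failed password for invalid user admin from 10.0.0.9 port 40002 ssh2
May 10 09:00:05 host sshd[2003]: Failed password for invalid user oracle from 10.0.0.9 port 40003 ssh2
May 10 09:00:07 host sshd[2004]: Accepted publickey for thomas from 192.0.2.5 port 50000 ssh2
May 10 09:05:00 host sshd[2010]: Failed password for root from 198.51.100.11 port 41000 ssh2
May 10 09:07:30 host sshd[2011]: Failed password for root from 198.51.100.11 port 41001 ssh2
May 10 09:12:00 host sshd[2012]: Failed password for root from 198.51.100.12 port 41002 ssh2
May 10 09:15:00 host sshd[2013]: Failed password for root from 203.0.113.7 port 42000 ssh2
May 10 09:19:00 host sshd[2014]: Failed password for root from 198.51.100.13 port 41003 ssh2
May 10 09:26:00 host sshd[2015]: Failed password for root from 198.51.100.14 port 41004 ssh2
May 10 09:30:00 host sshd[2016]: Failed password for root from 203.0.113.7 port 42001 ssh2
May 10 09:33:00 host sshd[2017]: Failed password for root from 198.51.100.15 port 41005 ssh2
May 10 09:45:00 host sshd[2018]: Failed password for root from 203.0.113.7 port 42002 ssh2
May 10 10:00:00 host sshd[2019]: Failed password for root from 203.0.113.7 port 42003 ssh2
"""

# Classic OpenSSH "Failed password" line (format assumed; syslog timestamps
# carry no year, so the caller supplies one).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failed_logins(lines, year=2008):
    """Return (time, user, ip) for each failed-password line; other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def per_source_bans(events, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban an IP once it has maxretry failures inside findtime.

    Returns {ip: time of ban}.  A source that spaces its attempts wider than
    findtime never accumulates enough recent failures and is never banned.
    """
    recent = defaultdict(deque)
    bans = {}
    for ts, _user, ip in sorted(events):
        if ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def distributed_root_campaign(events, window=timedelta(hours=1), min_sources=5):
    """Cross-source rule: count distinct IPs failing against root in a sliding window.

    Each bot stays under the per-source threshold, but together they cannot hide
    the fact that many unrelated addresses target root at once.  Returns the
    sorted source list of the first window that trips the rule, or [] if none.
    """
    root_failures = deque()
    for ts, user, ip in sorted(events):
        if user != "root":
            continue
        root_failures.append((ts, ip))
        while root_failures and ts - root_failures[0][0] > window:
            root_failures.popleft()
        sources = {src for _t, src in root_failures}
        if len(sources) >= min_sources:
            return sorted(sources)
    return []


def render_iptables_rules(ips, port=22):
    """Render DROP rules for banned sources (strings only; nothing is executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG.splitlines())
    bans = per_source_bans(evs)
    print("per-source bans:", bans)                     # only 10.0.0.9
    print("\n".join(render_iptables_rules(bans)))
    print("distributed root campaign:", distributed_root_campaign(evs))
```

Running it shows the asymmetry Thomas is pointing at: the per-source rule bans only the noisy host, never 203.0.113.7 (one attempt per 15 minutes) nor any of the 198.51.100.x bots (two attempts each), while the cross-source rule trips once five distinct addresses have failed against root inside the hour. The cross-source rule is the local equivalent of the aggregation a shared blacklist would provide; on its own it can only alert, since it has no single address to ban.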
 
 Re: Honeypot for ssh dictionary attacks?
Author: M.Nordhoff   (10 May 08 11:41pm)
DenyHosts is similar to fail2ban (only ssh-specific), and it automatically uses a blocklist and updates it with hosts blocked by your machine too.

http://denyhosts.sourceforge.net/

Copyright © 2004–25, Unspam Technologies, Inc. All rights reserved.