[j-nsp] SSH_Brute_Force events

Tim Hogard thogard at abnormal.com
Thu Apr 5 19:08:50 EDT 2012


> 
> On Thu, Apr 5, 2012 at 3:09 PM, Harri Makela <harri_makela at yahoo.com> wrote:
> > Hi Guys
> >
> > We are getting "SSH_Brute_Force" alerts quite often from our Intrusion prevention systems (IPS) - ISS GX.
> >
...
> >
> > change SSH port  system wide from 22 to 10022 ?
I'm guessing your inside hosts are getting hit and not your router/firewall.

This works well if ssh is needed worldwide.  I have been doing it for years and so far it has never
caused a problem that couldn't be fixed by reading a manual and adding a command line option.

> > Report the ISP to contact with the customer which is really not a practical solution ?
> >
> > Any advice will be highly appreciated. I myself new to this and trying to document the process.
> 
> This is a very common occurrence on the open internet. Usually, these
> remote hosts test out some common account names and passwords, looking
> for weakly-protected accounts.

These are distributed brute-force attacks.  A host will pick a common user id
like "bob" and a common password like "letmein" and then scan the world trying
those two and recording which ones work.

There are others that use ssh keys on existing hacked systems to work
their way into any other systems.  Too bad openssh doesn't allow
keys and passwords at the same time, but encrypted keys tend to stop
this attack.

Another thing is if ssh keys are used by automated systems, you
don't have to give them a shell that lets them run everything, but you
can have a shell that only runs the one command that is needed.

> Switching SSH ports to a non-standard port will stop the casual
> scanner, but doesn't really do anything to mitigate the risk.
It does mitigate risk by a calculable factor.
i.e.  going from port 22 to 10022 means the attacker needs to scan first,
and that makes that job 10^4 times harder.  Knowing they are after you
and not just targets on the net gives you info that makes the defense about
twice as good.  So now your system is 2,000 times better by moving the port.
You still need to make sure your IDS knows you're running ssh on the new port, or
else you can increase the risk because you don't get warned.

The rule about security through obscurity is that it should never be
counted on, but it is useful as another layer on your security onion.

-tim
http://web.abnormal.com
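The "shell that only runs the one command that is needed" Tim mentions for automated ssh keys can be done with an OpenSSH forced command. This is an added example, not code from the thread: a wrapper script (hypothetical path /usr/local/bin/backup-only) that compares `SSH_ORIGINAL_COMMAND` against an exact allowlist, plus the matching authorized_keys entry. The rsync server-side line and the key blob are constructed placeholders.

```shell
#!/bin/sh
# Forced-command wrapper for a key used by an automated backup client.
# sshd runs this instead of the client's command and hands the requested
# command over in SSH_ORIGINAL_COMMAND; anything not listed is refused.

# Exact-match allowlist, one command per line.  The rsync line is a
# constructed sample: capture the real server-side line your client sends
# (log SSH_ORIGINAL_COMMAND once) and paste it here verbatim.
ALLOWED='rsync --server --sender -vlogDtpre.iLsfxC . /srv/backup/
/usr/bin/uptime'

# allow_command CMD -> 0 if CMD is exactly one allowlisted line, else 1.
allow_command() {
    cmd=$1
    [ -n "$cmd" ] || return 1          # no command means "give me a shell"
    while IFS= read -r line; do
        [ "$line" = "$cmd" ] && return 0
    done <<EOF
$ALLOWED
EOF
    return 1
}

# The authorized_keys entry that pins the key to this wrapper.  "restrict"
# (OpenSSH 7.2+) also turns off pty, agent/port/X11 forwarding for the key.
# The key blob is a placeholder, not a real key.
authorized_keys_line() {
    printf '%s\n' \
      'restrict,command="/usr/local/bin/backup-only" ssh-ed25519 AAAA...PLACEHOLDER backup@client'
}

# Run the requested command if allowed; otherwise log and refuse.
run_requested() {
    if allow_command "$SSH_ORIGINAL_COMMAND"; then
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    logger -t backup-only "refused: ${SSH_ORIGINAL_COMMAND:-<shell>}" 2>/dev/null
    echo "command not permitted for this key" >&2
    exit 1
}

# Under sshd SSH_ORIGINAL_COMMAND is set; run directly, just print the key entry.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    run_requested
else
    authorized_keys_line
fi
```

Refused attempts land in syslog via logger, which is the line to alert on if a key is ever copied off the client.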

