Re: I love IP Tables....

From: "Wolfgang S. Rupprecht" <wolfgang.rupprecht+gnus200705@xxxxxxxxx>
Tom Rivers <tom@xxxxxxxxxxxxxxxxx> writes:
> On Sat, 2007-05-26 at 13:16 -0700, Wolfgang S. Rupprecht wrote:
>> Such programs help you save the CPU time of sshd answering the
>> connection from a single abusive host, but would do little against a
>> distributed botnet attack.  Luckily botnets aren't really used against
>> sshd yet, but if they were you'd potentially be seeing distributed
>> guessing attacks from 10,000 different hosts.  If they all took turns
>> to guess a single password in round-robin fashion, the filters would
>> never trip.
>
> You're right.  What do you recommend to protect against this sort of
> attack?

There are two things to defend against, 1) attackers actually guessing
a working password 2) the system resources wasted answering the
attacks.

The first one is easily taken care of by having the computer pick
a random number as a password for you.  Remembering and typing
gibberish passwords is hard, so it is best to have the computer's
machinery do the drudge work.  This is what ssh's RSA (and DSA)
mechanism does.  It chooses a 1kbit long password for you and
effectively stores it for you so you never have to type it.  It then
encrypts that 1kbit password with a "human" password you chose.  This
password can be a really *bad* password (pet's name, mother's maiden
name etc.) without any ill effects.  The human-password is never used
by ssh for anything but decoding its 1k-bit password on the local
machine when ssh starts up.  The 1k-bit password is the one ssh uses
"on the wire".  The fact that the attacker now has to guess the 1kbit
password is what makes the whole thing so safe.  Doing an exhaustive
search on that takes many, many times the life of the universe.

(I didn't want to post this link in the last message, I've posted it
twice already and was afraid someone would think I was spamming the
same link repeatedly.  SSH RSA setup:
http://www.wsrcc.com/wolfgang/sshd-config.html )

As for the defense against the DDOS resource exhaustion of a
theoretical botnet sshd attack, I'm not sure you can do much but try
to change your IP address.  Ultimately legislation will probably be
needed to fine the fools running virus-riddled computers that are
supplying the computer workforce for the botnets.

I am sure there will be representatives of ISPs that will squeal like
stuck pigs when I suggest that the ISPs should be sued for leaving the
virus-laden machine on the network after a documented complaint. Or
even better the ISP's upstream should cut off the offending ISP if the
spewing machine is not off the net within an hour of first detection.

{^_^}   (Has also toyed with the idea of an ssh block list similar to
       the block lists for spam. I've not copyrighted it or patented
       it so take the idea and run if you wish. Just don't try patenting
       it.)
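The round-robin scenario in the quoted message (10,000 hosts each guessing once, so a per-host filter never trips) can be made concrete with detection logic that aggregates by target account instead of by source address. This is an added example, not code from anyone in this thread; the sshd log lines below are constructed, and the threshold and function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from the thread): a distributed
# guessing run in which every source host tries only once, plus one
# legitimate public-key login.
SAMPLE_LOG = """\
May 26 13:20:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 40001 ssh2
May 26 13:20:03 host sshd[1202]: Failed password for root from 192.0.2.11 port 40002 ssh2
May 26 13:20:05 host sshd[1203]: Failed password for invalid user admin from 192.0.2.12 port 40003 ssh2
May 26 13:20:07 host sshd[1204]: Failed password for root from 192.0.2.13 port 40004 ssh2
May 26 13:20:09 host sshd[1205]: Failed password for root from 192.0.2.14 port 40005 ssh2
May 26 13:20:11 host sshd[1206]: Accepted publickey for wolfgang from 198.51.100.7 port 50000 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text):
    """Return a list of (target_user, source_ip) pairs, one per failed-password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def per_host_alerts(failures, threshold=3):
    """Single-host filter (the fail2ban/DenyHosts style discussed in the thread):
    alert on any one source IP that produced at least `threshold` failures."""
    counts = Counter(ip for _, ip in failures)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_alerts(failures, threshold=3):
    """Account-centric filter: alert on any target account that drew failures
    from at least `threshold` distinct source IPs, however few per host."""
    sources = defaultdict(set)
    for user, ip in failures:
        sources[user].add(ip)
    return sorted(user for user, ips in sources.items() if len(ips) >= threshold)


if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("per-host alerts:", per_host_alerts(f))        # prints []
    print("distributed alerts:", distributed_alerts(f))  # prints ['root']
```

The per-host filter stays silent on this input because no address appears more than once, while the per-account view flags `root` after four distinct sources; the response to such an alert is a defensive one (key-only auth for that account, rate limiting), not a block list of individual addresses.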

