Blocking ssh server attacks (11/2011)

By Dale Reagan | November 7, 2011

During the past few days (early November 2011) I have been seeing a rash of ssh connection attempts. A quick check shows that others are posting about similar attacks. The current attack ‘pattern’ is fairly simple:

So, what can/should you do to deal with such system-level attempts?**

  1. Best: implement firewall-level restrictions for sensitive access (i.e. only allow access from a small number of specific, known-good IP addresses).
  2. Implement firewall-level restrictions based on regularly updated GeoIP attributes of the source IP space (i.e. only allow connections from a limited set of known-good GeoIP locations/regions; for a server hosted in the US, only allow ssh connections from specific cities). This can be done via xtables-addons or perhaps ipset.
  3. Implement an after-the-fact log review solution (like denyhosts or fail2ban) that periodically reviews server logs for non-friendly activity and then adds new firewall or other access restrictions.
  4. In general, one solution is not adequate: you will still see malicious attempts from allowed IP space, so something like denyhosts, fail2ban, email greylisting, mod_security or other solutions needs to be part of the mix.
  5. Get your ISP to limit connections based on GeoIP data, if that makes sense for your business/server (i.e. your customers are geo-isolated in a specific region/country/state/city/etc.) AND if your ISP is willing (probably not very likely at this point, but you won’t know unless you ask…).
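The after-the-fact log review in option 3 is what denyhosts and fail2ban automate; as an added shell example (not the author's code), the script below counts failed sshd password attempts per source address over a few constructed log lines and prints the ipset/iptables commands that would block the repeat offenders. The sample log lines, the threshold of three failures and the ipset name ssh_block are assumptions.

```shell
#!/bin/sh
# Constructed sample of sshd log lines (not taken from the original post).
# Three sources: two password-guessers and one legitimate key-based login.
SAMPLE_LOG='Nov  7 00:00:55 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov  7 00:00:58 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Nov  7 00:01:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51255 ssh2
Nov  7 00:01:20 host sshd[1205]: Failed password for invalid user test from 198.51.100.22 port 40011 ssh2
Nov  7 00:01:50 host sshd[1207]: Accepted publickey for dale from 192.0.2.10 port 52000 ssh2
Nov  7 00:02:10 host sshd[1208]: Failed password for invalid user guest from 198.51.100.22 port 40012 ssh2
Nov  7 00:02:40 host sshd[1209]: Failed password for root from 198.51.100.22 port 40019 ssh2
Nov  7 00:03:23 host sshd[1210]: Failed password for invalid user pi from 203.0.113.7 port 51300 ssh2'

# offenders LOG [THRESHOLD]
# Prints "count ip", highest count first, for each source address with at
# least THRESHOLD (default 3) failed password attempts in LOG.
offenders() {
  printf '%s\n' "$1" | awk -v t="${2:-3}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the address is the field after "from", whatever the user name length
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# block_commands LOG [THRESHOLD]
# Prints (does not run) the ipset/iptables commands that would block the
# offenders for 24 hours. The set name "ssh_block" is an assumption; entries
# expire via the set timeout, so a mistaken block is not permanent.
block_commands() {
  echo 'ipset create ssh_block hash:ip timeout 86400 -exist'
  echo 'iptables -C INPUT -p tcp --dport 22 -m set --match-set ssh_block src -j DROP 2>/dev/null ||'
  echo '  iptables -I INPUT -p tcp --dport 22 -m set --match-set ssh_block src -j DROP'
  offenders "$1" "$2" | while read -r count ip; do
    printf 'ipset add ssh_block %s -exist   # %s failed attempts\n' "$ip" "$count"
  done
}

block_commands "$SAMPLE_LOG" 3
```

Run against a real log with `offenders "$(cat /var/log/auth.log)"` and review the printed commands before applying them; the accepted publickey login from 192.0.2.10 is never counted, which is the behaviour you want so that legitimate users are not locked out.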

Top 20 SSH abusers – countries based on GeoIP data (connection attempts | unique IP addresses)

  1. CN:  247 |    41
  2. US:   79 |    18
  3. IT:   50 |    11
  4. BR:   39 |    10
  5. MY:   38 |     5
  6. KR:   38 |     7
  7. TW:   21 |    10
  8. BG:   19 |     2
  9. IN:   16 |     3
 10. DE:   16 |     4
 11. PL:   14 |     3
 12. IE:   14 |     1
 13. TR:   12 |     2
 14. ID:   11 |     2
 15. CZ:   10 |     2
 16. CO:   10 |     2
 17. FR:    9 |     4
 18. RU:    8 |     3
 19. CA:    8 |     3
 20. JP:    7 |     2

SSH connection attempts, 11/7/2011 (partial list with time/GeoIP information)

Over 700 connection attempts from ~160 unique IP addresses were recorded on the day of this post.

 1. 00:00:55 DE, 01, Stuttgart
 2. 00:01:20 KR, 11, Seoul
 3. 00:01:50 CN, 23, Shanghai
 4. 00:03:23 AR, 07, Buenos Aires
 5. 00:03:49 IL, 06, Jerusalem
 6. 00:05:31 MY, 14, Kuala Lumpur
 7. 00:06:31 CN, 07, Fuzhou
 8. 00:07:19 CN, 23, Shanghai
 9. 00:08:48 US, TX, Houston, 77002
10. 00:09:42 BR, 15, Belo Horizonte
11. 00:10:35 IT, 05, Imola
12. 00:11:21 CN, 01, Hefei
13. 00:12:03 MY, 14, Kuala Lumpur
14. 00:12:15 US, MI, Holly, 48442
15. 00:12:49 BG,   
16. 00:13:59 AM,   
17. 00:14:46 IT, 09, Legnano
18. 00:15:01 IT,   
19. 00:15:28 BG,   
20. 00:16:12 CN, 22, Beijing
21. 00:17:16 US, CA, Union City
22. 00:17:24 CN, 22, Beijing
23. 00:18:08 CN, 04, Suzhou
24. 00:19:04 MY, 14, Kuala Lumpur
25. 00:19:41 CN, 09, Zhengzhou
26. 00:19:42 CN, 02, Hangzhou
27. 00:20:18 ES, 51, Cadiz
28. 00:22:18 IN, 28, Kharagpur
29. 00:23:04 JP,   
30. 00:23:47 IN, 25, Madras
31. 00:24:51 BR,   
32. 00:25:17 IT,   
33. 00:26:16 KR, 11, Seocho
34. 00:26:49 PL, 80, Jedlicze
35. 00:27:44 ID, 30, Tangerang
36. 00:29:24 DE, 01, Stuttgart
37. 00:29:56 CN, 22, Beijing
38. 00:30:13 CN, 10, Langfang
39. 00:30:50 CN, 24, Taiyuan
40. 00:31:23 KR, 11, Seocho
41. 00:31:40 CN, 22, Beijing
42. 00:32:23 CN, 32, Chengdu
43. 00:33:24 KR, 11, Seoul
44. 00:33:50 CN, 02, Hangzhou
45. 00:35:44 ES,   
46. 00:36:05 US, MI, Holly, 48442
47. 00:37:30 FR, A8, Paris
48. 00:39:31 PL, 80, Jedlicze
49. 00:40:20 CN, 23, Shanghai
50. 00:41:48 CN, 32, Chengdu

** Note that GeoIP data changes, so any use of such data may introduce unexpected or non-positive results; plan on regular system reviews, and update the GeoIP data at least monthly.

Topics: Computer Technology, Problem Solving, System and Network Security, Unix-Linux-Os
