* 122,094 (~35%) are in the rockyou dump (which has 14,344,391 unique entries)
* 2898 passwords in my list of cracked linkedin passwords, excluding those in the rockyou dump (2,002,484 unique entries)
* 27,639 are in the phpbb dump i have (184,344 unique entries)
If you're running an ssh server that allows password authentication, make sure you're also running fail2ban.[1] Too many failed login attempts will block the IP (at an iptables level) for a configurable time period.
I assume that he's pointing out that even better than running something like fail2ban (or "pf", where available) is not allowing SSH connections from 0/0.
If you don't improve the 'hardness' of the authentication scheme - that is, if you continue to use a password instead of, say, SSH keys - then, for all intents and purposes, you've just made the system more _obscure_, rather than improving _actual_ security.
To be sure, a dedicated brute forcer could still brute force any system using f2b... it just might take a few months/years instead of a few days.
(However, as noted by other commenters, there's something to be said about obscurity within a system's overall security scheme. You just have to strike a balance...)
I can confirm that changing the port does drastically reduce login attempts but also that it is not to zero, I had 45 yesterday, for instance but here's the kicker - all from the same IP.
Setup and maintenance are virtually zero though, for f2b. I know, I just installed it.
A one liner to install on most systems and updates along with everything else when your package manager does the updates.
It looks like ever wrote the scanner (that hit this honeypot) thought it would be a great idea to count on instances where terminal becomes laggy/crashes during a password change.
Adminstrator would then set a new password by an accident.
Hang any SSHD on the internet, and within minutes you get these attempts. You can choose to log the passwords if you like and this is what you would see.
Wow you're right. I just setup my own VPS yesterday. Decided to check the auth logs and the first invalid user attempt occurred less than 3 hours from my first login.
The "POSSIBLE BREAK-IN ATTEMPT!" message worried me for a bit but a little googling and the fact I've disabled password login calmed me down.
Presumably, changing my sshd port will drastically reduce these attempts right? Or do attackers routinely port scan servers?
Huh? Always encrypt the ssh-key, and use ssh-agent for convenience. That said it is now quite easy to set up proper two-factor authentication: eg key and otp.
On OS X, the keychain app caches the private key password forever. Even after a reboot. Any idea how to fix this? Ideally Keychain should ask me again (say) an hour after my last login with the same key.
I don't think you can set this at a key-specific level, but in Keychain Access, you can ctrl-click on the keychain and set it to lock after x min of inactivity / when sleeping.
I'm not sure if you can put your ssh keys on a specific (non-login) keychain.
If you want those, you may want to go to Keychain Access > Preferences > First Aid > uncheck "Keep login keychain unlocked".
You can drag-and-drop items between keychains -- you just need to enter the passwords for both keychains when doing so.
This makes it possible to keep valuable items in one or more auxiliary keychains set to always prompt (lock after 0 minutes). (This technique isn't a panacea but it contributes to defense in depth.)
However, it doesn't solve the agent caching problem. Once a key has been added the agent, Keychain never asks again, even after it's locked.
ssh-add has an option "-t <seconds>" to make added keys automatically expire. That will work, but it only works for newly added keys. As far as I can tell, the Keychain helper calls ssh-add to add keys, and I don't see a way to have it pass -t.
Edit: Looks like holmar's suggestion below to change the ssh-agent daemon to run with -t would fix this.
At work we have to send data to a few third parties, it's pretty much up to them how they set up their end. I think everything is using SFTP at least, but a few still have passwords rather than keys. The accounts are restricted so you can't get a full shell though. My guess is these systems are designed by non-technical people who don't really understand the issues.
When I was first introduced to SSH, the administrator had me transmit my public key to them and they added it to my account themselves, and that's how I've done it on all the servers I administrate since. This way, you can disable password authentication entirely.
I'm considering using those yubikey modes for ssh or local login on certain servers and in certain situations, though it requires some changes on each server to enable it.
I'm quite fond of the Yubikey NEO's openpgp applet paired with gpg-agent's ability to act as a compatible ssh-agent, allows standard SSH key login to any server with no server changes at all. I love the idea of my GPG and SSH key being truly portable in a very reasonably sized formfactor as well.
I would be curious to know why this got downvoted. I went looking for "correct horse battery staple" and then realized that apparently the bots hadn't tried any passwords with spaces in them, but also that the patch uses spaces as a delimiter...
Alternatively or in addition, add a firewall rule to permanently ban any IPs after too many failed attempts or simultaneous connections, make sure root login is disabled, and/or put sshd on a non-standard port (I find the last one a bit of security theater, but it will reduce some wasted traffic if nothing else.) Here's my pf rule for ssh (brute force filter):
table <sshbans> persist
block quick from <sshbans>
pass quick proto tcp from any to any port ssh \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <sshbans> flush global)
Raise the values a bit if you have other SSH users on your box.
I get about 50 new bans a day. It's pretty much guaranteed if you have a server on the web with port 22 open, that bots will be attempting to brute-force it.
There's 350,032 unique passwords in there.
* 122,094 (~35%) are in the rockyou dump (which has 14,344,391 unique entries) * 2898 passwords in my list of cracked linkedin passwords, excluding those in the rockyou dump (2,002,484 unique entries) * 27,639 are in the phpbb dump i have (184,344 unique entries)