SSH Brute Force Spotted

New reports are filtering in to SANS' Internet Storm Center about a new SSH brute force script, possibly named "dd_ssh."

If you're not familiar with SSH brute-force attacks, the concept is simple: an automated program tries, one after the other, many combinations of standard or frequently used account names with likewise frequently used passwords. Once a host is compromised, the attacker can use it to scan other machines over TCP port 22 and attempt to log on to them. According to the ISC handlers, this particular attack most likely gets dropped onto Web servers via an older phpMyAdmin vulnerability.

SSH scanning can be very damaging to a network and to the machines on it. However, there are a number of defenses, including strong passwords, RSA (public-key) authentication, iptables, the sshd logs, TCP wrappers and port knocking.

If you use RSA key authentication instead of passwords, a brute-force search for a valid password is rendered useless. Iptables can limit the number of connections allowed to the server over a period of time; once that rate is exceeded, further connection attempts are blocked. With the sshd logs, you can scan the syslog entries written by the sshd daemon (the program that listens for SSH connections) for ongoing attacks and block the attacker. It is also possible to have the TCP wrapper library run a script whenever a connection is made, and let that script add rules determining what is allowed in and what is blocked. Port knocking removes the need to have ssh listening on an open port, but it can be difficult for the average user to set up.
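The sshd-log defense above, worked through as an added example (not code from the article or from the ISC): it parses "Failed password" syslog lines, groups them by source address, and flags any address with a burst of failures inside a sliding time window. The log lines, hostnames, addresses and the thresholds are constructed for illustration, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (hypothetical host and documentation addresses).
SAMPLE_AUTH_LOG = """\
Feb 12 10:01:02 web1 sshd[2310]: Failed password for root from 203.0.113.5 port 40122 ssh2
Feb 12 10:01:04 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Feb 12 10:01:05 web1 sshd[2312]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Feb 12 10:01:07 web1 sshd[2313]: Failed password for invalid user oracle from 203.0.113.5 port 40150 ssh2
Feb 12 10:01:09 web1 sshd[2314]: Failed password for root from 203.0.113.5 port 40162 ssh2
Feb 12 10:02:30 web1 sshd[2320]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Feb 12 10:09:00 web1 sshd[2330]: Failed password for root from 203.0.113.5 port 40200 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Extract (time, user, source ip) from 'Failed password' lines; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is assumed
            events.append((ts, m["user"], m["ip"]))
    return events


def find_brute_forcers(log_text, threshold=5, window_seconds=300):
    """Report source IPs with at least `threshold` failed logins inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds of the newest event.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[ip] = {"failures": len(events), "peak_in_window": peak,
                          "users": sorted({u for _, u in events})}
    return report
```

Addresses returned by find_brute_forcers are candidates for an iptables or TCP-wrapper block; the single failure from 198.51.100.7 stays below the threshold and is not reported.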

Adam Ross is managing editor at the SANS Institute and wrote, edited, and Web produced for The Washington Post's opinions and politics sections, online and in print. You can reach him at aross@nextgov.com.