#1
10-20-2005, 03:23 PM
ynyng
Registered User
 
Join Date: Oct 2005
Posts: 6
Dictionary Attacks

Running VShell on Windows platform. I've seen several posts in other forums about preventing brute force dictionary attacks. My logs fill every day with such attempts, some lasting for hours. When I see these, I add the offending IP to the connection filter. It would be nice, however, if VShell had the ability to recognize failed login attempts by IP address and auto-block them. Any thoughts on this feature?
#2
10-20-2005, 04:03 PM
kelli.burki
Registered User
 
Join Date: Jan 2004
Location: VanDyke Software
Posts: 33
Making a change to dynamically update the connection filters in the event of a suspected dictionary attack is easier for Windows than it is for UNIX servers. Which platform are you running on?

Also, here are a few other questions that I would love your feedback on if we implemented this (others, please chime in too):

1. Do you want VShell to update / integrate w/ existing filter list?

2. Do you want the dynamic entries to persist across restart?

3. Do you want timeouts or thresholds?

4. Do you want the option to let the attacker think he/she/it is continuing to make progress?

5. Do you want to be able to minimize the effect of the dynamic response on legitimate connections from the attacking IP?

--kelli
#3
10-20-2005, 04:32 PM
toloughlin
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 378
I too noticed this on my Linux VShell. I have since changed the ssh port in VShell to over 25000 .... port scans will take forever to get up that high!

With regards to the filters above ...
Quote:
2. Do you want the dynamic entries to persist across restart?
Yes.

In addition:
Is a specific vshell password/user db (like /etc/passwd) going to be implemented? There was talk a while back, but haven't heard much since.
__________________
----------------------------------------------
Tom O'Loughlin
#4
10-20-2005, 07:34 PM
ynyng
Registered User
 
Join Date: Oct 2005
Posts: 6
Wow . . .

Nice response time. Thanks! We run Win2k3 servers in DMZ behind PIX 515E. Am also running VShell 2.3b1 on a Win2k3 x64 test server now. Regarding your other Q's:

1. This would be nice. I once used a product from Internet Security Systems that integrated manual and auto filters into one list (with different icons for easy differentiation). The system administrator had the ability to edit or delete items in either category on the list.

2. Absolutely.

3. If I understand the question, both, but not necessarily in the context of your existing software design. A disconnection from the present VShell server for either (a) bad logon attempts or (b) an authentication timeout is not a deterrent since the server does not prevent the hacker from reconnecting immediately. (My log today had 59MB of such attempts from Asia Pac). It would be nice if the software would auto-block an IP address using the connection filter under administratively set parameters: (Var A) # failed logon attempts from a single IP within (Var B) specific time period results in (Var C) IP blocking for a specific length of time. Does this make sense?

4. No, because of possible bandwidth issues. I'd rather they go away.

5. Yes.

Thanks for listening!
#5
10-20-2005, 11:06 PM
kelli.burki
Registered User
 
Join Date: Jan 2004
Location: VanDyke Software
Posts: 33
Quote:
Originally Posted by toloughlin
Is a specific vshell password/user db (like /etc/passwd) going to be implemented? There was talk a while back, but haven't heard much since.
I'm a little confused, are you asking for a different user database to authenticate against, or to use /etc/passwd?

A while back we were exploring several options -- an api that would allow you a username password against whatever backend you wanted to use it with (i.e. MySQL or something like that). Is that what you're asking about?

If so, we had talked about that, but had much greater requests for more established auth methods like PKI etc., thus the 2.5 UNIX X.509 certificates. I haven't actually had a request for the separate user db auth for a little while.

Do you mind exploring this with me? I'd love to hear about what business objectives you'll be meeting with this option.

--kelli
#6
10-20-2005, 11:23 PM
kelli.burki
Registered User
 
Join Date: Jan 2004
Location: VanDyke Software
Posts: 33
Quote:
Originally Posted by ynyng
Am also running VShell 2.3b1 on a Win2k3 x64 test server now.
2.3b1 or 2.5b1? I'm very interested in how that is working for you.

Quote:
Originally Posted by ynyng
1. This would be nice. Once used a product from Internet Security Systems that integrated manual and auto filters into one list (with different icons for easy differentiation). The system administrator had the ability to edit or delete items in either category on the list.
Thanks -- the different icon thing is a very nice idea.

Quote:
Originally Posted by ynyng
3. If I understand the question, both, but not necessarily in the context of your existing software design. A disconnection from the present VShell server for either (a) bad logon attempts or (b) an authentication timeout is not a deterrent since the server does not prevent the hacker from reconnecting immediately. (My log today had 59MB of such attempts from Asia Pac). It would be nice if the software would auto-block an IP address using the connection filter under administratively set parameters: (Var A) # failed logon attempts from a single IP within (Var B) specific time period results in (Var C) IP blocking for a specific length of time. Does this make sense?
Nice. Makes a lot of sense. I like the three different ways of controlling. Would you tie the "bad logon attempts" to the same setting we currently have for bad logon attempts or have a new one specifically for this purpose? I guess I'm asking, is there a reason (less confusing, greater flexibility, etc.) that you might want both of them?

If this situation came up (dictionary attack like you described above) -- where would (or did) you go looking for this feature hoping to find an answer?

If you didn't find it, what would you be searching for in the help?

Quote:
Originally Posted by ynyng
4. No, because of possible bandwidth issues. I'd rather they go away.
No problem. I think that makes our life easier, but good to know your thoughts here.
#7
10-20-2005, 11:36 PM
toloughlin
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 378
Quote:
I'm a little confused, are you asking for a different user database to authenticate against, or to use /etc/passwd ?

A while back we were exploring several options -- an api that would allow you a username password against whatever backend you wanted to use it with (i.e. MySQL or something like that). Is that what you're asking about?
In my mind, I remembered this thread:
http://forums.vandyke.com/showthread.php?t=338

I thought there was going to be something unique to VShell, where I don't have to mesh a local & remote-only database. I'll have to look further into X.509 ... haven't had to work with it, so I haven't explored it.

I have local users, they need shell access, etc ... the full boat; I have customers that only need SFTP - so, I don't need them in my Linux passwd file (so I think).

Let me do some more looking into it ... but feel free to shoot back some thoughts.
__________________
----------------------------------------------
Tom O'Loughlin
#8
10-21-2005, 10:17 AM
ynyng
Registered User
 
Join Date: Oct 2005
Posts: 6
Quote: 2.3b1 or 2.5b1? I'm very interested in how that is working for you.

2.5b1. It is working fine.

Quote: Would you tie the "bad logon attempts" to the same setting we currently have for bad logon attempts or have a new one specifically for this purpose? I guess, I'm asking, is there a reason (less confusing, greater flexibility, etc.) that you might want both of them?

I would integrate configuration options into the existing "Authentication Options", and programmatically add the IP source of the bad attempts to the connection filter. As I said, the current authentication options really provide no benefit since the offender can immediately reconnect.

Quote: If this situation came up (dictionary attack like you described above) -- where would (or did) you go looking for this feature hoping to find an answer?

I went straight to authentication options and was actually surprised that the program has no way to prevent offenders from reconnecting at will. I then researched triggers; I assumed I might be able to somehow script a trigger which would add the offending IP to the connection filter, but wrote to the forum instead since this seemed like a basic feature easily added to the core program. ;-)
#9
11-28-2005, 08:58 PM
MrC
Registered User
 
Join Date: Mar 2004
Posts: 216
Ideally, you really want this reactive blocking in your firewall / IDS system, not in vshell. Since attackers often attack multiple vectors, blocking out the suspect IP or IP range for all services is much more secure.
#10
11-29-2005, 02:23 PM
MikeStammer
Registered User
 
Join Date: Nov 2005
Posts: 24
Can you switch over to public/private key based authentication and disable keyboard interactive logins on the server? That's what I did, so let 'em bang on the door all day long. Unless they have a key file AND the password they won't ever get in.

Sure, you still get stuff in your logs, but dynamic filtering is a tricky thing, be it at the firewall side or the SSH server side.
#11
12-15-2005, 08:37 PM
rblackwell
Registered User
 
Join Date: Dec 2005
Posts: 4
Okay, it is so close to Christmas that I'm going to put forward my anti-Dictionary Attack wish. That is, that VShell would handle brute force attacks in a similar way that W2k3 does. W2k3 can be configured such that if it gets x bad logon attempts in y minutes, the account being tried is disabled for z minutes.

VShell would not disable accounts however. Rather it would drop connection requests from offending hosts. Specifically, the administrator would configure VShell such that if it received x bad logon attempts in y minutes, the IP address of the offending host would be blacklisted and connections from it would be denied for z minutes. In this scenario, x and y are integers >= 1, and z is an integer = -1 or >= 1. If z = -1, the blacklisting would not expire and remain in effect until cleared by an administrator (manually or via some script). Finally, IP addresses/blocks with a z value could be manually added by the administrator to the blacklist.

Keeping a permanent blacklist would not be helpful to us (even though I've allowed for it above). We need to provide access world-wide. Besides, the script-kiddies banging on our doors are not coming from the same IP address/block, and IP spoofing is not difficult. Such an approach would be like locking doors that are not going to be tried again. Rather, I believe that throwing up enough speed bumps in front of these tykes will get them to move on to more fertile ground.

So, to answer Kelli's questions from Oct 20:

1. Sure!
2. Yes, please.
3. Goes without saying -- speaks directly to the point!
4. Oh boy! Tar pits! Well, only if you're feeling a wee mischievous, but don't put yourself out on my account.
5. Ummm. Do you mean if the attacker gets the password correct that we can expedite their connection? No, but thanks for asking.

Cheers!
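The auto-block policy sketched in post #4 (Var A/B/C) and spelled out as x/y/z in post #11, worked through as an added example that is not VShell's own code: the event timestamps, client IPs, the 600-second block length and the refused/blocked/fail decision labels are all constructed here.

```python
from collections import defaultdict, deque

PERMANENT = -1  # z == -1: the block never expires until an admin clears it

class FailedLogonBlocker:
    """After x failed logons from one IP within y seconds, block it for z seconds."""
    def __init__(self, x, y, z):
        self.x, self.y, self.z = x, y, z    # x, y >= 1; z == -1 or z >= 1
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.blocked = {}                   # ip -> expiry time, or PERMANENT

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        if expiry == PERMANENT or (expiry is not None and now < expiry):
            return True
        self.blocked.pop(ip, None)  # never blocked, or z seconds have passed
        return False

    def record_failure(self, ip, now):
        """Note one failed logon; return True if it trips the x/y threshold."""
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.y:
            window.popleft()  # forget failures older than the y-second window
        if len(window) < self.x:
            return False
        self.blocked[ip] = PERMANENT if self.z == PERMANENT else now + self.z
        window.clear()
        return True

    def clear(self, ip):
        self.blocked.pop(ip, None)  # admin clears an entry (the only way out of z == -1)

# Constructed sample events (seconds, client IP), each a failed logon; x=3, y=60, z=600.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (2, "198.51.100.7"),
    (4, "198.51.100.7"),    # third failure inside 60 s -> blocked for 600 s
    (5, "198.51.100.7"),    # immediate reconnect is refused, unlike today's behaviour
    (10, "203.0.113.5"), (80, "203.0.113.5"),
    (140, "203.0.113.5"),   # never 3 failures within 60 s, so never blocked
    (700, "198.51.100.7"),  # the 600 s block has expired; counting starts over
]

def replay(events, x=3, y=60, z=600):  # returns (time, ip, decision) per event
    b, out = FailedLogonBlocker(x, y, z), []
    for t, ip in events:
        if b.is_blocked(ip, t):
            out.append((t, ip, "refused"))  # dropped before authentication
        else:
            out.append((t, ip, "blocked" if b.record_failure(ip, t) else "fail"))
    return out
```

Timestamps must be fed in non-decreasing order; the window check relies on that.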