For the past few weeks I have been looking at an old issue. In 1995 I started an Internet service provider, and as soon as I began bringing servers online I noticed random SSH login attempts against our systems. Back then it was easy to block an IP address and be done with it, but it is not that cut and dried today. With NAT, Apache name-based virtual hosts and modern web hosting conventions, a single IP address can front thousands of individual websites, so the chance of blocking a legitimate service along with the attacker is fairly high. But guess what? We don't care.
We have taken the stance that if we see your boxes behaving badly and you are not taking any action to resolve the situation, we will block you from our systems and from every system we manage. A quick check of our system shows 57 million indicators of attack or compromise. Filtering on "ssh" as a keyword, 255,096 hosts are currently on our blacklist for SSH brute-force attempts and another 2.7 million are on the alert list for scanning. The 255,096 figure may look small in the scheme of things, but the originating sources are very interesting indeed.
The majority of the scanning activity we see comes from predictable locations: Asia (China above all), Russia and parts of South America. In fact 79% of the attacks on our sensors come from those locations.
Our top 5 locations seen brute forcing ssh accounts this past week:
1. China
2. Russia
3. Amsterdam
4. Venezuela
5. Turkey
What's interesting is that these attacks are noisy and easily detected, yet many network administrators continue to allow traffic from these locations. In an upcoming post we will share a list of country blocks that should eliminate around 95% of the SSH scanning activity you see on your networks.
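The "noisy and easily detected" part is worth making concrete. The following is an added example, not code from the original post: it parses OpenSSH "Failed password" lines from a constructed auth-log sample, flags any source that reaches a threshold of failures inside a sliding time window (five in ten minutes by default), and renders one `nft` command per flagged source. The nftables table and set names (`inet filter`, `ssh_block`) are assumptions; the sample addresses are RFC 5737 documentation ranges, not real attackers.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth-log lines in syslog format. The addresses
# are RFC 5737 documentation ranges, not real attacker sources.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 gw sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 gw sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 gw sshd[2033]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:06 gw sshd[2035]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:08 gw sshd[2036]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:20:00 gw sshd[2040]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar 10 02:20:30 gw sshd[2041]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2: ED25519 SHA256:c0nstructed
Mar 10 03:00:00 gw sshd[2050]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Mar 10 04:00:00 gw sshd[2051]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

# One failed password attempt as sshd logs it; "invalid user" marks guesses
# at accounts that do not even exist on the box.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_failed_logins(log_text):
    """Yield (timestamp, source_ip, username, invalid_user) per failed attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only the differences matter here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], bool(m["invalid"])


def brute_force_sources(log_text, threshold=5, window_minutes=10):
    """Return {ip: summary} for sources that reach `threshold` failed password
    attempts inside any `window_minutes`-long span. It is a sliding window, so a
    slow scanner spreading its guesses over hours needs a wider window to catch."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, user, invalid in parse_failed_logins(log_text):
        by_ip[ip].append((ts, user, invalid))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a[0])
        recent = deque()  # timestamps of attempts inside the current window
        for ts, _, _ in attempts:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[ip] = {
                    "failures": len(attempts),
                    "users": sorted({u for _, u, _ in attempts}),
                    "invalid_user_attempts": sum(1 for _, _, inv in attempts if inv),
                }
                break
    return flagged


def nft_block_commands(flagged, table="inet filter", set_name="ssh_block"):
    """Render one nft command per flagged source. Assumes (for this example) an
    existing ipv4_addr set `ssh_block` in table `inet filter` that a drop rule
    already references; adjust the names to your ruleset."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_AUTH_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures, users={info['users']}, "
              f"nonexistent accounts tried={info['invalid_user_attempts']}")
    print("\n".join(nft_block_commands(hits)))
```

On the sample, only 203.0.113.7 trips the default rule; the two guesses from 192.0.2.9 an hour apart do not, which is exactly the gap a wider window (or the country-level blocks discussed on this page) is meant to cover. The single failure from alice followed by an accepted public-key login is ordinary user behaviour and is left alone.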
One thing is for sure: SSH scanning will be with us for many, many years to come. A better solution is to eliminate password logins altogether and use key-based (or SSH certificate-based) authentication. The scanners will keep knocking, and you can still collect their source information for your blocklists, but you can be fairly certain that password guessing will never get them in. Adding two-factor authentication on top pretty much ensures that nobody gets past your SSH defenses even if a key is stolen.
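The sshd side of that advice is a handful of `sshd_config` directives, and the trap is that sshd honours the first value it reads for each keyword, so a hardening line appended at the bottom of the file is silently ignored if an earlier line already set it. The following is an added example, not code from the original post: it audits a constructed weak `sshd_config` excerpt against the hardened values and rewrites it in place, inserting missing directives before any `Match` block. It reads the post's "certificate based login" as public-key authentication (an SSH CA with `TrustedUserCAKeys` is a further option not shown). The two-factor step via `AuthenticationMethods publickey,keyboard-interactive` assumes PAM is configured with a one-time-password module; without one, use `publickey` alone or you will lock yourself out.

```python
import re

# Constructed sshd_config excerpt with the settings that let password guessing
# succeed at all. Not copied from any real host.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed excerpt)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
MaxAuthTries 6

Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Target values for the global section. AuthenticationMethods makes sshd
# require a key AND a keyboard-interactive step; that second step is only a
# real second factor if PAM runs a one-time-password module (assumed here).
# Without such a module, set AuthenticationMethods to "publickey" instead.
# OpenSSH before 8.7 spells KbdInteractiveAuthentication as
# ChallengeResponseAuthentication.
HARDENED = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "prohibit-password",
    "PubkeyAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",
    "AuthenticationMethods": "publickey,keyboard-interactive",
    "MaxAuthTries": "3",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(\S.*)$")


def _directive(raw_line):
    """Return (keyword_lowercase, value) for a config line, or None."""
    stripped = raw_line.split("#", 1)[0].strip()
    m = DIRECTIVE_RE.match(stripped) if stripped else None
    return (m.group(1).lower(), m.group(2).strip()) if m else None


def parse_sshd_config(text):
    """Return {keyword: value} for the global section. sshd uses the FIRST
    value it reads for a keyword, so later duplicates are ignored; Match blocks
    are conditional and everything after the first one is skipped."""
    values = {}
    for raw in text.splitlines():
        d = _directive(raw)
        if d is None:
            continue
        if d[0] == "match":
            break
        values.setdefault(d[0], d[1])
    return values


def audit_sshd_config(text):
    """List (keyword, current_value_or_None, wanted_value) for every deviation."""
    current = parse_sshd_config(text)
    return [(k, current.get(k.lower()), v)
            for k, v in HARDENED.items() if current.get(k.lower()) != v]


def harden_sshd_config(text):
    """Rewrite every global occurrence of a tracked keyword to its hardened
    value and insert missing keywords before the first Match block (or at the
    end), so the first-value-wins rule works in our favour."""
    wanted = {k.lower(): (k, v) for k, v in HARDENED.items()}
    out, seen, in_match, insert_at = [], set(), False, None
    for raw in text.splitlines():
        d = _directive(raw)
        if d is not None and d[0] == "match":
            in_match = True
            if insert_at is None:
                insert_at = len(out)
        if d is not None and not in_match and d[0] in wanted:
            canon, value = wanted[d[0]]
            out.append(f"{canon} {value}")
            seen.add(canon)
        else:
            out.append(raw)
    missing = [f"{k} {v}" for k, v in HARDENED.items() if k not in seen]
    if insert_at is None:
        insert_at = len(out)
    out[insert_at:insert_at] = missing
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, have, want in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"{keyword}: have {have!r}, want {want!r}")
    print(harden_sshd_config(WEAK_SSHD_CONFIG))
```

The `Match Address 10.0.0.0/8` block in the sample deliberately keeps password logins for an internal range; the rewrite leaves it untouched, since the point is to close the door to the Internet-facing scanners, not to every client. Before restarting sshd with the rewritten file, run `sshd -t` against it and keep an existing session open until a fresh key-based login has been confirmed.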