Auto Block SSH/FTP Brute Force Attacks
Saturday, April 5th, 2008 1:16PM UTC
All managed servers, managed VPSes, shared and reseller hosting now have SSH and FTP protection. Brute force attacks are now automatically blocked from either data center. These attacks are on the rise and we needed to block any possible entry into our network and stop them wasting CPU/network resources. Since we now have this feature in place we will re-enable SSH on all IPs per server/VPS. This means you will now be able to connect via SSH with your domain name and not just the VPS/server name.
For those who care about the technical details, keep reading below…
We looked into many existing options out there (DenyHosts, APF, CSF, and sshguard to name a few). With the exception of DenyHosts, they all seemed to be focused on the single server/VPS instance and not on the bigger picture. One of the advantages of being with a managed VPS/server provider like us is that we see trends at the global level. All managed and shared servers are monitored very closely. In the attacks we’ve seen lately, the attackers know these auto-block services are installed and now spread the attack out much more. It’s not uncommon to see one bad login per hour per unique IP address. The tools that only look at attacks per server just don’t cut it anymore.
We also had a few other requirements:
- be able to monitor attacks at the network wide level
- quickly (under 2 min.) block new attacks that occur
- work on each server/VPS that we manage
Based upon these requirements, we decided it was best to roll our own system. Without giving away too many technical or security details, we’ve created a local DNSBL that we can add IPs to in order to block them. We wound up having to create a patched version of tcp_wrappers to support the ‘aclexec’ feature, and a proftpd mod_dnsbl module that supports DNSBL lookups. This has been sent out to all servers/VPSes that we manage on our network. In the end it wound up being a simple and very effective solution.
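The network-wide view the post argues for, as an added Python example that is not the provider's own system: it correlates constructed sshd failure lines from several hosts, flags source addresses that pass a fleet-wide threshold even when no single host would have blocked them, and builds the reversed-octet name a DNSBL zone would be queried with (the zone name, thresholds and log lines are all assumptions).

```python
import re
from collections import defaultdict

# Constructed sample: sshd failures as collected from three managed hosts.
# 203.0.113.9 never trips a single host, but does across the fleet.
SAMPLE_LOG_LINES = [
    "Apr  5 12:01:02 web1 sshd[1001]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2",
    "Apr  5 12:10:44 web2 sshd[2002]: Failed password for root from 203.0.113.9 port 41100 ssh2",
    "Apr  5 12:22:11 web3 sshd[3003]: Failed password for invalid user test from 203.0.113.9 port 41233 ssh2",
    "Apr  5 12:25:09 web1 sshd[1002]: Failed password for invalid user oracle from 203.0.113.9 port 41300 ssh2",
    "Apr  5 12:30:00 web2 sshd[2003]: Failed password for bob from 198.51.100.7 port 50000 ssh2",
    "Apr  5 12:31:00 web2 sshd[2004]: Failed password for bob from 198.51.100.7 port 50001 ssh2",
    "Apr  5 12:40:00 web3 sshd[3004]: Failed password for root from 192.0.2.55 port 60000 ssh2",
    "Apr  5 12:40:05 web3 sshd[3005]: Failed password for root from 192.0.2.55 port 60001 ssh2",
    "Apr  5 12:40:09 web3 sshd[3006]: Failed password for root from 192.0.2.55 port 60002 ssh2",
]

# syslog timestamp, hostname, then the standard sshd failure message
FAILED_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+sshd\[\d+\]: Failed password for .* "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) "
)


def count_failures(lines):
    """Return {source_ip: {host: failed_logins}} aggregated over every host."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            counts[m["ip"]][m["host"]] += 1
    return counts


def classify(lines, per_host_threshold=3, network_threshold=3):
    """Return (blocked, network_only): IPs to block fleet-wide, and the subset
    no single host would have caught on its own (the distributed attackers)."""
    blocked, network_only = [], []
    for ip, hosts in count_failures(lines).items():
        if sum(hosts.values()) >= network_threshold:
            blocked.append(ip)
            if max(hosts.values()) < per_host_threshold:
                network_only.append(ip)
    return sorted(blocked), sorted(network_only)


def dnsbl_name(ip, zone="bl.example.internal"):
    """Build the reversed-octet query name for a DNSBL zone (zone is assumed)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + "." + zone
```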
Now I suppose you’ll ask, “Will my legitimate SSH/FTP connection be blocked by mistake?” I won’t give away specific details but I will say you’ll have to enter a considerable amount of bad passwords before this happens. In the unlikely event it does happen you will have to contact support to remove the blockage. Our system is smart enough to know what kind of attack is occurring.
In the future we may block other attacks using this system. IMAP and POP attacks are increasing and we may use it to thwart these attacks also.
We’ve basically created a botnet to block other botnets. Can anyone say Skynet? I’m waiting for Arnold to say “I’ll be back!”. It’s been said that over 90% of all network traffic is bots (botnets, search engine spiders, RSS feeders, etc.). It’s safe to say these attacks won’t be back, at least not on our network.