Posts Tagged ‘firewall
Preventing SSH Dictionary Attacks
A first line of defense in preventing a computer attack is the firewall. Firewalls, either network based or host based, are configured to allow or deny connections into or out of its perimeter based on the protected entity’s security policy.The policy states what types of connections are allowed into or out of the entity. However, when network service such as SSH must be offered, the firewall is configured to allow connections to the service. The solution needed is an application that can detect a dictionary attack and dynamically apply firewall blocking rules against the source of the dictionary attack. This solution already exists.The following is a short list of available applications that offer protection against the SSH dictionary attack:
- Snort Intrusion Detection System
- DenyHosts application program
- OpenSSH timelox software patch
- SSHD_Sentry application program
These applications detect SSH dictionary attacks against alocal host and can be configured and/or modified to automatically apply firewall blocking rules to the local host from the source of the attack.
Classically, firewalls and access control mechanisms are implemented as static protection mechanisms. The rules are configured based on the security policy for the host or network that these devices protect, and the rules remain constant unless there is a security policy change. Intrusion detection is technology designed to monitor hosts and/or networks. These systems monitor a host or network based on configurable rules and specifications. Once abnormal activity is observed, the system will send an alert to the system administrator. It is the responsibility of the system administrator to act on the alerts they receive from the detection system. Unfortunately, the response time of human administrators is too slow compared to the speed of modern day attacks. As a result, research in the field of intrusion detection has begun to focus on the concept of Active Response. Active response is the act of detection systems dynamically responding to real time attacks without the need of human advisory. Indeed, the detection techniques listed in this section are simple mechanisms that offer active response by dynamically blocking access to servers from the sources of SSH dictionary attacks.
The solutions listed above work well for protecting the local host from a dictionary attack. However, we posit that a distributed solution that offers dissemination of the detection information and security policy to participating neighbors can offer greater security by way of preemptive and proactive protection.