Using sshdfilter to secure an SSH server

Since moving my OpenSSH server down to its standard port number I have been hit daily by service scanning software and brute force password attacks. Gerry pointed out that sshdfilter can help.

sshdfilter blocks the frequent brute force attacks on ssh daemons. It does this by reading the sshd logging output directly and generating iptables rules; the process can be quick enough to block an attack before the attacker gets a chance to enter any password at all.

It’s quick and simple to set up. I enabled email alerts to see what it gets up to and can report it is all working fine on my servers (Red Hat 9, customised).

It will block when triggered by:

  • An attempt to login as a user which doesn’t exist
  • N failed attempts to login to an existing user account
  • An incoming connection that fails to provide an SSH version banner (part of the SSH protocol); it’s most likely a port scanner or dumb client

The length of time the block remains in place is configurable.
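The trigger logic described above, as an added example that is not sshdfilter’s own code: it scans a few constructed sshd log lines, applies the three triggers, and renders the iptables rules it would generate for review instead of executing them. The chain name, the threshold N and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in syslog format (not a real capture).
SAMPLE_LOG = """\
Jan 12 03:14:07 host sshd[1234]: Invalid user admin from 203.0.113.5
Jan 12 03:14:09 host sshd[1236]: Failed password for root from 203.0.113.7 port 40211 ssh2
Jan 12 03:14:11 host sshd[1237]: Failed password for root from 203.0.113.7 port 40212 ssh2
Jan 12 03:14:13 host sshd[1238]: Failed password for root from 203.0.113.7 port 40213 ssh2
Jan 12 03:14:15 host sshd[1240]: Did not receive identification string from 203.0.113.9
Jan 12 03:14:20 host sshd[1242]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Jan 12 03:14:25 host sshd[1243]: Accepted password for alice from 198.51.100.4 port 50002 ssh2
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
INVALID_USER = re.compile(r"Invalid user \S+ from " + IPV4)        # trigger 1
FAILED_PW = re.compile(r"Failed password for (\S+) from " + IPV4)  # trigger 2
NO_BANNER = re.compile(r"Did not receive identification string from " + IPV4)  # trigger 3


def decide_blocks(log_text, max_failures=3):
    """Scan sshd log lines in order and return {ip: reason} for every
    address that trips one of the three triggers. An address is blocked
    once; the first trigger it hits is the recorded reason."""
    failures = defaultdict(int)  # per-IP count of failed passwords for existing users
    blocks = {}
    for line in log_text.splitlines():
        if m := INVALID_USER.search(line):
            blocks.setdefault(m.group(1), "invalid user")
        elif m := NO_BANNER.search(line):
            blocks.setdefault(m.group(1), "no SSH version banner")
        elif m := FAILED_PW.search(line):
            _user, ip = m.groups()
            failures[ip] += 1
            if failures[ip] >= max_failures:  # N failed attempts on an existing account
                blocks.setdefault(ip, f"{max_failures} failed logins")
    return blocks


def iptables_rules(blocks, chain="SSHD"):
    """Render one DROP rule per blocked address (chain name is an assumption)."""
    return [f"iptables -A {chain} -s {ip} -p tcp --dport 22 -j DROP  # {reason}"
            for ip, reason in sorted(blocks.items())]


if __name__ == "__main__":
    for rule in iptables_rules(decide_blocks(SAMPLE_LOG)):
        print(rule)
```

Only the three offending addresses are listed; 198.51.100.4 stays below the threshold and is left alone.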

Instant Password Recovery Tool

I made this back in April 2004, it only took a couple of hours to write and build the database.

Basically, I took a wordlist of 535,683 words and hashed them in MD5, SHA1 & LANMAN. The results are stored in a simple MySQL table, indexes on that table make lookups REALLY fast and that’s about it. You enter the hash you want to look up, select the type of hash it is *if you know it*, then hit “Look It Up”.

The MySQL table is fairly lightweight, 535,683 rows, 48,164 KB total ( 37,030 KB of Data, 11,134 KB of Indexes ).

It’s mostly useful for recovering / auditing passwords on web applications like PhpBB & Bugzilla where the database stores unsalted hashes. It found about 90% of the passwords on a PhpBB message board I administer. You can also use it to test Windows NT/2000 passwords provided you’ve extracted the LANMAN hashes from the system first.