Distributed SSH attacks bypass blacklists
In the past few weeks, attackers have apparently been trying to outwit several common defensive measures by distributing their SSH log-in attempts. During such an attack, several computers with different IP addresses make a coordinated attempt to log into one SSH server under the same user name. Each attacking computer tries a different password taken from a dictionary, or a pre-computed user name/password combination, so that the guesses against a single account are spread across many source addresses.
Tools such as DenyHosts, BruteForceBlocker or fail2ban, which are meant to stop brute-force attacks on SSH servers, count the failed log-in attempts per source IP address and, once an address exceeds a configured threshold, add it to a blacklist (typically /etc/hosts.deny, evaluated by TCP Wrappers) or insert a blocking rule into the firewall. Further connection attempts from a blacklisted address are then refused.
The distributed method defeats this per-address counting: because each participating host makes only a handful of attempts, none of them reaches the threshold, and the tools never flag the attack. Depending on how many hosts take part, several thousand guesses can nevertheless be made against a single account. The attacks are suspected to be carried out by botnets.
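The following is an added example, not code from the article or from any of the tools it names. It replays constructed auth.log lines (documentation IP ranges, not real hosts) through two detection rules: a fail2ban-style rule that counts failures per source address, with thresholds that mirror fail2ban's maxretry/findtime defaults, and a rule that counts distinct source addresses failing against the same account within the same window. The first catches a lone host hammering one account but never fires on the distributed pattern; the second does.

```python
"""Per-IP thresholding versus per-account, cross-IP detection of SSH brute force.

Added example (not from the original article). The log lines below are
constructed in OpenSSH's auth.log format; the IP addresses come from the
RFC 5737 documentation ranges and the thresholds mimic fail2ban's
maxretry/findtime, but this is a self-contained illustration, not fail2ban.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(lines):
    """Return a list of (timestamp, user, source_ip) for each failed-password line."""
    out = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, which is
            # harmless here because only differences inside a window are used
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out


def per_ip_bans(failures, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban a source once it has maxretry failures within findtime.

    Every bot only has to stay below maxretry to evade this rule entirely.
    """
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = set()
    for ts, _user, ip in sorted(failures):
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


def distributed_alerts(failures, min_ips=5, findtime=timedelta(minutes=10)):
    """Count distinct source IPs failing against the same account within findtime.

    Flags the distributed pattern the per-IP rule misses. Returns {user: ips}.
    """
    window = defaultdict(deque)  # user -> recent (timestamp, ip) pairs
    alerts = {}
    for ts, user, ip in sorted(failures):
        q = window[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > findtime:
            q.popleft()
        ips = {src for _t, src in q}
        if len(ips) >= min_ips:
            alerts.setdefault(user, set()).update(ips)
    return alerts


# Constructed sample: eight bots share a dictionary against "root", two guesses
# each, so no single address reaches maxretry; one lone host hammers "admin".
BOTS = [f"203.0.113.{n}" for n in range(10, 18)]
LOG = []
for i, ip in enumerate(BOTS):
    for j in range(2):
        LOG.append(f"Jan 12 03:{14 + i:02d}:{10 * j:02d} host sshd[{2400 + i}]: "
                   f"Failed password for root from {ip} port 51022 ssh2")
for k in range(6):
    LOG.append(f"Jan 12 03:30:{5 * k:02d} host sshd[2500]: "
               f"Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2")


def run_demo(lines=LOG):
    """Run both rules over the sample log; returns (banned_ips, per_user_alerts)."""
    failures = parse_failures(lines)
    return per_ip_bans(failures), distributed_alerts(failures)


if __name__ == "__main__":
    bans, alerts = run_demo()
    print("per-IP bans:", sorted(bans))
    print("distributed alerts:", {u: sorted(v) for u, v in alerts.items()})
```

On the sample input the per-IP rule bans only 198.51.100.7, while the sixteen coordinated guesses against root go unnoticed; the per-account rule reports root with all eight bot addresses. Whether to act on such an alert automatically is a separate question, since banning every address that touched a popular account name is exactly the lock-out an attacker could provoke on purpose.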
One measure against the attacks is to move the SSH service to a non-standard port. However, it can't be ruled out that attackers will port-scan the host and point their bots at the new port before launching future attacks, so this buys obscurity rather than protection. The more robust alternative is to authenticate with cryptographic keys and to switch password authentication off altogether (PasswordAuthentication no in sshd_config), so that a distributed dictionary has nothing left to guess against.