sshguard-users

[Sshguard-users] Subject: Re: Username Blacklisting

[Laurence P. (OE) <lpe...@op...>]

Message-ID: <555...@gm...>


> >> Having the option of scoring certain usernames as high danger
> attempts,
> >> or perhaps as danger 1+fractional multipliers, could be a clean way
> to
> >> implement such a feature.
> > 
> > I hadn't thought of doing it that way, but that would likely be more
> useful as you could
> > use it to set up multiple, different levels of paranoia for
> different users.  Especially
> > if you can use a fractional multiplier to effectively raise the
> threshold for guest accounts
> > and the like.
> 
> How would this work? Raise the danger of the attack so that two
> attempted logins with 'root' or similar usernames would be blocked?
> How
> would SSHGuard know which usernames to do this for? Would it be built
> into the binary, or added as a configuration at run-time?
> 
> (With your use case, why not just lower the blocking threshold?)
> 
> Thanks,
> Kevin Zheng

It would pretty well have to be added as a configuration at runtime
since the list of prohibited usernames would vary per system.

My original thought was to have a list where even attempting to log in
with one of the names resulted in an immediate block.  E.g.: The root
account on my machine is disabled.  Anyone who even attempts to use it
is necessarily an unauthorized attacker and should be blocked
immediately.  There is no reason to wait for them to try more than once
(or even to let them finish the first attempt really).  Same thing goes
for various other account names that are commonly tested by attackers
and that don't even exist on my machine.  User accounts that do exist
where someone could legitimately be having trouble remembering their
password need to not lock the user out for fat-fingering their password
a couple of times though.

If the list were implemented as a "danger multiplier" then it could be
calibrated so that root login attempts get blocked instantly, logins to
my account get blocked after just a couple of attempts, and logins to
some of my more absent-minded users get a little extra grace.  It's
probably not worth going to a lot of extra trouble to implement it this
way, but if username blacklisting is easiest to do by adjusting the
danger for listed accounts then reading a custom multiplier from the
account list for each account wouldn't take much more effort.  Just
being able to blacklist accounts, however, would eliminate the vast
majority of attackers as nearly all of them seem to hit the same list of
default usernames.


LMP

Re: [Sshguard-users] Subject: Re: Username Blacklisting

[Kevin Z. <kev...@gm...>]

On 05/15/2015 10:58, Laurence Perkins (OE) wrote:
> It would pretty well have to be added as a configuration at runtime
> since the list of prohibited usernames would vary per system.

Perhaps a flat text file, with one username per line?

> My original thought was to have a list where even attempting to log in
> with one of the names resulted in an immediate block.  E.g.: The root
> account on my machine is disabled.  Anyone who even attempts to use it
> is necessarily an unauthorized attacker and should be blocked
> immediately.  There is no reason to wait for them to try more than once
> (or even to let them finish the first attempt really).  Same thing goes
> for various other account names that are commonly tested by attackers
> and that don't even exist on my machine.  User accounts that do exist
> where someone could legitimately be having trouble remembering their
> password need to not lock the user out for fat-fingering their password
> a couple of times though.

Makes sense. Especially at the point which a user account (e.g. root) is
disabled, any attempted login is certainly an attack.

> If the list were implemented as a "danger multiplier" then it could be
> calibrated so that root login attempts get blocked instantly, logins to
> my account get blocked after just a couple of attempts, and logins to
> some of my more absent-minded users get a little extra grace.  It's
> probably not worth going to a lot of extra trouble to implement it this
> way, but if username blacklisting is easiest to do by adjusting the
> danger for listed accounts then reading a custom multiplier from the
> account list for each account wouldn't take much more effort.  Just
> being able to blacklist accounts, however, would eliminate the vast
> majority of attackers as nearly all of them seem to hit the same list of
> default usernames.

Actually, most of the work is probably going to be extracting the
username and passing it to the attack reporter. I'll start working on a
proof-of-concept soon and keep you updated.

Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

Re: [Sshguard-users] Subject: Re: Username Blacklisting

[James H. <jam...@gm...>]

Many of the logs already parsed include usernames so it sounds like
adjusting the lexer/ parser expressions to pick out the name and include
them in the values passed back. Since we already have internet scales for
block and black list a simple integer multiplier should work for vouching
up the threat level.

I would suggest something like
Username:multiplier
Which keeps it paswd like. We could add more values in the future. In
addition to a multiplier I could see someone wanting to just set a value
instead of using multipliers.

Username:multiplier:setvalue

root::100
bob:2:

Setting any root attempt to 100 threat level and doubling the value Bob
would otherwise get.
On May 15, 2015 9:16 AM, "Kevin Zheng" <kev...@gm...> wrote:

> On 05/15/2015 10:58, Laurence Perkins (OE) wrote:
> > It would pretty well have to be added as a configuration at runtime
> > since the list of prohibited usernames would vary per system.
>
> Perhaps a flat text file, with one username per line?
>
> > My original thought was to have a list where even attempting to log in
> > with one of the names resulted in an immediate block.  E.g.: The root
> > account on my machine is disabled.  Anyone who even attempts to use it
> > is necessarily an unauthorized attacker and should be blocked
> > immediately.  There is no reason to wait for them to try more than once
> > (or even to let them finish the first attempt really).  Same thing goes
> > for various other account names that are commonly tested by attackers
> > and that don't even exist on my machine.  User accounts that do exist
> > where someone could legitimately be having trouble remembering their
> > password need to not lock the user out for fat-fingering their password
> > a couple of times though.
>
> Makes sense. Especially at the point which a user account (e.g. root) is
> disabled, any attempted login is certainly an attack.
>
> > If the list were implemented as a "danger multiplier" then it could be
> > calibrated so that root login attempts get blocked instantly, logins to
> > my account get blocked after just a couple of attempts, and logins to
> > some of my more absent-minded users get a little extra grace.  It's
> > probably not worth going to a lot of extra trouble to implement it this
> > way, but if username blacklisting is easiest to do by adjusting the
> > danger for listed accounts then reading a custom multiplier from the
> > account list for each account wouldn't take much more effort.  Just
> > being able to blacklist accounts, however, would eliminate the vast
> > majority of attackers as nearly all of them seem to hit the same list of
> > default usernames.
>
> Actually, most of the work is probably going to be extracting the
> username and passing it to the attack reporter. I'll start working on a
> proof-of-concept soon and keep you updated.
>
> Thanks,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>