Discussion:
SSHD Master: breakin detection algorithm?
Selden E Ball Jr
2007-09-24 15:20:23 UTC
Gentle folk,

What, if anything, does SSHD do to detect breakin attempts?
What does it do when they are detected?
Has this been improved in recent versions of SSH?

I was noticing this morning that SSHD is using a significant
amount of CPU time responding to failing login attempts.
All of the associated logging and other resource usage can get
rather exasperating at times.

Thanks for whatever clarification can be provided.

Process Software MultiNet V5.1 Rev A-X, Digital Personal WorkStation , OpenVMS AXP V7.3-2
With patch kit SSH-040_A051 applied.

Selden
======
Selden E. Ball, Jr.

Cornell University Voice: +1-607-255-0688
Laboratory for Elementary-Particle Physics FAX: +1-607-255-8062
LT105 R. R. Wilson Laboratory http://www.lepp.cornell.edu/~seb/
Dryden Road Internet: ***@LEPP.CORNELL.EDU
Ithaca, NY, USA 14853-8001 HEPnet/SPAN: LNS62::SEB = 44284::SEB
Dan O'Reilly
2007-09-24 15:49:16 UTC
It doesn't do much of anything. However, I've been doing some research
regarding ways of allowing some components (SSH being one example) to
create packet filters in the kernel. These would likely be based on
algorithms unique to each component, so, for example, SSH could have
different filter triggers than telnet or ftp would. These packet filters
would likely be transient things; for example, the first trigger might
cause a filter enabled for 3 minutes, the second trigger for 10 minutes,
the 3rd filter trigger until a reboot is done.
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
Ken Connelly
2007-09-24 15:57:21 UTC
Sounds useful! All of the timing (or use at all) would be configurable
by the local site?

- ken
--
- Ken
=================================================================
Ken Connelly Associate Director, Security and Systems
ITS Network Services University of Northern Iowa
email: ***@uni.edu p: (319) 273-5850 f: (319) 273-7373
Dan O'Reilly
2007-09-24 16:07:11 UTC
I'm not sure exactly how everything would look/interact just yet. All
input from interested customers is, of course, welcome, and that applies to
all components (e.g., telnet, ftp, whatever), not just for SSH. The basics
for handling this are already in the kernel, what I'm working on now is an
API specification and implementation for external components to use this.
Ken Connelly
2007-09-24 16:19:10 UTC
I would not be in favor of "filter/discard until reboot" setting.
However, "filter/discard until the system manager clears the filter"
would be fine for a "third strike" for repeat offenders, e.g., strike 1:
filter for 5 minutes, strike 2: filter for 30 minutes, strike 3: filter
until cleared (or reboot).

-ken
David J Dachtera
2007-09-25 00:00:27 UTC
Post by Dan O'Reilly
It doesn't do much of anything. However, I've been doing some research
regarding ways of allowing some components (SSH being one example) of
creating packet filters in the kernel. These would likely be based on
algorithms unique to each component, so, for example, SSH could have
different filter triggers than telnet or ftp would. These packet filters
would likely be transient things; for example, the first trigger might
cause a filter enabled for 3 minutes, the second trigger for 10 minutes,
the 3rd filter trigger until a reboot is done.
Well, Multinet's Telnet functionality currently works with VMS's breakin
detection and evasion (even though interactive processes are $CREPRC'd by
MULTINET_SERVER instead of the JBC). (See the LGI* parameters in SYSGEN or
SYSMAN PARAMETERS.)

Any reason SSH wouldn't do the same?
--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/
Bob Koehler
2007-09-25 13:17:47 UTC
Post by David J Dachtera
Well, Multinet's Telnet functionality currently works with VMS's breakin
detection and evasion (even though interactive processes are $CREPRC'd by
MULTINET_SERVER instead of the JBC). (See the LGI* parameters in SYSGEN or
SYSMAN PARAMETERS.)
Any reason SSH wouldn't do the same?
I would very much prefer that SSH work with VMS' breakin code, as
it optionally starts to now, but improve both it and TELNET's
algorithm.

It's not always clear to me if SSH and TELNET correctly identify
multiple attempts from the same remote system as coming from the same
source if the connection is broken between attempts. During security
scans I see lots of failed logins in my audit log from the scan host
but only intruder suspects, not breakin evasion.

Possibly Multinet's inclusion of the remote port as part of the
login failure information is causing failure to identify such scans
as breakin attempts. Maybe that information can be moved, or at least
an option to turn it off provided.
Alan Winston - SSRL Central Computing
2007-09-26 02:40:08 UTC
Post by Ken Connelly
Sounds useful! All of the timing (or use at all) would be configurable
by the local site?
Seconded! It's really pretty annoying to see several hundred breakin attempts
in a row in my audit logs; let that site's packets automatically fall on the
floor!

-- Alan
--
===============================================================================
Alan Winston --- ***@SSRL.SLAC.STANFORD.EDU
Disclaimer: I speak only for myself, not SLAC or SSRL Phone: 650/926-3056
Paper mail to: SSRL -- SLAC BIN 99, 2575 Sand Hill Rd, Menlo Park CA 94025
===============================================================================