I'd have to say that a DoS against your users is highly unlikely given the type
of attack that is occuring based on the logs you have posted; only 3 attempts
per username before moving on to the next account. Why? Most sensible admins
would configure MaxAuthTries in /etc/sshd_config to a value of 3, max. This
limits the attacker to a finite number before having to move on to the next
account to attack preventing their scripts from focusing on a single account.
IMO, what you have is a plain and simple brute force attempt that has 2 obvious
goals in mind: 1) determing valid accounts 2) looking for weak passwords
associated to those accounts.
Simply changing your sshd listening port is a very small step in securing your
host when looking at it from the big picture. Most would argue, and I would
wholeheartedly agree, that it is security through obscurity.
Recommendations:
1) run on a different port - slows down an attacker temporarily (as witnessed)
2) use an external authentication source - radius/rsa configured via PAM modules
3) PublicKey Authentication
4) Port Knock Sequencing authentication using IPTables (*relatively* new to the
white hat community, but around for quite some time).
5) Possibly create a chroot jail for your users
Using some of the aforementioned recommendations will help in stopping brute
force attempts from becoming a nightmarish reality :)
All sensible comments welcome!
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
