Security Basics mailing list archives
Re: SSH server under attack...
From: Daniel Cid <danielcid () yahoo com br>
Date: Fri, 10 Feb 2006 12:48:01 -0300 (ART)
Take a look at the OSSEC HIDS. It analyses sshd logs, firewall logs, IDS logs, etc. It executes responses based on the rules, so you can block automated scans (via iptables, ipfilter, hosts.deny, etc). It also performs integrity checking and rootkit detection. More info: http://www.ossec.net/hids/

Thanks,

Daniel B. Cid

--- Juan Hernandez <hvjuan () kanux com> wrote:
Hey there... What if there is some 'automated daemon' running through the logs and once it sees an IP address doing this, adds a chain to iptables? I did this in Python about a year ago, reading the logs once every hour (cron process), and if someone tries to log in with at least 5 different users, it adds a chain to my iptables settings and that's it, the attacker is blocked. Also, there are many open source tools that might do a similar task.

Juan

Isaac Perez wrote:

All of your users connect by ssh? If only admins need to connect you can change the configuration to only allow one ssh user to connect, with a strange name. At least you will be sure that the user never will be in a common list. And after you can su to the user you want. Also you can contact the ISP of the servers that attack you; I do that, and sometimes it works. Also you can configure tcpwrappers, or any similar software, to close and discard any connection when an IP tries to connect so many times.

Dave wrote:

My SSH server has been under DoS and I can't stop it!!! I changed the port of the SSH server from 22 to 2222. This isn't going to really do much but it would stop some automated script that attacks port 22. OK... within a few hours the server was being attacked again on port 2222. This is an *active* attacker, active in that he is actively monitoring what he is doing. The router/firewall logs don't show any dropped packets sent to port 22 so he changed the port of the attack script. Now, the new machine to attack me is 200.55.192.29. This belongs to a company in South America called 'Springs South America Textiles Ltda.'. I scanned the machine and found that it is hosting a webserver (Apache/2.0.52 (Fedora) Server at www.springs.cl) among other services. The last machine the attacker used to brute-force me was also an Apache server (RH Linux). So this attacker is cracking various webservers (most likely) or some other service on these boxes in order to use these machines as an attack platform.
Now, yes, I notified the admin of this company etc... but think of this. If this admin is going to put an *unused* and unprotected server on the net then what kind of admin is he? Will he even care about my email? Who knows! Calling the authorities is not going to work 'cause frankly I am a nobody... who cares if my servers are under attack! No one is going to waste resources (money) in trying to find this guy, so really it's up to me. So what do we know about this guy? At first the info seems conflicting: he has the ability to crack a number of random servers and use them at his disposal but he is running the same stupid attack over and over... why? First off, the attack is a brute force attack. He is trying to guess a username/password combo in order to be able to log into my server and get shell access... but maybe not. Like I said... he is no dummy. So what is he doing? I think DoS (denial of service); the brute force tool is just the means to an end. He isn't trying to break in by doing this. Maybe he couldn't break in to my server so he is resorting to the next trick up his sleeve. By having all these machines attempting to log into my server over and over he might be trying to use up my bandwidth, in effect causing a DoS to anyone!
OR... In closely looking at the logs you will notice something *unusual*:

Failed password for invalid user admin from ::ffff:200.55.192.29 port 34182 ssh2
Invalid user admin from ::ffff:200.55.192.29
Failed password for invalid user admin from ::ffff:200.55.192.29 port 34679 ssh2
Invalid user admin from ::ffff:200.55.192.29
Failed password for invalid user admin from ::ffff:200.55.192.29 port 34752 ssh2
Invalid user administrator from ::ffff:200.55.192.29
Failed password for invalid user administrator from ::ffff:200.55.192.29 port 35253 ssh2
Invalid user administrator from ::ffff:200.55.192.29
Failed password for invalid user administrator from ::ffff:200.55.192.29 port 35735 ssh2
Invalid user administrator from ::ffff:200.55.192.29
Failed password for invalid user administrator from ::ffff:200.55.192.29 port 36237 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 36703 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 36813 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 37332 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from ::ffff:200.55.192.29 port 37820 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from ::ffff:200.55.192.29 port 38267 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from ::ffff:200.55.192.29 port 38757 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from ::ffff:200.55.192.29 port 38844 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from ::ffff:200.55.192.29 port 39333 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from ::ffff:200.55.192.29 port 39812 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40312 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40787 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40893 ssh2
Invalid user sya from ::ffff:200.55.192.29

Each user name was tried three times. What does this mean... I don't know, but right off hand I would guess that he is trying to lock out legit user accounts. You see, some servers will disallow a user to log in if they entered three wrong passwords. This, strangely enough, is used to help stop brute forcing!!! Anyway, the attacker has put together a list of *potential* user names that *might* be found on my server and is attempting to lock them out... in effect creating a DoS to any users whose names appear on this list.
=== message truncated ===
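The log-scanning approach Juan Hernandez describes (read sshd's auth log on a schedule, block any source that has tried at least five different user names) and the per-name attempt count Dave points out (every name tried exactly three times) can be put into one small script. The block below is an added example written for this archive page; it is not Juan's script, not OSSEC, and not code from any of the posters. It assumes the "Failed password for [invalid user] NAME from IP port N ssh2" line format shown in Dave's excerpt, it strips the "::ffff:" IPv4-mapped prefix sshd writes on dual-stack sockets, and its sample log is constructed (documentation-range addresses, not the IP from the thread). It only builds the iptables command strings; it does not run them.

```python
"""Scan sshd log lines for brute-force sources and build block rules.

Added illustration of the technique discussed in the thread: count failed
password attempts per source IP and per user name, flag sources that tried
many distinct names, and emit iptables rules for them.  Example code, not
any poster's own script.
"""
import re
from collections import defaultdict

# Only "Failed password" lines count as attempts; sshd also writes a paired
# "Invalid user NAME from IP" line, which would double-count if matched too.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample modelled on the excerpt in Dave's post, using RFC 5737
# documentation addresses.  Not real traffic.
SAMPLE_LOG = """\
Feb 10 11:02:13 host sshd[2211]: Invalid user admin from ::ffff:198.51.100.7
Feb 10 11:02:13 host sshd[2211]: Failed password for invalid user admin from ::ffff:198.51.100.7 port 34182 ssh2
Feb 10 11:02:16 host sshd[2213]: Failed password for invalid user admin from ::ffff:198.51.100.7 port 34679 ssh2
Feb 10 11:02:19 host sshd[2215]: Failed password for invalid user admin from ::ffff:198.51.100.7 port 34752 ssh2
Feb 10 11:02:22 host sshd[2217]: Failed password for invalid user administrator from ::ffff:198.51.100.7 port 35253 ssh2
Feb 10 11:02:25 host sshd[2219]: Failed password for invalid user administrator from ::ffff:198.51.100.7 port 35735 ssh2
Feb 10 11:02:28 host sshd[2221]: Failed password for invalid user administrator from ::ffff:198.51.100.7 port 36237 ssh2
Feb 10 11:02:31 host sshd[2223]: Failed password for invalid user tads from ::ffff:198.51.100.7 port 36703 ssh2
Feb 10 11:02:34 host sshd[2225]: Failed password for invalid user tads from ::ffff:198.51.100.7 port 36813 ssh2
Feb 10 11:02:37 host sshd[2227]: Failed password for invalid user tads from ::ffff:198.51.100.7 port 37332 ssh2
Feb 10 11:02:40 host sshd[2229]: Failed password for invalid user tip from ::ffff:198.51.100.7 port 37820 ssh2
Feb 10 11:02:43 host sshd[2231]: Failed password for invalid user tip from ::ffff:198.51.100.7 port 38267 ssh2
Feb 10 11:02:46 host sshd[2233]: Failed password for invalid user tip from ::ffff:198.51.100.7 port 38757 ssh2
Feb 10 11:02:49 host sshd[2235]: Failed password for invalid user myra from ::ffff:198.51.100.7 port 38844 ssh2
Feb 10 11:02:52 host sshd[2237]: Failed password for invalid user myra from ::ffff:198.51.100.7 port 39333 ssh2
Feb 10 11:02:55 host sshd[2239]: Failed password for invalid user myra from ::ffff:198.51.100.7 port 39812 ssh2
Feb 10 11:05:01 host sshd[2301]: Failed password for root from 203.0.113.9 port 50122 ssh2
Feb 10 11:05:04 host sshd[2303]: Failed password for root from 203.0.113.9 port 50123 ssh2
Feb 10 11:06:10 host sshd[2310]: Accepted publickey for alice from 203.0.113.9 port 50130 ssh2
"""


def normalize_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix sshd writes on dual-stack sockets."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def failures_by_source(log_text):
    """Map source IP -> {user name -> number of failed password attempts}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[normalize_ip(m.group("ip"))][m.group("user")] += 1
    return {ip: dict(users) for ip, users in counts.items()}


def offenders(counts, min_users=5):
    """Sources that tried at least min_users distinct names (Juan's rule)."""
    return sorted(ip for ip, users in counts.items() if len(users) >= min_users)


def lockout_pattern(users, attempts=3):
    """True when every name from one source was tried exactly `attempts`
    times: the pattern Dave reads as an attempt to trip account lockouts."""
    return bool(users) and all(n == attempts for n in users.values())


def iptables_rules(ips, chain="INPUT"):
    """Commands that would drop the offenders; strings only, nothing is run."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = failures_by_source(SAMPLE_LOG)
    bad = offenders(counts)
    for ip in bad:
        print(ip, "distinct users:", len(counts[ip]),
              "lockout pattern:", lockout_pattern(counts[ip]))
    for rule in iptables_rules(bad):
        print(rule)
```

Run against the sample, only 198.51.100.7 crosses the five-name threshold (203.0.113.9 failed twice as root and then logged in with a key), and every name from it was tried exactly three times, so both checks fire. Counting per name rather than per line is what separates a lockout-style sweep from an ordinary password guesser hammering one account; either way the block decision is the same.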