Firewall Wizards mailing list archives
RE: SSH brute force attack
From: "Mathew Want" <mathew.want () ac3 com au>
Date: Fri, 1 Jul 2005 10:28:58 +1000
Lee,

I have been seeing many SSH scans similar to this for the last 9 months. I am reporting on average 2 a week to AusCERT. The scans I'm seeing appear to be variants of this: http://www.frsirt.com/exploits/08202004.brutessh2.c.php

I posted a few months ago asking if anyone had seen this and I got the impression then that I was not alone in this. The scans I see tend to hit the root password pretty hard, but just try 1 or 2 attempts at the passwords for the scattered usernames.

Apart from black-holing the addresses in a "No SSH for you" policy on the firewall (horse already bolted), about the only thing you can do is ensure that you can't SSH in as root (something I highly advise anyway) and go to strong authentication. I have used SKEY quite successfully for this and it's free :-).

An idea I have been kicking around with a few people is using logwatch (or similar) to add hosts.deny lines, IPTables rules or SNORT signatures after X failed attempts (horse kicking gate) to drop the attempts from the offending address. I know that self-defending boxes are prone to having an inbuilt DoS "feature" due to spoofing, but seeing as the authentication does not happen until after the key exchange for the tunnel, wouldn't this negate the spoofed DoS "feature"? Still doesn't stop an evil person from DoSing the rest of their company from your system because of a NAT'ed address on their firewall, but this is dependent on whether that is a risk to you or not (horses for courses). I have not tried it as yet but hope to soon....

I would like to hear any suggestions or thoughts anyone may have on this....
--
Regards,
Mathew Want
ac3 Network and Security Engineer
Email: mathew.want () ac3 com au
URL: http://www.ac3.com.au

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Toderick, Lee W
Sent: Saturday, 25 June 2005 3:17 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] SSH brute force attack

Greetings!

Our computers running SSH daemons have logged attacks. The attacks begin with a scan logged "Did not receive identification string from x.x.x.x", followed approximately 15 minutes later with "Illegal user " or " Failed password for root". Does anyone have information or documentation about this scan/attack?

Following is a list of Illegal users:

# cat secure.4 | grep "193.24.213.216" | cut -d " " -f6-12 | grep "Illegal" | cut -d " " -f 3
sun0s reboot reboot flood irc key david htpd httpd jared42 cchen admin admin admin admin
test test test test test test test admin akcesbenefit b3 njproghouse schaiderhair perseus
guardit phpbb bejgli forums temp eric staff bb maggie rock sandra kim recruit alina dana
bloodclansb jeff

Thanks,
Lee Toderick
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
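The "X failed attempts, then block the address" idea from Mathew's post, as an added example that is not code from either poster or from logwatch: it parses sshd log lines in the format Lee quoted, counts failed and illegal logins per source address, flags banner-only probes separately, and emits the hosts.deny and iptables entries for sources over the threshold. The log lines, hostnames and 192.0.2.x addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the sshd/syslog format quoted in the thread
# (192.0.2.0/24 is a documentation range, not a real source).
SAMPLE_LOG = """\
Jun 24 03:02:11 bastion sshd[2101]: Did not receive identification string from 192.0.2.10
Jun 24 03:17:40 bastion sshd[2144]: Illegal user test from 192.0.2.10
Jun 24 03:17:42 bastion sshd[2146]: Illegal user admin from 192.0.2.10
Jun 24 03:17:45 bastion sshd[2148]: Failed password for root from 192.0.2.10 port 40211 ssh2
Jun 24 03:17:47 bastion sshd[2150]: Failed password for root from 192.0.2.10 port 40212 ssh2
Jun 24 03:17:50 bastion sshd[2152]: Failed password for root from 192.0.2.10 port 40213 ssh2
Jun 24 03:20:01 bastion sshd[2160]: Failed password for alice from 192.0.2.77 port 51000 ssh2
Jun 24 03:21:09 bastion sshd[2162]: Accepted publickey for alice from 192.0.2.77 port 51001 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user \S+ from " + IPV4)
FAILED_PW = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IPV4)
NO_IDENT = re.compile(r"sshd\[\d+\]: Did not receive identification string from " + IPV4)


def count_failures(log_text):
    """Failed/illegal logins per source IP. These happen after the key exchange,
    so the address is the real peer, not a spoofed one (the point made in the post)."""
    failures = Counter()
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line) or FAILED_PW.search(line)
        if m:
            failures[m.group(1)] += 1
    return failures


def banner_probes(log_text):
    """Sources that only grabbed the banner: the scan phase Lee saw ~15 minutes before the attempts."""
    return {m.group(1) for m in map(NO_IDENT.search, log_text.splitlines()) if m}


def block_rules(failures, threshold):
    """hosts.deny lines and iptables commands for every source at or over the threshold.
    A NAT'ed source blocks everyone behind that gateway, so review before applying."""
    offenders = [ip for ip, n in sorted(failures.items()) if n >= threshold]
    deny = ["sshd: %s" % ip for ip in offenders]
    ipt = ["iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip for ip in offenders]
    return deny, ipt


if __name__ == "__main__":
    fails = count_failures(SAMPLE_LOG)
    print("banner-only probes:", banner_probes(SAMPLE_LOG))
    for line in block_rules(fails, threshold=3)[0]:
        print(line)
```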