Firewall Wizards mailing list archives

RE: SSH brute force attack


From: "Mathew Want" <mathew.want () ac3 com au>
Date: Fri, 1 Jul 2005 10:28:58 +1000

Lee,

I have been seeing many SSH scans similar to this for the last 9 months. I
am reporting on average 2 a week to AusCERT. The scans I'm seeing appear to
be variants of this:

http://www.frsirt.com/exploits/08202004.brutessh2.c.php
 
I posted a few months ago asking if anyone had seen this and I got the
impression then that I was not alone in this. The scans I see tend to hit
the root password pretty hard, but just try 1 or 2 attempts at the passwords
for the scattered usernames.

Apart from black-holing the addresses in a "No SSH for you" policy on the
firewall (horse already bolted), about the only thing you can do is ensure
that you can't SSH in as root (something I highly advise anyway) and go to
strong authentication. I have used SKEY quite successfully for this and it's
free :-).

An idea I have been kicking around with a few people is using logwatch (or
similar) to add hosts.deny lines, IPTables rules or SNORT signatures after X
failed attempts (horse kicking gate) to drop the attempts from the
offending address. I know that self-defending boxes are prone to having an
inbuilt DoS "feature" due to spoofing, but seeing as the authentication does
not happen until after the key exchange for the tunnel, wouldn't this negate
the spoofed DoS "feature"? Still doesn't stop evil person from DoSing the
rest of their company from your system because of a NAT'ed address on their
firewall, but this is dependent on if that is a risk to you or not (horses
for courses). I have not tried it as yet but hope to soon....

I would like to hear any suggestions or thoughts anyone may have on this....
--
Regards,
Mathew Want
ac3
Network and Security Engineer
Email:      mathew.want () ac3 com au 
URL:        http://www.ac3.com.au


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Toderick,
Lee W
Sent: Saturday, 25 June 2005 3:17 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] SSH brute force attack

Greetings!

Our computers running SSH daemons have logged attacks. The attacks begin
with a scan logged "Did not receive identification string from x.x.x.x",
followed approximately 15 minutes later with "Illegal user " or " Failed
password for root". 

Does anyone have information or documentation about this scan/attack?
Following is a list of Illegal users:
# cat secure.4 | grep "193.24.213.216" | cut -d " " -f6-12 | grep "Illegal" | cut -d " " -f 3
sun0s
reboot
reboot
flood
irc
key
david
htpd
httpd
jared42
cchen
admin
admin
admin
admin
test
test
test
test
test
test
test
admin
akcesbenefit
b3
njproghouse
schaiderhair
perseus
guardit
phpbb
bejgli
forums
temp
eric
staff
bb
maggie
rock
sandra
kim
recruit
alina
dana
bloodclansb
jeff

Thanks,
Lee Toderick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
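The following is an added example, not code from either poster, illustrating both Lee's log triage (which usernames a given address tried) and Mathew's "after X failed attempts, emit a hosts.deny line" idea. It assumes syslog-style sshd lines with the same wording quoted in the thread; the sample lines are constructed, the threshold value and the never_block allowlist are assumptions, and the function names are hypothetical. Only post-key-exchange authentication failures ("Illegal user", "Failed password") count toward blocking; the pre-authentication "Did not receive identification string" probes are tallied separately, which is the distinction Mathew raises about spoofing.

```python
import re
from collections import defaultdict

# Patterns for the three sshd messages quoted in the thread (OpenSSH wording of that era).
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ILLEGAL_USER = re.compile(r"Illegal user (\S+) from (\d+\.\d+\.\d+\.\d+)")
NO_IDENT = re.compile(r"Did not receive identification string from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample log in syslog format. The scanning address and the user
# names are the ones Lee quoted; the other hosts and timestamps are made up.
SAMPLE_LOG = """\
Jun 24 03:02:11 gw sshd[2211]: Did not receive identification string from 193.24.213.216
Jun 24 03:17:40 gw sshd[2290]: Illegal user sun0s from 193.24.213.216
Jun 24 03:17:41 gw sshd[2291]: Illegal user reboot from 193.24.213.216
Jun 24 03:17:43 gw sshd[2292]: Failed password for root from 193.24.213.216 port 4432 ssh2
Jun 24 03:17:44 gw sshd[2293]: Failed password for root from 193.24.213.216 port 4433 ssh2
Jun 24 03:17:46 gw sshd[2294]: Illegal user admin from 193.24.213.216
Jun 24 03:20:01 gw sshd[2301]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Jun 24 03:20:09 gw sshd[2302]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Jun 24 03:21:00 gw sshd[2310]: Did not receive identification string from 10.9.9.9
"""


def parse_auth_failures(log_text):
    """Walk sshd log lines and return three dicts keyed by source address:
    failures  - count of authentication failures (Illegal user / Failed password)
    users     - usernames tried, in order, one entry per failure
    probes    - count of pre-auth probes (no identification string), kept apart
                because no authentication exchange happened for those."""
    failures = defaultdict(int)
    users = defaultdict(list)
    probes = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_PW.search(line) or ILLEGAL_USER.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            failures[ip] += 1
            users[ip].append(user)
            continue
        m = NO_IDENT.search(line)
        if m:
            probes[m.group(1)] += 1
    return dict(failures), dict(users), dict(probes)


def hosts_deny_lines(failures, threshold, never_block=()):
    """Produce TCP wrappers hosts.deny entries for every address whose
    authentication failures reached the threshold. never_block is an
    allowlist (assumed: management hosts) that guards against locking
    yourself out, the self-inflicted DoS Mathew mentions."""
    return [
        f"sshd: {ip}"
        for ip, n in sorted(failures.items())
        if n >= threshold and ip not in never_block
    ]


if __name__ == "__main__":
    failures, users, probes = parse_auth_failures(SAMPLE_LOG)
    for ip in sorted(failures):
        print(f"{ip}: {failures[ip]} auth failures, users tried: {users[ip]}")
    for ip in sorted(probes):
        print(f"{ip}: {probes[ip]} pre-auth probe(s), not counted toward blocking")
    for entry in hosts_deny_lines(failures, threshold=3, never_block={"10.0.0.5"}):
        print(entry)
```

With the sample above, the scanning address accumulates five failures and produces a single `sshd: 193.24.213.216` line, while the legitimate user who mistyped once and the host that merely connected without sending an identification string are left alone. A real deployment would run this from a cron job or logwatch hook over the rotated secure log and append the output to /etc/hosts.deny, expiring entries after a while so that a NAT'ed office does not stay locked out indefinitely.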

