Rundown on SSH Brute Force Attacks 360
An anonymous reader writes "Whitedust has a very interesting article on the recent SSH brute force attacks. The article goes into depth on how to monitor these attackes and to report them to the authorities. It also discusses various tools that are available. According to the article, mostly compromised Linux systems from outside of North America are responsible for the attacks. Even the author's DSL connection was getting break-in attempts."
Highly annoying (Score:4, Interesting)
I have seen tons of these for 12+ months. Highly annoying. Last week I had one with over 10k connection attempts. What I need is an IDS that will just drop the remote IPs into iptables. Anyone have something like that? Of course if anyone is actually interested in reports on all the IPs, most of which usually are in .cn, I've got back logs for quite awhile. ;-P
Re:Highly annoying (Score:5, Interesting)
This has essentially ended the problem for us. It allows SSH to be wide open so out-of-the-office employees can log in from a hotel or Treo in case something bad happens and it absolutely blocks dictionary attacks.
No longer a problem.
Re:Easy fix (Score:3, Interesting)
Re:As always... (Score:3, Interesting)
I take security seriously, but a momentary lapse of judgement, and my machine was compromised. If the idiots hadn't changed the password I might not have noticed for several days. Just an illustration of how vulnerable the internet is, even if you think you are careful and know what you are doing.
Ben
Re:DenyHosts (Score:1, Interesting)
Re:As always... (Score:5, Interesting)
The attacker then tried about 50 times to login to the new account via ssh, but wasn't in AllowUsers. Eventually the idiot gave up- most likely a script kiddie who didn't realise the potential of his initial attack.
Moral of the story? AllowUsers is a really good idea
They actually got in on my parent's computer (Score:5, Interesting)
I analyzed the system, and quickly determined that the person was not a big time hacker. Looking at his
Since he made no effort to cover his tracks or avoid detection, either this script-kiddie didn't know how to, or had so many computers to manage it wasn't worth his while to do so.
First, I put ssh on another port, then... (Score:4, Interesting)
I sleep just fine now.
Youre, right, this has NOTHING to do with Linux. (Score:2, Interesting)
Do people on slashdot NOT know what a brute force / dictionary / wordlist attack is??? It is an attempt to connect to a service, using a random or scripted password and username generator or a list of commonly used ones (root and administrator on various systems obviously comes to mind.)
Most people use SSH without redirecting it through a trusted tunnelling protocol or connection. There are many ways to secure even the most trivial home network.
A word to the wise... instead of clicking okay and next mindlessly when installing your OS, start making a practice of READING the warnings and learning something... it should keep the brown fat cells from drowning out your otherwise idle brain as you get older. (IANAMS - I am not a med student, but so I've heard)
-DaedalusHKX
Re:Highly annoying (Score:2, Interesting)
I give them 2 tries in 10 seconds or 3 in 60 before they get put into the bit bucket. I then send an email to myself with the IP, times, and usernames.
Kinda fun to watch my gmail account get 4-5 of these a day.
Psst. Hey buddy. Can you spare a
Re:Non-default Port (Score:3, Interesting)
Re:Highly annoying (Score:1, Interesting)
Nothing more than a simple little cat/grep/awk tally script, but it does the job for the home server.
I've been running it thru cron at rather short intervals for 6 months now, and dropped 340 ips into hosts.deny.
Simple iptables-only port knocking for Linux (Score:1, Interesting)
Re:Highly annoying (Score:3, Interesting)
You want to be careful where you deploy this type of setup.
Take this example. You run a fairly successful ecommerce site in a very competitive space. One of your competitors discovers you use this method and decides they don't want you to compete with them on Googe, Yahoo etc. They setup a script that bangs on your box once a day spoofing all the known bot IP addresses. After a while you will start to wonder why you aren't in the indexes any longer.
That's pretty nasty business, but if you think people wont do it, you underestimate your competitors.
Re:DenyHosts (Score:3, Interesting)
Seems like a similar idea to DenyHosts, just a different implementation.
Re:Highly annoying (Score:2, Interesting)
My box was compromised by this (Score:4, Interesting)
I got up in the morning and looked at my logcheck emails. It was odd: there were messages saying the ethernet card had entered promiscuous mode, and several kernel modules loaded. Further investigation revealed two connections to remote port ircd, but netstat wouldn't show the process ID(s) that owned this connections. The machine was in a mess: I couldn't run man, or gzip (needed by the apt-get process) and several other key commands as they immediately seg faulted. Rebooting resulted in the same issues: ethernet card in prom. mode, etc. Perhaps a packet sniffer was running on my networking looking for passwords to upload.
My problems started when I created an account for a friend and gave it a weak password without making him change it. The ssh dictionary attack broke in that way. Furthermore, I wasn't running a normal Debian kernel. Instead one that somebody else had created with MPPE support (it would be nice after all these years if one could have MS-CHAP support for PPP straight out of the box). I hadn't kept tabs on the kernel notices and ensured that this kernel was ok with them - it hadn't been updated for at least a year. Thus the script that broke in via SSH was able to exploit a local security hole and elevate privileges - game over.
I write all this as a reminder to people to take care. Debian is fairly secure if you use standard packages and keep them up to date. I'm generally quite carefull about what I install, which services run, what ports are exposed to the internet, keeping and eye on it, etc. Two careless mistakes and I had to rebuild the system and change all my passwords - thankfully nothing more. Be warned.
Re:As always... (Score:4, Interesting)
Do you have an SMS-enabled cell phone? For an operating systems class project this spring I wrote a simple PAM module what would look up the user's cell phone number then send an eight-digit random number to the user's cell phone, which the user has to type in at the login prompt. I used this module to secure the outward-facing sshd (on port 7xxx), blocking port 22 at the firewall so I could continue to ssh around my home network without spending $0.15 every time I rebooted my laptop.
As long as your phone has a signal, you have effective token-based authentication.