The Slow Bruteforce Botnet(s) May Be Learning 327

badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.
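The summary's point is that a per-IP rate limit never fires against these botnets: each source makes a handful of attempts per hour, and the coordination only shows up when you correlate usernames across sources. The script below is an added example, not part of the story or of badger.foo's published logs. Its log lines are constructed in OpenSSH's syslog format using RFC 5737 test addresses, and every threshold (the per-IP limit, the minimum number of sources, the minimum shared usernames) is an assumption chosen for illustration.

```python
"""Spot slow, distributed SSH password guessing in sshd syslog lines.

Added example, not from the story or badger.foo's logs. The log lines are
constructed and the thresholds are assumptions: sources that each stay
under a per-IP rate limit but that walk the same username list are
treated as one coordinated campaign.
"""
import re
from collections import defaultdict

# Constructed sample: three sources probe the same usernames a few minutes
# apart; one unrelated source fails a single real login.
SAMPLE_LOG = """\
Dec 22 00:01:10 host sshd[1001]: Invalid user admin from 203.0.113.10
Dec 22 00:03:40 host sshd[1002]: Invalid user test from 203.0.113.10
Dec 22 00:05:12 host sshd[1003]: Invalid user admin from 198.51.100.7
Dec 22 00:07:55 host sshd[1004]: Failed password for root from 192.0.2.9 port 41122 ssh2
Dec 22 00:12:01 host sshd[1005]: Invalid user test from 198.51.100.7
Dec 22 00:15:33 host sshd[1006]: Invalid user oracle from 203.0.113.10
Dec 22 00:20:47 host sshd[1007]: Invalid user admin from 192.0.2.9
Dec 22 00:31:08 host sshd[1008]: Invalid user oracle from 198.51.100.7
Dec 22 00:44:19 host sshd[1009]: Failed password for alice from 10.0.0.5 port 50000 ssh2
"""

# Two of the messages sshd logs for a failed password guess.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\S+))"
)

PER_SOURCE_LIMIT = 5   # assumed per-IP threshold, like a pf max-src-conn-rate rule


def parse_auth_lines(text):
    """Return (timestamp, username, source_ip) for each failed-guess line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"),
                           m.group("u1") or m.group("u2"),
                           m.group("ip1") or m.group("ip2")))
    return events


def attempts_per_source(events):
    """Attempt count per source IP; this is all a per-IP rate limit sees."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return dict(counts)


def sources_over_limit(events, limit=PER_SOURCE_LIMIT):
    """Sources a per-IP threshold would have blocked (none, in the sample)."""
    return sorted(ip for ip, n in attempts_per_source(events).items() if n > limit)


def distributed_usernames(events, min_sources=3):
    """Usernames tried from at least min_sources distinct IPs."""
    sources = defaultdict(set)
    for _, user, ip in events:
        sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}


def coordinated_sources(events, min_shared=2):
    """IPs that share at least min_shared guessed usernames with another IP."""
    users_by_ip = defaultdict(set)
    for _, user, ip in events:
        users_by_ip[ip].add(user)
    ips = sorted(users_by_ip)
    flagged = set()
    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            if len(users_by_ip[a] & users_by_ip[b]) >= min_shared:
                flagged.update((a, b))
    return sorted(flagged)


if __name__ == "__main__":
    ev = parse_auth_lines(SAMPLE_LOG)
    print("per-source attempts:", attempts_per_source(ev))
    print("blocked by per-IP limit:", sources_over_limit(ev))
    print("usernames probed from many sources:", distributed_usernames(ev))
    print("sources sharing a username list:", coordinated_sources(ev))
```

On the sample, no source exceeds the per-IP limit, so a firewall rule keyed on connection rate stays silent, while the username-overlap check ties two of the sources together and the per-username view shows "admin" being tried from all three. Against a real log you would feed it a day or a week of `auth.log` rather than nine lines, and tune the two minimums to your own baseline of legitimate failed logins.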
  • by arbiter1 ( 1204146 ) on Sunday December 21, 2008 @11:44PM (#26196651)

    Another idea, is change the port SSH uses to some a random high number, that will kill off most of them also.

  • by Sycraft-fu ( 314770 ) on Monday December 22, 2008 @12:03AM (#26196779)

    You can infer a lot about the OS from the way it crafts its packets. Nmap does a rather good job with host identification. I don't know all the things it does, but more or less it's a case of "Find an open port, send it various kinds of packets, see how it reacts."

  • by jd ( 1658 ) <imipak@ y a hoo.com> on Monday December 22, 2008 @12:21AM (#26196875) Homepage Journal

    Their code review seems to concentrate on external attacks. They have expressly derided mandatory access controls, for example, on the grounds that you've got to trust your users or you're already lost. So, OpenBSD is actually more likely to be vulnerable to such attacks than an OS with weaker reviews but superior access controls, such as Linux with the RBACS or GrSecurity patches in place. Thus, if anyone is using OpenBSD, they'd damn well better be using strong authentication.

    (OpenBSD has the best strong authentication of any OS on the planet, and the best security from external attacks of any OS on the planet, but cliques of any kind are notoriously blind to any problem outside of their special interest and OpenBSD is no exception. Which is why they caught a rollicking from Slashdot when it came to failing to patch their PRNG after defects were found in the *BSD family of PRNGs. It's why you should never, ever trust a group - however good - to be good at everything.)

  • Re:OpenBSD vs Linux (Score:5, Informative)

    by ADRA ( 37398 ) on Monday December 22, 2008 @12:22AM (#26196879)

    ipchains is Linux's 2.2 kernel firewall protection. BSD uses 'IPF'.

    No matter what system you're using, a closed port is a closed port.

    I think the main selling point between the two would be that IPF is slightly better performing and that iptables has quite a few addons that make for niceness if you know about them and how to use them.

  • by he-sk ( 103163 ) on Monday December 22, 2008 @12:25AM (#26196887)

    sudo nmap -O host

    will usually do the trick.

  • by Anonymous Coward on Monday December 22, 2008 @12:26AM (#26196895)

    ssh has a version string:

    $ telnet localhost 22
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
    ^]
    telnet> quit
    Connection closed.

  • Re:OpenBSD vs Linux (Score:5, Informative)

    by oasisbob ( 460665 ) on Monday December 22, 2008 @12:34AM (#26196925)

    OpenBSD doesn't use ipchains -- it uses pf [openbsd.org], which many people -- myself included -- like a lot. OpenBSD is secure and easy to get routing.

    The end result is the same, but pf can be easily adapted to many tricks like this, automatically blocking SSH bruteforcing [home.nuug.no].

    I'd give the beginners using Ubuntu a break. They're overwhelming sometimes, but the community growing is a good thing. I'm sure someone I've introduced to Linux has needed online help (badly!), but another friend I introduced to Linux really dug in and we're now both better developers because of it. You just don't know.

  • Re:Economics (Score:3, Informative)

    by jd ( 1658 ) <imipak@ y a hoo.com> on Monday December 22, 2008 @12:50AM (#26197011) Homepage Journal

    Defeating botnets is possible in theory (you need passive fingerprinting and end-system auditing capabilities at a lower level than the botnets, both of which are entirely possible). Defeating botnets is likely neither practical (the network needed to perform counter-intrusion measures would need to be double plus one the size of the botnet) nor legal (SIGINT methodologies may be ok for the NSA or GCHQ, and then with strict qualifiers, but they are not considered ok for Joe Public under any circumstances).

    You'd also need serious big iron, physical access to most of the tier 1 gateways, more money than God, more signals intelligence experts than the NSA, and more firepower than the Russian mafia. Again, nothing that is technically impossible, just very very improbable. But so long as you can generate finite levels of improbability, you should be fine.

  • by FugitiveMind ( 1423373 ) on Monday December 22, 2008 @12:53AM (#26197019)
    I use public key auth only. :P
  • by Heembo ( 916647 ) on Monday December 22, 2008 @02:24AM (#26197497) Journal

    The moment you have a system that even has the capacity to log passwords, you have a security anti-pattern. Passwords are to be stored as per-user salted sha-2 hashes and should never be logged.

  • by Sancho ( 17056 ) * on Monday December 22, 2008 @02:30AM (#26197527) Homepage

    That's absurd. The system is a honeypot. It cannot be accessed directly--you must log in to the host system to gain access. No accounts are allowed through SSH to the jailed host, but passwords are logged for the sole purpose of gathering information on the botnet. The jail has no users other than root, and root is not permitted to log in through SSH. Hell, strictly speaking, root isn't allowed to log in at all--the jail mechanism doesn't count as a login.

    It's about as secure as you can make a system which listens on TCP ports.

  • by nobodymk2 ( 1137293 ) on Monday December 22, 2008 @02:32AM (#26197545)

    It's the caffeine. They need to stop giving me anti-depressants. It's 1:32AM and I feel too energetic for chronotherapy.

  • by X0563511 ( 793323 ) on Monday December 22, 2008 @02:37AM (#26197563) Homepage Journal

    This is all simply because they don't need to bother looking for you, there are plenty of others on 22. As well, if you know enough to change the port, you probably are resistant to brute-force attacks.

    In short, you are not the intended target anyways.

    Now, if everyone started doing it, they would do what they needed to hit the low-hanging-fruit again. Once again - you are not the intended target.

  • Re:Economics (Score:5, Informative)

    by Opportunist ( 166417 ) on Monday December 22, 2008 @03:34AM (#26197767)

    I'd recommend not connecting it to any network and not installing any software if he wants the machine to be secure.

    Snideness aside, yes, you can get Windows to a sensible, workable security level. Not 100%, but nothing is 100% secure. Even Raid6 systems have been seen blowing up, and even the tightest security has its cracks.

    IT security is by definition the minimum of the system's capabilities and the administrator's capabilities. Not an average thereof, but the minimum of both. You can have the most secure system in the world and some stupid admin can f..k up its security beyond repair (provided it's somehow connected to the outside world). Likewise, you can be the absolute guru of computer security, you cannot secure an inherently insecure system.

    Therefore just saying "use $OS and you're safe" is a dangerous misconception. No system is inherently secure, it also depends on its administrator.

    You have to understand that most threats are tailored for the Windows platform, simply because it offers the largest target, being the most widely used. Since all Windows machines are also mostly alike when it comes to their software makeup, since critical networking programs like the web browser or email client are part of the package, you have a fair lot of standard targets. You can be certain that a Windows installation has IE installed. Why? Because it's certainly installed in the installation routine and cannot be completely removed. Linux is much more modular and you cannot simply assume a certain browser, a certain mail client or even a certain editor being installed. This offers a much smaller target.

    But still a Windows machine can be secured to sensible levels. First, put a router in front of it so no direct connection can be made to the machine from the internet. This pretty much eliminates most RPC based attacks (you might remember the worm craze of a few years ago. They're still there. There are still infected machines blasting into the internet and few providers filter that crap). Never connect a Windows machine directly to the internet. I made an experiment recently, the lifetime of a clean Windows XP SP1 machine directly connected to the net is less than one minute. Yes, I'm aware that SP1 is a bit dated, but most people got SP1 on their install CD and they usually don't know how to create one that contains the latest patches. Often, reinstalling the system only builds a new home for their problems.

    So, make sure you install all critical patches before you connect the machine to the net. The Service Packs can now be downloaded and stored locally, I do highly recommend doing that. USB sticks are cheap and a quite useful tool for storing them.

    Next, get an alternative browser. IE is the most attacked browser today. And with the growing market share of Firefox it became a target, too. Opera looks ok so far, at least most iframe drive by attacks don't care about it yet. This may change, though. For now, Opera would be it. Not because it's better or safer, but simply because it has a low enough market share to be off the radar of attackers.

    An alternative mail client is the next thing you need. It should not be able to process HTML mails (because most mail clients that do use the engine of the IE, do the math). It has to show extensions of attachments, and it should, if possible, disable direct execution of executable files from attachments. Funny enough, the older the mail client the better, since most of the times this means fewer features that can get into the way of security. Just make sure there are no known bugs. Again, the less mainstream the client is, the better.

    If you really, really have to use instant messaging, again, don't use the normal IM clients. Same reason, they're main targets for attackers. Use alternative clients, preferably with a low market share. As a beneficial side effect, they often also enable you to bundle more than one service.

    An antivirus toolkit. Yes, I know, many people here don't think too highly of them, and yes, they cannot

  • by dweller_below ( 136040 ) on Monday December 22, 2008 @03:34AM (#26197769)

    We like our visualizers. Our router guy has created 2. They are both GPL. We use them every day. I suppose you could consider them late Beta.

    The IPVisualizer:
    https://it.wiki.usu.edu/IPVisualizer [usu.edu]
    gives us a real-time overview of our entire IP address space. It is particularly good for revealing reconnaissance attacks.

    The Organic IP Visualizer:
    https://it.wiki.usu.edu/OIP [usu.edu]
    provides a focused view of the activity of a subset of our network.

    Miles

  • by Sepodati ( 746220 ) on Monday December 22, 2008 @04:16AM (#26197917) Homepage

    Most vulnerabilities with simple contact forms are email header injections. A malicious user will inject newlines into something like the "Subject" and then rewrite the headers and the email message itself. The headers/message the programmer intended to be inserted into the email will still be added on at the end of the message, but it's usually in the body by that time and can be hidden. Google has more info, but I can't get much to pull up right now.

    ---John Holmes...
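The header injection Sepodati describes is easy to reproduce and easy to close. Below is an added example, not code from the comment: a naive contact-form mailer that concatenates user input straight into headers, beside a hardened version that refuses any CR, LF or NUL in a header value before the message is built. The form input, including the `Bcc:` line smuggled inside the subject, is constructed; the address domains are reserved test names.

```python
"""Email header injection in a contact form: naive builder beside a hardened one.

Added example, not from the comment above. Inputs are constructed.
"""
from email.message import EmailMessage
from email.parser import Parser

# Characters that must never appear in a single header value: a CR or LF
# ends the header and lets whatever follows be parsed as a new header.
HEADER_BAD_CHARS = ("\r", "\n", "\x00")


def naive_build(from_addr, subject, body):
    """Vulnerable: header values are pasted in without validation."""
    return "From: %s\r\nSubject: %s\r\n\r\n%s" % (from_addr, subject, body)


def header_is_safe(value):
    """True if the value can be used as one header line."""
    return not any(c in value for c in HEADER_BAD_CHARS)


def safe_build(from_addr, subject, body):
    """Hardened: validate every user-supplied header, then let the email
    package serialise the message instead of string concatenation."""
    for name, value in (("From", from_addr), ("Subject", subject)):
        if not header_is_safe(value):
            raise ValueError("CR/LF in %s header" % name)
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["Subject"] = subject
    msg.set_content(body)          # body may contain newlines; that's fine
    return msg.as_string()


def accept_submission(from_addr, subject, body):
    """Form handler entry point: (True, raw_message) or (False, reason)."""
    try:
        return True, safe_build(from_addr, subject, body)
    except ValueError as exc:
        return False, str(exc)


def header_names(raw):
    """The header field names a receiving MTA would see in raw."""
    return list(Parser().parsestr(raw).keys())


if __name__ == "__main__":
    # Constructed hostile input: a second header hidden inside the subject.
    hostile_subject = "Hello\r\nBcc: someone@example.invalid"
    print(header_names(naive_build("user@example.com", hostile_subject, "hi")))
    print(accept_submission("user@example.com", hostile_subject, "hi"))
    print(accept_submission("user@example.com", "Hello", "hi")[0])
```

Run as a script, the naive builder's output parses with three headers, the injected `Bcc` among them, while the hardened path rejects the same input before any message exists. The check is deliberately applied to every header the form populates, not only `Subject`: the `From` field is just as exposed when it comes from the user.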

  • by 1s44c ( 552956 ) on Monday December 22, 2008 @05:02AM (#26198085)

    How would the botnet know they are attacking an OpenBSD box (vs Linux or something else)?

    OpenBSD runs native OpenSSH, the version number in the banner doesn't have a 'p...' extension.

    Telnet 22 to an OpenBSD machine:
    SSH-2.0-OpenSSH_5.1

    Everything else runs a portable OpenSSH, the banner does have a 'p...' extension and likely some other info too.

    Telnet 22 to a Linux machine:
    SSH-2.0-OpenSSH_4.3p2 [OS version may be appended]

  • Re:OpenBSD vs Linux (Score:3, Informative)

    by 1s44c ( 552956 ) on Monday December 22, 2008 @05:10AM (#26198125)

    ipchains is Linux's 2.2 kernel firewall protection. BSD uses 'IPF'.

    OpenBSD uses PF not IPF.
    FreeBSD uses PF or IPF.
    Linux uses iptables. It's not been ipchains since a few major kernel versions back.

    Pf rules. It's far clearer, more sensible, and more configurable than iptables.

  • by willmate ( 990150 ) on Monday December 22, 2008 @09:55AM (#26199499)
    If you telnet to port 22, you'll see the sshd version. All OpenSSHs for non-BSD systems have a p in the version number near the end, as they were ported from the OpenBSD SSH version. Or at least that used to be the case.
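The three comments above (the Anonymous Coward's telnet session, 1s44c's native-versus-portable banners, and willmate's note on the 'p' suffix) all come down to the SSH identification string that RFC 4253 makes every server send before anything is encrypted. The parser below is an added example, not code from the thread: it takes banner lines as strings and reports what each one discloses, so you can audit your own hosts' banners rather than wonder. The two OpenSSH banners are copied from the comments; the Dropbear banner and the malformed line are constructed. The `grab_banner` helper is the programmatic equivalent of the `telnet host 22` already shown, for checking machines you administer.

```python
"""Parse SSH identification banners and report what they disclose.

Added example, not from the thread. Sample banners are constructed or
copied from the comments above; the portable/native split follows the
commenters' observation that portable OpenSSH carries a 'pN' suffix
(often plus a distribution string) and OpenBSD's native build does not.
"""
import re
import socket

# RFC 4253: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<version>\d+\.\d+)(?P<portable>p\d+)?$")

SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1",   # from the comments: portable + distro
    "SSH-2.0-OpenSSH_5.1",                     # from the comments: OpenBSD native
    "SSH-2.0-OpenSSH_4.3p2",                   # from the comments: portable, no comment
    "SSH-2.0-dropbear_2019.78",                # constructed: a non-OpenSSH server
    "garbage",                                 # constructed: not a banner at all
]


def parse_banner(line):
    """Return a dict describing one banner line, or None if it isn't one."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    info = {
        "protocol": m.group("proto"),
        "software": m.group("software"),
        "comment": m.group("comment") or "",
        "family": "other",
        "version": None,
        "portable": None,
    }
    o = OPENSSH_RE.match(info["software"])
    if o:
        info["family"] = "openssh"
        info["version"] = o.group("version")
        info["portable"] = o.group("portable") is not None
    return info


def disclosure_notes(info):
    """What this banner tells anyone who connects, as short phrases."""
    notes = []
    if info["family"] == "openssh":
        notes.append("OpenSSH %s" % info["version"])
        notes.append("portable build (not OpenBSD native)" if info["portable"]
                     else "native build, consistent with OpenBSD")
    else:
        notes.append("server software: %s" % info["software"])
    if info["comment"]:
        notes.append("vendor comment: %s" % info["comment"])
    return notes


def grab_banner(host, port=22, timeout=3.0):
    """Read the first line a server sends; same as `telnet host 22`."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 256:
            chunk = s.recv(64)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")


if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        info = parse_banner(line)
        print(repr(line), "->", disclosure_notes(info) if info else "not an SSH banner")
```

The banner is mandatory in the protocol, so the question for a defender is not how to hide it but what it adds up to across a fleet: a portable build with a distribution comment narrows down the OS and package version, which is exactly the signal the summary suggests the botnet may be keying on. The `VersionAddendum` option in `sshd_config` appends to this string; it does not remove anything.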
