Rundown on SSH Brute Force Attacks 360
An anonymous reader writes "Whitedust has a very interesting article on the recent SSH brute force attacks. The article goes into depth on how to monitor these attackes and to report them to the authorities. It also discusses various tools that are available. According to the article, mostly compromised Linux systems from outside of North America are responsible for the attacks. Even the author's DSL connection was getting break-in attempts."
As always... (Score:5, Informative)
Another step to improve security if there are very few users is just to ONLY allow public key authentication. I've never seen such a box compromised remotely.
Re:As always... (Score:5, Insightful)
Use AllowUers and only have acocunts that I want logging in. If some package/whatever creates an account and I don't know, it can't be exploited.
Any login not in that list just gets a Password: promt over and over...
If my sshd_config gets changed I'm probably going to know.
The article states "200 to 300 times per day"...
This is only one box out of 63 for one day:
Authentication Failures:
unknown (xxxx.ip.secureserver.net): 2214 Time(s)
Re:As always... (Score:5, Interesting)
The attacker then tried about 50 times to login to the new account via ssh, but wasn't in AllowUsers. Eventually the idiot gave up- most likely a script kiddie who didn't realise the potential of his initial attack.
Moral of the story? AllowUsers is a really good idea
Re:As always... (Score:5, Informative)
And running Apache as root is a Really Bad Idea (tm).
Re:As always... (Score:2)
How could it possibly be exploited? As long as the password field is * or !! and there is no authorized_keys file, then you can't login using ssh.
Re:As always... (Score:3, Interesting)
Re:As always... (Score:3, Insightful)
If you want to access your home PC use RSA/DSA keys instead. This cuts out all brute force attacks once and for all.
Alternatively use PAM/RADIUS and SecureID. You c
Re:As always... (Score:4, Informative)
I've just started disabling shell access to the users of my system by default. If they want to log in with ssh, they have to explicitly enable it from the web-based front-end.
I tried forcing public-key authentication, but I kept running into trouble when I was away from home and needed to log in from someone else's computer.
I've got some explicit rules in iptables, also, where I've been blocking entire IP blocks (ie- I've got several countries blocked completely). Whenever I notice a string of failed login attempts, I do an ARIN lookup of that IP block. So far, nearly every attack has come from korea, so I 've been blocking off those addresses as they come.
I should probably only allow ssh access to american addresses... I know one should always make time for security, but I just haven't had the time to look into how to do that.
also, I've got root login enabled only because I've got a backup script running that mirrors
Re:As always... (Score:4, Informative)
Re:As always... (Score:2)
have thumb drives improved at all in the last 5 years?
I got one when they first came out (a 32mb one). It would frequently erase itself. I'd put it in and it would be called "Untitled" and have no files on it.
I didn't have anything important on it. Just some Hotline bookmarks and a hotline client for mac and windows.
Re:As always... (Score:2, Informative)
try putting your public keys on a usb thumb drive. Toss putty on there as well, and you've got what you need no matter where you're at ;)
First of all, your public key goes onto the server you are logging into. You need your private key on the client.
Second, it isn't very secure to use your private key from an untrusted machine. What you want to use from untrusted machines are one time passwords.
Re:As always... (Score:4, Interesting)
Do you have an SMS-enabled cell phone? For an operating systems class project this spring I wrote a simple PAM module what would look up the user's cell phone number then send an eight-digit random number to the user's cell phone, which the user has to type in at the login prompt. I used this module to secure the outward-facing sshd (on port 7xxx), blocking port 22 at the firewall so I could continue to ssh around my home network without spending $0.15 every time I rebooted my laptop.
As long as your phone has a signal, you have effective token-based authentication.
Re:As always... (Score:3, Informative)
Yes, there's several. Some SSH software has S/Key support (eg OpenSSH "./configure --with-skey"). The most current S/Key implementation seems to be the one in Wietse Venema's logdaemon [porcupine.org] package.
You can also do OTP through PAM or BSDauth if your platform supports those, eg pam_skey [freshmeat.net], pam_opie (OPIE [inner.net]: One-time Passwords In Everything)
Several systems have either S/Key or OPIE support natively (OPIE seems to be becoming the more popular of the two).
Re:As always... (Score:5, Informative)
Another step to improve security if there are very few users is just to ONLY allow public key authentication. I've never seen such a box compromised remotely.
No kidding? By disallowing password authentication you've stopped the script kiddies dead in their tracks. As for disallowing root access, here are some words from [neohapsis.com] an OpenBSD developer:
Re:As always... (Score:3, Informative)
That may have been the reason you did it in the past, but it's not the reason you do it now. The reason for not logging in directly as root (or under any other shared accout, for that matter) is ACCOUNTABILITY. If you log in as root directly, all that gets logged is the host you came from. If yo
Re:As always... (Score:4, Insightful)
Re:As always... (Score:3, Informative)
Perhaps, but root is the obvious target - it's both the most powerful account, and the only one that exists on all systems. With user accounts, there's the problem of guessing a valid account name.
Re:As always... (Score:2)
Re:As always... (Score:5, Informative)
Speaking of which, why is it said not to login as root over SSH? The only plausible reason I've ever heard is that the encryption is stronger after the login is complete, so your root password is safer if you 'su' to root after logging into another account.
I think it may be due to an old vulnerability. In versions of OpenSSH earlier than 2.5, you can discover the length of the password using traffic analysis. Basically you look for the following sequence of packets:
Basically, since the x packets aren't echoed, we know that they are the password. We don't know the contents of the packets, but we now know the length of the password, which can help tremendously in brute force and dictionary attacks (we can eliminate a huge portion of the search space by only searching passwords of length x).This technique worked for both SSH-1 and SSH-2 protocols. For more detail, (and a better, more accurate description of how the vulnerability worked) you can read [openwall.com] the original security advisory.
Another problem with logging in directly as root is that you no longer can audit who is logging in as root in an environment where multiple users have root access.
What next? (Score:4, Insightful)
I think the idea is (Score:2, Insightful)
The idea is old, but the attempt is new (Score:5, Insightful)
Other Slashdot readers are reporting the same effect: a recent rise in brute-force, scripted attacks, possibly by compromised boxes.
Most accounts of all sorts remain secure simply because they're obscure, and it's tempting to be lulled by past successes. We always knew that this was possible, but the fact that somebody is actually doing it is news.
Highly annoying (Score:4, Interesting)
I have seen tons of these for 12+ months. Highly annoying. Last week I had one with over 10k connection attempts. What I need is an IDS that will just drop the remote IPs into iptables. Anyone have something like that? Of course if anyone is actually interested in reports on all the IPs, most of which usually are in .cn, I've got back logs for quite awhile. ;-P
Re:Highly annoying (Score:5, Interesting)
This has essentially ended the problem for us. It allows SSH to be wide open so out-of-the-office employees can log in from a hotel or Treo in case something bad happens and it absolutely blocks dictionary attacks.
No longer a problem.
Re:Highly annoying (Score:3, Interesting)
While this approach looks like a great solution on the surface, it can have some rather unfortunate side effects.
You want to be careful where you deploy this type of setup.
Take this example. You run a fairly successful ecommerce site in a very competitive space. One of your competitors discovers you use this method and decides they don't want you to compete with them on Googe, Y
Re:Highly annoying (Score:3)
You are right about proxies/botnets, but speaking as someone who gets a few thousand of these attacks per week, the attack script that is in current use will launch several hundred or thousand dictionary attempts all from the same IP.
When they start using botnets to assault my box, then I'll have to respond differently, but for now this solution looks beautiful.
Re:Highly annoying (Score:2, Informative)
http://www.rfxnetworks.com/bfd.php [rfxnetworks.com]
it looks through your
It works really well for me. Catches a lot of attackers.
Re:Highly annoying (Score:2)
Re:Highly annoying (Score:3)
You might want to consider DShield [dshield.org] -- it works very nicely once scripts are set up to download fresh lists and upload filtered logs for redistribution. Plus, it's free.
Re:Highly annoying (Score:3)
Run it every three minutes or so and they won't get but a few shots in.
I tried posting it here but slashdot's lameness filter won't let it through.
Re:Highly annoying (Score:2, Interesting)
I give them 2 tries in 10 seconds or 3 in 60 before they get put into the bit bucket. I then send an email to myself with the IP, times, and usernames.
Kinda fun to watch my gmail account get 4-5 of these a day.
Psst. Hey buddy. Can you spare a
Re:Highly annoying (Score:2)
Re:Highly annoying (Score:2)
Re:Highly annoying (Score:2)
Outside of that, if you're not doing so yet, why not contribute those logs to DShield [dshield.org]? More data is always good for them.
Re: (Score:2)
some of mine - 1061 today (Score:2)
218.188.8.186
218.27.88.170
Jul 15 01:00:01 www sshd[46625]: Illegal user amza from 218.27.88.170
Jul 15 01:00:06 www sshd[46666]: Illegal user ana from 218.27.88.170
Jul 15 01:00:10 www sshd[46671]: Illegal user anna from 218.27.88.170
Jul 15 01:00:15 www sshd[46675]: Illegal user anemarie from 218.27.88.170
Jul 15 01:00:19 www sshd[46677]: Illegal user anamaria from 218.27.88.170
Jul 15 01:00:25 www sshd[46679]: Illegal user analusia from 218.27.88.170
Jul 15 01:00:30 www sshd[46684]: Illegal user ana
Easy fix (Score:4, Informative)
Re:Easy fix (Score:2)
Re:Easy fix (Score:2)
Re:Easy fix (Score:2)
No wonder this guy posts as an AC. The file name really is sshd_conf.
Re:Easy fix (Score:2)
Re:Easy fix (Score:3, Interesting)
Re:Easy fix (Score:5, Informative)
DenyHosts (Score:5, Informative)
Lately I have been getting atleast 1 hack attempt a day on my personal computer connected to the internet over a cable connection. On weekends I get more.
Just this morning I had two ssh dictionary attacks. DenyHosts caught them both.
Re:DenyHosts (Score:3, Interesting)
Seems like a similar idea to DenyHosts, just a different implementation.
Re:DenyHosts (Score:2)
However, I'm trying to run it on Debian Woody and I'm getting this:
So maybe it's not so great. :-)
Re:DenyHosts (Score:2)
I get these almost continually... (Score:2)
If they bother you, you could always use portsentry or something similar to block the IP once a certain number are received.
Re:I get these almost continually... (Score:2, Funny)
Guy Says Recent Attacks?? (Score:2)
Haven't these ssh-based attacks been going on since sometime like July of 2004?
The deal was that there was a SSH vulnerability in non-OpenBSD implementations of sshd. The automated stuff kicked off then -- and they've gotten a bit worse in the last few months.
Re:Guy Says Recent Attacks?? (Score:2)
Protocol 2
LoginGraceTime 12
PermitRootLogin no
MaxAuthTries 2
Non-default Port (Score:3, Informative)
Re:Non-default Port (Score:2, Informative)
Re:Non-default Port (Score:3, Interesting)
Attacks are a sad reminder on stupidity (Score:3, Informative)
I got annoyed enough that I wrote a little script to pull the data out of my logs in real time and add an entry to my firewall, but the attacks are harmless to any sysadmin with a clue.
-Matt
Re:Attacks are a sad reminder on stupidity (Score:2)
Use another port (Score:5, Informative)
Re:Use another port (Score:2)
Re:Use another port (Score:2)
Re:Use another port (Score:3, Informative)
# Protect against DOS attacks - rate limit various ICMP messages
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST -m limit --limit 1/s -j ACCEPT
Re:Won't work (Score:3, Informative)
Changing the port does work. I went from having hundreds of attacks a day to zero. Not a single attempt in months.
Re:Won't work (Score:2)
Running services that don't need to be open to a wide variety of people on a non-standard port is generally a good idea. It's not a replacement for properly securing your services (obscurity never is), but it's another layer on top that can't hurt.
For that matter, do look in
iptables "recent" rule (Score:2)
Mitigating against SSH brute force attacks using Netfilter and the recent module [andrew.net.au]
surprising, just May 2005 (Score:3, Insightful)
BlockHosts (Score:2)
Automation (Score:2)
why not disable passwords entirely? (Score:5, Informative)
Re:why not disable passwords entirely? (Score:3, Informative)
care with remote hosts (Score:2)
It's also important to revoke keys if the client machine is stolen or otherwise compromised, although passphrases help in this situation.
Re:why not disable passwords entirely? (Score:2)
Bruce Schneier talks about similar security-defeating effects of secret questions [schneier.com].
Reporting is useless (Score:2)
We use sshd_sentry which puts the IP address into the hosts.deny list for 24 hours after five failed attempts. This eliminates the problem completely and it doesn't fill up our logs with useless trash.
I am thinking of doing the same thing for relay attempts because that seems to have become the new sport. One reject you would think would be quite sufficient, but no, we're getting a hundred or more reque
Especially Comcast NJ (Score:2)
I've gone back and forth with Comcast but the upshot is: Pound Sand.
As a result I banned his entire ip range. I had to, his password attacks were coming too fast & blocking out legit clients. This action took out 255 innocent customers of Comcast NJ - but's that's the risk of subscribing to a rogue ISP.
add AllowUsers to /etc/ssh/sshd_config (Score:4, Insightful)
AllowUsers unprivguy *@*.mydomain.com *@localhost
You still see the attempts in your logs, but now you also see:
User root not allowed because not listed in AllowUsers
Brute force attacks (Score:2)
Dynamically blocking with iptables (Score:4, Informative)
Here are the iptables rules I use to dynamically stop this kind of thing (with a good degree of success):
# SSH
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j DROP
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT --to-destination $INTERNAL:22
-A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination $INTERNAL:22
Your mileage may vary. This blocks attempts for 1 minute after 3 attempts (successful or failed, so if someone forgets their password, they may trip it as well).
Re:Dynamically blocking with iptables (Score:2)
Re:Dynamically blocking with iptables (Score:2)
Mmm... (Score:2)
Every day I get two or three new attackers, most of whom try 50-60 times on common account names (fred, jeff, user, test etc.) and about one a week that goes full-bore for a particular username or a large spread of a few thousand attempts.
I took the appropriate measures... disallowed root login, use public-key authenti
They actually got in on my parent's computer (Score:5, Interesting)
I analyzed the system, and quickly determined that the person was not a big time hacker. Looking at his
Since he made no effort to cover his tracks or avoid detection, either this script-kiddie didn't know how to, or had so many computers to manage it wasn't worth his while to do so.
First, I put ssh on another port, then... (Score:4, Interesting)
I sleep just fine now.
These have been going on for a long time (Score:4, Informative)
APF and BFD can be got here: RFX Networks [rfxnetworks.com].
20th Century Authority (Score:5, Insightful)
The authorities
Better we should self-organize our collective defense.
Peer-to-peer government -- making the nation-state obsolete, one node at a time
-kgj
Re:20th Century Authority (Score:2)
Thanks (Score:2)
Thanks, made my day.
In the interest of journalistic balance, it should be noted that I've posted plenty of asinine, ill-thought-out comments in the past five years.
But I recognized the Authority post as a keeper, the moment the idea came to me. So, thanks again for your affirmation.
-kgj
sshdban.sh (Score:2)
Once a month or so, I check the list of banned IPs & manually report U.S. ones to the relevant abuse@ email addresses (figuring that they can de-zombify the boxes.
Why do people use ssh with passwords? (Score:2, Insightful)
Recent? (Score:2)
Traced one attack from a Windows box in an Ohio school.
Comment removed (Score:3, Informative)
Re: (Score:2)
Tiger Server (Score:2)
Oh yeah, and I (manually) set their shell to
Last, Tiger doesn't have passwords for any of the standard unix accounts, so no amount of dictio
SSHBlack works well (Score:2)
For me, since I run shorewall, I changed one line to run shorewall drop instead of adding its
Got nailed by something like this about a year ago (Score:2)
I had installed DB2, and used db2admin/db2admin as the default account. Win32 box, but was undead by the time I got back from a roadtrip. Not only do you need to make sure your passwords are strong, but avoid the 'common' passwords folks will set up for a dev account. Looking at my firewall logs for the last year just confirms how fast you will go down if you use a simple/common account and password.
Re: (Score:2)
My box was compromised by this (Score:4, Interesting)
I got up in the morning and looked at my logcheck emails. It was odd: there were messages saying the ethernet card had entered promiscuous mode, and several kernel modules loaded. Further investigation revealed two connections to remote port ircd, but netstat wouldn't show the process ID(s) that owned this connections. The machine was in a mess: I couldn't run man, or gzip (needed by the apt-get process) and several other key commands as they immediately seg faulted. Rebooting resulted in the same issues: ethernet card in prom. mode, etc. Perhaps a packet sniffer was running on my networking looking for passwords to upload.
My problems started when I created an account for a friend and gave it a weak password without making him change it. The ssh dictionary attack broke in that way. Furthermore, I wasn't running a normal Debian kernel. Instead one that somebody else had created with MPPE support (it would be nice after all these years if one could have MS-CHAP support for PPP straight out of the box). I hadn't kept tabs on the kernel notices and ensured that this kernel was ok with them - it hadn't been updated for at least a year. Thus the script that broke in via SSH was able to exploit a local security hole and elevate privileges - game over.
I write all this as a reminder to people to take care. Debian is fairly secure if you use standard packages and keep them up to date. I'm generally quite carefull about what I install, which services run, what ports are exposed to the internet, keeping and eye on it, etc. Two careless mistakes and I had to rebuild the system and change all my passwords - thankfully nothing more. Be warned.
Re:Linux is still a secure OS tho, (Score:2)
Youre, right, this has NOTHING to do with Linux. (Score:2, Interesting)
Do people on slashdot NOT know what a brute force / dictionary / wordlist attack is??? It is an attempt to connect to a service, using a
Re:Youre, right, this has NOTHING to do with Linux (Score:2)
Re:No root login? (Score:2)
I can see your argument and tried to think of a few counter-arguments.
If someone can only get to root by coming in as a normal user and su-ing, then we should know which account they came from and hold that user responsible.
Not all SSH accounts are necessarily for admin users anyway (compile farms, cgi hosting, VPN's etc.), so blocking root on those connections doesn't hinder anyone and the users will not be able to get to root an
Re:No root login? (Score:2)
If you disable root logins, then they can't get hold of the admin account... Although your use of "an" admin account suggests that you mean someone other than root who can write to the system binary locations -- that seems like a bad idea anyway, and is unrelated.
Re:I've seen many SSH break in attempts myself. (Score:2)