The Low-Intensity, Brute-Force Zombies Are Back 203
Peter N. M. Hansteen writes "In real life, zombies feed off both weak minds and the weak passwords they choose. When the distributed brute-force attempts stopped abruptly after a couple of months of futile pounding on ssh servers, most of us thought they had seen sense and given up. Now, it seems that they have not; they are back. 'This can only mean that there were enough successful attempts at guessing people's weak passwords in the last round that our unknown perpetrators found it worthwhile to start another round. For all I know they may have been at it all along, probing other parts of the Internet ...' The article has some analysis and links to fresh log data."
why are passwords even allowed? (Score:5, Informative)
Anyone with passwords turned on is not secure IMHO
Re: (Score:3, Informative)
IMHO if the passwords are strong enough there is nothing to worry about, unless you get pissed off with flooded log files and the waste of bandwidth.
None of my systems allow passwords via ssh
Exactly, using public key authentication and disabling PAM/Password authentication solves the problem.
and I run log-guardian.pl to "3 strikes - you're out" the idiots who do the brute-forces by putting them into iptables
sshguard is nice too, they will be firewalled in no time. (watch out for DoSs though)
However, it is not just ssh. Http and servers also suffer a lot from automated breakin attempts.
Anyway.. I'm glad services running on port 22 are not in the same security leve
Passwords are a terrible idea (Score:3, Informative)
The problem is that most users are not capable of choosing a strong password. Even when you try to enforce policies about minimum password strength, users will manage to choose weak passwords; aside from the world's most common password (password1), there are plenty of people who use their own username as a password -- and requiring non-alphanumeric symbols won't stop them: jane123 will just becomes j@ne123. Minimum password leng
Re: (Score:3, Interesting)
If you only allow public key authentication then there's really no need to bother blocking them: you'll never block the entire botnet.
Just let them try - they'll never guess the right private key.
Re: (Score:2)
If there's a bug on in openssh (Score:2)
... then there's no need to bruteforce it, and therefore blocking a botnet doing that is futile.
Re: (Score:2)
Re: (Score:2)
And if you have a three try block then you may still decrease the effectiveness of a botnet unless you are the specific target of the botnet.
But some bots are actually stupid enough to run the same list of passwords on every node, so it may work really well.
It's more the question of making your site less attractive than other sites on the net.
A hack for /etc/sysconfig/iptables to take care of the problem.
Re: (Score:3, Insightful)
grep -v for the win!
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
Re: (Score:3)
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
I'm still a bit nervous about allowing malicious third p
Re: (Score:2)
From a quick look at fail2ban it looks like one of it's features is that the blocking only lasts until the next log rotation.
It's configurable, you can select any period of time for the ban to remain in effect.
I'm still a bit nervous about allowing malicious third parties to effectively write firewall rules for me.
That I completely understand. It's not without its potential hazards, but I think the benefits outweigh them.
some of us don't really know where the next legitimate connection is going to come from
I've been thinking about something like a variant on port knocking, wherein a machine would be make several connections attempts to a non-existent service port from source ports whose numbers add up to some magic number. Filtering would then be disabled for the life of that connection. Maybe someone's already done it
Re: (Score:2)
If you just want to keep the logs cleaner and avoid the bot attacks, you can just run your server on another port.
Re: (Score:2)
Re: (Score:2)
Interesting. I run an sshd on a non-standard port, and have yet to see this behavior.
I'll keep an eye out, though.
Re: (Score:2)
(We run public key only authentication, with SSH on a nonstandard port. The former is a bit of a PITA, but the latter is a simple change.)
Re: (Score:2)
I only allow public key connections, and am only listening on port 2022 (I have no issues telling the world that).
My auth.log is completely empty of password attempts. Am I missing something simple-stupid or is the bot net only going after port 22?
Re: (Score:2, Insightful)
Re: (Score:2)
Something interesting about your usage of tcp/2022. I did the same thing recently on an occasion when I could not use tcp/22, since it seemed an obvious choice. Probable most automated attacks only concentrate on tcp/22 (the obvious target and if you can move it, you probably know enough to secure it properly), but I've been wondering if someone might start considering scanning on 2022 or any other "obvious" choice.
Right now it seems that nobody is scanning for them, but is anyone else setting ssh servers o
Re: (Score:2)
Likewise - I use fail2ban with iptables to drop any packets from someone who fails auth about 5 times in a few minutes. I've toyed with the idea of adding them to a global blacklist for all servers in all locations, but in reality this solution works just fine.
fail2ban and firewall won't help with this attack (Score:2, Redundant)
Likewise - I use fail2ban with iptables to drop any packets from someone who fails auth about 5 times in a few minutes. I've toyed with the idea of adding them to a global blacklist for all servers in all locations, but in reality this solution works just fine.
If you RTFA, they tell you that these attacks are coming from different machines, presumably so they don't trip such things as fail2ban et al.
Looking at the logs he supplied, this is a _very_ slow attack, the attempts are many seconds, or even minutes apart. You would have to have a very guessable username / password combination for it to work.
I would comment though that I'm not seeing anything like this attack in my logs. I personally use IPTables rules (using hashlimits) to limit 1 connection / IP per m
Re: (Score:2)
I'm using fail2ban and it configurably allows you to set how long you want to ban, and permanently isn't the default.
You must be thinking of some other tool
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Re: (Score:2, Interesting)
I disagree. I both cases, password auth or key auth, barring any security problem with the protocol, the weakest link is the user. A passphraseless ssh key is tempting to the user for many reasons and unless you audit the passphrases selected by your users, key auth is no more secure than password auth. In fact password auth may actually be more secure if you enforce complexity on the system(s). You have no control over the passphrase on a u
Re: (Score:2)
I think you over estimate the security of passwords.
You admit that the weakest link is the user.
Passwords are very dependent on the user. They are generally selected by the user and if any of your users recycled a username password pair from http://www.google.com/search?ie=UTF8&q=myspace1.txt.bz2 even though they are eight characters with a letters and numbers and mixed case they are essentially known.
Passwords depend on users not recycling username password pairs that have have been phished.
I will admi
Re: (Score:2)
s/mod_usb/pam_usb/
Time to head to bed.
Re: (Score:2)
Don't go spouting nonsense like that! Storing SSH keys is only as secure as the physical security of the client. If you're travelling (esp international) and need remote access to servers, passwords are the only way to go.
Your keys are password protected on the client...
Re: (Score:2)
Or they should be. Unfortunately, there are a lot of "how-to"s on the web that use a null key passphrase to make scripting easier. That openssh allows this is a problem, but lots of people have written scripts that depend on it.
Re: (Score:2)
Of course you get the best of both worlds with ssh-agent. Secure passphrase, and no keyboard input for scripts.
Re: (Score:2)
Right. ssh passphrases are a PITA, so people don't use them.
But that doesn't have to matter, since anyone with any sense is storing their .ssh directory in an encrypted partition anyway. Along with their browser history, local copies of their email, and so forth. Why password-protect just one type of sensitive data, when you could protect everything at once?
Re: (Score:2)
I've commented about that SSH/VPN idea somewhere else here [slashdot.org].
What is the advantage of having an extra VPN in terms of SSH usage?
(I know there are other advantages, but you seem to imply that's just to allow SSH access from everywhere but a list of known addresses)
Poor Odds (Score:5, Informative)
How-to (Score:5, Informative)
Re: (Score:2)
We did remapped SSH to a higher unused port and then took it a step further blocking access to that port on the hardware firewall from every IP address except for the office. If I need to connect to the server, I first have to connect to an OpenBSD box in the office.
We have 3 - 4 PCI scans a day (seems like every payment gateway we support for our clients scans the server daily. None of them even see SSH.
Story of low hanging fruit (Score:2)
For some reason the guy that was looking after what should have been a simple mail server and incredibly basic web server decided to change things so that everyone with a mailbox had shell access. Then he put a compiler on there. Then, sick of having to "su" all the time he changed the permissions of everything in
I should add (Score:2)
Re: (Score:2)
"chmod 777" = justifiable homicide
Re: (Score:2)
You're right, it is called Remote Login (in System Preferences, Sharing, Services). However, as others have said, it is off by default.
Not seeing it yet (Score:4, Funny)
Re: (Score:2)
A fair point. I've set up on our production servers two lists for ipset [netfilter.org], one each for China and Korea. Bullshit accesses to SSH and HTTP dropped way way off once I did that.
With 719 unique CIDR blocks for China and 430 for Korea, we get a lot less garbage traffic to our servers. Worth the hour it took to set up, too.
Oh... (Score:5, Funny)
[puts shotgun down]
Re:Oh... (Score:4, Informative)
[puts shotgun down]
Don't be so hasty. There are real people herding the zombies.
Re: (Score:2)
So the real question is... (Score:2)
Re: (Score:2)
I know you're joking, but just ask Woody [cnn.com], he knows what to be scared of.
Protect yourself (Score:5, Informative)
Use SSH keys in addition to passwords. Disable ssh root logins. Use the AllowUsers command in sshd_config to restrict what accounts can log in with ssh. Edit /etc/hosts.deny and add IP ranges [iana.org] for where you are unlikely to login from. Use iptables rules to block people [itwire.com] who are hammering your ssh server from the same address. Use tools like Fail2ban [fail2ban.org] and DenyHosts [sourceforge.net] to block other abusers and share abuser information with other victims.
disabling root login is idiotic (Score:2)
It's security theater.
There are good reason for allowing (private key only) root login, allong with autorized_keys command= directives.
Furthermore password+ssh keys is rather pointless.
Re: (Score:2)
Is that good reason: You're an idiot?
Re: (Score:2)
While there might be good reasons to allow root access with a restricted key, that's hardly wise and there usually there is no need to do so.
As for the pointlessness of keys AND password, I think you're rather uncreative. There are a few uses of that scheme, the first one to come to my mind is a random password tightly controlled by the IT staff and periodically changed (and the user can do nothing about that) plus a key, under user control. The password allows enforcement of the security rules and insures
Re: (Score:2)
Unless the root access is restricted to a single command - e.g. rsync for backups, scripts to generate checksums on bin and lib dirs, etc.
Needless to say, this should be run only from a secure host that has no inbound services except, if necessary, ssh.
Re: (Score:2)
Until your account is compromised and the attacker can now ssh into your other accounts without having to enter a password. I'd rather have to enter the password when the key is used. Better safe than sorry.
Re: (Score:2)
Wouldn't a passphrase on the key itself be better in that case?
If the account is compromised (Score:2)
it's compromised.
And having to type a password too often is not added security, because it only adds minimal, easily circumvented security in the rare case where you're already fucked, but it annoys the hell out of users *all* the time, causing them to have unsafe practices.
Re: (Score:2)
No its not. Disabling root logins means the attacker has to brute force the username as well as the password, thus increasing the chances of the attack failing by a power of two. In actuality it is even more effective, as the attacker will usually try "root" and move on.
Same rationale exists on Windows. If you don't rename the "Administrator" account on setup, (or create a new admin account with a different name and delete the old one if you have a pre-installed box) you are asking for a world of hurt.
Even
Go ahead, brute force a private key (Score:2)
Good luck with that.
Re: (Score:2)
Look up defense-in-depth and the reasons it is used. Encrypted keys may be the strongest link in the chain, but if they are the only defense you have then you are SOL the instant a vulnerability is discovered.
Why would you sit back after implementing private key access without any further consideration to the other techniques for making ssh even safer? For home servers this is probably sufficient, but if it is your job to secure systems then this would be negligence - possibly criminally so, depending on th
Because security is a trade-off (Score:2)
And forcing users to go through hoops for a negligeable gain in security is worse than nothing.
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Re: (Score:2)
If you don't have a password as well then if your account is compromised the attacker will be able to access your accounts on other servers without entering a password. I know generating a ssh key without a password is convenient but it also creates risk.
Re: (Score:2)
Re: (Score:2)
By the way, you can look at the traffic statistics from DenyHosts [denyhosts.net], you can clearly see that ssh password-guessing traffic increased about 10 fold on Apr 6. (And since I configured DenyHosts to email me every time it blocks an IP, I've been very aware of this attack)
I've always wondered why someone doesn't do something with the DenyHosts IP list. It should be impossible to forge IP's for ssh, due to handshaking and key exchange. So doesn't DenyHosts have a pretty good map of somebody's botnet? Is any
Re: (Score:2)
Same here with denyhosts and emails. I noticed immediately that three different systems were being slowly plucked away with ssh attempts. mainly to 'admin', which I suppose is typical of home routers.
you bring up a very good point about the denyhosts data being a good map of the botnet. I think it would be up to the private sector to initiate something before law enforcement would bother though. It seems most of the blackhat stuff is reported/stopped by a few whitehats instead of by government entities.
SPA / PORT KNOCKING - Bye Bye Brute (Score:4, Insightful)
Roll out SPA / Port knocking, their IP shouldn't be touching your sensitive ports without a rule, table, or chain specifically allowing access. FORGET THE PASSWORD!
Another solution (Score:3, Insightful)
Not So Shameless Plug (Score:5, Informative)
For those already familiar with Peter Hansteen's website [home.nuug.no], I'll offer a Thumbs Up recommendation for his Book of PF [amazon.com].
There's already been several stories on Slashdot either submitted by or about him, and I don't recall any mention of his book. I'd say his efforts if not his humility deserve some kind of reward, and the reduced sale price of $19.77 is a bargain.
Denial (Score:3)
I've used a script to block servers that failed a certain number of attempts along with AllowUsers. That worked well for a couple of years, but was annoying in that you could see the attempts being made and knowing that if you made a config error you could be vulnerable. It seems to me that even after I got several hundred systems in my block list it wasn't making a difference since the pool of zombies was so large.
Now I just use key only access and AuthUsers and feel a lot more secure. I'm thinking I may add a white list of IP addresses as well. That would really lock things down pretty well.
Everybody has their formulas (Score:2)
Mine is:
1) No passwords for SSH. At all.
2) SSH keys that require passphrase authentication.
3) SSH on a high port.
That's it! No issues, that I'm aware of...
In all seriousness (Score:5, Informative)
Re: (Score:2)
The botnet owners have large lists of likely usernames/passwords and IP addresses to try. In the past they just assigned a bot to try out a complete list of usernames/passwords to try for a range of IP addresses. Now, they just give each bot a range of usernames/passwords for a complete list of IP addresses. It doesn't affect the processing time required, but makes it harder to ban hosts.
I'm safe... (Score:5, Funny)
Re: (Score:3, Funny)
pinkie? C'mon, gimme a hint.
Re:I'm safe... (Score:5, Funny)
Re: (Score:3, Funny)
reference [bash.org]
Stop collaborate and listen. (Score:2)
Just checked my auth logs and I'm seeing hundreds of various IPs, some of which are connecting up to 20 times. Definitely a new twist. I'll have to do some poking around to see what kind of machines are doing the probing. ( Is it compromised windows boxes?)
Don't just run it on a higher port. (Score:2, Interesting)
Be proactive on port 22 as well. At the advice of another comment I saw on /. a year or so ago I'm running a honeypot, with three static ports (one of them 22) and 4 roving ports. Establishing a TCP connection to any of them causes your IP to be instantly added to an iptables blacklist. It's worked pretty well; I've got about 2-3 unique addresses trying per day, and about 294 have been blocked since mid-December 2008. It takes care of both port scanners and bots deliberately connecting in order to try and g
Re: (Score:2)
Is there any difference with respect to a PKCS#11 token?
I've been thinking of using one of these tokens as a "road warrior" SSH key, but then realised that since they need drivers to be useable, that wouldn't be practical to use on machines not owned by me.
Also, why not S/KEY [freebsd.org] instead of one of those yubikeys (or at least the random password)?
quickest fix (Score:2, Interesting)
Goodness. (Score:5, Informative)
There sure are a lot of people who didn't bother to read the article.
The point of these attacks are that it's a coordinated botnet attack. Meaning if you block any single IP, or even a large subnet, you've cost the attacker nothing. Fail2ban, denyhosts, all of these won't even slow these attacks down.
iptables goodness (Score:5, Informative)
Once again, we have a built in linux goody which helps us out;
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m recent --set --name sshattack --rsource
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m recent --rcheck --seconds 300 --hitcount 3 --name sshattack --rsource -j LOG --log-prefix "SSH Drop: "
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m recent --rcheck --seconds 300 --hitcount 3 --name sshattack --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
The above allows three connections in a 5 minute period to port 22. After that it rejects any further connection attempts until the 5 minute timer is up.
Re: (Score:2)
The recent module in iptables tracks per source IP address, so that's not a concern.
Re:iptables goodness (Score:4, Informative)
Which means this won't work, since what I see in the logs (at least in the last go-round with this stuff) is one attempt per remote IP, yet a coordinated distributed dictionary attack. What we need is a ruleset that properly spots this attack pattern, then locks down port 22 entirely except for defined, fixed-IP administrative exceptions, just if there is any pattern of failed attempts over a longer period.
In a slightly-different recent case, I saw someone get ahold of an ftp login. The uses of that login were one-off per remote IP. The IPs were in Ukraine, Russia, China, Texas ... with hours between successive attacks. From what was attempted on the logins, it was obviously a generic attack, not well-directed at the particular server. Quite likely an infected client system divulged the login to the botnet that infected it, and the botnet then focused the distributed attack. As with ftp, so with ssh. They don't want you to even notice it in the logs. Each IP will be used for one transaction attempt with you, spaced hours apart.
We need tools to spot these slow-moving distributed attacks. The single bad login attempt needs to be correlated with others from completely different IPs, over a span of days, not just minutes.
Re: (Score:3, Interesting)
then locks down port 22 entirely except for defined, fixed-IP administrative exceptions
This is my default configuration, with a port knock pattern for emergency access.
Post your banlist (Score:2, Informative)
I get about 5 of these a day, on a relatively small site. I wrote a small shell script out of sheer boredom that parses hosts.deny and gives me country and hostname info. Here's the output from the past week or so. It seems to confirm that most of these are from public isps overseas.
117.21.249.75 CN, China
121.166.163.142 KR, Korea, Republic of
122.128.36.3 KR, Korea, Republic of
189.19.245.182 BR, Brazil 189-19-245-182.dsl.telesp.net.br.
200.111.157.187 CL, Chile
201.6.124.155 BR,
My Solution (Score:4, Informative)
I was having similar brute force attacks.
I've made some alterations to protect my server from brute force SSH attempts.
1) Moved SSH to another random port
2) Bound the SSHD to an IP address that is not used for Web/Mail/FTP, etc.. So the IP should generally see less traffic
3) Disable Password Authentication, Users who are given SSH access must use a password protected key file
4) Disabled Root SSH Login
5) Setup the system that 3 failed logins add the entire IP Subnet(X.X.X.0-X.X.X.255) for 15 minutes, 5 failed attempts 1 week, anything else is a never ending ban. (iptables and hosts.deny, just in case)
Re: (Score:2)
Re: (Score:2)
Well, my current crop of zombies are brain-dead. (Score:2)
Maybe that's redundant, but "james" has tried 7500 times in the last 5 days to login to a machine that neither allows password authentication, nor has a user named "james".
Something is broken on their end.
Probably more effective than you think (Score:2)
Some years ago, I worked for a partner of a then-enormous national ISP that shall remain unnamed, but its initials are AOL. At one point, I had access to a large list of usernames and passwords of their users. Out of curiosity, I performed a statistical analysis of the data and discovered, to my not very large surprise, that about 20% -- I forget the exact figure -- had passwords that were either "password", "secret", or their username. In other words, if you know one of their usernames, you have a roughly
Re: (Score:3, Insightful)
Um. You realize, of course, that remote desktop is a lot less secure than ssh, right?
It doesn't matter if people are trying to pick the lock on your door. What matters is whether they can pick the lock. Use RSA-based authentication, and no amount of brute force is going to improve the odds of their breaking in to the point where it's worth bothering.
Remote desktop, on the other hand, is completely brute-forceable. If you're not seeing brute force attacks, it's because nobody's bothering, not because
Re: (Score:2)
They're coming pretty steadily. I read the FA, logged in to the ssh-receiving box, looked at the logs, and a half-dozen showed up while I was looking. Makes me wish I had the time to run a honeypot.
Based on my quick reading of the ssh/sshd documentation, I created an empty ~/.ssh/rc file for the accounts with known-good passwords (i.e., mine) and then put "kill -9 $PPID" in /etc/sshrc.
That seemed to work, though I know it will be bad for X11 (which I never use over ssh to my home box).
There may be
Re: (Score:3, Informative)
Remote Desktop uses TLS and X.509 certificates, so it's not exactly trivial to crack. It's easily as secure as SSH using password-based authentication. It's definitely *more* secure if your users never bother to actually check unknown server keys.
Now, compared to SSH using only key-based authentication, Remote Desktop isn't as secure. Unless you use smart cards for authentication with Remote Desktop, which are probably more
Re: (Score:2)
Re: (Score:2)
I had something like this (but far less automated) going back in my one-man-IT department days. I also had good responses from admins who generally felt bad and wanted things fixed up on their end ASAP. My employer told me it was a waste of my time and to stop because I wasn't "the Internet police." He looked stupid after I was gone and my incompetent replacement managed to get them hacked. He actually allowed someone to set a password to "password" because they complained that my old password requireme