LinuxQuestions.org

Linux - Security: brute-force-ssh-attack (http://www.linuxquestions.org/questions/linux-security-4/brute-force-ssh-attack-667074/)

saavik 09-02-2008 07:40 AM

brute-force-ssh-attack
 
We suffer from an sshd brute force attack.

It's no real security problem as we have several security tools that make it impossible to get into the server via ssh-brute-force-attack.

Here is the log-file:

Quote:

sshd[1367]:admin01 from 69.26.203.10
sshd[1367]:admin01 from 69.26.203.10
sshd[1790]:admin01 from 200.26.153.204
sshd[1803]:admin01 from 122.224.128.212
sshd[1814]:admin0 from 83.12.137.44
sshd[1848]:admin0 from 125.142.211.133
sshd[1853]:admin0 from 200.29.135.50
sshd[1857]:admin0 from 58.196.4.98
sshd[1790]:admin01 from 200.26.153.204
sshd[1803]:admin01 from 122.224.128.212
sshd[1814]:admin0 from 83.12.137.44
sshd[1848]:admin0 from 125.142.211.133
sshd[1853]:admin0 from 200.29.135.50
sshd[1857]:admin0 from 58.196.4.98

My question:

The attack seems to be coordinated between several different IPs. How can that be?
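The pattern in the excerpt above (the same two usernames, each arriving from several unrelated addresses, with no single address making many attempts) is what a per-IP threshold misses. The script below is an added example, not part of saavik's post: it parses the log lines exactly as they appear in the post (the reduced "sshd[pid]:user from ip" shape, not a full syslog line) and reports usernames that are being tried from many distinct sources, beside the classic per-IP count.

```python
import re
from collections import defaultdict

# The log excerpt from the post above, reduced to "process: user from ip".
# The pattern below matches that shape, not the full line sshd writes to syslog.
LOG = """\
sshd[1367]:admin01 from 69.26.203.10
sshd[1367]:admin01 from 69.26.203.10
sshd[1790]:admin01 from 200.26.153.204
sshd[1803]:admin01 from 122.224.128.212
sshd[1814]:admin0 from 83.12.137.44
sshd[1848]:admin0 from 125.142.211.133
sshd[1853]:admin0 from 200.29.135.50
sshd[1857]:admin0 from 58.196.4.98
sshd[1790]:admin01 from 200.26.153.204
sshd[1803]:admin01 from 122.224.128.212
sshd[1814]:admin0 from 83.12.137.44
sshd[1848]:admin0 from 125.142.211.133
sshd[1853]:admin0 from 200.29.135.50
sshd[1857]:admin0 from 58.196.4.98
"""

LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]:\s*(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(log):
    """Return (user, ip) tuples for every line that matches; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def sources_per_user(events):
    """Map each attempted username to the set of source addresses that tried it."""
    by_user = defaultdict(set)
    for user, ip in events:
        by_user[user].add(ip)
    return dict(by_user)


def attempts_per_source(events):
    """Count attempts per source address (a single-host brute force shows one big count)."""
    by_ip = defaultdict(int)
    for _, ip in events:
        by_ip[ip] += 1
    return dict(by_ip)


def distributed_usernames(events, min_sources=3):
    """Usernames tried from at least min_sources distinct addresses.

    One scanner normally works through its username list from one address; the same
    few usernames arriving from many unrelated addresses is the signature of a
    coordinated (botnet-style) campaign, which a per-IP threshold alone will not see.
    """
    return {
        user: sorted(ips)
        for user, ips in sources_per_user(events).items()
        if len(ips) >= min_sources
    }


def noisy_sources(events, threshold=5):
    """Addresses exceeding a per-IP attempt threshold (what fail2ban-style tools key on)."""
    return {ip: n for ip, n in attempts_per_source(events).items() if n >= threshold}


if __name__ == "__main__":
    ev = parse(LOG)
    print(f"{len(ev)} attempts from {len(attempts_per_source(ev))} distinct addresses")
    for user, ips in distributed_usernames(ev).items():
        print(f"{user!r} tried from {len(ips)} addresses: {', '.join(ips)}")
    print("per-IP threshold hits:", noisy_sources(ev) or "none")
```

On the posted excerpt no address crosses a per-IP threshold of 5 (each appears twice), while both usernames are flagged as distributed; the two views together are what separate a botnet from a single noisy host.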

win32sux 09-02-2008 08:16 AM

A botnet perhaps?

saavik 09-02-2008 08:19 AM

Yes, seems so, but does anybody have the same problems or know the virus (just for fun!)?

junpa 09-02-2008 09:14 AM

saavik,

the sshd brute force attacks are nothing new and yes, everyone gets them.
Your particular instance could have been caused by spoofing or, as win32sux already stated, a distributed attack (botnet).

The attack would not fall into the category of 'virus'.

unixfool 09-03-2008 07:07 AM

Did you read the sticky post here? ====> http://www.linuxquestions.org/questi...tempts-340366/

sundialsvcs 09-03-2008 08:59 AM

The most important things to remember are:
  1. Keep your sshd ("ssh daemon") program scrupulously up-to-date, along with all of the libraries (crypto and so-forth) that it uses.
  2. Understand the SSH configuration (see: man sshd_config).
SSH has the very annoying characteristic that it will start by offering the toughest challenge, but it will then offer (and accept) successively weaker alternatives! You need to configure your system to accept only "digital certificates," and to refuse simpler alternatives like passwords. You should accept only "protocol #2."

A digital certificate is like a non-forgeable (and, individually revocable...) identification badge. The badge can be password-protected to prevent it from being presented by the wrong person, but the bottom line is that in order to connect to your system a valid badge must be presented. (You can issue and revoke the badges without costing any money.) A hacker can knock at your door until he's blue in the face, but he'll never get inside.

Put as many obstacles in the way as you can. For example, close all the inbound pathways except a VPN-portal maintained by your hardware router... once again, secured using digital certificates (not "pre-shared keys"). It's better to keep the hackers outside of the chain-link fence topped with concertina-wire, rather than to let them be milling-about in the front lobby.

Having set-up this system, now actively maintain it. Issue certificates (of the various types) with a drop-dead date and change them periodically. Issue individual certificates, so that each one can be individually revoked.
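The configuration points in sundialsvcs's post (protocol 2 only, key-based authentication only, no password fallback) map onto a handful of sshd_config directives. The script below is an added example, not from the post or from OpenSSH: it parses an sshd_config the way sshd does (comments stripped, first occurrence of a directive wins, anything after the first Match line is conditional and skipped) and reports which of those directives are weak or left unset. Both configs embedded in it are constructed samples.

```python
import re

# Directives the post's advice maps to, with the value a hardened host should carry.
# These are real sshd_config directives (man sshd_config). "Protocol" only matters on
# OpenSSH builds that still support protocol 1; ChallengeResponseAuthentication is the
# directive name of that era (newer releases call it KbdInteractiveAuthentication).
WANTED = {
    "protocol": "2",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
}

# sshd_config accepts "Key value" and "Key=value".
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the global section of an sshd_config.

    Mirrors two rules sshd applies itself: the first occurrence of a directive wins,
    and everything after the first Match line is conditional, so it is not audited here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value)  # first value wins
    return settings


def audit(text):
    """List (directive, actual, wanted) for each directive that is weak or not set explicitly."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "<unset: build default applies>", wanted))
        elif actual.lower() != wanted:
            findings.append((key, actual, wanted))
    return findings


# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PasswordAuthentication yes      # ignored by sshd: the earlier "no" wins
Match User backup
    PasswordAuthentication yes  # conditional, outside the global section
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, actual, wanted in findings:
            print(f"  {key}: {actual} -> want {wanted}")
```

Feeding `audit()` the output of `sshd -T` (available from OpenSSH 5.1 on) instead of the file audits the effective values, so directives left unset are resolved to the build's defaults rather than reported as unknown. The "unset" finding is deliberate: the fallback behaviour the post warns about comes from defaults you never wrote down, so every one of these directives should appear explicitly.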

immortaltechnique 09-05-2008 01:01 AM

You could also try and put the annoying IP net blocks under hosts.allow. Well, this is not a panacea, but it kind of moderates the brute-force attacks. It's in the thread mentioned. I also receive these attempts, but basic SSH security procedures, again in the above mentioned thread, should keep things in check.
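Turning a list of offending addresses into tcp_wrappers net blocks is mostly a matter of getting the syntax and the collateral damage right. The script below is an added example, not from immortaltechnique's post: it collapses a constructed list of offenders into /24 networks, keeps only blocks that have produced more than one offender (so a single stray address does not lock out a whole network), and renders the rule in the form hosts.deny expects, plus the `: deny`-suffixed form needed if the rule lives in hosts.allow as the post suggests.

```python
import ipaddress
from collections import Counter

# Constructed list of offending source addresses (e.g. the output of a log summary).
OFFENDERS = [
    "69.26.203.10", "69.26.203.77", "69.26.203.80",
    "200.26.153.204",
    "83.12.137.44",
]


def collapse_to_blocks(ips, prefix=24, min_hits=2):
    """Group IPv4 offenders into /prefix networks and keep blocks with >= min_hits hits.

    min_hits guards against collateral damage: one stray address is no reason to
    shut a whole /24 out of the server.
    """
    hits = Counter()
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            continue  # the net/mask syntax rendered below is IPv4-only
        hits[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)] += 1
    return sorted(net for net, n in hits.items() if n >= min_hits)


def wrappers_line(daemon, nets, option=None):
    """Render one tcp_wrappers rule: "daemon : client_list [: option]".

    In /etc/hosts.deny the bare rule blocks the listed clients. In /etc/hosts.allow
    the same list needs the ": deny" option, because a hosts.allow match otherwise
    grants access (hosts.allow is consulted before hosts.deny).
    """
    clients = " ".join(f"{n.network_address}/{n.netmask}" for n in nets)
    rule = f"{daemon} : {clients}"
    return rule if option is None else f"{rule} : {option}"


if __name__ == "__main__":
    blocks = collapse_to_blocks(OFFENDERS)
    print("# /etc/hosts.deny")
    print(wrappers_line("sshd", blocks))
    print("# or, in /etc/hosts.allow")
    print(wrappers_line("sshd", blocks, option="deny"))
```

Two caveats a practitioner should check before relying on this: the `: deny` option works only where tcp_wrappers was built with PROCESS_OPTIONS (the case on Linux distributions), and sshd honours hosts.allow/hosts.deny only when it is linked against libwrap (OpenSSH dropped that support in 6.7, after which the same blocks belong in the packet filter instead).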

