LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-02-2008, 07:40 AM   #1
saavik
Member
 
Registered: Nov 2001
Location: NRW, Germany
Distribution: SLES11 / FC20/ OES / CentOS
Posts: 601

Rep: Reputation: 32
brute-force-ssh-attack


We suffer from a sshd brute force attack.

It's no real security problem as we have several security tools that make it impossible to get into the server via ssh-brute-force-attack.

Here is the log-file:

Quote:
sshd[1367]:admin01 from 69.26.203.10
sshd[1367]:admin01 from 69.26.203.10
sshd[1790]:admin01 from 200.26.153.204
sshd[1803]:admin01 from 122.224.128.212
sshd[1814]:admin0 from 83.12.137.44
sshd[1848]:admin0 from 125.142.211.133
sshd[1853]:admin0 from 200.29.135.50
sshd[1857]:admin0 from 58.196.4.98
sshd[1790]:admin01 from 200.26.153.204
sshd[1803]:admin01 from 122.224.128.212
sshd[1814]:admin0 from 83.12.137.44
sshd[1848]:admin0 from 125.142.211.133
sshd[1853]:admin0 from 200.29.135.50
sshd[1857]:admin0 from 58.196.4.98
My question:

The attack seems to be coordinated between several different IPs. How can that be?
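Added example (not part of the original post): a small Python script that parses the log lines quoted above, groups the attempted usernames by source IP, and flags usernames that are being tried from several distinct addresses, which is the pattern that distinguishes a coordinated campaign from one noisy host. The sample log is the abbreviated output from the post; the regex also accepts the usual auth.log form ("Failed password for invalid user X from IP"), shown in one constructed line. The threshold of three sources is an assumption chosen for the sample.

```python
import re
from collections import defaultdict

# Constructed sample: the abbreviated lines quoted in the post, plus one line in
# the standard auth.log format to show the parser handles both.
SAMPLE_LOG = """\
sshd[1367]:admin01 from 69.26.203.10
sshd[1367]:admin01 from 69.26.203.10
sshd[1790]:admin01 from 200.26.153.204
sshd[1803]:admin01 from 122.224.128.212
sshd[1814]:admin0 from 83.12.137.44
sshd[1848]:admin0 from 125.142.211.133
sshd[1853]:admin0 from 200.29.135.50
sshd[1857]:admin0 from 58.196.4.98
Sep  2 07:41:12 host sshd[2001]: Failed password for invalid user admin01 from 192.0.2.10 port 4022 ssh2
"""

# Matches "sshd[pid]:<user> from <ip>" as well as the normal
# "Invalid user <user> from <ip>" / "Failed password for [invalid user] <user> from <ip>".
LINE_RE = re.compile(
    r"sshd\[\d+\]:\s*"
    r"(?:Invalid user |Failed password for (?:invalid user )?)?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_attempts(text):
    """Yield (user, ip) for every line that looks like an sshd login attempt."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def sources_per_user(text):
    """Map each attempted username to the set of distinct source IPs that tried it."""
    seen = defaultdict(set)
    for user, ip in parse_attempts(text):
        seen[user].add(ip)
    return dict(seen)


def attempts_per_ip(text):
    """Count attempts per source IP (useful for per-host blocking decisions)."""
    counts = defaultdict(int)
    for _, ip in parse_attempts(text):
        counts[ip] += 1
    return dict(counts)


def distributed_users(text, min_sources=3):
    """Usernames tried from at least min_sources distinct IPs.

    A single attacker hammering one account shows up as one IP with many
    attempts; a botnet shows up as one username spread thinly over many IPs,
    so per-IP rate limiting alone does not see it."""
    return sorted(
        user for user, ips in sources_per_user(text).items() if len(ips) >= min_sources
    )


if __name__ == "__main__":
    for user, ips in sources_per_user(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} source IPs -> {sorted(ips)}")
    print("distributed:", distributed_users(SAMPLE_LOG))
```

Usage note: on a real system feed it `/var/log/auth.log` or `/var/log/secure`; a username appearing from many addresses with one or two attempts each is exactly the case where per-IP blockers (hosts.deny, fail2ban-style tools) do little, and where disabling password authentication, as suggested later in this thread, is the effective fix.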
 
Old 09-02-2008, 08:16 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
A botnet perhaps?
 
Old 09-02-2008, 08:19 AM   #3
saavik
Member
 
Registered: Nov 2001
Location: NRW, Germany
Distribution: SLES11 / FC20/ OES / CentOS
Posts: 601

Original Poster
Rep: Reputation: 32
Yes, seems so, but does anybody have the same problems or know the virus (just for fun!)
 
Old 09-02-2008, 09:14 AM   #4
junpa
Member
 
Registered: Aug 2008
Location: Northern Hemisphere
Distribution: Slackware, OpenVMS, fbsd
Posts: 50

Rep: Reputation: 16
saavik,

the sshd brute force attacks are nothing new and yes, everyone gets them.
Your particular instance could have been caused by spoofing or, as win32sux already stated, a distributed attack (botnet).

The attack would not fall into the category of 'virus'.
 
Old 09-03-2008, 07:07 AM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Did you read the sticky post here? ====> http://www.linuxquestions.org/questi...tempts-340366/
 
Old 09-03-2008, 08:59 AM   #6
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,401

Rep: Reputation: 1119
The most important things to remember are:
  1. Keep your sshd ("ssh daemon") program scrupulously up-to-date, along with all of the libraries (crypto and so-forth) that it uses.
  2. Understand the SSH configuration (see: man sshd_config).
SSH has the very annoying characteristic that it will start by offering the toughest challenge, but it will then offer (and accept) successively weaker alternatives! You need to configure your system to accept only "digital certificates," and to refuse simpler alternatives like passwords. You should accept only "protocol #2."

A digital certificate is like a non-forgeable (and, individually revocable...) identification badge. The badge can be password-protected to prevent it from being presented by the wrong person, but the bottom line is that in order to connect to your system a valid badge must be presented. (You can issue and revoke the badges without costing any money.) A hacker can knock at your door until he's blue in the face, but he'll never get inside.

Put as many obstacles in the way as you can. For example, close all the inbound pathways except a VPN-portal maintained by your hardware router... once again, secured using digital certificates (not "pre-shared keys"). It's better to keep the hackers outside of the chain-link fence topped with concertina-wire, rather than to let them be milling-about in the front lobby.

Having set-up this system, now actively maintain it. Issue certificates (of the various types) with a drop-dead date and change them periodically. Issue individual certificates, so that each one can be individually revoked.

Last edited by sundialsvcs; 09-03-2008 at 09:01 AM.
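Added example (not from the post or from OpenSSH itself): a Python audit of an sshd_config against the advice above, in OpenSSH terms. What the post calls "digital certificates" is public-key authentication (PubkeyAuthentication); refusing passwords is PasswordAuthentication no; "protocol #2" is Protocol 2. ChallengeResponseAuthentication no is added here as a caveat, because keyboard-interactive can still prompt for a password when PasswordAuthentication is off. Both config fragments are constructed samples. The parser follows sshd_config's own rules (comments, case-insensitive keywords, first occurrence of a keyword wins) and stops at the first Match block, which it does not interpret.

```python
import re

# Constructed sample: a permissive configuration that still offers the
# weaker alternatives the post warns about.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, permissive)
Protocol 2,1
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: key-only, protocol 2 only.
HARDENED_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, key-only)
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# PasswordAuthentication yes   <- comment, must be ignored
PasswordAuthentication yes      # later duplicate; sshd keeps the FIRST value
"""

# Keyword -> value required to refuse the weaker alternatives.
REQUIRED = {
    "protocol": "2",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Rules mirrored from sshd: '#' starts a comment, keyword and value are
    separated by whitespace or '=', keywords are case-insensitive, and the
    first occurrence of a keyword wins.  Parsing stops at the first 'Match'
    line because settings below it apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(text):
    """List (keyword, actual, expected) for every setting that leaves a weaker
    authentication path open than the post recommends."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            # Not set explicitly: the compiled-in default of your OpenSSH
            # version applies, so set it on purpose rather than rely on that.
            findings.append((key, "<not set; version default applies>", expected))
        elif key == "protocol":
            # "2,1" still lets a client negotiate the legacy protocol 1.
            versions = {v.strip() for v in actual.split(",")}
            if versions != {"2"}:
                findings.append((key, actual, expected))
        elif actual.lower() != expected:
            findings.append((key, actual, expected))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "OK")
```

Usage note: after editing the real file, run `sshd -t` to check the syntax and `sshd -T` to print the effective configuration before restarting the daemon, and keep an existing session open while you test key-only login so a mistake does not lock you out.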
 
Old 09-05-2008, 01:01 AM   #7
immortaltechnique
Member
 
Registered: Oct 2006
Location: Kenya
Distribution: Ubuntu, RHEL, OpenBSD
Posts: 287

Rep: Reputation: 32
You could also try and put the annoying IP net blocks under hosts.allow. Well, this is not a panacea, but it kind of moderates the brute-force attacks. It's in the thread mentioned. I also receive these attempts, but basic ssh security procedures, again in the above mentioned thread, should keep things in check.
 
  

