LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Failed SSH login attempts (http://www.linuxquestions.org/questions/linux-security-4/failed-ssh-login-attempts-340366/)

Capt_Caveman 08-09-2004 01:00 PM

SSH login attempts
 
There appears to be some form of automated malware circulating around the internet in the last 2 weeks. It attempts sshd logins using simple username-password combinations. A sample scan looks like:

Jul 19 21:04:33 server sshd[28379]: Illegal user test from XXX.XXX.XXX.XXX
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from XXX.XXX.XXX.XXX
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:38 server sshd[28387]: Illegal user user from XXX.XXX.XXX.XXX

Several reports indicate that the malicious code is a scanner designed to identify systems with weak username/passwords. Once a weak system is identified, its IP address is appended to a list for manually exploitation later on. However, the possibility of a unknown exploit has not been ruled-out.

All Linux users are recommended to implement a sensible username and password policy in order to avoid being compromised by this tool. An example of a sensible policy would be at least the use of non-dictionary, alpha-numeric+punctuation characters. Restricting sshd access to only those systems necessary will further reduce the possiblity of compromise. Access restriction can be done using iptables or tcp_wrappers (hosts.allow/deny)

Further information about this tool and failed sshd logins can be found here:
http://lists.netsys.com/pipermail/fu...ly/024612.html
http://dev.gentoo.org/~krispykringle/sshnotes.txt
http://isc.sans.org/diary.php?date=2004-08-04

ppuru 08-09-2004 11:11 PM

And perhaps the use of the AllowUsers keyword in /etc/ssh/sshd_config to lock down access to the known few.

Pastorino 08-11-2004 08:42 AM

It will be even more secure by disabling password authentication completely, and allowing only private key authentication.

ppuru 08-22-2004 10:10 PM

New version of brutessh code is out
http://isc.sans.org/diary.php?date=2...6a32305ebe5d9c

adjman 09-02-2004 09:35 AM

Been seeing this too, I have taken to explicitly blocking the troublesome IP's at firewall level as I use my box as a router - this way I just do a few quick Grep's through the /var/log/secure and then add a couple of rules.

Keeps them from doing anything as the firewall just drops packets from those hosts.

:)

crackito 09-14-2004 08:21 AM

I use apf fw, and bfd....bfd check's for brute force attempts anda add hosts to the deny.hosts of the fw.

Ambrosia 09-15-2004 03:57 AM

I've set up a Honeypot after noticing similiar activity on SSH, using an old Slackware 8, 2.4.18 and a bogus guest/guest account.

The entire thing seems automated, and as soon as the guest logs in, a local root exploit gets used to gain root access..automatism stops there though, as the actual news root pass gets entered manually (yay for script kiddies typoing).

After that, behavior differed...one immediately installed an IRC bot which connected to Undernet (EnergyBot), and started to scan from my machine (but strangely, all the machines he scanned were firewalled...hum..).
Sadly I hadn't my keylogger/outputlogger set up properly, so the log wasn't really usable aside of that info.
Others just changed the root pass, and logged out again.

Those scans aren't really frequent here (one each couple of days or so), and seem to have different origins (a few US, one from Romaina).

Ah yes, the Romanian guy...changed root pass, logged out, didn't return for a while. I then restored an hour-old copy of the system, and -bang-, minutes later he's exploting the thing -again- (using a different root pass), and doesn't even at all seem to notice a certain familiarity with a certain box he exploited before..heh..kiddies.

On further note, it's safe to assume that they logged in from their own private boxes..nmap revealed all ports as firewalled.

Right now I've put the Honeypot on hold...what do you think, is it worth continuing it? Any good ideas on further actions? :)

Ambrosia

micxz 09-25-2004 10:09 PM

All my web servers, personal servers and everyone I know at home are getting hit with these atttemps. These scans are happening for months now. I'm almost willing to bet anyone who runs ssh `cat /var/log/messages | grep test` they will see many attempts from different IPs.

I suggest we all use key logins only and even run ssh on a alternate port if possible. Adding them to hosts.deny or blocking them via iptables in real time is even better.

TruckStuff 09-27-2004 11:33 AM

Geesh... I had one guy "scan" our servers over six THOUSAND times this weekend. What a PITA. I sent a complaint to his hosting company's abuse department... who knows if anything will come of it.

micxz 09-27-2004 03:11 PM

I've had good responses from network abuse teams working for different ISP's. Some even write back and thank you.

dannyk1 09-28-2004 02:56 AM

I'm used to cleaning out spam from my email but this shit is starting to get out of hand

Looks like the code has been updated to throw more passwords at a server

Look at how many hits I got from one idiot in one attack

failed logins from these:
Administrator/password from 216.189.163.85: 1 Time(s)
accounting/password from 216.189.163.85: 1 Time(s)
adm/password from 216.189.163.85: 1 Time(s)
admin/password from 216.189.163.85: 4 Time(s)
administrator/password from 216.189.163.85: 1 Time(s)
anon/password from 216.189.163.85: 1 Time(s)
apache/password from 216.189.163.85: 1 Time(s)
boss/password from 216.189.163.85: 1 Time(s)
checkfs/password from 216.189.163.85: 1 Time(s)
cisco/password from 216.189.163.85: 6 Time(s)
client/password from 216.189.163.85: 1 Time(s)
cvs/password from 216.189.163.85: 1 Time(s)
debug/password from 216.189.163.85: 1 Time(s)
dni/password from 216.189.163.85: 1 Time(s)
echo/password from 216.189.163.85: 1 Time(s)
fal/password from 216.189.163.85: 1 Time(s)
fax/password from 216.189.163.85: 1 Time(s)
ftp/password from 216.189.163.85: 1 Time(s)
games/password from 216.189.163.85: 1 Time(s)
gnats/password from 216.189.163.85: 1 Time(s)
gopher/password from 216.189.163.85: 1 Time(s)
guest/password from 216.189.163.85: 1 Time(s)
intel/password from 216.189.163.85: 1 Time(s)
kermit/password from 216.189.163.85: 1 Time(s)
login/password from 216.189.163.85: 1 Time(s)
lp/password from 216.189.163.85: 1 Time(s)
lynx/password from 216.189.163.85: 1 Time(s)
mail/password from 216.189.163.85: 1 Time(s)
man/password from 216.189.163.85: 1 Time(s)
manager/password from 216.189.163.85: 1 Time(s)
master/password from 216.189.163.85: 1 Time(s)
monitor/password from 216.189.163.85: 1 Time(s)
mysql/password from 216.189.163.85: 1 Time(s)
netscreen/password from 216.189.163.85: 1 Time(s)
news/password from 216.189.163.85: 1 Time(s)
nobody/password from 216.189.163.85: 1 Time(s)
operator/password from 216.189.163.85: 2 Time(s)
oracle/password from 216.189.163.85: 1 Time(s)
postgres/password from 216.189.163.85: 1 Time(s)
postmaster/password from 216.189.163.85: 1 Time(s)
qsvr/password from 216.189.163.85: 1 Time(s)
root/password from 216.189.163.85: 8 Time(s)
security/password from 216.189.163.85: 1 Time(s)
sync/password from 216.189.163.85: 1 Time(s)
sys/password from 216.189.163.85: 1 Time(s)
sysadmin/password from 216.189.163.85: 2 Time(s)
sysop/password from 216.189.163.85: 1 Time(s)
tech/password from 216.189.163.85: 1 Time(s)
test/password from 216.189.163.85: 6 Time(s)
user/password from 216.189.163.85: 1 Time(s)
uucp/password from 216.189.163.85: 1 Time(s)
www/password from 216.189.163.85: 1 Time(s)

craig34 09-28-2004 07:19 AM

Blocking these IPs
 
I've been using my hosts.allow file to prevent some of the IPs from which I notice many attempts. Today my security email has informed me that a range of IPs, all starting with 207.158.8, have made many attempts. I'd like to block the entire range, which seems to go from 207.158.8.236 to 207.158.8.245. How would I modify the following code to block that entire range?

Code:

ALL : 207.158.8.236 : deny
Also, I've done this for about 14 IPs so far. Is there any reasons that I should know about why not to approach the problem in this manner?

TruckStuff 09-29-2004 09:01 PM

Re: Blocking these IPs
 
Quote:

Originally posted by craig34
I've been using my hosts.allow file to prevent some of the IPs from which I notice many attempts. Today my security email has informed me that a range of IPs, all starting with 207.158.8, have made many attempts. I'd like to block the entire range, which seems to go from 207.158.8.236 to 207.158.8.245. How would I modify the following code to block that entire range?

Code:

ALL : 207.158.8.236 : deny
Also, I've done this for about 14 IPs so far. Is there any reasons that I should know about why not to approach the problem in this manner?

whois 207.158.8.236 will give you the CIDR range. Then you can add
Code:

ALL:  207.158.0.0/18 : deny
to your hosts.allow file.

I've been blocking these at the firewall. Any thoughts on if its better to block at the firewall vs. using a hosts.allow as mentioned here?

Also, does anyone have any tips for managing all of these IPs across multiple servers? Its getting to be a pain to add an IP to each of our servers every day.

jayjwa 10-04-2004 06:05 AM

To limit/end these Script Kiddie playtimes:

1) Make passwords long & strong, stuff like: &^bV{-)wQ17HG*dzQK?X

2) Limit sshd's accessing domains you know you don't need in hosts.deny (sshd can be compiled w/hosts_access support or put in under xinetd/inet with -i option). For example, I know that no one from China should be logging into my sshd, so:

hosts.deny:

Code:

sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
3) Add line

Code:

sshd: UNKNOWN
to hosts.deny. Surprisingly, this stops alot of them but hasn't stopped any of my legit users. You can combine this rule with #2 above.

4) Make use of the AllowUser, DenyUser tags in sshd_config. Make sure you list exactly who should and who should not
login. IMO, never, ever allow root.

sshd_config:

Code:

# Explicitly set who can and who can not login by way of ssh
AllowGroups users
AllowUsers tom joe harry

# Everything that isn't above
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news  uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite

DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc


5) Check into key-only ssh login. If someone doesn't have a valid key, it will be very hard to login with any password!

6) Turn up logging and watch logs carefully. Maybe limit access times too (with xinetd's port times). I completely drop traffic from known trouble networks/domains/netblocks, but this may be too extreme for some people. xinetd can do rate limit as well.

7) You can put sshd on another port, but this shouldn't be needed if all your other defense is in place. Stay up on patches and current security. Most intruders I've seen get local, then use kernel exploits like km3.c (ptrace) or do_brk(), mremap to gain root. Of those that did get root, they usually downloaded IRC stuff (bouncers, bots) and linux viruses OSF, and RST varient #2. The attackers were quite amatureuish, and left behind plenty of evidence, including bash history files, logs, and other records. Once a machine is compromised, they use it to do more. The most advanced tool that I've seen
came as a C source file, so the port could be changed. It had an extensive password list with dictionary type words. More words could be added. RST #2 contains its own backdoor. Rootkits T0rn, and SucKit were popular as well. Many of the tools came from the go.ro domain. In many cases, the admins of the attacking machines didn't know they were compromised. Several expressed gratitude when notified of the attempts, but unfortunately the norm seems to be no response (at least in the cases I've reported myself).

As far as using hosts based access for iptables, I'd say go for both: knock out as much trouble spots as you can with each tool, because they work slightly different. For example, I may not need to allow sshd login from a certain domain, but I do want to be able to send and receive mail with it; so I can't drop it completely. With hosts based access you can give rules to just one daemon, or all.

- jayjwa

(Re-editted for reformating on 10/6)

dmoorhouse 10-30-2004 03:17 PM

Has anyone found a script/daemon that would monitor for such activity and then add the offending ip to the hosts.deny or drop chain of iptables in real time? I'm a network admin but not a programmer :(

All the blocking would then be automated and only the offending ip would be locked out as the attempts are made.

Dar


All times are GMT -5. The time now is 11:22 PM.