LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-09-2004, 01:00 PM   #1
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
SSH login attempts


There appears to be some form of automated malware circulating around the internet in the last 2 weeks. It attempts sshd logins using simple username-password combinations. A sample scan looks like:

Jul 19 21:04:33 server sshd[28379]: Illegal user test from XXX.XXX.XXX.XXX
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from XXX.XXX.XXX.XXX
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:38 server sshd[28387]: Illegal user user from XXX.XXX.XXX.XXX

Several reports indicate that the malicious code is a scanner designed to identify systems with weak username/passwords. Once a weak system is identified, its IP address is appended to a list for manually exploitation later on. However, the possibility of a unknown exploit has not been ruled-out.

All Linux users are recommended to implement a sensible username and password policy in order to avoid being compromised by this tool. An example of a sensible policy would be at least the use of non-dictionary, alpha-numeric+punctuation characters. Restricting sshd access to only those systems necessary will further reduce the possiblity of compromise. Access restriction can be done using iptables or tcp_wrappers (hosts.allow/deny)

Further information about this tool and failed sshd logins can be found here:
http://lists.netsys.com/pipermail/fu...ly/024612.html
http://dev.gentoo.org/~krispykringle/sshnotes.txt
http://isc.sans.org/diary.php?date=2004-08-04
 
Old 08-09-2004, 11:11 PM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
And perhaps the use of the AllowUsers keyword in /etc/ssh/sshd_config to lock down access to the known few.
 
Old 08-11-2004, 08:42 AM   #3
Pastorino
Member
 
Registered: Jul 2004
Distribution: RHEL 6.2
Posts: 35

Rep: Reputation: 15
It will be even more secure by disabling password authentication completely, and allowing only private key authentication.
 
Old 08-12-2004, 07:39 PM   #4
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by Pastorino
It will be even more secure by disabling password authentication completely, and allowing only private key authentication.
Except I beat my head against the wall for 2 weeks a few months ago trying to get private key auth working with SSHD.

At any rate, I've been seeing these attempts in my logs for the last few weeks. Just figured it was some stupid skiddie; guess I was right.
 
Old 08-15-2004, 12:38 PM   #5
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
Capt_Caveman: it's not a scanner for weak usernames/passwds, it's a ssh bruteforcer with those uid's/passwd's hard-coded.
Kiddies using it can't change the code obviously
 
Old 08-15-2004, 01:46 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
I use more of the wikipedia definition of bruteforce, where it's something that attempts a large number of password variations against a single host, like iterating through the entire search-space of all possible alpha-numeric combinations. In essence "one or a few hosts, lots of usernames/passwords".

Of course, you can call them whatever you like

Last edited by Capt_Caveman; 08-15-2004 at 02:15 PM.
 
Old 08-18-2004, 08:22 AM   #7
paperdiesel
Member
 
Registered: Oct 2003
Location: southern cali
Distribution: fedora core 4
Posts: 79

Rep: Reputation: 15
Dunno if this is the right place to ask this, but how can I configure some effective tcp wrappers using etc/hosts.allow and .deny? I'm getting the same ssh login/password spam on my box, and have been getting it for over a month now. I want to block this before it gets a chance to try combinations on my box, so I figured I'd try and disallow any ssh access except from a few specific places.

Here's the way I understand it, but it doesn't work. Someone please enlighten me:

In /etc/hosts.deny:

ALL: ALL

This will block all traffic coming in to the box, except what's provisioned in hosts.allow.

In /etc/hosts.allow:

ALL: LOCAL, .domain.com, 192.168.1

This will only allow local traffic, request from "domain.com", and any requests from your local subnet.

However, this does not work. If I try to ssh into my box from "domain.com", I get a connection refused. What gives?

Last edited by paperdiesel; 08-18-2004 at 08:27 AM.
 
Old 08-18-2004, 01:43 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
The syntax should be ok. Maybe there is some problem with the hostname lookup, try using the IP address block of .domain.com instead. Do you see any relevant messages in the system logs about failed SSH attempts?
 
Old 08-22-2004, 04:26 PM   #9
KneeLess
Member
 
Registered: May 2003
Distribution: Debian GNU/Linux 3.0 Sid, OpenBSD 3.5
Posts: 190

Rep: Reputation: 30
Quote:
Originally posted by TruckStuff
Except I beat my head against the wall for 2 weeks a few months ago trying to get private key auth working with SSHD.

At any rate, I've been seeing these attempts in my logs for the last few weeks. Just figured it was some stupid skiddie; guess I was right.
It's actually very easy.
$ ssh-keygen -t rsa
(Just press enter for all answers)
$ #Put your pub key, usually /home/USER/.ssh/id_rsa.pub, onto the server you're logging on to.
 
Old 08-22-2004, 10:10 PM   #10
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
New version of brutessh code is out
http://isc.sans.org/diary.php?date=2...6a32305ebe5d9c
 
Old 08-23-2004, 07:39 PM   #11
raxxal
Member
 
Registered: Jul 2004
Location: Los Angeles
Distribution: Mandrake 2007
Posts: 109

Rep: Reputation: 15
Re: SSH login attempts

Quote:
Originally posted by Capt_Caveman
There appears to be some form of automated malware circulating around the internet in the last 2 weeks. It attempts sshd logins using simple username-password combinations. A sample scan looks like:

Jul 19 21:04:33 server sshd[28379]: Illegal user test from XXX.XXX.XXX.XXX
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from XXX.XXX.XXX.XXX
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:38 server sshd[28387]: Illegal user user from XXX.XXX.XXX.XXX

Several reports indicate that the malicious code is a scanner designed to identify systems with weak username/passwords. Once a weak system is identified, its IP address is appended to a list for manually exploitation later on. However, the possibility of a unknown exploit has not been ruled-out.

All Linux users are recommended to implement a sensible username and password policy in order to avoid being compromised by this tool. An example of a sensible policy would be at least the use of non-dictionary, alpha-numeric+punctuation characters. Restricting sshd access to only those systems necessary will further reduce the possiblity of compromise. Access restriction can be done using iptables or tcp_wrappers (hosts.allow/deny)

Further information about this tool and failed sshd logins can be found here:
http://lists.netsys.com/pipermail/fu...ly/024612.html
http://dev.gentoo.org/~krispykringle/sshnotes.txt
http://isc.sans.org/diary.php?date=2004-08-04
One way to secure a little bit more a Linux box is by using the chattr command. Usually I keep the passwd. etc., set to +i. this no way no one can add or modify them, no even root.
You can check your file(s) setting with the command "lsattr." e.g lsattr ----i-------- passwd

Raxxal

Last edited by raxxal; 08-23-2004 at 07:42 PM.
 
Old 08-24-2004, 12:16 AM   #12
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
Quote:
Usually I keep the passwd. etc., set to +i. this no way no one can add or modify them, even root.
Well root can always chattr -i and make changes.
 
Old 08-24-2004, 02:39 PM   #13
flashingcurser
Member
 
Registered: Jan 2003
Distribution: many win/nix/mac
Posts: 259

Rep: Reputation: 31
Does it only scan the default port? I always change sshd to listen to a non-standard non-priv port.

 
Old 09-02-2004, 09:35 AM   #14
adjman
LQ Newbie
 
Registered: Sep 2004
Location: Duncton, UK
Distribution: Lubuntu
Posts: 6

Rep: Reputation: 0
Been seeing this too, I have taken to explicitly blocking the troublesome IP's at firewall level as I use my box as a router - this way I just do a few quick Grep's through the /var/log/secure and then add a couple of rules.

Keeps them from doing anything as the firewall just drops packets from those hosts.

 
Old 09-06-2004, 10:19 AM   #15
e_larkin
LQ Newbie
 
Registered: Jun 2004
Posts: 5

Rep: Reputation: 0
Here is my logwatch output and this is pretty standard every single day!

Failed logins from these:
admin/password from 200.181.46.200: 2 Time(s)
guest/password from 200.181.46.200: 1 Time(s)
guest/password from 200.206.182.38: 1 Time(s)
root/password from 200.181.46.200: 3 Time(s)
test/password from 200.181.46.200: 2 Time(s)
test/password from 200.206.182.38: 1 Time(s)
user/password from 200.181.46.200: 1 Time(s)

**Unmatched Entries**
Illegal user test from 200.181.46.200
User guest not allowed because shell /dev/null is not executable Illegal user admin from 200.181.46.200 Illegal user admin from 200.181.46.200 Illegal user user from 200.181.46.200 Illegal user test from 200.181.46.200 Illegal user test from 200.206.182.38 User guest not allowed because shell /dev/null is not executable

what Im wondering is if there is a way to setup a false file system allow a guest, user, admin, or test login to the system so that when it (the script or person) does login it can be monitored and then traced back to an originating IP?

I would love to start messing with the idiot thats actually doing this.
 
  


Reply

Tags
hostsdeny, keys, ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh...log files that store the login attempts Bgrad Linux - Networking 4 03-29-2010 09:40 AM
Failed SSH login attempts Capt_Caveman Linux - Security 38 01-03-2006 03:22 PM
ssh login attempts from localhost?! sovietpower Linux - Security 2 05-29-2005 01:19 AM
SSH login attempts - how to get rid of the automated malware? alexberk Linux - Security 1 05-24-2005 04:57 AM
How do I block IP's to prevent unauthorized SSH login attempts? leofoxx Linux - Security 6 05-23-2005 09:36 PM


All times are GMT -5. The time now is 04:08 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration