LinuxQuestions.org > Forums > Linux Forums > Linux - Security
05-05-2008, 03:42 PM   #1
SlowCoder
Member
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Fedora (Desktop), CentOS (Server), Knoppix (Diags)
Posts: 934
Why do most SSH attacks seem to come from Asian countries?


... at least in my experience.

Whenever I watch my ssh logs and whois the violator's IPs, they are from China or Korea, etc.

Assuming (maybe bad judgment on my part) that the violating IP is probably from a victimized machine itself, why the prevalence?
 
05-05-2008, 04:27 PM   #2
Emerson
Senior Member
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~
Posts: 3,177
Pirated Windows, no updates from MS?
 
05-05-2008, 04:38 PM   #3
SlowCoder
Original Poster
Quote:
Originally Posted by Emerson
Pirated Windows, no updates from MS?
That's a pretty good point.
 
05-05-2008, 11:05 PM   #4
sundialsvcs
Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455
Realistically speaking, it's hard to be sure where an attack is coming "from."

What you need to do, if you must run an "ssh" daemon, is to review the security-options that it supports. The configuration is slightly stilted ... a few more options than it really needs to have, and maybe not the best descriptions for them ... but there's a lot there. You can, for example, use digital certificates.

Also consider using the VPN capability of even a run-of-the-mill office router. Once again, if you get beyond the stupidly-simple "shared secret" authentication methods that the quickstart guides tend to offer you, it's actually quite simple to put a nearly-impregnable barrier between you and the Internet ... yet it is one that you (alone) can pass through as if by magic.

Remember: it should be quite difficult for an outsider to reach "a password prompt" on your systems, by any means whatever.

What do they check, every morning as you walk into the building on the way to your (locked) office? Your badge. If you don't have that, your door-key is quite useless because you won't even make it that far.

Last edited by sundialsvcs; 05-05-2008 at 11:07 PM.
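The "review the security-options" advice above is easy to get subtly wrong, because sshd keeps the first occurrence of a keyword and silently ignores later duplicates, and an absent keyword falls back to a compiled-in default. The following checker is an added example written for this thread, not code from the post or from OpenSSH; it parses an sshd_config fragment with those rules and reports which settings still let an outsider reach a password prompt. The DEFAULTS table is an assumption (OpenSSH 7.0 or later; distribution drop-ins may change them), and both configs are constructed samples.

```python
"""Check which sshd_config settings still expose a password prompt.

Added example for the thread, not code from the post or from OpenSSH.  It
encodes two things a practitioner wants to verify after hardening sshd:

  * sshd uses the FIRST occurrence of a keyword and ignores later ones, so a
    "PasswordAuthentication no" appended below an earlier "yes" does nothing;
  * a keyword that is absent falls back to sshd's compiled-in default, which
    for password and keyboard-interactive authentication is "yes".

Assumption: the DEFAULTS table reflects OpenSSH 7.0 or later; distribution
packages may ship an Include'd drop-in that changes them, so confirm the
effective configuration with `sshd -T` on a real host.
"""
import re

# Values that keep an outsider away from a password prompt (lowercase).
ACCEPTABLE = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "challengeresponseauthentication": {"no"},  # older alias of the above
    "permitemptypasswords": {"no"},
}

# What sshd uses when the keyword is not set at all (assumed OpenSSH >= 7.0).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section, first occurrence wins.

    Everything from the first 'Match' line onward is conditional on the
    match criteria, so it is skipped here rather than evaluated.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # later duplicates are ignored, as sshd does
    return settings


def weak_settings(text):
    """Return [(keyword, effective_value)] for settings that still allow a
    password prompt, using sshd's defaults for keywords that are absent."""
    effective = parse_sshd_config(text)
    findings = []
    for key, good in ACCEPTABLE.items():
        value = effective.get(key, DEFAULTS[key])
        if value.lower() not in good:
            findings.append((key, value))
    return findings


# Constructed sample: an admin appended a hardening line to a file that
# already sets PasswordAuthentication; sshd keeps the first value.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# appended later; ignored by sshd because of the earlier line
PasswordAuthentication no
"""

# Constructed sample: key-only login; the Match block is conditional and
# is not part of the global verdict.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, weak_settings(cfg) or "ok")
```

Run against the weak sample it flags PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication from the file plus KbdInteractiveAuthentication from the default, and the appended "no" line changes nothing; the hardened sample comes back clean. On a live host, feed it the output of `sshd -T` rather than the file, since that already has Include files and defaults resolved.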
 
05-06-2008, 09:30 AM   #5
SlowCoder
Original Poster
sundialsvcs,

I appreciate your response. However, I am not trying to start a new "how to secure SSH" thread. I'm just curious why it appears that all of the IPs are registered in the East. Wondering if there's an agenda, political or philosophical, etc. Possibly that it's simply easier to victimize those machines due to their pirated status, as Emerson offered.

Just curiosity taking hold ...
 
05-06-2008, 11:07 AM   #6
unSpawn
Moderator
Registered: May 2001
Posts: 27,776
Blog Entries: 54
Quote:
Originally Posted by SlowCoder
Why do most SSH attacks seem to come from Asian countries?
Looking at http://www.internetworldstats.com/stats.htm you see that right now Asia has the most netizens, followed by Europe and Northern America in third place. So by total amount of users the chance it's a scan from Asia should be much higher, and your experience correlates (for now) with http://www.mynetwatchman.com/LIS.asp?Queue=HBRD (select incident reports, "Largest Incidents 7 Days").

Changing scope, a different spread is shown however in the historical view of http://www.incidents.org/country.html (select all countries, port 22, date 2004), http://www.shadowserver.org/wiki/pmw...cations#tables and Honeynets in other locations like http://www.honeypots-alliance.org.br/stats/flows/cc/ (Top Source Country Codes) and http://www.honeynet.cz/?mmenu=statis...ang=en&vmetr=1 (top 10 countries biggest number of attacks). While it is third in the internetworldstats, you see that Northern America appears to be responsible for a large, and in some places the largest, portion of scans. BTW you should also notice that for instance http://www.juniper.net/security/honeypot/ doesn't even mark TCP/22 as the most scanned port anymore. Most previously mentioned sources agree.

While there are people who scan whole class A networks from their own machines I doubt most (semi-) professional teams do that. And since obviously the most common practice is to use subverted machines as gateways you cannot determine who's behind it unless the scanner makes a mistake or gets trapped in a honeypot. Even then chances are you only have the puppet and not the master (http://ddanchev.blogspot.com/, anything RBN-related or botnet stats on shadowserver.org). After all the 'net is a twentyfour-slash-seven business and you could well field any amount of teams across TZs to do the work for you.

I would dig the ClippyOS remark if it made sense in terms of power, efficiency (automated activity) or monetary value, but I think a large portion of scanners are not ClippyOS-based but using GNU/Linux ("follow the money", virus activity, malware, next to ddanchev also see http://honeynet.org.au/?q=node/16 and http://www.honeynet.org.cn/index.php...d=80&Itemid=33). GNU/Linux usage would be easier to explain since next to open proxies and full-out frontal compromises there's a lot of misconfiguration that causes easy entry. If you wade through lists of IPs from Asia you should frequently find ISP, university and company MTAs, DNSes, gateways and whatnot. While misconfiguration is not typically something only Asia suffers from, it's clear they continue to suffer from structural problems throughout their whole chain, ranging from APNIC being in constant upheaval, CERTs being powerless, ISPs not caring or being unable to communicate with, to ISPs, institutes, companies and home users using outdated software and not adhering to any best practices.


So, in kinda "executive overview"-stylee that would be IMHO:
Q: TCP/22?
A: Depending on view not even in the top-10.
Q: Asia only?
A: No. Stats show it depends on location.
Q: Asia "more evil" or active compared to say Northern America?
A: No. Stats show definitely not.


@ECHO OFF
REM Anyone seeing anything to correct: BMG.
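Before counting an address as an "attack from Asia" it helps to see what the log actually shows per source, and to keep in mind that the address is only the last hop (a subverted machine or open proxy, as the post above says), so whois on it names the puppet, not the master. The script below is an added example written for this thread, not code from the post: it parses OpenSSH "Failed password" lines from a syslog-style auth.log, aggregates them per source address and separates a dictionary attack (one source cycling through usernames inside a short window) from a single mistyped password. The year is passed in because syslog timestamps carry none, and the log lines are constructed samples on documentation address ranges.

```python
"""Summarise sshd failed-password lines per source address.

Added example for the thread, not code from the post.  It separates a
dictionary attack (one source cycling through usernames in a short window)
from a single mistyped password, which is what you want before deciding that
an address is "attacking".  The address it reports is only the last hop: on
a subverted machine or an open proxy, whois tells you who owns the proxy,
not who runs the scan.

Assumptions: syslog-style auth.log lines from OpenSSH; syslog timestamps
carry no year, so the year is passed in.  The sample lines are constructed
and use documentation address ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(lines, year=2008):
    """Yield (timestamp, user, invalid_user, ip) for each failed-password line;
    other sshd lines (accepted logins, disconnects) are ignored."""
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["invalid"] is not None, m["ip"]


def summarize(lines, year=2008, min_attempts=3, window_seconds=600):
    """Return {ip: {...}} with the attempt count, distinct usernames, how many
    of them sshd rejected as unknown, the span of the failures in seconds and a
    dictionary_attack verdict: at least min_attempts failures across two or
    more usernames inside window_seconds."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0,
                                 "first": None, "last": None})
    for ts, user, invalid, ip in parse_failures(lines, year):
        rec = by_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        rec["invalid"] += int(invalid)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)

    report = {}
    for ip, rec in by_ip.items():
        span = (rec["last"] - rec["first"]).total_seconds()
        report[ip] = {
            "attempts": rec["attempts"],
            "distinct_users": len(rec["users"]),
            "invalid_users": rec["invalid"],
            "seconds": span,
            "dictionary_attack": (rec["attempts"] >= min_attempts
                                  and len(rec["users"]) >= 2
                                  and span <= window_seconds),
        }
    return report


# Constructed sample log: one source walks a username list; one legitimate
# user mistypes a password and then logs in with a key (ignored by the parser).
SAMPLE_LOG = """\
May  5 14:02:11 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May  5 14:02:13 host sshd[1235]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
May  5 14:02:15 host sshd[1236]: Failed password for root from 203.0.113.7 port 51161 ssh2
May  5 14:02:16 host sshd[1237]: Failed password for invalid user test from 203.0.113.7 port 51170 ssh2
May  5 14:09:40 host sshd[1300]: Failed password for alice from 198.51.100.20 port 40000 ssh2
May  5 14:09:55 host sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2: ED25519 SHA256:constructed
"""

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the sample, 203.0.113.7 shows four failures over four usernames (three of them unknown to the host) in five seconds and is flagged as a dictionary attack, while 198.51.100.20 has one failure and is not. Whatever the verdict, the country you get from whois on that address describes the owner of the last hop, which is exactly the ambiguity the thread is about.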
 
05-07-2008, 12:53 PM   #7
SlowCoder
Original Poster
Wow! Thanks for all the links! I'll have to review as I have time.
 
05-08-2008, 07:32 AM   #8
unSpawn
Moderator
You're welcome. It is nice to try and get a macro view of things once in a while...
 