Distributed SSH attack

Hi,

This is off topic to this list, but I don't want to subscribe to -chat just to post there... Someone is currently running a distributed SSH attack against one of my boxes - one attempted login for root every minute or so for the last 48 hours. They won't get anywhere, since the box in question has no root password, and doesn't allow root logins via SSH anyway...

But I was wondering if there were any security researchers out there that might be interested in the +-800 IPs I've collected from the botnet? The resolvable hostnames mostly appear to be in Eastern Europe and South America - I haven't spotted any that might be 'findable' to get the botnet software.

I could switch out the machine for a honeypot in a VM or a jail, by moving the host to a new IP, and if you can think of a way of allowing the next login to succeed with any password, then you could try to see what they delivered... But I don't have a lot of time to help.

Regards,
-Jeremy

--
FreeBSD - Because the best things in life are free... http://www.freebsd.org/

_______________________________________________
freebsd-hackers@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@..."

Re: Distributed SSH attack

Jeremy Lea wrote:
> Hi,
>
> This is off topic to this list, but I don't want to subscribe to -chat
> just to post there... Someone is currently running a distributed SSH
> attack against one of my boxes - one attempted login for root every
> minute or so for the last 48 hours. They won't get anywhere, since the
> box in question has no root password, and doesn't allow root logins via
> SSH anyway...
>
> But I was wondering if there were any security researchers out there
> that might be interested in the +-800 IPs I've collected from the
> botnet? The resolvable hostnames mostly appear to be in Eastern Europe
> and South America - I haven't spotted any that might be 'findable' to
> get the botnet software.
>
> I could switch out the machine for a honeypot in a VM or a jail, by
> moving the host to a new IP, and if you can think of a way of allowing
> the next login to succeed with any password, then you could try to see
> what they delivered... But I don't have a lot of time to help.
>
> Regards,
> -Jeremy

Hi Jeremy,

You could set up DenyHosts and contribute to the pool of IPs that are attempting SSH logins on the Net: http://denyhosts.sourceforge.net/faq.html#4_0

It also looks like there's been quite a spike of SSH login activity recently: http://stats.denyhosts.net/stats.html

Hope that helps,
Greg

--
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you

Re: Distributed SSH attack

Greg Larkin wrote:
> Jeremy Lea wrote:
>
>> Hi,
>>
>> This is off topic to this list, but I don't want to subscribe to -chat
>> just to post there... Someone is currently running a distributed SSH
>> attack against one of my boxes - one attempted login for root every
>> minute or so for the last 48 hours. They won't get anywhere, since the
>> box in question has no root password, and doesn't allow root logins via
>> SSH anyway...
>>
>> But I was wondering if there were any security researchers out there
>> that might be interested in the +-800 IPs I've collected from the
>> botnet? The resolvable hostnames mostly appear to be in Eastern Europe
>> and South America - I haven't spotted any that might be 'findable' to
>> get the botnet software.
>>
>> I could switch out the machine for a honeypot in a VM or a jail, by
>> moving the host to a new IP, and if you can think of a way of allowing
>> the next login to succeed with any password, then you could try to see
>> what they delivered... But I don't have a lot of time to help.
>>
>> Regards,
>> -Jeremy
>
> Hi Jeremy,
>
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0
>
> It also looks like there's been quite a spike of SSH login activity
> recently: http://stats.denyhosts.net/stats.html
>
> Hope that helps,
> Greg

Seeing different backbones wink in and out (work and home are on completely different backbones and are having roughly the same intermittent interruptions).

Re: Distributed SSH attack

On Fri, 2 Oct 2009 17:17 -0000, glarkin wrote:
> Jeremy Lea wrote:
> > Hi,
> >
> > This is off topic to this list, but I don't want to subscribe to -chat
> > just to post there... Someone is currently running a distributed SSH
> > attack against one of my boxes - one attempted login for root every
> > minute or so for the last 48 hours. They won't get anywhere, since the
> > box in question has no root password, and doesn't allow root logins via
> > SSH anyway...
> >
> > But I was wondering if there were any security researchers out there
> > that might be interested in the +-800 IPs I've collected from the
> > botnet? The resolvable hostnames mostly appear to be in Eastern Europe
> > and South America - I haven't spotted any that might be 'findable' to
> > get the botnet software.
> >
> > I could switch out the machine for a honeypot in a VM or a jail, by
> > moving the host to a new IP, and if you can think of a way of allowing
> > the next login to succeed with any password, then you could try to see
> > what they delivered... But I don't have a lot of time to help.
> >
> > Regards,
> > -Jeremy
>
> Hi Jeremy,
>
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0
>
> It also looks like there's been quite a spike of SSH login activity
> recently: http://stats.denyhosts.net/stats.html
>
> Hope that helps,
> Greg

Another temporary to long term solution might be the following utilities:

ports/security/sshguard-pf
ports/security/expiretable

This is more of a pf based solution, so that's up to your policies and decision.

Giving thanks to the post about DenyHosts; I didn't know that existed till this point.

Best regards.

--
%{----------------------------------------------------+
| dataix.net!jhell 2048R/89D8547E 2009-09-30 |
| BSD since FreeBSD 4.2 Linux since Slackware 2.1 |
| 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E |
+----------------------------------------------------%}

Re: Distributed SSH attack

On Fri, Oct 02, 2009 at 05:17:59PM -0400, Greg Larkin wrote:
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0

While I am well aware that a lot of people use DenyHosts or some equivalent tool, I've always been somewhat skeptical about these tools. A few issues:

1. Firewalls should generally be as static as is possible. There is a reason why high securelevel prevents modifications to firewalls.

2. Generally you do not want some parser to modify your firewall rules. Parsing log entries created by remote unauthenticated users as root is never a good idea.

3. Doing (2) increases the attack surface.

4. There have been well-documented cases where (3) has opened opportunities for both remote and local DoS.

Two cents, as they say,

Jukka.

Re: Distributed SSH attack

2009/10/3 Jukka Ruohonen <jruohonen@...>
> On Fri, Oct 02, 2009 at 05:17:59PM -0400, Greg Larkin wrote:
> > You could set up DenyHosts and contribute to the pool of IPs that are
> > attempting SSH logins on the Net:
> > http://denyhosts.sourceforge.net/faq.html#4_0
>
> While I am well aware that a lot of people use DenyHosts or some equivalent
> tool, I've always been somewhat skeptical about these tools. A few issues:
>
> 1. Firewalls should generally be as static as is possible. There is a
> reason why high securelevel prevents modifications to firewalls.
>
> 2. Generally you do not want some parser to modify your firewall rules.
> Parsing log entries created by remote unauthenticated users as root is
> never a good idea.
>
> 3. Doing (2) increases the attack surface.
>
> 4. There have been well-documented cases where (3) has opened opportunities
> for both remote and local DoS.
>
> Two cents, as they say,
>
> Jukka.

The simplest thing to do is disable password auth, and use key based.

Re: Distributed SSH attack

Hi,

On 3 Oct 2009, at 09:13, Jukka Ruohonen wrote:
> While I am well aware that a lot of people use DenyHosts or some
> equivalent tool, I've always been somewhat skeptical about these tools.
> A few issues:
>
> 1. Firewalls should generally be as static as is possible. There is
> a reason why high securelevel prevents modifications to firewalls.
>
> 2. Generally you do not want some parser to modify your firewall
> rules. Parsing log entries created by remote unauthenticated users as
> root is never a good idea.
>
> 3. Doing (2) increases the attack surface.
>
> 4. There have been well-documented cases where (3) has opened
> opportunities for both remote and local DoS.
>
> Two cents, as they say,
>
> Jukka.

Blackhole routes can be added as an alternative to tweaking firewall rules. The other objections (esp. 3) still apply of course, but these attacks are such a PITA (noise in the logs if nothing else) that one has to do something.

--
Bob Bishop
rb@...

Re: Distributed SSH attack

On Sat, 3 Oct 2009, krad wrote:
> The simplest thing to do is disable password auth, and use key based.

Your logs are still full of crap though.

I find sshguard works well, and I am fairly sure you couldn't spoof a valid TCP connection through pf sanitising, so it would be difficult (nigh-impossible?) for someone to cause you to block a legit IP.

If you can, changing the port sshd runs on is by far the simplest work around. Galling as it is to have to change stuff to work around malicious assholes..

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

Re: Distributed SSH attack

Daniel O'Connor wrote:
> On Sat, 3 Oct 2009, krad wrote:
>> The simplest thing to do is disable password auth, and use key based.
>
> Your logs are still full of crap though.
>
> I find sshguard works well, and I am fairly sure you couldn't spoof a
> valid TCP connection through pf sanitising, so it would be difficult
> (nigh-impossible?) for someone to cause you to block a legit IP.
>
> If you can, changing the port sshd runs on is by far the simplest work
> around. Galling as it is to have to change stuff to work around
> malicious assholes..

Believe it or not, I find this pf.conf rule very effective to mitigate this type of distributed SSH botnet attack:

block in quick proto tcp from any os "Linux" to any port ssh

Cheers,
--
Xin LI <delphij@...> http://www.delphij.net/
FreeBSD - The Power to Serve!

RE: Distributed SSH attack

> -----Original Message-----
> From: owner-freebsd-hackers@... [mailto:owner-freebsd-hackers@...] On Behalf Of Xin LI
> Sent: Sunday, October 04, 2009 4:35 AM
> To: Daniel O'Connor
> Cc: jruohonen@...; freebsd-hackers@...; krad
> Subject: Re: Distributed SSH attack
>
> Daniel O'Connor wrote:
>> On Sat, 3 Oct 2009, krad wrote:
>>> The simplest thing to do is disable password auth, and use key based.
>>
>> Your logs are still full of crap though.
>>
>> I find sshguard works well, and I am fairly sure you couldn't spoof a
>> valid TCP connection through pf sanitising, so it would be difficult
>> (nigh-impossible?) for someone to cause you to block a legit IP.
>>
>> If you can, changing the port sshd runs on is by far the simplest work
>> around. Galling as it is to have to change stuff to work around
>> malicious assholes..
>
> Believe it or not, I find this pf.conf rule very effective to mitigate
> this type of distributed SSH botnet attack:
>
> block in quick proto tcp from any os "Linux" to any port ssh

How does that work? Does PF do some sort of OS fingerprinting on the remote side before allowing the first SYN through?

Also, if you have a mix of Linux and FreeBSD boxes, presumably this would not be a great idea, right? It's not just getting people who are faking it?

From what I've seen of this attack, it looks like the hosts just send random logins to random IP addresses constantly, so adding an IP address to a blackhole list isn't as effective because you'll be getting hits from thousands of IP addresses, but only a single hit from each. In fact it looks like this attack is specifically designed to defeat the "I'll add the attacker's IP address to a black hole list" strategy, by coming in on a different address every time.

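Jason's point that each address shows up only once, and Jukka's warning about parsing attacker-influenced log lines before acting on them, can both be shown with a small log summarizer. This is an added example, not code from the thread or from DenyHosts or sshguard; the sshd log lines are constructed, and the thresholds are assumptions. A per-address count (what a DenyHosts-style blocker keys on) sees nothing, while counting distinct sources per target account does, and the parser takes the address only from the fixed tail of the line so nothing in the attacker-chosen user name can be mistaken for one.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines (not from the thread): five distinct sources
# each try "root" once, one tries "admin", one is a legitimate key login,
# and the last is truncated and must be rejected rather than guessed at.
SAMPLE_LOG = """\
Oct  3 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.10 port 40111 ssh2
Oct  3 10:01:05 host sshd[1203]: Failed password for root from 198.51.100.11 port 40112 ssh2
Oct  3 10:02:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 40113 ssh2
Oct  3 10:03:13 host sshd[1207]: Failed password for invalid user admin from 203.0.113.8 port 40114 ssh2
Oct  3 10:04:17 host sshd[1209]: Failed password for root from 192.0.2.55 port 40115 ssh2
Oct  3 10:05:21 host sshd[1211]: Accepted publickey for jeremy from 192.0.2.1 port 50000 ssh2
Oct  3 10:06:25 host sshd[1213]: Failed password for root from 2001:db8::1 port 40116 ssh2
Oct  3 10:07:29 host sshd[1215]: Failed password for root from
"""

# Strict pattern: the address is read only from the fixed "from <ip> port <n> ssh2"
# tail anchored at end of line; anything that does not fit exactly is dropped.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2$"
)

def parse_failed_login(line):
    """Return (user, ip) for a well-formed failure line, otherwise None."""
    m = FAILED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # reject address look-alikes
    except ValueError:
        return None
    return m.group("user"), str(ip)

def summarize(log_text):
    """Count failures per source address and distinct sources per target user."""
    per_ip = Counter()
    sources_per_user = {}
    rejected = 0
    for line in log_text.splitlines():
        if "Failed password" not in line:
            continue
        parsed = parse_failed_login(line)
        if parsed is None:
            rejected += 1
            continue
        user, ip = parsed
        per_ip[ip] += 1
        sources_per_user.setdefault(user, set()).add(ip)
    return per_ip, sources_per_user, rejected

def per_ip_offenders(per_ip, threshold=3):
    """Addresses a per-address blocker would act on (assumed threshold)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

def distributed_targets(sources_per_user, min_sources=4):
    """Accounts probed from at least min_sources distinct addresses."""
    return sorted(u for u, s in sources_per_user.items() if len(s) >= min_sources)
```

On the sample, `per_ip_offenders` returns nothing while `distributed_targets` returns `['root']`, which is the gap Jason describes.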
Re: Distributed SSH attack

Hi,

Andresen, Jason R. wrote:
[...]
>> Believe it or not, I find this pf.conf rule very effective to mitigate
>> this type of distributed SSH botnet attack:
>>
>> block in quick proto tcp from any os "Linux" to any port ssh
>
> How does that work? Does PF do some sort of OS fingerprinting on the
> remote side before allowing the first SYN through?

Well, this would have pros and cons. pf employs a "fingerprint" mechanism that passively detects the operating system based on some predefined criteria, and "Linux" matches several old Linux kernels' TCP fingerprints. Note that with some tweaks to Linux's TCP parameters, or newer Linux kernels, this can be bypassed. However, if the administrator chooses to do this, it's not quite likely that their boxes would be part of the botnet.

> Also, if you have a mix of Linux and FreeBSD boxes, presumably this
> would not be a great idea, right? It's not just getting people who
> are faking it?

Yes and no. Attackers would adapt to whatever defenders try to stop them with; however, for this type of attack (note that blocking Linux from being able to SSH to one system does not mean you would be safer, it just mitigates the excessive login issue), what the attacker wants is to have more botnet boxes, and he or she wouldn't care about having one more FreeBSD system there or not, at the expense of faking or tweaking the TCP stack.

> From what I've seen of this attack, it looks like the hosts just
> send random logins to random IP addresses constantly, so adding an
> IP address to a blackhole list isn't as effective because you'll be
> getting hits from thousands of IP addresses, but only a single hit
> from each. In fact it looks like this attack is specifically designed
> to defeat the "I'll add the attacker's IP address to a black hole
> list" strategy, by coming in on a different address every time.

Yes, that's right. Since the scan is being done over a large IP address space, it's possible to hide yourself by blocking Linux logins, since these boxes are usually managed by negligent administrators and tend not to apply security updates from time to time.

Cheers,
--
Xin LI <delphij@...> http://www.delphij.net/
FreeBSD - The Power to Serve!