Internet SSH scans


Re: Re: Internet SSH scans

by notonyour

I solved the SSHd scanning problem using a script called fail2ban. Home: http://fail2ban.sourceforge.net/ but let me recommend a page that explains the utility best: http://www.the-art-of-web.com/system/fail2ban/

Re: Internet SSH scans

by Hugo J. Curti

Hello Alexandre,

        I also had that problem. I decided not to change the port number, and
to live with the log noise, but to increase security I decided to deny
root access via ssh, and to Allow access to users that really require
ssh access (in my network there are more than 300 users, but only 5 need
ssh access, one of them is me). This reduces the possibility of a
successful brute force attack. Just add these lines in the sshd_config file:

PermitRootLogin no
AllowUsers <xx> <yy> <zz>

        where <xx>, <yy> and <zz> are the users that REALLY require ssh access,
after checking they do not have a weak user name (like 'john' or 'mary')
and/or a weak password.

Alexandre H wrote:

> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the
> Internet in the past four or five weeks. The scan seems to originate
> from various countries around the globe which makes me think of it to be
> a worm-like spreading virus searching for vulnerable systems running the
> SSH service. I confirmed the attack with a friend of mine who also
> happens to run a SSH server at home. We both live in Montreal, QC,
> Canada and are using the same ISP.
> .
> .
> .

RE: Internet SSH scans

by Adriano Carvalho

Like me.
When I want to connect to some machine, I must before get in a specific
machine, and after I can connect in all the network.

Many things can be done:

1) No root login
2) Only a specific User (AllowUsers option on sshd_config)
3) Only a specific machine
4) Some script to analyze the logs

At the "specific machine", I change some things:

1) Always use high ports, never default port
2) Hide ssh service. How? Try SAdoor
(http://packetstormsecurity.org/UNIX/penetration/rootkits/index6.html)

From packetstorm:
"SADoor is a non-listening remote administration tool for Unix systems. It
sets up a listener in non-promiscuous mode for a specific sequence of packets
arriving to the interface before allowing command mode. The commands are sent
Blowfish encoded in the TCP payload and decoded and passed on to system(3)."

It's cool, and good to hide some services...

Regards,
Adriano.

---------- Forwarded Message -----------
From: mrbits@...
To: incidents@...
Sent: 3 Mar 2006 09:33:56 -0000
Subject: Re: Re: RE: Internet SSH scans

These SSH scans are generated (in most cases) by Linux zombie machines,
infected with a kind of worm used to get vulnerable hosts to install a PBSync IRC.

I just changed my default SSH port and all attacks stopped.

Another way is to run something like DenyHosts, a python-based daemon that scans
logs and puts the "attacker ip" into /etc/hosts.deny:

SSHD:10.0.0.1  ( for example ).

CheerS
------- End of Forwarded Message -------


--
Adriano Carvalho.
Developer of the Honeypot-BR project
www.netnix.com.br


Re: Internet SSH scans

by Valdis.Kletnieks

On Tue, 21 Mar 2006 16:20:46 -0200, Adriano Carvalho said:

> 2) Hide ssh service. How ? Try SAdoor
> (http://packetstormsecurity.org/UNIX/penetration/rootkits/index6.html)
>
> From packetstorm:
> "SADoor is a non-listening remote administration tool for Unix systems. It
> sets up a listener in non-promiscuous mode for a specific sequence of packets
> arriving to the interface before allowing command mode. The commands are sent
> Blowfish encoded in the TCP payload and decoded and passed on to system(3)."
>
> It's cool, and good to hide some services...
Of course, if the password is ever compromised, you'll then be left wondering
how things are getting run, because you forgot you installed it. :)



Re: Internet SSH scans

by Adriano Carvalho

SAdoor has no password. I use it on some machines that I always connect to,
and that usually get attacks from brute force, worms...
How will the SSH password be compromised if I don't have an ssh service running
(supposedly, it's hidden), I can't log on with the root user, and I have a specific
user for each machine?

Regards,
Adriano.

On Tue, 21 Mar 2006 20:14:26 -0500, Valdis.Kletnieks wrote
> Of course, if the password is ever compromised, you'll then be left wondering
> how things are getting run, because you forgot you installed it. :)


--
Adriano Carvalho.
Developer of the Honeypot-BR project
www.netnix.com.br


Re: RE: Internet SSH scans

by Michael.Lang

*urgh* that's why things go terribly wrong.

Security by obscurity isn't safe, wasn't and will never be; if you just don't want the log entries, exclude them from your syslog.

if you want to secure your SSH Service, try the following steps:

 - if possible, use a separate LAN (MGMT) and bind
    your Service to this LAN only.
    if there's no physically separated LAN, build a
    virtual separated LAN (IPSec, ...)
 - disable the weakest Authentication (Password)
 - enforce your Authentication (RSA Keys) by
    limiting the usage (man sshd, look for from=)
 - enforce better policy in SSHD config, limit
    retries, ... for my understanding it doesn't
    make sense to lock out root. there are enough
    exploits to gain root access anyway.
 - if you still want to limit the IP/TCP access to
    SSH Service, do it on your Router in front of
    the Machine.

there are no 15 bricks to stumble over for allowed access, it's transparent for upgrades, and it's even more secure as there's no forgotten dependency.

my 5 cents
Greetz mIke
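The hardening steps from Hugo's sshd_config lines earlier in the thread and Mike's list above, turned into an audit of an sshd_config and an authorized_keys file. This is an added example, not code from any poster; the config text, the key lines and the MaxAuthTries limit of 3 are assumptions.

```python
"""Audit an sshd_config and authorized_keys against the steps in this thread:
no root login, AllowUsers, no password auth, limited retries, sshd bound to a
management address, from= on every key. Added example; inputs are constructed."""
import re

def parse_sshd_config(text):
    """Map lowercased directive -> first value (sshd honours the first one)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:                                 # "Key value" or "Key=value"
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            conf.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return conf

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_sshd_config(text), []
    for key in ("permitrootlogin", "passwordauthentication"):
        val = conf.get(key, "<unset>")
        if val.lower() != "no":
            findings.append(f"{key} is '{val}', want no")
    if "allowusers" not in conf:
        findings.append("no AllowUsers: every account may log in over ssh")
    if int(conf.get("maxauthtries", "6")) > 3:     # 6 is sshd's default
        findings.append("maxauthtries above 3")
    if "listenaddress" not in conf:
        findings.append("no ListenAddress: sshd binds every interface, not just MGMT")
    return findings

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")
def keys_without_from(authorized_keys):
    """Return the comment of every key that carries no from= restriction."""
    unrestricted = []
    for line in authorized_keys.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        first = line.split()[0]   # options, if any, are the first token
        if first in KEY_TYPES or not re.search(r'(^|,)from="', first):
            unrestricted.append(line.split()[-1])
    return unrestricted

SAMPLE_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers hugo alexandre
"""
SAMPLE_KEYS = """\
from="192.168.10.0/24",no-agent-forwarding ssh-rsa AAAAEXAMPLEKEY1 hugo@mgmt
ssh-rsa AAAAEXAMPLEKEY2 alexandre@laptop
"""
```

Running the audit on a real host means feeding it /etc/ssh/sshd_config and each user's ~/.ssh/authorized_keys; the sample strings only stand in for those files.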

Re: Internet SSH scans

by Valdis.Kletnieks

On Thu, 23 Mar 2006 09:01:08 GMT, Michael.Lang@... said:

>     retries, ... for my understanding it doesn't
>     make sense to lock out root. there are enough
>     exploits to gain root access anyway.

This is more an "auditing" requirement than providing extra security.

If I get called at 3:02AM because backups failed because some chucklehead made
a typo in a config file, which do I want to see in the logs?

A) Somebody ssh'ed from the terminal server as root and vi'ed /etc/back.config

B) Joe ssh'ed in from the terminal server, and did 'sudo vi /etc/back.config'

In the second case, I can call Joe at 3:09AM and ask him what crack he was
smoking at 1:15AM....  which is the whole point of the no-root restriction.

Remember - the *single* most dangerous thing to the average Cisco router isn't
a hacker with a 0-day IOS sploit - it's the "banana eater with enable"(*).  The same
is true for every other operating system....

(*) "banana eater" - the low level tech staff at a NOC are often referred to as
'NOC monkeys'. 'enable' is the IOS equivalent of a Unixoid 'su'.



Re: Internet SSH scans

by Jose Lima

while changing ports is an easy way to avoid ssh attacks, from a management perspective it's not practical in environments with 500+ users.

We have managed to keep the scans to a minimum using a combination of DenyHosts and iptables.

By throttling NEW connections to 4/minute with iptables it takes the dictionary attack 15 minutes to do what it normally does in less than 1 minute.

By that time, the attacker has already been placed in our /etc/hosts.deny file by DenyHosts for 45 days.  We also have emails sent from DenyHosts to our help desk where they are monitored in case (unlikely) an end user accidentally puts in the wrong user name 20 times in a row.

Since we only apply our iptables rule to NEW connections, established connections are not affected at all.

I have to agree with the password policy, I suggest enforcing password aging and pam_cracklib to ensure your local users choose strong passwords. Not too strong or they'll end up on a sticky note on their monitors :), use good judgment on that one.

BR,

J

Jamie Riden wrote:
[sorry, I managed to cc this to bugtraq rather than incidents first time around]

On 03/03/06, Alexandre H <alexandre.hamelin@gmail.com> wrote:
> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the
> Internet in the past four or five weeks. The scan seems to originate
> from various countries around the globe which makes me think of it to be
> a worm-like spreading virus searching for vulnerable systems running the
> SSH service. I confirmed the attack with a friend of mine who also
> happens to run a SSH server at home. We both live in Montreal, QC,
> Canada and are using the same ISP.

I think I've been seeing scans for a year or two now, but the password
guessing seemed to be fairly plentiful for the whole of last year. I
saw a couple of boxes compromised through 'temporary' accounts like
upload/upload which had escaped the admin's notice.

My suggested mitigation is to move SSH to an alternate port, possibly
go to key pair authentication rather than password, restrict what IP
addresses are allowed to connect to sshd as far as possible and/or use
crack/john to ensure that people don't set dumb passwords.

cheers,
 Jamie

(In case anyone is interested in the gory details - one compromised
box had some privilege escalation exploits uploaded, someone tried to
use it for sending ebay phishing emails, and then started it scanning
for other weak ssh passwords as well -
http://www.infosecwriters.com/texts.php?op=display&id=402 )
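The DenyHosts behaviour that Adriano and Jose describe above (failed sshd logins counted per source address, the source written to /etc/hosts.deny, entries kept for 45 days) reconstructed in Python as an added example. It is not DenyHosts' own code; the log lines, the thresholds of 5 and 20, and the comment line format are constructed.

```python
"""DenyHosts-style scan of sshd failures in auth.log, as in Adriano's and Jose's
setups: count failed logins per source and emit /etc/hosts.deny entries with
the date they may be purged. Added example, not DenyHosts; data is constructed."""
import re
from collections import Counter
from datetime import date, timedelta
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# Assumed thresholds: a name that is not an account is never a user's typo, so
# it is denied sooner than failures against a real account (Jose's help-desk case).
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 20
PURGE_AFTER = timedelta(days=45)    # Jose keeps entries for 45 days

SAMPLE_LOG = """\
Mar 21 16:20:01 gw sshd[1201]: Failed password for invalid user upload from 203.0.113.7 port 40122 ssh2
Mar 21 16:20:02 gw sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 40123 ssh2
Mar 21 16:20:03 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Mar 21 16:20:04 gw sshd[1204]: Failed password for invalid user guest from 203.0.113.7 port 40125 ssh2
Mar 21 16:20:05 gw sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 40126 ssh2
Mar 21 16:21:10 gw sshd[1210]: Failed password for joe from 192.168.10.5 port 51000 ssh2
Mar 21 16:21:14 gw sshd[1210]: Failed password for joe from 192.168.10.5 port 51000 ssh2
Mar 21 16:21:20 gw sshd[1210]: Accepted publickey for joe from 192.168.10.5 port 51000 ssh2
"""

def count_failures(log_text):
    """Two Counters keyed by source IP: failures on real accounts, on invalid names."""
    valid, invalid = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            (invalid if m.group("invalid") else valid)[m.group("ip")] += 1
    return valid, invalid

def hosts_to_deny(log_text, today_iso):
    """Sorted (ip, purge_date_iso) pairs for every source over threshold."""
    valid, invalid = count_failures(log_text)
    deny = {ip for ip, n in invalid.items() if n >= DENY_THRESHOLD_INVALID}
    deny |= {ip for ip, n in valid.items() if n >= DENY_THRESHOLD_VALID}
    purge = (date.fromisoformat(today_iso) + PURGE_AFTER).isoformat()
    return [(ip, purge) for ip in sorted(deny)]

def hosts_deny_lines(log_text, today_iso):
    """hosts_access(5) lines; '#' only starts a comment at line start, so the
    purge date gets its own line."""
    out = []
    for ip, purge in hosts_to_deny(log_text, today_iso):
        out += [f"# log scan: purge after {purge}", f"sshd: {ip}"]
    return out
```

Joe's two typos stay under the threshold for existing accounts, so only the scanner that tried five non-existent names ends up in hosts.deny.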