Weird SSH attack last night and this morning (still ongoing)


Weird SSH attack last night and this morning (still ongoing)

by Gary Baribault-2


I don't know what is going on last night and this morning ... I have
three Linux servers facing the Internet, two on cable modems and another
on a static IP/commercial connection and this last one is a gateway to a
Web/FTP/SMTP/Pop3/NTP Linux based system.

I have DenyHosts installed on all three and have blocked about 75
attempts .. from known compromised addresses .. The log shows
(obviously) that there were even more attempts from addresses that are
unknown to DenyHosts but there was only one login attempt per address and
it was with the Root account .. which is obviously blocked in my sshd
config ..

Of the three machines, one of them only had about 10 attempts, but the
other two had about 200 attempts .. all of them with only 1 try with the
user Root ..

Is anyone else seeing this? Or am I being targeted? This is still going
on now .. and it started around 10:00 last night GMT+4

--
Gary Baribault
Courriel: gary@...
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013


Re: Weird SSH attack last night and this morning (still ongoing)

by Gary Baribault-2


I'm hit all the time too, but it's usually scripted, and they'll try 6 -
8 logins before my DenyHosts script bans the IP address. In this case,
there is only one login attempt, and it's with root .. then that source IP
doesn't try again .. it's as if someone just got some default password
or maybe a blank one and has asked an entire botnet to try it once for
all machines on the Internet .. it's weird!

Gary B

bigbadhoss@... wrote:
>  These happen all the time on my servers, probably just background
>  noise, but it could be something else.

>  Sent from my Verizon Wireless BlackBerry
>
>  -----Original Message-----
>  From: Gary Baribault <gary@...>
>
>  Date: Wed, 07 May 2008 08:27:15
>  To:incidents@...
>  Subject: Weird SSH attack last night and this morning (still ongoing)
> <snip>


Re: Weird SSH attack last night and this morning (still ongoing)

by Robert Taylor-8


It's extremely common to have these scans.

http://robotterror.com/site/wiki/mitigating_brute_force_password_attacks_with_pam_abl

That's a link to my blog. I'm a Linux System Admin at a major hosting  
company; this is something I see nightly. Usually, though, I see hits  
on the order of thousands per hour before I get worried.


On May 7, 2008, at 7:27 AM, Gary Baribault wrote:

> <snip>


Re: Weird SSH attack last night and this morning (still ongoing)

by Blaine Fleming


Gary Baribault wrote:
> I don't know what is going on last night and this morning ... I have
> three Linux servers facing the Internet, two on cable modems and
> another on a static IP/commercial connection and this last one is a
> gateway to a Web/FTP/SMTP/Pop3/NTP Linux based system.
> <snip>
> Is any one else seing this? or am I being targeted? This is still
> going on now .. and it started arround 10:00 last night GMT+4

I've had one system bouncing off of SSH on one of my servers for about a
week now.  I have fail2ban configured to drop them for six hours after
five failed connects.  The server in question is configured for key
authentication only but they keep trying to submit a password anyway.  
The second the ban drops I see them connecting again.  Other than that,
I haven't seen anything bouncing off my servers repeatedly.  Everything
gets banned once and never comes back.

--Blaine



RE: Weird SSH attack last night and this morning (still ongoing)

by Erin Carroll


Gary,

I am seeing the exact same traffic pattern & attempts as of ~10:20pm PST:
Single attempts to remote root ssh from disparate IPs with few (if any)
repeated source locations. So now we have a sample size of 2 :)

When I saw this hitting my servers last night I thought it an odd attack
pattern but surmised it was either a targeted slow attack with spoofed IPs
or a "slow roll" botnet using throttled connects to try flying under the
radar for alerting. I was leaning toward the latter and even more so now
that I see my organization isn't the only one.

Just block root ssh and apply a source IP whitelist for valid non-root
allows if you require remote ssh for day to day. I consider it bad security
practice to allow remote root ssh anyway. People should use user accounts
and a sane sudoers config instead.



--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba@...
"Do Not Taunt Happy-Fun Ball"



-----Original Message-----
From: Gary Baribault [mailto:gary@...]
Sent: Wednesday, May 07, 2008 5:27 AM
To: incidents@...
Subject: Weird SSH attack last night and this morning (still ongoing)



Re: Weird SSH attack last night and this morning (still ongoing)

by bugtraq-22



On Wed, 7 May 2008, Gary Baribault wrote:

> <snip>


Hi,

have seen the same just recently. Around the same no. of attempts, every
one coming from a different host and all tries against the root account.

I haven't seen this before myself and I don't think it's generated by the
same ssh brute forcing malware practically every attacker seems to be
using. Has anyone followed up on this with the originating site and been
able to get the malware? (A colleague of mine is trying that right now but
the chances of getting the malware are slim ...)

Regards,
Andreas Bunten

Re: Weird SSH attack last night and this morning (still ongoing)

by Gary Baribault-2


I haven't had any luck getting the attack code either .. it's clearly
automated and I've had many replies saying that others have been hit the
same over the last 18 hours .. it's actually a rather stupid attack,
since it only tries root and only once..


Gary Baribault
Courriel: gary@...
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013



seg wrote:

> <snip>


Re: Weird SSH attack last night and this morning (still ongoing)

by Brent Kearney-3


I noticed the same thing starting yesterday.  On the surface it  
appears to be a distributed attack from a botnet.  Attempts are made  
at 2-3 minute intervals.  At a glance, they look like random IPs, but  
out of 436 attempts since yesterday evening, there are only 198 unique  
source IP addresses.

Has anyone checked out what data they are sending for a password?

Brent

On May 7, 2008, at 06:27 , Gary Baribault wrote:

> <snip>



--
Systems Analyst
Banff International Research Station
http://www.birs.ca
+1 403 763 6997





Re: Weird SSH attack last night and this morning (still ongoing)

by Bartholomew Mallio


Hi everyone--

In the last month, I've started to see distributed / co-ordinated SSH
login attempts not unlike the one Gary is describing.   However, I have
seen a handful of hosts attempt this, but have yet to see a really large
number attempt one password each.

Thanks,
--bart

Gary Baribault wrote:

> <snip>

RE: Weird SSH attack last night and this morning (still ongoing)

by Erin Carroll


Robert,

I agree that this kind of traffic/attack is extremely common. The only
notable thing about this one is the very slow attack interval perceived by
the individual targets. Instead of hammering away at a single target it
looks like a botnet which is cycling through a large list of targets to
spread the attack around and more likely sneak in under the radar. That way
the botnet can leverage its size to run thousands of attacks simultaneously
but limit the risk of alerting the individual targets since each destination
is hit with attempts in a small trickle. This method of attack is not so
common.

It's easy to see or be alerted on the defense side of hundreds or thousands
of failed attempts but a couple an hour from all different IPs? Fairly easy
to imagine this slipping past most automated defense or threshold-based
protections alerts for organizations. Fail2ban, denyhosts, and other ways of
automating response need the threshold to be reached to blackhole/null the
attacker source. This attack pattern seems explicitly designed to bypass
those types of controls which is what makes it interesting.


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba@...
"Do Not Taunt Happy-Fun Ball"






-----Original Message-----
From: Robert Taylor [mailto:rjamestaylor@...]
Sent: Wednesday, May 07, 2008 10:04 AM
To: Gary Baribault
Cc: incidents@...
Subject: Re: Weird SSH attack last night and this morning (still ongoing)


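Erin's point above (and Brent's 436 attempts from only 198 sources) as an added example, not code from the thread or from fail2ban/DenyHosts: it parses constructed sshd auth-log lines and contrasts the per-source count a ban-after-N-failures tool acts on with the aggregate count of root-targeted failures across all sources, which is where this trickle pattern shows up. The log year, the ban threshold and the minimum source count are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample of sshd auth-log lines (not a capture from the thread):
# five single root attempts from four sources minutes apart, one non-root
# guess, and one legitimate key login that must be ignored.
SAMPLE_LOG = """\
May  7 22:01:13 gw sshd[4121]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  7 22:03:40 gw sshd[4130]: Failed password for root from 198.51.100.17 port 40022 ssh2
May  7 22:06:02 gw sshd[4137]: Failed password for root from 203.0.113.77 port 33012 ssh2
May  7 22:08:55 gw sshd[4142]: Failed password for invalid user admin from 192.0.2.9 port 60100 ssh2
May  7 22:11:19 gw sshd[4150]: Failed password for root from 198.51.100.200 port 55001 ssh2
May  7 22:13:47 gw sshd[4158]: Failed password for root from 203.0.113.5 port 51300 ssh2
May  7 22:14:02 gw sshd[4160]: Accepted publickey for gary from 192.0.2.50 port 44000 ssh2
"""

# Standard OpenSSH "Failed password" line; the "invalid user" prefix appears
# when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
LOG_YEAR = 2008  # syslog timestamps carry no year; assumed for the sample


def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for every failed password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def assess(events, ban_threshold=5, min_sources=3):
    """Compare the per-source view (what a ban-after-N-failures tool acts on)
    with the aggregate view of root-targeted failures across all sources.

    ban_threshold: failures from one IP before a per-source tool would ban it
                   (assumed value; the thread mentions 5 and 6-8).
    min_sources:   distinct sources needed before the aggregate is flagged.
    """
    root = sorted(e for e in events if e[1] == "root")
    per_ip = Counter(ip for _, _, ip in root)
    busiest = max(per_ip.values(), default=0)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(root, root[1:])]
    return {
        "root_failures": len(root),
        "unique_sources": len(per_ip),
        "max_per_source": busiest,
        # Sources a per-IP threshold tool would have banned: typically none.
        "would_be_banned": sorted(ip for ip, n in per_ip.items() if n >= ban_threshold),
        # Spacing between consecutive attempts; a slow trickle shows as minutes.
        "median_gap_seconds": median(gaps) if gaps else None,
        # The distributed pattern: many sources, none crossing the ban line.
        "distributed": len(per_ip) >= min_sources and busiest < ban_threshold,
    }


if __name__ == "__main__":
    for key, value in assess(parse_failures(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, no source reaches the ban threshold, so a per-IP tool stays silent, while the aggregate view reports five root failures from four sources about two and a half minutes apart.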

Re: Weird SSH attack last night and this morning (still ongoing)

by Valdis.Kletnieks


On Wed, 07 May 2008 10:53:35 PDT, Erin Carroll said:

> When I saw this hitting my servers last night I thought it an odd attack
> pattern but surmised it was either a targeted slow attack with spoofed IP's

Unless your operating system is *very* broken and doesn't do RFC1948 randomization
of the TCP Initial Sequence Number, using a spoofed IP just gets you a bunch
of sockets stuck in half-open state (SYN received, SYN/ACK sent to the spoofed
source, no ACK back).  If it's gotten through the 3-packet handshake, you may
as well assume that it's a real IP address (or the attacker has already pwned
enough infrastructure that they can see the SYN/ACK you send, in which case
they control the horizontal and vertical and you're now in an Outer Limits
episode... ;)




Re: Weird SSH attack last night and this morning (still ongoing)

by Robert Taylor-8


Good points.

I plead exhaustion for missing the key differentiator of this attack:
one attempt at root (likely the null password attack, as a guess).  
Reason for my tiredness? I'm a third shift admin.

Thank you for the clarification.

On May 7, 2008, at 1:15 PM, Erin Carroll wrote:

> <snip>


RE: Weird SSH attack last night and this morning (still ongoing)

by Erin Carroll


I've been there. Sleep is good.

Though you did remind me with your null attack comment to get off my butt
and capture the packets to see if it's a specific hole trying to be
exploited and not just a brute force password run.


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba@...
"Do Not Taunt Happy-Fun Ball"




-----Original Message-----
From: Robert Taylor [mailto:rjamestaylor@...]
Sent: Wednesday, May 07, 2008 11:24 AM
To: Erin Carroll
Cc: 'Gary Baribault'; incidents@...
Subject: Re: Weird SSH attack last night and this morning (still ongoing)



Re: Weird SSH attack last night and this morning (still ongoing)

by Gary Baribault-2


Yeah, but I'm a masochist, I run these servers for the fun of it and to
see what's happening on the net. I see all of the background static and
every now and again I see something fun like this!

Gary Baribault
Courriel: gary@...
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013




Darren Bolding wrote:

> And, not to pretend that it adds any great additional security to any
> sort of attack, but running sshd on a non-standard port reduces the
> number of scans/attacks I see dramatically- to the point that I
> actually rarely see any connection attempts from anyone other than
> authorized users.  It's simple, fast and doesn't require any packages
> installed or anything.
>
> But that may not be an option for all user communities.
>
> --D
>
> On Wed, May 7, 2008 at 10:53 AM, Erin Carroll <amoeba@...> wrote:
>
>     <snip>
>
>
> --
> -- Darren Bolding --
> -- darren@... --

Re: Weird SSH attack last night and this morning (still ongoing)

by Mick Pollard-2


On Wed, 07 May 2008 08:27:15 -0400
Gary Baribault <gary@...> wrote:

> I don't know what is going on last night and this morning ... I have
> three Linux servers facing the Internet, two on cable modems and another
> on a static IP/commercial connection and this last one is a gateway to a
> Web/FTP/SMTP/Pop3/NTP Linux based system.
>

> Of the three machines, one of them only had about 10 attempts, but the
> other two had about 200 attempts .. all of them with only 1 try with the
> user Root ..
>
> Is anyone else seeing this? or am I being targeted? This is still going
> on now .. and it started around 10:00 last night GMT+4
These aren't related to the recent openssh advisory for debian based
distros? [USN-612-2] OpenSSH vulnerability
A bot looking for debian based servers with weak ssh keys?
Just a thought.

-
Regards
Mick Pollard ( lunix )
------------------------------------------------
BOFH Excuse of the day:
Extraneous Parity Interrupt





Re: Weird SSH attack last night and this morning (still ongoing)

by Gary Baribault-2

I doubt it, that's a man in the middle attack if I understood, this is a
kind of distributed brute force and as I said in a more recent post,
they are no longer only trying Root, but are using a list of alphabetic
logins so it has evolved.

Gary B




Mick Pollard wrote:

>  On Wed, 07 May 2008 08:27:15 -0400
>  Gary Baribault <gary@...> wrote:
>
> > I don't know what is going on last night and this morning ... I have
> > three Linux servers facing the Internet, two on cable modems and another
> > on a static IP/commercial connection and this last one is a gateway to a
> > Web/FTP/SMTP/Pop3/NTP Linux based system.
> >
>
> > Of the three machines, one of them only had about 10 attempts, but the
> > other two had about 200 attempts .. all of them with only 1 try with the
> > user Root ..
> >
> > Is anyone else seeing this? or am I being targeted? This is still going
> > on now .. and it started around 10:00 last night GMT+4
>  These aren't related to the recent openssh advisory for debian based
>  distros? [USN-612-2] OpenSSH vulnerability
>  A bot looking for debian based servers with weak ssh keys?
>  Just a thought.
>
>  -
>  Regards
>  Mick Pollard ( lunix )
>  ------------------------------------------------
>  BOFH Excuse of the day:
>  Extraneous Parity Interrupt
>
>


Re: Weird SSH attack last night and this morning (still ongoing)

by Valdis.Kletnieks

On Wed, 14 May 2008 19:05:21 EDT, Gary Baribault said:
> I doubt it, that's a man in the middle attack if I understood, this is a
> kind of distributed brute force and as I said in a more recent post,

No, the Debian OpenSSH vuln isn't a MITM attack (although it could be used
as *part* of one).  The problem is that rather than trillions upon trillions
of possible keys, it would only generate one of some 2^18 keys, making the
brute forcing much easier (if you had a botnet of 10,000 bots, you could
break a weak key with an average of only 13 probes per bot, as opposed to
the several million years' worth of probes it should have taken).




Re: Weird SSH attack last night and this morning (still ongoing)

by Valdis.Kletnieks

On Fri, 16 May 2008 01:17:48 BST, Alex Howells said:

> > of possible keys, it would only generate one of some 2^18 keys, making the
> > brute forcing much easier (if you had a botnet of 10,000 bots, you could
> > break a weak key with an average of only 13 probes per bot, as opposed to
> > the several million year's worth of probes it should have taken).
>
> I'm somewhat curious where you get the 2**18 number, all reasonable
> analysis seems to conclude it is actually 2**15 -- although if you

I cheated and looked at the tester that got released, it had 2**18 - 4
keys it checked for (and a quick look at the 4 missing spots shows that those
would likely have been discarded as "weak" keys - stuff like all-zeros, etc).





Re: Weird SSH attack last night and this morning (still ongoing)

by Valdis.Kletnieks

On Fri, 16 May 2008 17:19:16 EDT, dxp said:

> Correction, one would only need to generate the amount of keys which
> would equal the size of maximum PID value on Linux based system
> (PID_MAX_DEFAULT).  That equals 32768 (2^15) on a 32bit platform or,
> more precisely, on LP32 data model systems.

That would be very nice, except that many of us are on 64-bit platforms
and can set /proc/sys/kernel/pid_max much higher. include/linux/threads.h says:


/*
 * This controls the default maximum pid allocated to a process
 */
#define PID_MAX_DEFAULT (CONFIG_BASE_SMALL ? 0x1000 : 0x8000)

/*
 * A maximum of 4 million PIDs should be enough for a while.
 * [NOTE: PID/TIDs are limited to 2^29 ~= 500+ million, see futex.h.]
 */
#define PID_MAX_LIMIT (CONFIG_BASE_SMALL ? PAGE_SIZE * 8 : \
	(sizeof(long) > 4 ? 4 * 1024 * 1024 : PID_MAX_DEFAULT))


