Security Incidents mailing list archives

SSH bruteforce on its way...

From: Volker Tanger <vtlists () wyae de>
Date: Wed, 19 Oct 2005 21:47:10 +0200

Greetings!

In the last days I observed a rising number of SSH bruteforce attempts
against my servers, trying to find valid user names. One distiguishing
feature is a typo in the used names: "deutch" (instead of "deutsch",
which is directly following its english translation "german"). It seems
to work in 3 phases: a portscan, followed half a day later with a user
name scan, which probably(*) followed by a passwort attack against 
harvested user names.

From what I was told the bot installs files into /var/tmp/.bash/, among

them an IRC-Bouncer. Entry to the infected system was gained via a
successful SSH bruteforcing. (Un)fortunately I have to rely on
second-hand reports on this worm, as I only have seen SSH bruteforce
attempts increasing quite noticably on the last few days.


My recommendations to discourage/prevent this SSH bruteforcing:

1.) Use key authentication and disable plain password logins. This 
    way password bruteforcing itself is practically impossible. 

2.) Running SSH on a port NOT tcp/22 - okay, that's just obfuscation, 
    but false connects/scans dropped from a some attacking hosts an 
    hour to zero.

3.) Another possibility to prevent (or at least: seriously delay)
    bruteforcing to be done successfully is to inhibit multiple 
    connects within a given timeframe. See
    http://www.debian-administration.org/articles/187

4.) And of course: monitoring! Especially for illegal user logins or
    unsuccessful passwords.


On the other side: has anyone been infected and/or had the chance to
inspect the rootkit and/or the aims the people running the botnet try 
to achieve?

Thanks

Volker


(*) Well, I was myself not affected, but often saw the connects. Alas
    only the first few ones before the transgressors were shut out for 
    a few hours (see recommendation 3)...   ;-)

-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB

Current thread:

SSH bruteforce on its way... Volker Tanger (Oct 19)
- Re: SSH bruteforce on its way... Paul Robertson (Oct 24)
  - Re: [incidents] Re: SSH bruteforce on its way... Tim Kennedy (Oct 24)
- <Possible follow-ups>
- Re: SSH bruteforce on its way... foxxz . net (Oct 24)
- Re: SSH bruteforce on its way... jouser (Oct 24)
  - Re: SSH bruteforce on its way... Justin (Oct 24)
    - Re: SSH bruteforce on its way... Russell Fulton (Oct 25)
    - Re: SSH bruteforce on its way... Valdis . Kletnieks (Oct 26)
    - Re: SSH bruteforce on its way... Kurt Seifried (Oct 26)
    - Re: SSH bruteforce on its way... Justin (Oct 26)
    - Re: SSH bruteforce on its way... Daniel Cid (Oct 26)

(Thread continues...)