Security Basics mailing list archives

Re: SSH server under attack...


From: Daniel Cid <danielcid () yahoo com br>
Date: Fri, 10 Feb 2006 12:48:01 -0300 (ART)

Take a look at the OSSEC HIDS. It analyses sshd logs, firewall logs, IDS logs, etc. It executes responses based on the rules, so you can block automated scans (via iptables, ipfilter, hosts.deny, etc.). It also performs integrity checking and rootkit detection.

More info: http://www.ossec.net/hids/

Thanks,

Daniel B. Cid

--- Juan Hernandez <hvjuan () kanux com> wrote:

Hey there...

What if there is some 'automated daemon' running through the logs and, once it sees an IP address doing this, adds a chain to iptables?

I did this in Python about a year ago, reading the logs once every hour (cron process), and if someone tries to log in with at least 5 different users, it adds a chain to my iptables settings and that's it, the attacker is blocked.

Also, there are many open source tools that might do a similar task.

Juan

Isaac Perez wrote:

Do all of your users connect by SSH?
If only admins need to connect, you can change the configuration to only allow one SSH user to connect, with a strange name. At least you will be sure that the user will never be in a common list.
And after that you can su to the user you want.
Also you can contact the ISP of the servers that attack you; I do that, and sometimes it works.
Also you can configure tcpwrappers, or any similar software, to close and discard any connection when an IP tries to connect so many times.

Dave wrote:

My SSH server has been under DoS and I can't stop it!!!

I changed the port of the SSH server from 22 to 2222. This isn't going to really do much, but it would stop some automated script that attacks port 22. OK... within a few hours the server was being attacked again on port 2222. This is an *active* attacker, active in that he is actively monitoring what he is doing. The router/firewall logs don't show any dropped packets sent to port 22, so he changed the port of the attack script.

Now, the new machine to attack me is 200.55.192.29. This belongs to a company in South America called 'Springs South America Textiles Ltda.'. I scanned the machine and found that it is hosting a webserver (Apache/2.0.52 (Fedora) Server at www.springs.cl) among other services. The last machine the attacker used to brute-force me was also an Apache server (RH Linux). So this attacker is cracking various webservers (most likely) or some other service on these boxes in order to use these machines as an attack platform.

Now, yes, I notified the admin of this company etc., but think of this. If this admin is going to put an *unused* and unprotected server on the net, then what kind of admin is he? Will he even care about my email? Who knows! Calling the authorities is not going to work 'cause frankly I am a nobody... who cares if my servers are under attack! No one is going to waste resources (money) in trying to find this guy, so really it's up to me.

So what do we know about this guy? At first the info seems conflicting: he has the ability to crack a number of random servers and use them at his disposal, but he is running the same stupid attack over and over... why? First off, the attack is a brute-force attack. He is trying to guess a username/password combo in order to be able to log into my server and get shell access... but maybe not. Like I said, he is no dummy. So what is he doing? I think DoS (denial of service); the brute-force tool is just the means to an end. He isn't trying to break in by doing this. Maybe he couldn't break in to my server, so he is resorting to the next trick up his sleeve. By having all these machines attempting to log into my server over and over he might be trying to use up my bandwidth, in effect causing a DoS to anyone! OR... in closely looking at the logs you will notice something *unusual*:

Failed password for invalid user admin from ::ffff:200.55.192.29 port 34182 ssh2
Invalid user admin from ::ffff:200.55.192.29
Failed password for invalid user admin from ::ffff:200.55.192.29 port 34679 ssh2
Invalid user admin from ::ffff:200.55.192.29
Failed password for invalid user admin from ::ffff:200.55.192.29 port 34752 ssh2
Invalid user administrator from ::ffff:200.55.192.29
Failed password for invalid user administrator from ::ffff:200.55.192.29 port 35253 ssh2
Invalid user administrator from ::ffff:200.55.192.29
Failed password for invalid user administrator from ::ffff:200.55.192.29 port 35735 ssh2
Invalid user administrator from ::ffff:200.55.192.29
Failed password for invalid user administrator from ::ffff:200.55.192.29 port 36237 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 36703 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 36813 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from ::ffff:200.55.192.29 port 37332 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from ::ffff:200.55.192.29 port 37820 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from ::ffff:200.55.192.29 port 38267 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from ::ffff:200.55.192.29 port 38757 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from ::ffff:200.55.192.29 port 38844 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from ::ffff:200.55.192.29 port 39333 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from ::ffff:200.55.192.29 port 39812 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40312 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40787 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from ::ffff:200.55.192.29 port 40893 ssh2
Invalid user sya from ::ffff:200.55.192.29


Each user name was tried three times. What does this mean... I don't know, but right off hand I would guess that he is trying to lock out legit user accounts. You see, some servers will disallow a user to log in if they entered three wrong passwords. This, strangely enough, is used to help stop brute forcing!!! Anyway, the attacker has put together a list of *potential* user names that *might* be found on my server and is attempting to lock them out... in effect creating a DoS to any users whose names appear on this list.

=== message truncated ===
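The hourly log scan Juan describes (block any source that has tried at least five different usernames), run over the log lines Dave posted so that the "three tries per username" pattern he points out is also visible, as an added example. This is not Juan's script, OSSEC, or any other poster's code. The syslog prefix, the function names (summarize, sources_to_block, iptables_commands), the threshold parameter and the allowlist are this example's own choices; the iptables commands are built and returned rather than executed, so it runs without root.

```python
"""Scan an sshd log for brute-force sources and build iptables blocks.

Added example, not Juan's script or any tool from the thread. It reads
sshd log lines, counts distinct usernames per source address, blocks any
source over a threshold (5, Juan's figure), and keeps a per-username
attempt count, which is what exposes Dave's "three tries per username"
observation. Commands are returned, not run.
"""
import re
from collections import defaultdict

# One pattern covers both event lines sshd writes per failed attempt:
#   Invalid user NAME from SRC
#   Failed password for invalid user NAME from SRC port N ssh2
# sshd bound to an IPv6 socket logs IPv4 peers as ::ffff:a.b.c.d, as in
# Dave's log, so that prefix is optional and only the IPv4 part is kept.
LINE_RE = re.compile(
    r"(?:Failed password for )?[Ii]nvalid user (?P<user>\S+) from "
    r"(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Dave's posted attempts as (username, client port). The syslog prefix
# below is constructed; the post shows only the message part.
ATTEMPTS = [
    ("admin", 34182), ("admin", 34679), ("admin", 34752),
    ("administrator", 35253), ("administrator", 35735), ("administrator", 36237),
    ("tads", 36703), ("tads", 36813), ("tads", 37332),
    ("tip", 37820), ("tip", 38267), ("tip", 38757),
    ("myra", 38844), ("myra", 39333), ("myra", 39812),
    ("jack", 40312), ("jack", 40787), ("jack", 40893),
]
SRC = "::ffff:200.55.192.29"
PREFIX = "Feb 10 12:00:00 host sshd[1234]: "  # constructed, not from the post


def sample_log():
    """Rebuild Dave's excerpt as full syslog lines (constructed prefix)."""
    lines = []
    for user, port in ATTEMPTS:
        lines.append(f"{PREFIX}Invalid user {user} from {SRC}")
        lines.append(f"{PREFIX}Failed password for invalid user {user} "
                     f"from {SRC} port {port} ssh2")
    # The excerpt ends on a fresh username with no password attempt yet.
    lines.append(f"{PREFIX}Invalid user sya from {SRC}")
    return lines


def summarize(lines):
    """Return {ip: {user: failed_password_count}}.

    A username seen only in an 'Invalid user' line is kept with count 0,
    so it still counts toward the distinct-username total for its source.
    """
    stats = defaultdict(dict)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        ip, user = m.group("ip"), m.group("user")
        stats[ip].setdefault(user, 0)
        if "Failed password" in line:
            stats[ip][user] += 1
    return dict(stats)


def sources_to_block(stats, min_users=5, allowlist=frozenset()):
    """Sources that tried at least min_users distinct usernames.

    allowlist holds addresses that must never be blocked (your own
    management hosts), so a mistyped login cannot lock you out.
    """
    return sorted(ip for ip, users in stats.items()
                  if len(users) >= min_users and ip not in allowlist)


def iptables_commands(ips, chain="INPUT"):
    """Build, but do not execute, one DROP rule per source.

    '-I chain 1' inserts at the top, so the rule is evaluated before any
    ACCEPT for the sshd port. A cron job would run each command with
    subprocess.run(cmd, check=True) as root.
    """
    return [["iptables", "-I", chain, "1", "-s", ip, "-j", "DROP"]
            for ip in ips]


if __name__ == "__main__":
    stats = summarize(sample_log())
    for ip, users in stats.items():
        print(ip, users)  # 200.55.192.29 {'admin': 3, 'administrator': 3, ...}
    for cmd in iptables_commands(sources_to_block(stats)):
        print(" ".join(cmd))
```

On Dave's excerpt this yields one source, 200.55.192.29, with seven distinct usernames (the six with three failed passwords each, plus "sya" at 0), so it crosses Juan's threshold and one DROP rule is emitted. Counting only "Failed password" lines for attempts, while still recording names from "Invalid user" lines, keeps the per-user figures honest when the log is cut mid-attempt, as it is here.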
