Security Basics mailing list archives
Re: SSH server under attack...
From: Juan Hernandez <hvjuan () kanux com>
Date: Thu, 26 Jan 2006 11:51:54 -0400
Hey there...What if there is some 'automated daemon' running thru the logs and once it sees an ip address doing this, add a chain to iptables?
I did this in python about a year ago, reading the logs once every hour -cron process- and if someone tries to log with at least 5 diffent users, it adds a chain to my iptables settings and that's it, the attacker is blocked
Also, there are many open source tools that might do a similar task Juan Isaac Perez wrote:
All of your users connect by ssh?If only admins need to connect you can change the configuration to only allow one ssh user to connect, with a extrange name. At least you will be sure that the user never will be in a common list.And after you can su to the user you want.Alsoo you can contact to the ISP of the servers that attacks you, I do that, and sometimes works. Alsoo you can configure tcpwrapers,or any software similar, to close and discard any connection when a ip try to connect so many times.En/na Dave ha escrit:My SSH server has been under DoS and I cant stop it!!! I changed the port of the SSH server from 22 to 2222. This isnt going to really do much but it would stop some automated script that attacks port 22. OK...within a few hours the server was being attacked again on port 2222. This is an *active* attacker, active in that he is actively monitoring what he is doing. The router/firewall logs dont show any dropped packets sent to port 22 so he changed the port of the attack script. Now, the new machine to attack me is 200.55.192.29. This belongs to a company in south america called 'Springs South America Textiles Ltda.'. I scanned the machine and found that it is hosting a webserver (Apache/2.0.52 (Fedora) Server at www.springs.cl) among other services. The last machine the attacker used to brute_force me was also an apache server (rh linux). So this attacker is cracking various webservers (most likely) or some other service on these boxes in order to use these machines as an attack platform. Now, yes, i notified the admin of this company etc..but think of this. If this admin is going to put an *unused* and unprotected server on the net then what kind of admin is he? Will he even care about my email? Who knows! Calling the authorities is not going to work 'cause frankly I am a nobody...who cares if my servers are under attack! No one is going to waste resource (money) in trying to find this guy, so really its up to me. So what do we know about this guy? At first the info seems conflicting: He has the ability to crack a number of random servers and use them at his disposal but he is running the same stupid attack over and over...why? First off, the attack is a brute force attack. He is trying to guess a username password combo in order to be able to log into my server and get shell access...but maybe not. Like I said..he is no dummy. So what is he doing? I think DoS (denial of service) , the brute force tool is just the means to an end. He isnt trying to break in by doing this. Maybe he coudnt break in to my server so he is resorting to the next trick up his sleeve. By having all these machines attempting to log into my server over and over he might be trying to use up my bandwidth in effect causing a DoS to anyone! OR...In closely looking at the logs you will notice something *unusual*: Failed password for invalid user admin from ::ffff:200.55.192.29 port 34182 ssh2 Invalid user admin from ::ffff:200.55.192.29 Failed password for invalid user admin from ::ffff:200.55.192.29 port 34679 ssh2 Invalid user admin from ::ffff:200.55.192.29 Failed password for invalid user admin from ::ffff:200.55.192.29 port 34752 ssh2 Invalid user administrator from ::ffff:200.55.192.29 Failed password for invalid user administrator from ::ffff:200.55.192.29 port 35253 ssh2 Invalid user administrator from ::ffff:200.55.192.29 Failed password for invalid user administrator from ::ffff:200.55.192.29 port 35735 ssh2 Invalid user administrator from ::ffff:200.55.192.29 Failed password for invalid user administrator from ::ffff:200.55.192.29 port 36237 ssh2 Invalid user tads from ::ffff:200.55.192.29 Failed password for invalid user tads from ::ffff:200.55.192.29 port 36703 ssh2 Invalid user tads from ::ffff:200.55.192.29 Failed password for invalid user tads from ::ffff:200.55.192.29 port 36813 ssh2 Invalid user tads from ::ffff:200.55.192.29 Failed password for invalid user tads from ::ffff:200.55.192.29 port 37332 ssh2 Invalid user tip from ::ffff:200.55.192.29 Failed password for invalid user tip from ::ffff:200.55.192.29 port 37820 ssh2 Invalid user tip from ::ffff:200.55.192.29 Failed password for invalid user tip from ::ffff:200.55.192.29 port 38267 ssh2 Invalid user tip from ::ffff:200.55.192.29 Failed password for invalid user tip from ::ffff:200.55.192.29 port 38757 ssh2 Invalid user myra from ::ffff:200.55.192.29 Failed password for invalid user myra from ::ffff:200.55.192.29 port 38844 ssh2 Invalid user myra from ::ffff:200.55.192.29 Failed password for invalid user myra from ::ffff:200.55.192.29 port 39333 ssh2 Invalid user myra from ::ffff:200.55.192.29 Failed password for invalid user myra from ::ffff:200.55.192.29 port 39812 ssh2 Invalid user jack from ::ffff:200.55.192.29 Failed password for invalid user jack from ::ffff:200.55.192.29 port 40312 ssh2 Invalid user jack from ::ffff:200.55.192.29 Failed password for invalid user jack from ::ffff:200.55.192.29 port 40787 ssh2 Invalid user jack from ::ffff:200.55.192.29 Failed password for invalid user jack from ::ffff:200.55.192.29 port 40893 ssh2 Invalid user sya from ::ffff:200.55.192.29 Each user name was tried three times. What does this mean...I dont know but right off hand I would guess that he is trying to lock out legit user accounts. You see some servers will disallow a user to log in if they entered three wrong passwords. This, strangely enough, is used to help stop brute forcing!!! Anyway, The attacker has put together a list of *potential* user names that *might* be found on my server and is attempting to lock them out...in effect creating a DoS to any users whose names appear on this list. He also knew right away when I changed the sshd port number and wasted no time in getting another machine to attack me via this port! Authorities arent going to help...Servers admin prob doesnt care plus the attacker most likely has access to any number of servers so writing the abuse lines could be a daily chore just to keep up...any recommendations? Any help / comments / flames appreciated take it easy... dave---------------------------------------------------------------------------EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.http://www.msia.norwich.edu/secfocus------------------------------------------------------------------------------------------------------------------------------------------------------EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.http://www.msia.norwich.edu/secfocus---------------------------------------------------------------------------
--------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- SSH server under attack... Dave (Jan 24)
- Message not available
- Re: SSH server under attack... Dave (Jan 25)
- Message not available
- Re: SSH server under attack... Josh Chaney (Jan 25)
- Re: SSH server under attack... Edward Krack (Jan 25)
- Re: SSH server under attack... Isaac Perez (Jan 25)
- Re: SSH server under attack... Juan Hernandez (Jan 29)
- Message not available
- Re: SSH server under attack... Dave (Jan 25)
- Re: SSH server under attack... Bryan S. Sampsel (Jan 26)
- Re: SSH server under attack... Dave (Jan 25)
- Re: SSH server under attack... Robert Larsen (Jan 25)
- Re: SSH server under attack... Ansgar -59cobalt- Wiechers (Jan 26)
- Re: SSH server under attack... Rembrandt (Jan 26)
- Re: SSH server under attack... Jason Mitchell (Jan 25)
- Re: SSH server under attack... Teemu A. (Jan 26)
- Re: SSH server under attack... ilaiy (Jan 25)
- RE: SSH server under attack... Matt Cunnane (Jan 26)
- Re: SSH server under attack... Frankie Li (Jan 26)