Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSH bruteforce on its way...

From: Daniel Cid <danielcid () yahoo com br>
Date: Wed, 26 Oct 2005 18:28:12 -0300 (ART)
Another idea is to use some kind of HIDS with log
analysis. I like the OSSEC HIDS (self promotion :) ),
because it does log analysis, integrity checking and
rootkit detection (http://www.ossec.net/hids)...

Recently I had a problem with SSH brute force , and an
alert like the following e-mail is very useful...


OSSEC HIDS Notification.
2005 Oct 13 18:29:41

Received From: /var/log/auth.log
Rule: 404 fired (level 10) -> "Attempt to login using
a non-existent user"
Portion of the log(s):

"sshd[26512]: Invalid user yyy from x.x.x.x
"

 --END OF NOTIFICATION



OSSEC HIDS Notification.
2005 Oct 13 18:29:41

Received From: /var/log/auth.log
Rule: 408 fired (level 13) -> "SSHD brute force trying
to get access to the system"
Portion of the log(s):

"sshd[26510]: Invalid user db2as from x.x.x.x
sshd[26512]: Invalid user rwa from x.x.x.x
sshd[26504]: Invalid user ro from x.x.x.x
sshd[26502]: Invalid user db2fenc1 from x.x.x.x 
sshd[26496]: Invalid user swift from x.x.x.x
sshd[26498]: Invalid user db2as from x.x.x.x
sshd[26489]: Invalid user db2fenc1 from x.x.x.x
sshd[26486]: Invalid user n3ssus from x.x.x.x
sshd[26483]: Invalid user bash from x.x.x.x
"

 --END OF NOTIFICATION


Hope it helps..

--
Daniel B. Cid, CISSP
daniel.cid@ (at )gmail.com


--- Russell Fulton <r.fulton () auckland ac nz> escreveu:




Justin wrote:

Jouser,

Nah, there were some exploits a while back that

took advanteage in

some timing flaws in the SSHd that let attackers

determin valid

usernames.

Would you please provide some supporting references.
 I can not find any
evidence of existing timing attacks against openssh.
 In fact Openssh
goes to some trouble to defeat such attacks.

While on this thread, one effective counter measure
against brute force
password attacks is to use decent passwords which
everyone should be
doing anyway.  We have lost about 3 systems here to
ssh brute force
attacks and in all cases the systems were in serious
breach of our
policies (which are not particularly draconian).

In one case I did feel a bit sorry for the victims,
they had installed a
third party package that created an account with an
insecure password
and they never noticed.  A good case for simple
monitoring script like
the one that is run nightly on OBSD system that
warns you about changes
in critical files.

Russell.



peace,
--Justin

On 21 Oct 2005 18:05:27 -0000, jouser () gmail com

<jouser () gmail com> wrote:



I didn't think it was possible to determine valid

usernames by themselves?  You either have a valid
username AND password or not.








        



        
                
_______________________________________________________ 
Promoção Yahoo! Acesso Grátis: a cada hora navegada você
acumula cupons e concorre a mais de 500 prêmios! Participe!
http://yahoo.fbiz.com.br/
Previous By Date Next
Previous By Thread Next

Current thread: