Security Incidents mailing list archives
Re: SSH bruteforce on its way...
From: Daniel Cid <danielcid () yahoo com br>
Date: Wed, 26 Oct 2005 18:28:12 -0300 (ART)
Another idea is to use some kind of HIDS with log analysis. I like the OSSEC HIDS (self promotion :) ), because it does log analysis, integrity checking and rootkit detection (http://www.ossec.net/hids)... Recently I had a problem with SSH brute force , and an alert like the following e-mail is very useful... OSSEC HIDS Notification. 2005 Oct 13 18:29:41 Received From: /var/log/auth.log Rule: 404 fired (level 10) -> "Attempt to login using a non-existent user" Portion of the log(s): "sshd[26512]: Invalid user yyy from x.x.x.x " --END OF NOTIFICATION OSSEC HIDS Notification. 2005 Oct 13 18:29:41 Received From: /var/log/auth.log Rule: 408 fired (level 13) -> "SSHD brute force trying to get access to the system" Portion of the log(s): "sshd[26510]: Invalid user db2as from x.x.x.x sshd[26512]: Invalid user rwa from x.x.x.x sshd[26504]: Invalid user ro from x.x.x.x sshd[26502]: Invalid user db2fenc1 from x.x.x.x sshd[26496]: Invalid user swift from x.x.x.x sshd[26498]: Invalid user db2as from x.x.x.x sshd[26489]: Invalid user db2fenc1 from x.x.x.x sshd[26486]: Invalid user n3ssus from x.x.x.x sshd[26483]: Invalid user bash from x.x.x.x " --END OF NOTIFICATION Hope it helps.. -- Daniel B. Cid, CISSP daniel.cid@ (at )gmail.com --- Russell Fulton <r.fulton () auckland ac nz> escreveu:
Justin wrote:Jouser, Nah, there were some exploits a while back thattook advanteage insome timing flaws in the SSHd that let attackersdetermin validusernames.Would you please provide some supporting references. I can not find any evidence of existing timing attacks against openssh. In fact Openssh goes to some trouble to defeat such attacks. While on this thread, one effective counter measure against brute force password attacks is to use decent passwords which everyone should be doing anyway. We have lost about 3 systems here to ssh brute force attacks and in all cases the systems were in serious breach of our policies (which are not particularly draconian). In one case I did feel a bit sorry for the victims, they had installed a third party package that created an account with an insecure password and they never noticed. A good case for simple monitoring script like the one that is run nightly on OBSD system that warns you about changes in critical files. Russell.peace, --Justin On 21 Oct 2005 18:05:27 -0000, jouser () gmail com<jouser () gmail com> wrote:I didn't think it was possible to determine validusernames by themselves? You either have a valid username AND password or not.
_______________________________________________________ Promoção Yahoo! Acesso Grátis: a cada hora navegada você acumula cupons e concorre a mais de 500 prêmios! Participe! http://yahoo.fbiz.com.br/
Current thread:
- SSH bruteforce on its way... Volker Tanger (Oct 19)
- Re: SSH bruteforce on its way... Paul Robertson (Oct 24)
- Re: [incidents] Re: SSH bruteforce on its way... Tim Kennedy (Oct 24)
- <Possible follow-ups>
- Re: SSH bruteforce on its way... foxxz . net (Oct 24)
- Re: SSH bruteforce on its way... jouser (Oct 24)
- Re: SSH bruteforce on its way... Justin (Oct 24)
- Re: SSH bruteforce on its way... Russell Fulton (Oct 25)
- Re: SSH bruteforce on its way... Valdis . Kletnieks (Oct 26)
- Re: SSH bruteforce on its way... Kurt Seifried (Oct 26)
- Re: SSH bruteforce on its way... Justin (Oct 26)
- Re: SSH bruteforce on its way... Daniel Cid (Oct 26)
- Re: SSH bruteforce on its way... Justin (Oct 24)
- Re: SSH bruteforce on its way... Valdis . Kletnieks (Oct 25)
- Re: SSH bruteforce on its way... Paul Robertson (Oct 24)
- Re: SSH bruteforce on its way... Michael . Lang (Oct 25)
- Re: SSH bruteforce on its way... Javier Fernandez-Sanguino (Oct 26)
- Re: SSH bruteforce on its way... Volker Tanger (Oct 26)
- SNMP worm? David Gillett (Oct 26)
- Re: SNMP worm? Mark Ryan del Moral Talabis (Oct 26)
- RE: SNMP worm? David Gutierrez (Oct 26)
- Re: SSH bruteforce on its way... Christine Kronberg (Oct 31)
- Re: SSH bruteforce on its way... Javier Fernandez-Sanguino (Oct 26)
- Re: SSH bruteforce on its way... Lionel Ferette (Oct 26)
- Re: SSH bruteforce on its way... Michael Lang (Oct 26)