[Intrusions] brute force attack - tcp wrappers and iptables not helping?

Smith, Donald Donald.Smith at qwest.com
Wed Apr 27 17:09:14 GMT 2005


We have seen reverse dns return localhost. I theorized this might get
past systems that first do a reverse ip lookup and then use the NAME to
decide if the system is allowed.
If you filter on said localhost (by name, not ip based) it might be fooled by this
method.


donald.smith at qwest.com giac 
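The scenario described above, as an added example that is not part of the original post or of tcp_wrappers itself: a small Python model of what happens when an access rule trusts the name returned by a reverse lookup. It parses failed-login lines in the format quoted later in the thread, maps the `::ffff:a.b.c.d` notation back to an IPv4 address, and then evaluates three kinds of rule against a constructed DNS table in which one outside address has a PTR record claiming to be `localhost`. The log lines, the DNS tables, the lab subnets and the rule names are all assumptions made up for the example.

```python
import ipaddress
import re

# Constructed sample /var/log/secure lines (same format as quoted in the thread).
# sshd logs "::ffff:a.b.c.d" for IPv4 clients when it listens on an IPv6 socket.
SAMPLE_LOG = """\
Apr 21 10:02:11 ws1 sshd[2211]: Failed password for invalid user admin from ::ffff:203.0.113.45 port 4312 ssh2
Apr 21 10:02:15 ws1 sshd[2213]: Failed password for invalid user test from ::ffff:198.51.100.7 port 4320 ssh2
Apr 21 10:03:01 ws1 sshd[2215]: Failed password for invalid user oracle from ::ffff:10.1.2.3 port 4331 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)"
)

# Constructed resolver answers standing in for DNS: PTR (reverse) and A (forward).
PTR = {
    "203.0.113.45": "localhost",          # outside host whose PTR answer claims "localhost"
    "198.51.100.7": "host7.example.net",
    "10.1.2.3": "lab3.lab.example",
}
A = {
    "localhost": ["127.0.0.1"],
    "host7.example.net": ["198.51.100.7"],
    "lab3.lab.example": ["10.1.2.3"],
}

# The lab's two "inside" subnets (constructed values).
INSIDE = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")]


def normalize(addr):
    """Map ::ffff:a.b.c.d back to the IPv4 address; leave IPv4 and real IPv6 alone."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        return ip.ipv4_mapped
    return ip


def parse_failures(text):
    """Return (user, source_ip, port) for every failed-password line."""
    rows = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            rows.append((m["user"], normalize(m["addr"]), int(m["port"])))
    return rows


def allowed_by_name(ip, allowed_names=("localhost",)):
    """Model of a name-based allow rule that trusts whatever the PTR record says."""
    return PTR.get(str(ip)) in allowed_names


def allowed_by_name_fcrdns(ip, allowed_names=("localhost",)):
    """Same rule, but the reverse name must also resolve forward to the connecting address."""
    name = PTR.get(str(ip))
    if name not in allowed_names:
        return False
    return str(ip) in A.get(name, [])


def allowed_by_address(ip):
    """Address-based rule: the connecting IP must lie inside one of the lab subnets."""
    return any(ip in net for net in INSIDE)


def audit(text):
    """Map each failing source IP to (name_only, name_with_fcrdns, address_based) verdicts."""
    result = {}
    for _user, ip, _port in parse_failures(text):
        result[str(ip)] = (
            allowed_by_name(ip),
            allowed_by_name_fcrdns(ip),
            allowed_by_address(ip),
        )
    return result


if __name__ == "__main__":
    for ip, verdicts in audit(SAMPLE_LOG).items():
        print(ip, "name-only=%s fcrdns=%s address=%s" % verdicts)
```

Running it shows the outside address 203.0.113.45 passing the name-only rule (its PTR says "localhost") while failing both the forward-confirmed check and the address-based check; only the lab host 10.1.2.3 passes the address-based rule. The practical takeaway matches Donald's point: write hosts.allow and iptables rules in terms of addresses or netmasks rather than names, and if names must be used, insist that the reverse name resolves forward to the same address.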

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Susanne Hemker
> Sent: Wednesday, April 27, 2005 9:26 AM
> To: intrusions at lists.sans.org
> Subject: RE: [Intrusions] brute force attack - tcp wrappers 
> and iptables not helping?
> 
> 
> Hi Donald,
> the reverse lookup on the IP works fine (I used dig -x). It is 
> mostly private homepages and I doubt that those people are 
> really trying to attack the workstation; it is more likely 
> that they have been hacked into already. The thing I really 
> want to know is, how did they get to the ssh login in the 
> first place? I understood all the things you guys suggested on 
> how to secure my workstation, but I am just curious how they 
> got past the tcp wrapper. Thanks, Susanne 
> 
> >>> Donald.Smith at qwest.com 04/27/05 9:57 AM >>>
> A few questions/comments inline below.
> 
> donald.smith at qwest.com giac 
> 
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Susanne
> Hemker
> > Sent: Tuesday, April 26, 2005 8:08 AM
> > To: intrusions at lists.sans.org
> > Subject: RE: [Intrusions] brute force attack - tcp wrappers 
> > and iptables not helping?
> > 
> > 
> > Hi everybody,
> > thanks for your suggestions and sorry I did not get back to
> > you earlier. 
> > 1) I tried to ssh from a host that is not in my 
> > /etc/hosts.allow and I do not get an ssh login, only: 
> > ssh_exchange_identification: Connection closed by remote host. 
> 
> Which means you completed a tcp 3-way handshake but were 
> refused by the sshd (probably tcp wrappers, not iptables)! 
> iptables should have refused the connection before the 
> three-way handshake was completed.
> 
> > 2) The attacks come from different machines, some in Asia and
> > some in the U.S., but those look to me as if they were hacked 
> > already in and are used to attack other computers. None of 
> > those IPs are in any way allowed to log onto my workstation. 
> 
> What are those IPs and what does your dns resolver return 
> when you ask for a reverse ip lookup? With all the dns 
> poisoning, hijacking etc there may be a way to trick your 
> filters depending on the return hostname for that reverse ip lookup.
> 
> 
> > 3) In the iptables I have everything from the outside set to
> > REJECT (both IPv4 and IPv6).
> > 4) My "inside" hosts are on two subnets and those are listed 
> > in the /etc/hosts.allow and set to "ACCEPT all" in the iptables.
> > 5) I do not have the hosts listed in the sshd_config, perhaps 
> > I should change this and also change the authentication 
> > method (which is PasswordAuthentication right now). Any 
> > further suggestions on how they might have gotten to the 
> > ssh-login? Thanks, Susanne
> >  
> > >>> Twalraven at counterpane.com 04/22/05 9:38 AM >>>
> > Susanne, I see your concern.  Properly configured IPTables
> > rules and TCPWrappers should prevent this.  Have you actually 
> > attempted to access the ssh service from a host outside of 
> > the lab yourself?
> > 
> > Tim Walraven,CISSP,CISM,CISA
> > Counterpane Internet Security
> > 
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Susanne
> Hemker
> > Sent: Thursday, April 21, 2005 10:24 AM
> > To: intrusions at lists.sans.org
> > Subject: [Intrusions] brute force attack - tcp wrappers and 
> > iptables not helping?
> > 
> > Hi everybody,
> > 
> > somebody is trying to break into one of our workstations.
> > The /var/log/secure contains lots of:
> > 
> >  Failed password for invalid user $name  from ::ffff:$IP
> > port $port ssh2
> > 
> > from different IPs, ports and usernames.
> > 
> > Since the tcp wrappers and the iptables should not allow ssh
> > login from any host outside our lab, I am wondering how he/she
> > even got to the login. Any suggestions?
> > 
> > Thanks,
> > 
> > Susanne
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions 
> > 
> > 
> 
> 
