[Intrusions] SSH brute forcing attacks

Smith, Donald Donald.Smith at qwest.com
Tue May 17 14:10:51 GMT 2005


The list of usernames and passwords has grown VERY large.
The last list I saw had 3400+ passwords.
The handlers had several short write-ups on this including various
mitigation techniques.



donald.smith at qwest.com giac 

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Andrew Daviel
> Sent: Tuesday, May 17, 2005 3:18 AM
> To: intrusions at incidents.org
> Subject: [Intrusions] SSH brute forcing attacks
> 
> 
> 
> FYI
> 
> A year or so ago we saw an SSH brute-forcing attack that seemed to
> try test/test, guest/guest and a couple of others against machines.
> And yes we had a machine set up for casual use with guest/guest ...
> 
> More recently we have seen more exhaustive dictionary attacks, with
> multiple attempts against root and random names for unprivileged
> accounts. Since the traffic is encrypted, and sshd does not log the
> password, I don't know what was being tried (hacked version
> for honeypot required ??)
> 
> I had not initially thought that this was a significant threat, since
> sshd will not allow rapid retries and hopefully hundreds of
> thousands of guesses would be required to hit a reasonably strong password.
> 
> However, this assumption may not be valid ... I think we have
> had maybe 3 machines compromised in this way, from attacks running for weeks or
> months against hundreds of machines.
> 
> Since we have, generally speaking, a need for legitimate
> access for users around the world from home, travelling or working at other
> institutions, we allow SSH access to most non-sensitive machines.
> However, in view of these attacks I have implemented a dynamic filter
> via system-wide logging - multiple login failures across monitored
> machines will result in the source being blocked.
> 
> -- 
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> security at triumf.ca
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
> 
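The dynamic filter Andrew describes (central logging, count login failures per source across the monitored machines, block the source once it crosses a threshold) can be sketched as a short log-processing script. The following is an added example, not the TRIUMF filter or anything from the list post; it assumes sshd messages arrive at a central syslog host in the classic "Mon DD HH:MM:SS host sshd[pid]: ..." format, that the year is 2005 (syslog timestamps carry none), and the threshold, window and iptables command are constructed choices. The sample log lines and addresses (RFC 5737 documentation ranges) are constructed too.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines as they would arrive at a central syslog host:
# timestamp, originating host, program[pid], message. Addresses are from
# the RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
May 17 03:10:01 shell1 sshd[2201]: Failed password for invalid user test from 192.0.2.10 port 41234 ssh2
May 17 03:10:04 shell1 sshd[2203]: Failed password for invalid user guest from 192.0.2.10 port 41240 ssh2
May 17 03:10:09 shell2 sshd[988]: Failed password for root from 192.0.2.10 port 41251 ssh2
May 17 03:10:15 web1 sshd[4410]: Failed password for invalid user admin from 192.0.2.10 port 41260 ssh2
May 17 03:10:22 shell2 sshd[991]: Failed password for root from 192.0.2.10 port 41277 ssh2
May 17 03:11:30 shell1 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
May 17 03:12:02 shell1 sshd[2212]: Failed password for alice from 198.51.100.7 port 50030 ssh2
May 17 03:12:10 shell1 sshd[2214]: Accepted password for alice from 198.51.100.7 port 50031 ssh2
May 17 09:45:00 web1 sshd[4502]: Failed password for invalid user oracle from 203.0.113.5 port 33001 ssh2
May 17 09:45:03 web1 sshd[4503]: Failed password for invalid user oracle from 203.0.113.5 port 33002 ssh2
"""

# Matches OpenSSH's "Failed password" line for both existing and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2005):
    """Yield (timestamp, host, user, ip) for each sshd 'Failed password' line.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2005 here)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        yield ts, m["host"], m["user"], m["ip"]


def sources_to_block(text, threshold=4, window=timedelta(minutes=10), min_hosts=1):
    """Return {ip: (failures, hosts)} for every source that produced at least
    `threshold` failures inside some `window`, spread over at least `min_hosts`
    distinct monitored machines. Thresholds are constructed values; tune them
    so that a user mistyping a password a few times is not blocked."""
    events = defaultdict(list)
    for ts, host, _user, ip in parse_failures(text):
        events[ip].append((ts, host))

    blocked = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {h for _t, h in span}
            if (len(span) >= threshold and len(hosts) >= min_hosts
                    and (best is None or len(span) > best[0])):
                best = (len(span), sorted(hosts))
        if best:
            blocked[ip] = best
    return blocked


def block_rules(blocked):
    """Render one firewall command per blocked source. This only builds the
    strings; a real filter would hand them to the packet filter (and expire them)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = sources_to_block(SAMPLE_LOG)
    for ip, (count, hosts) in hits.items():
        print(f"{ip}: {count} failures across {hosts}")
    for rule in block_rules(hits):
        print(rule)
```

Counting across hosts is what makes this catch the slow, distributed pattern described above: a source trying root on each of a hundred machines a few times looks harmless to any single sshd, but the central view sees the aggregate. The `min_hosts` knob lets the filter demand that spread before blocking, and the single legitimate user who mistypes once (198.51.100.7 in the sample) never reaches the threshold.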



