[unisog] step up in SSH scanning starting today?
Paul FM
paulfm at me.umn.edu
Tue May 13 13:44:43 GMT 2008
The targets are anything with a fast network connection (the faster the
connection - the more valuable the target). Many of these attacks are to
set up control machines for botnets (most of the botnets are controlled from
Unix/Linux machines). And remember - THIS IS MOSTLY ORGANIZED CRIME
(Mafias/Gangs) doing this stuff (they hire highly skilled hackers). SPAM is
big money.
There has been a constant attack like this on anything running ssh for more
than the last two years. More than 50% of the time - they are attempting to
break into default accounts (admin, guest, lp, etc), or other common user
accounts. I have seen an Elementary School Web site as the source of this
sort of attack (most of the attacks are from other machines which have
already been compromised).
To reduce the attacks (at home) I use XINETD (tcp wrap compiled in) to start
ssh (slows down the startup to several seconds for each connection - which is
good) and my /etc/hosts.allow file has these entries (not the complete file):
ALL : 127.0.0.1 : allow
# We don't want ssh dependent on DNS lookups to work from my internal network
sshd : 192.168.0. : allow
ALL : PARANOID : RFC931 20 : deny
sshd : .{bad-domain-1}.net : deny
sshd : .{bad-domain-2}.com : deny
sshd : .{bad-domain-3}.com : deny
sshd : .edu .com .net .us : allow
# Deny everything else
ALL : ALL : RFC931 20 : deny
The important line is the last allow (I don't tend to hang out at .gov
sites). This has caused nearly 80% of the attacking machines to be denied a
connection (and all of those since midnight last night). And I am still able
to connect to it from anywhere I would use it. You will note 3 domains added
in (I had a lot of attacks from those domains - and since I don't intend to
ssh in from there - it was easiest to just block them - I changed the names
to protect the guilty).
If you run a large network (if you have a router or firewall) - consider
limiting incoming ssh connections to a few well maintained "GATEWAY" machines
and blocking the rest - a lot of people run ssh without understanding the
security ramifications (too many people with Macs turn on ssh, and so do
people with linux/unix who don't know what they are doing - then there are
the scary people who install ssh on a windows machine - and don't know how to
securely configure it). ssh is only as secure as it is configured to be
(and the defaults are only moderately secure) - and if you allow password
authentication, then the passwords of ALL accounts have to be secure.
Scott Fendley wrote:
> Personally, I think there is some targeting going on, but not sure about
> how the attackers are choosing their targets yet.
>
> Locally I have seen a limited increase, but am seeing more and more people
> talking about it in the past week.
>
> Scott
>
> On Mon, 12 May 2008, Gaddis, Jeremy L. wrote:
>
>> On Mon, May 12, 2008 at 4:40 PM, Tom Perrine <tperrine at scea.com> wrote:
>>> Anyone else see a significant rise in SSH dictionary attacks, especially
>>> from .KR?
>> [snip]
>>
>>> What's the consensus? Isolated or major ramp-up?
>> http://isc.sans.org/diary.html?storyid=4408&rss
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
>>
--
Paul Markfort Info: http://www.menet.umn.edu/~paulfm
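Added example (not from the post or from tcp_wrappers itself): a small Python simulation of the first-match evaluation TCP wrappers applies to /etc/hosts.allow, run over the rule set quoted in the message. It assumes constructed PTR/A answers in place of real DNS, ignores the RFC931 ident lookup, and models only the client patterns the post uses (ALL, PARANOID, an IP prefix, domain suffixes); the {bad-domain-N} names are the post's own placeholders.

```python
# Simulated /etc/hosts.allow evaluation: first matching rule wins.
# Constructed data only; no real DNS or ident lookups are performed.

RULES = """
ALL : 127.0.0.1 : allow
sshd : 192.168.0. : allow
ALL : PARANOID : RFC931 20 : deny
sshd : .{bad-domain-1}.net : deny
sshd : .{bad-domain-2}.com : deny
sshd : .{bad-domain-3}.com : deny
sshd : .edu .com .net .us : allow
ALL : ALL : RFC931 20 : deny
"""

# Constructed DNS answers: PTR (reverse) and A (forward) records.
PTR = {"10.0.0.5": "shell.example.edu", "203.0.113.9": "host.{bad-domain-1}.net",
       "198.51.100.7": "mail.example.org", "192.0.2.44": "fake.example.com"}
A = {"shell.example.edu": "10.0.0.5", "host.{bad-domain-1}.net": "203.0.113.9",
     "mail.example.org": "198.51.100.7", "fake.example.com": "192.0.2.99"}

def parse_rules(text):
    """Return (daemon_list, client_list, action) tuples; the ident option is dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1].split(), fields[-1].lower()))
    return rules

def client_matches(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":          # PTR name that does not resolve back to the IP
        return name is not None and A.get(name) != ip
    if pattern.startswith("."):         # domain suffix: only trust a verified name
        return name is not None and A.get(name) == ip and name.endswith(pattern)
    if pattern.endswith("."):           # dotted IP prefix such as 192.168.0.
        return ip.startswith(pattern)
    return pattern == ip                # exact address

def decide(daemon, ip, rules=None):
    """Walk the rules in order and return the action of the first match."""
    rules = parse_rules(RULES) if rules is None else rules
    name = PTR.get(ip)
    for daemons, clients, action in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, ip, name) for p in clients):
                return action
    return "deny"                       # no match at all: wrappers default to allow, the last rule here denies
```

Moving the `.edu .com .net .us : allow` line above the three domain denies makes the bad-domain hosts pass, which is why the post's ordering matters.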