[Dshield] SSH Scans & Premade Kits

Dom De Vitto dom at devitto.com
Sat Mar 19 18:20:07 GMT 2005

Hmmm, my additions/thoughts:

Use the system-wide ssh (client) config file to set the port for the hosts
you've change the port for --> so users don't need the -p stuff.

Better, run another SSHD on random high port but bound to only
Used with the above port jiggery, this works as usual for "users", but now
only local users can access the application layer.
Smart people with automatic system info gathering bots can login as a low
priv user, and have that user only be able to run ssh root at localhost.  See
authorized_keeys for details.

Never liked this option - chmod a=w / locks you out :-( I always set to
"no", but it depends on your user environment (hostile students, your family

Layered security.
1) do you need to use a routable address for SSH management?
2) Packet Filter from all but where you expect connections.
3) layer-7 IP filtering (hosts.allow etc.)
4) Only allow certain users, as below.
5) Only allow pub key auth.
6) don't permit ssh agent forwarding by default, define exceptions.
7) Decide where the safest place for your (encrypted) public keys are:
User desktops/laptops? Central servers? Your call, but I'd recommend on the
stuff right up close to the user.  Compromise there is "end of game" anyway
:-(  The ssh private keys should only exist in ONE place, and then
agent-forwarded through to where you want to go.
8) StrictHostKeyChecking should be 'yes', go around collecting the host
keys, and put them in the global host key file.  If users never see the new
hostkey prompt they will not get used to hitting "yes".  Which reduced the
chance of them doing it do the "This host has changed keys" message.


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of jayjwa
Sent: 19 March 2005 03:50
To: Dshield Mail List
Subject: [Dshield] SSH Scans & Premade Kits

So, this is how those little SOB's have been finding SSH's to scan. Anyone 
wonder why these scans have gone thru the roof lately? It might have 
something to do with  pre-made, fully compiled downloadable attack kits. 
Apparently there's a couple of websites, one with a whole directory of 
these tools, where you can download premade kits. One is of the dnet.it 
domain and looks like it itself is hacked. One of the exploits seems to be 
called "SSHD deattack exploit. By Dvorak with Code from teso". The URL to 
Teso's site is included. You used to be able to request the root directory 
and enter the site. Not anymore; maybe they are feeling the results of 
their name being pasted on exploit used for such much illegal activity?

Here's the script to determine if your ssh is "vulnerable" from one of 
the kits, by the banner  ->

cd ssh
VER="`./scanssh $1 | awk '{print $2}'`"

if [ "$VER" = "SSH-1.5-1.2.27" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1

if [ "$VER" = "SSH-1.5-1.2.26" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1

if [ "$VER" = "SSH-1.5-1.2.28" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1

if [ "$VER" = "SSH-1.5-1.2.29" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1

if [ "$VER" = "SSH-1.5-1.2.30" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1

if [ "$VER" = "SSH-1.5-1.2.31" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x2 -t 1 $1

if [ "$VER" = "SSH-1.5-1.2.24" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x3 -t 1 $1

if [ "$VER" = "SSH-1.5-1.2.25" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x3 -t 1 $1

if [ "$VER" = "SSH-1.5-1.2.31a" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x3 -t 1 $1

<snip really long list>

if [ "$VER" = "SSH-1.99-OpenSSH_2.1.1" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x4/x4 -t 23 $1

if [ "$VER" = "SSH-1.5-1.3.6_F-SECURE_SSH" ]; then
echo "Vulnerable $VER found ... exploiting... "
./x4/x4 -t 24 $1

It also comes with an auto-scanner for finding ssh servers, thanks to a 
Niels Provos (scanssh). Grade A script-kiddie stuff. Interestingly enough, 
a message on his University of Mich. website says that, due the legality 
problems of his research, he's moved the stuff to the Netherlands 
(paraphased). It can even scan using SOCKS proxies, according to the web 
page. Although he suggests the tool will be used by admins to check their 
sshd versions on their own networks, I don't know many that would hide 
behide a SOCKS proxy while doing so...

I really, really hate ssh kiddies. This has reached a disgusting level 
of popularity, and ready-made attack kits don't help at all. Too many 
times my logs have been filled by some idiot, running thru name after 
name: test-test, guest-guest, dog-dog, Chris, Tom, Bob. I had a 
12-minute long one, once. Ruin their fun:

sshd_config, make some changes. I've noticed no decrease in usability 
from these settings, other than having to enter the extra Port number 
parameter,  but they increase security (if you're currently 
allowing the stuff they block):

Port (random high port)
#then use ssh -p <high port> host and sftp -o Port=<high port>
# and scp -P <high port> host when you connect)

Protocol 2
# No protocol 1. 2,1 is drop back to 1, which I've seen reported as unsafe

PermitRootLogin no
# No root, ever on Internet-accessible machines

StrictModes     yes
MaxAuthTries    3

RSAAuthentication    yes
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys
# Then, take your *.pub ssh keys and 'cat *.pub >> ~/.ssh/authorized_keys'
# on the host you want to login TO (mailing the admin gpg encrypted keys
# and having him do it is safe if you know him and he'll do it for you,
# is one way)
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts            yes
PasswordAuthentication  no
# There goes bruteforcing ;)
PermitEmptyPasswords    no
PermitUserEnvironment   no

AllowUsers (specifically allow those users you want, only)
AllowGroups (same, for groups)

DenyUsers root bin daemon adm sync shutdown halt mail news uucp operator 
games lp ftp cron dcron fcron vcron smmsp mysql mysqld ssh sshd nobody 
noone guest Guest GUEST test Test TEST testing nouser user owner admin 
administrator Administrator Admin www Apache apache wwwrun wine windows 
smb smbguest samba swat cybase god dog God Chris Danny Elisabeth Jason 
rolo httpd uucp UUCP pop popd procmail sunrpc rpc
# One line. You laugh, but maybe it'll save you one day that that new 
# user you just added leaves his account open, or you forget to close off
# the "ftp" user or something trivial. Crackers count on this stuff.
# Most of these come from the attach tools themselves

DenyGroups (same thing as above, with common group names)

firewalls, iptables, add in the appropriate place, if you have this 
target- don't forget to tell your legit users you moved the port ;)

iptables -A INPUT -p tcp --dport 22 -m limit -j LOG --log-level 7 
--log-prefix "Ssh'ers again: "
iptables -A INPUT -p tcp --dport 22 -j TARPIT

Always keep your ssh up to date, http://www.openssh.org/. Version Openssh 
4.0p1 (and 4.0) was released on March 9th, 2005. Same goes for it's 
Openssl dependancy.

Use /etc/hosts.deny, hosts.allow to further limit access

Don't hesitate to report attackers or mass-scanners. I've had more than 
one attacker's account reported closed down by their ISP, after reporting 
that they were caught scanning for ssh's, some only with the logs from the 
above iptables rules. Others, I sent the whole brute force attempt from 
the syslog's.


signature space still for rent
-------------- Sponsor Message ------------------------------------
Join us at SANSFIRE 2005 in Atlanta!
The Internet Storm Center Conference.
Details: http://www.sans.org/sansfire2005

send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list