[Dshield] SSH Bots

Ryan McConigley ryan at csse.uwa.edu.au
Tue Mar 7 03:51:21 GMT 2006

Quoting "Jon R. Kibler" <Jon.Kibler at aset.com>:

> Greetings,
> We got a new phishing email this morning (so, what else is new?) that
> resulted in my learning of a new attack (well, at least new to me) against
> ssh. 
> When I contacted the system's netblock owner, they indicated that the
> compromised box was a MacOS/X system and they had already shut down the box.
> I got to talking to their security person and he indicated that the box was
> compromised via a brute force ssh attack. Apparently, there are botnets that
> do distributed brute force ssh attacks, hitting on all possible combinations
> of password characters up through 14 character lengths. 
> Anyone else heard of and/or been a victim of this attack? If so, would you be
> willing to share the details and new countermeasures implemented?

     We had one account on one of our boxes compromised last year with what you
might call a brute force attack, but when we looked at it, they just hit a few
usernames with a lot of common passwords.  At the time we were having a fairly
sustained ssh onslaught - a few thousand connection attempts per day, sometimes
to a range of usernames, other times to just a select few (sometimes ones that
didn't exist).

     The account that had been compromised was picked up because a) it belonged
to someone who I doubt has ever heard of ssh and b) we had a script that looked
at unsuccessful logins and compared it to successful ones.  More than two
unsuccessful logins followed by a successful login gave us a little flag to
investigate further.

     We couldn't find anything untoward on the box, but we rebuilt it as a
precaution, as well as killing off the account.

     Just doing some maths in my head, assuming 14 characters in the brute
and let's assume a simple password of a-z, A-Z and 0-9, plus a few punctuation
characters -,+,!@#$, that gives 88 characters, that's 88^14 different
combinations.  Which is a lot.  An awful lot.  Assuming you can try one
password per second, that's still several thousand (million?) years before you
try them all.  I say one per second so it allows for connection time.  Our
linux boxes allow for three attempts, each one taking longer before returning
success or failure, then you get disconnected and need to reconnect.  I think
we've still got the timeouts on the actual sessions as well, but not sure.
(we had problems with that).

      We have experimented with some of the PAM based lockout modules, but
unfortunately valid users get their passwords wrong just as many times as the
hackers and valid users tend to complain when they've been informed they've
been locked out for x length of time... especially when they've got a lab on.

      Summary - Personally, I'm not too concerned with brute force attacks over
ssh.  I know we'll get them, but I suspect there is much more of a real risk
running a decent list of possible passwords as opposed to every combination.

       One thing that we do is keep an eye on the IPs of the connecting hosts. 
If we see an excessive number, they get added to the "go away" rule on the
firewall, sort of like closing the door after the horse had bolted, but it has
stopped some attacks in the middle of them.  I have contemplated automating
this, but I don't trust myself.


This message was sent using IMP, the Internet Messaging Program.
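The two checks Ryan describes (flagging an account where more than two failed logins are followed by a success, and counting connection sources so the noisy ones can go into the firewall's "go away" rule) are straightforward to run over sshd auth log lines. The following is an added example, not Ryan's script or anything from the list; it assumes OpenSSH's usual syslog wording ("Failed password for ..." / "Accepted password for ..."), and the log lines embedded in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log lines (not taken from the post). Addresses
# are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Mar  6 22:01:02 host sshd[1001]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Mar  6 22:01:05 host sshd[1001]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Mar  6 22:01:09 host sshd[1001]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Mar  6 22:01:15 host sshd[1002]: Accepted password for alice from 203.0.113.5 port 40002 ssh2
Mar  6 22:02:00 host sshd[1003]: Failed password for bob from 198.51.100.7 port 50000 ssh2
Mar  6 22:02:04 host sshd[1004]: Accepted password for bob from 198.51.100.7 port 50001 ssh2
Mar  6 22:03:00 host sshd[1005]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  6 22:03:01 host sshd[1005]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  6 22:03:02 host sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Mar  6 22:04:00 host sshd[1006]: Accepted publickey for carol from 192.0.2.10 port 60000 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for
# [invalid user ]<user>" as OpenSSH logs them; the port is consumed but unused.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Yield (result, user, ip) for every line that looks like an sshd auth event."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def flag_suspicious_logins(text, max_failures=2):
    """Return (user, ip, failures) for each success that came after more than
    `max_failures` consecutive failed attempts on the same account.

    This is the post's rule: more than two unsuccessful logins followed by a
    successful one is worth a closer look. A single typo before a success
    (bob below) is left alone."""
    streak = defaultdict(int)  # user -> consecutive failures so far
    flagged = []
    for result, user, ip in parse_events(text):
        if result == "Failed":
            streak[user] += 1
        else:
            if streak[user] > max_failures:
                flagged.append((user, ip, streak[user]))
            streak[user] = 0  # a success resets the account's streak
    return flagged


def noisy_sources(text, threshold=3):
    """Return source IPs with at least `threshold` failed attempts across all
    accounts, i.e. candidates for review before adding a firewall block.

    Failures against non-existent accounts ("invalid user") count too, since
    those are exactly what the post saw during its onslaught."""
    failures = defaultdict(int)
    for result, _user, ip in parse_events(text):
        if result == "Failed":
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    for user, ip, n in flag_suspicious_logins(SAMPLE_LOG):
        print(f"investigate: {user} logged in from {ip} after {n} failures")
    for ip in noisy_sources(SAMPLE_LOG):
        print(f"noisy source: {ip}")
```

Running it on the sample flags alice (three failures, then a success from the same address) and lists 203.0.113.5 as the only source over the failure threshold. The per-account check is the one that actually catches a successful guess; the per-IP count only tells you who is knocking, which is why the post treats the firewall rule as a cleanup step rather than the detection.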
