[Dshield] SSH Bots

Laura Vance vancel at winfreeacademy.com
Wed Mar 8 17:31:57 GMT 2006


Jon R. Kibler wrote:

>Greetings,
>
>We got a new phishing email this morning (so, what else is new?) that resulted in my learning of a new attack (well, at least new to me) against ssh. 
>
>When I contacted the system's netblock owner, they indicated that the compromised box was a MacOS/X system and they had already shut down the box. I got to talking to their security person and he indicated that the box was compromised via a brute force ssh attack. Apparently, there are botnets that do distributed brute force ssh attacks, hitting on all possible combinations of password characters up through 14 character lengths. 
>
>Anyone else heard of and/or been a victim of this attack? If so, would you be willing to share the details and new countermeasures implemented?
>
>So, I guess it is time to change all of our ssh passwords to 15 or 16 chars! 
>
>Or, I seem to remember that MD5 hashed *nix passwords can be up to 128 chars... so maybe our passwords should now become paragraphs?
>
>I guess what is really needed is some PAM-based authentication failure account lockout schema. I don't see any modules to this in default FC/4 or Solaris 9/10 distros. Anyone know if this can be done and/or how to do it?
>
>Thanks!
>Jon Kibler
>  
>
I recently had to open an SSH server on my home network, and I started 
seeing people trying to get into that system.  At first I ignored it 
unless they were actively trying to log in when I checked the network at 
which time I would add their IP to my firewall to block them from my SSH 
port while still allowing them to connect to all other ports.  This 
seemed to work fine until one day I got home and found that I was under 
a brute force that had been going from 8:40am until I got home at 
5:30pm.  Luckily they didn't compromise any of the accounts despite the 
logs showing 1.5hrs of 4 simultaneous attacks on the root account.  I 
decided that I really needed to rethink my "ignore them until something 
happens" attitude.

I ended up writing a program that checks /var/log/secure every 5 minutes 
and keeps tabs on how many failed attempts come from a single IP.  I 
don't want to have to worry about my legitimate user missing his 
password one or two times, my main concern is protecting against brute 
force.  I wrote it so that if any IP has 50 failed attempts, they get a 
record added into the ssh block portion of the firewall.  The number can 
be set to anything, but I figure 50 is a good number to indicate a brute 
force.

Since I started running this program, it has blocked a LOT more IPs than 
I originally thought it would.  My system will only be hammered for a 
maximum of 5 minutes, because if the brute force is running fast, it 
still gets blocked after 5 minutes.  I don't have to worry about the 
slow attacks, because whether those 50 failed attempts take 5 minutes or 
5 days, 50 failed is still 50 failed.

I know there are better ways to do this, such as whitelisting, but I'm 
somewhat using this as an informational tool to see how often the SSH 
port comes under attack and what usernames they try.

-- 
Thanks,
Laura Vance
Systems Engineer
Winfree Academy Charter Schools
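The check Laura describes above (count failed sshd logins per source IP from /var/log/secure, block the source on the SSH port once it reaches 50, whether that takes 5 minutes or 5 days), as an added example that is not her program or any list member's code. The log-line pattern, the `SSH_BLOCK` chain name and the sample entries are assumptions constructed for the example.

```python
import re
from collections import Counter

# sshd "Failed password" lines as syslog writes them to /var/log/secure (the pattern is an
# assumption about the OpenSSH format; "invalid user" appears when the username does not exist).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(lines):
    """Yield (ip, user) for every failed-password line; accepted logins and other noise are skipped."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def count_failures(lines):
    """Return ({ip: failed count}, {ip: set of usernames tried}) over the whole log."""
    per_ip, users = Counter(), {}
    for ip, user in parse_failures(lines):
        per_ip[ip] += 1
        users.setdefault(ip, set()).add(user)
    return per_ip, users

def ips_to_block(lines, threshold=50, whitelist=()):
    """IPs at or over the threshold, counted over the whole log so slow attacks are caught too,
    minus any whitelisted source (e.g. the admin's own host) so a fat-fingered
    password never locks out a legitimate user."""
    per_ip, _ = count_failures(lines)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold and ip not in whitelist)

def iptables_rules(ips, chain="SSH_BLOCK"):
    """Render DROP rules for the ssh-block chain (hypothetical chain name); only port 22
    is dropped, so the blocked host can still reach every other service."""
    return [f"iptables -A {chain} -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

# Constructed sample log: 50 root attempts from one source, two typos from the real user, one success.
SAMPLE_LOG = [
    f"Mar  8 08:40:{i % 60:02d} host sshd[{4000 + i}]: Failed password for root "
    f"from 192.0.2.10 port {40000 + i} ssh2"
    for i in range(50)
] + [
    "Mar  8 09:01:02 host sshd[4100]: Failed password for laura from 198.51.100.5 port 5001 ssh2",
    "Mar  8 09:01:09 host sshd[4100]: Failed password for laura from 198.51.100.5 port 5001 ssh2",
    "Mar  8 09:01:15 host sshd[4100]: Accepted password for laura from 198.51.100.5 port 5001 ssh2",
]
```

Run from a 5-minute cron job, feed `open("/var/log/secure")` to `ips_to_block` and apply the rendered rules only for IPs not already in the chain; the `users` map from `count_failures` gives the same "which usernames do they try" view Laura mentions.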

