[Dshield] SSH Bots
vancel at winfreeacademy.com
Wed Mar 8 17:31:57 GMT 2006
Jon R. Kibler wrote:
>We got a new phishing email this morning (so, what else is new?) that resulted in my learning of a new attack (well, at least new to me) against ssh.
>When I contacted the system's netblock owner, they indicated that the compromised box was a MacOS/X system and they had already shut down the box. I got to talking to their security person and he indicated that the box was compromised via a brute force ssh attack. Apparently, there are botnets that do distributed brute force ssh attacks, hitting on all possible combinations of password characters up through 14 character lengths.
>Anyone else heard of and/or been a victim of this attack? If so, would you be willing to share the details and new countermeasures implemented?
>So, I guess it is time to change all of our ssh passwords to 15 or 16 chars!
>Or, I seem to remember that MD5 hashed *nix passwords can be up to 128 chars... so maybe our passwords should now become paragraphs?
>I guess what is really needed is some PAM-based authentication failure account lockout schema. I don't see any modules to this in default FC/4 or Solaris 9/10 distros. Anyone know if this can be done and/or how to do it?
I recently had to open an SSH server on my home network, and I started
seeing people trying to get into that system. At first I ignored it
unless they were actively trying to log in when I checked the network at
which time I would add their IP to my firewall to block them from my SSH
port while still allowing them to connect to all other ports. This
seemed to work fine until one day I got home and found that I was under
a brute force that had been going from 8:40am until I got home at
5:30pm. Luckily they didn't compromise any of the accounts despite the
logs showing 1.5hrs of 4 simultaneous attacks on the root account. I
decided that I really needed to rethink my "ignore them until something
I ended up writing a program that checks /var/log/secure every 5 minutes
and keeps tabs on how many failed attempts come from a single IP. I
don't want to have to worry about my legitimate user missing his
password one or two times, my main concern is protecting against brute
force. I wrote it so that if any IP has 50 failed attempts, they get a
record added into the ssh block portion of the firewall. The number can
be set to anything, but I figure 50 is a good number to indicate a brute
Since I started running this program, it has blocked a LOT more IPs than
I originally thought it would. My system will only be hammered for a
maximum of 5 minutes, because if the brute force is running fast, it
still gets blocked after 5 minutes. I don't have to worry about the
slow attacks, because whether those 50 failed attempts take 5 minutes or
5 days, 50 failed is still 50 failed.
I know there are better ways to do this, such as whitelisting, but I'm
somewhat using this as an informational tool to see how often the SSH
port comes under attack and what usernames they try.
Winfree Academy Charter Schools
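The per-IP failed-login counter described in the reply above, written out as an added example; this is not the poster's program and not part of the original message. It assumes the "Failed password" line format that sshd logs to /var/log/secure via syslog, uses constructed sample log lines in place of the real file, and emits iptables rule strings only as an illustration of a port-22-only block (the poster's actual firewall is not named). The threshold of 50 and the idea of ignoring everything below it are taken from the message; the per-IP username tally is there because the poster mentions wanting to see which usernames get tried.

```python
import re
from collections import Counter, defaultdict

# Matches the "Failed password" lines sshd writes through syslog.
# The "invalid user " prefix appears when the username does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines):
    """Return ({ip: failed_count}, {ip: Counter(username)}) for the given log lines."""
    per_ip = Counter()
    users_by_ip = defaultdict(Counter)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_ip[m["ip"]] += 1
            users_by_ip[m["ip"]][m["user"]] += 1
    return per_ip, users_by_ip


def ips_to_block(lines, threshold=50, already_blocked=()):
    """IPs whose failed-attempt count has reached the threshold, minus ones already blocked.

    Whether the failures arrive in 5 minutes or 5 days makes no difference: the
    count is cumulative over whatever lines are handed in, so slow attacks are
    caught the same way as fast ones.
    """
    per_ip, _ = parse_failures(lines)
    return sorted(ip for ip, n in per_ip.items()
                  if n >= threshold and ip not in already_blocked)


def block_rules(ips, ssh_port=22):
    """iptables commands that DROP each IP on the SSH port only; other ports stay reachable.

    Assumption: an iptables-based firewall. Substitute the equivalent for your own.
    """
    return [f"iptables -I INPUT -p tcp --dport {ssh_port} -s {ip} -j DROP" for ip in ips]


def sample_log():
    """Constructed stand-in for /var/log/secure: one brute-forcer, one legitimate user."""
    lines = []
    # 52 failures from a single source (constructed address), alternating root and a
    # non-existent "admin" account, the way an automated guesser looks in the log.
    for i in range(52):
        user = "root" if i % 2 == 0 else "admin"
        prefix = "" if user == "root" else "invalid user "
        lines.append(
            f"Mar  8 08:{40 + i % 20:02d}:{i:02d} homebox sshd[{2000 + i}]: "
            f"Failed password for {prefix}{user} from 203.0.113.7 port {40000 + i} ssh2"
        )
    # A real user mistyping a password a few times, then getting in.
    for i in range(3):
        lines.append(
            f"Mar  8 12:01:{i:02d} homebox sshd[{3000 + i}]: "
            f"Failed password for bob from 198.51.100.4 port {50000 + i} ssh2"
        )
    lines.append("Mar  8 12:05:00 homebox sshd[3100]: Accepted password for bob "
                 "from 198.51.100.4 port 50003 ssh2")
    # Unrelated line that must be ignored by the parser.
    lines.append("Mar  8 12:06:00 homebox su: pam_unix(su:session): "
                 "session opened for user root by bob(uid=500)")
    return lines


if __name__ == "__main__":
    # In real use the lines would come from /var/log/secure on a 5-minute cron job,
    # with the already-blocked set persisted between runs.
    log = sample_log()
    per_ip, users = parse_failures(log)
    offenders = ips_to_block(log)
    for ip in offenders:
        print(f"{ip}: {per_ip[ip]} failures, usernames tried: {dict(users[ip])}")
    for rule in block_rules(offenders):
        print(rule)
```

Running it from cron every five minutes and carrying the already-blocked set over between runs gives the behaviour the reply describes: a fast brute force gets at most one interval before its address is dropped, while the legitimate user with a handful of typos never reaches the threshold.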