[unisog] step up in SSH scanning starting today?

Paul FM paulfm at me.umn.edu
Tue May 13 13:44:43 GMT 2008

The targets are anything with a fast network connection (the faster the 
connection - the more valuable the target).   Many of these attacks are to 
set up control machines for botnets (most of the botnets are controlled from 
Unix/Linux machines).  And remember - THIS IS MOSTLY ORGANIZED CRIME 
(Mafias/Gangs) doing this stuff (they hire highly skilled hackers).  SPAM is 
big money.

There has been a constant attack like this on anything running ssh for more 
than the last two years.  More than 50% of the time - they are attempting to 
break into default accounts (admin, guest, lp, etc), or other common user 
accounts.  I have seen an Elementary School Web site as the source of this 
sort of attack (most of the attacks are from other machines which have 
already been compromised).

To reduce the attacks (at home) I use XINETD (tcp wrap compiled in) to start 
ssh (slows down the startup to several seconds for each connection - which is 
good) and my /etc/hosts.allow file has these entries (not the complete file):

ALL : : allow
# We don't want ssh dependent on DNS lookups to work from my internal network
sshd : 192.168.0. : allow
ALL : PARANOID : RFC931 20 : deny
sshd : .{bad-domain-1}.net : deny
sshd : .{bad-domain-2}.com : deny
sshd : .{bad-domain-3}.com : deny
sshd : .edu .com .net .us : allow
# Deny everything else
ALL : ALL : RFC931 20 : deny

The important line is the last allow (I don't tend to hang out at .gov 
sites).  This has caused nearly 80% of the attacking machines to be denied a 
connection (and all of those since midnight last night).  And I am still able 
to connect to it from anywhere I would use it.  You will note 3 domains added 
in (I had a lot of attacks from those domains - and since I don't intend to 
ssh in from there - it was easiest to just block them - I changed the names 
to protect the guilty).

If you run a large network (if you have a router or firewall) - consider 
limiting incoming ssh connections to a few well maintained "GATEWAY" machines 
and blocking the rest - a lot of people run ssh without understanding the 
security ramifications (too many people with Macs turn on ssh, and so do 
people with Linux/Unix who don't know what they are doing - then there are 
the scary people who install ssh on a Windows machine - and don't know how to 
securely configure it).   ssh is only as secure as it is configured to be 
(and the defaults are only moderately secure) - and if you allow password 
authentication, then the passwords of ALL accounts have to be secure.

Scott Fendley wrote:
> Personally, I think there is some targeting going on, but not sure about
> how the attackers are choosing their targets yet.
> Locally I have seen a limited increase, but am seeing more and more people
> talking about it in the past week.
> Scott
> On Mon, 12 May 2008, Gaddis, Jeremy L. wrote:
>> On Mon, May 12, 2008 at 4:40 PM, Tom Perrine <tperrine at scea.com> wrote:
>>> Anyone else see a significant rise in SSH dictionary attacks, especially
>>>  from .KR?
>> [snip]
>>>  What's the consensus?  Isolated or major ramp-up?
>> http://isc.sans.org/diary.html?storyid=4408&rss
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
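
Added example, not part of the original message: a simplified Python model of first-match evaluation over the hosts.allow rules quoted above, run against constructed clients to show which rule decides each connection. It assumes standard hosts_access(5) behaviour (first matching rule wins; client names come from reverse DNS). The first rule (`ALL : : allow`) is left out because its client field is empty on the page, and the `RFC931 20` ident option is ignored because it does not affect matching.

```python
# Added example: simplified model of tcp-wrappers first-match evaluation.
# Rules copied from the message (placeholders kept as written there).
RULES = [
    ("sshd", "192.168.0.", "allow"),
    ("ALL", "PARANOID", "deny"),
    ("sshd", ".{bad-domain-1}.net", "deny"),
    ("sshd", ".{bad-domain-2}.com", "deny"),
    ("sshd", ".{bad-domain-3}.com", "deny"),
    ("sshd", ".edu .com .net .us", "allow"),
    ("ALL", "ALL", "deny"),
]

def effective_name(rdns, forward_ok):
    """Name the wrapper matches against: no PTR -> 'unknown',
    PTR whose forward lookup disagrees with the address -> 'paranoid'."""
    if rdns is None:
        return "unknown"
    return rdns.lower() if forward_ok else "paranoid"

def matches(pat, addr, name):
    if pat == "ALL":
        return True
    if pat == "PARANOID":
        return name == "paranoid"
    if pat.endswith("."):            # address prefix, needs no DNS at all
        return addr.startswith(pat)
    if pat.startswith("."):          # domain suffix, depends on reverse DNS
        return name.endswith(pat.lower())
    return pat.lower() in (addr, name)

def decide(daemon, addr, rdns, forward_ok=True):
    """Return (action, 1-based index into RULES) of the first matching rule."""
    name = effective_name(rdns, forward_ok)
    for n, (d, clients, action) in enumerate(RULES, 1):
        if d in ("ALL", daemon) and any(matches(p, addr, name) for p in clients.split()):
            return action, n
    raise RuntimeError("unreachable: the final ALL : ALL rule matches everything")

if __name__ == "__main__":
    # Constructed sample clients (documentation address ranges, example names).
    for addr, rdns, ok in [("192.168.0.17", None, True),
                           ("198.51.100.9", "shell.example.edu", True),
                           ("203.0.113.40", None, True),
                           ("203.0.113.41", "host.example.kr", True),
                           ("203.0.113.42", "fake.example.edu", False),
                           ("203.0.113.43", "dsl-43.example.net", True)]:
        print(addr, rdns, decide("sshd", addr, rdns, ok))
```

The last sample is still allowed: any host whose verified reverse name ends in an allowed suffix reaches sshd, so the filter reduces volume but password strength still has to hold.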
