You are not logged in.

#1 2006-02-01 01:37:29

vyrixv
Member
From: Houston, TX
Registered: 2005-12-23
Posts: 15

SSH Dictionary attack on both root/users... Any suggestions?

Hmmm, was tailing -f the auth.log and the xferlog on one vc and check out the auth.log.

This is an expert of the usernames, there are about 1000 and a bunch of root attempts.  Anyone know how set a invalid user rule?  or how should I handle this?  Using openssh and proftpd.

auth.log:

Jan 30 17:34:49 myhost sshd[5620]: Invalid user alejandra from 208.187.226.110
Jan 30 17:34:49 myhost sshd[5620]: Excess permission or bad ownership on file /var/log/btmp
Jan 30 17:34:49 myhost sshd(pam_unix)[5620]: check pass; user unknown
Jan 30 17:34:49 myhost sshd(pam_unix)[5620]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apollo.ittechsonline.com 
Jan 30 17:34:51 myhost sshd[5620]: Failed password for invalid user alejandra from 208.187.226.110 port 45665 ssh2
Jan 30 17:34:51 myhost sshd[5620]: Excess permission or bad ownership on file /var/log/btmp
Jan 30 17:34:52 myhost sshd[5622]: Invalid user alison from 208.187.226.110
Jan 30 17:34:52 myhost sshd[5622]: Excess permission or bad ownership on file /var/log/btmp
Jan 30 17:34:52 myhost sshd(pam_unix)[5622]: check pass; user unknown
Jan 30 17:34:52 myhost sshd(pam_unix)[5622]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apollo.ittechsonline.com 
Jan 30 17:34:54 myhost sshd[5622]: Failed password for invalid user alison from 208.187.226.110 port 46756 ssh2
Jan 30 17:34:54 myhost sshd[5622]: Excess permission or bad ownership on file /var/log/btmp
Jan 30 17:34:54 myhost sshd[5624]: Invalid user alisha from 208.187.226.110
Jan 30 17:34:55 myhost sshd[5624]: Excess permission or bad ownership on file /var/log/btmp
Jan 30 17:34:55 myhost sshd(pam_unix)[5624]: check pass; user unknown
Jan 30 17:34:55 myhost sshd(pam_unix)[5624]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apollo.ittechsonline.com 
Jan 30 17:34:57 myhost sshd[5624]: Failed password for invalid user alisha from 208.187.226.110 port 47941 ssh2
Jan 30 17:34:57 myhost sshd[5624]: Excess permission or bad ownership on file /var/log/btmp

No attempts since, i put a file up in the anon ftp folder for him to see but I assume it is a comprimised box.  What do you all think?

Offline

#2 2006-02-01 05:53:27

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: SSH Dictionary attack on both root/users... Any suggestions?

The "excess permission" warning is referenced here: http://lists.debian.org/debian-ssh/2005 … 00122.html

The failed password shouldn't be an issue. It is the non-failures you should worry about.

I recommend using "AllowUsers username1 username1" and not allowing root logins, as a start. Use only ssh2 as another good security practice, and make sure to use strong passwords, or keys only.

Some people change their ssh port too, to avoid the brute force bots out there..

/me shrugs


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#3 2006-02-01 08:41:02

pikass
Member
From: Schwartz space
Registered: 2005-11-28
Posts: 85

Re: SSH Dictionary attack on both root/users... Any suggestions?

An elegant way would be the usage of knocking ports.

Offline

#4 2006-02-01 09:22:29

juergen
Developer
From: Frankfurt/Germany
Registered: 2005-04-11
Posts: 48
Website

Re: SSH Dictionary attack on both root/users... Any suggestions?

I suggest you add only required networks to the sshd line in /etc/hosts.allow and reject all other connects in /etc/hosts.deny

Offline

#5 2006-02-01 11:08:30

PeteMo
Member
From: H'Burg, VA
Registered: 2006-01-26
Posts: 191
Website

Re: SSH Dictionary attack on both root/users... Any suggestions?

There is also denyhosts - see http://denyhosts.sourceforge.net/ It can be run as a daemon to scan your /var/log/auth.log every thirty seconds and add ips to /etc/hosts.deny that have greater than a set number of failed login attempts.

Offline

#6 2006-02-01 12:46:26

demonus
Member
Registered: 2005-01-31
Posts: 62

Re: SSH Dictionary attack on both root/users... Any suggestions?

if ssh service is not critical move it to other port, say 122, moreover

LoginGraceTime 1m
MaxStartups 2:50:4
AllowUsers yourusershere

may help

Offline

#7 2006-02-02 11:23:37

Panu
Member
From: UK
Registered: 2005-10-09
Posts: 27

Re: SSH Dictionary attack on both root/users... Any suggestions?

The following was suggested to me by a local LUG member, and it works for me. Specifically the "brute force" option described in the end.

-----------clip--------clip------------------------

Place the following (or equiv) somewhere in an rc file (or equiv)....

iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack
--rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack
--rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

This allows three SSH connection attempts from the same IP address
every minute - but no more.

the problem with putting them in rc.local is that they'll be processed
after all other firewall-related stuff has happened (unless your entire
firewall is set up from rc.local, but that's unlikely). that means these
three rules will go onto the END of your firewall's input chain.

as my technote (http://www.teaparty.net/technotes/ssh-r … iting.html)
states, "these rules will need to come before any blanket permit to port
22". this is because iptables processes rules in strict order, and first
hit wins. so if you've got a firewall which amounts to (forgive the
metalanguage used in this example):

01 accept inbound tcp to port 22 # ssh
02 accept inbound tcp to port 25 # mail
03 accept inbound tcp to port 80 # my web server
(accept some other stuff, might be stateful, might be DNS, who knows?)
14-17 tom's three lines to enforce rate-limiting on ssh connections

the three rate-limiting lines will never get run: inbound ssh requests
will meet and match line 01 and terminate processing with an ACCEPT.

so you either need to work out how your firewall sets up all its other
rules, and insert my lines at an appropriate point in the process, or you
need to brute-force my lines into coming first in your INPUT chain.

the former is better; understanding is worth any price. but if you don't
want to do that, then change my three rules so instead of starting
iptables -A INPUT
they start
iptables -I INPUT 1
iptables -I INPUT 2
iptables -I INPUT 3
respectively, which will force them to be inserted at the very top of the
INPUT chain even though all the other rules have already been set up.

Offline

#8 2006-03-27 05:48:25

Alethos
Member
Registered: 2006-01-05
Posts: 84

Re: SSH Dictionary attack on both root/users... Any suggestions?

read an interesting wiki on SSH blocking here (gentoo based).

Offline

Board footer

Powered by FluxBB