Re: [Full-disclosure] Distributed SSH username/password brute force attack

2007-10-24 Thread Vincent Archer
On Mon, 2007-10-22 at 22:34 +0200, [EMAIL PROTECTED] wrote:
> Hi,
> 
> > Oct 22 20:36:13 nms sshd[90657]: Failed password for invalid user gopher
> > from 77.46.152.2 port 55120 ssh2
> 
> User/password authentication for SSH?  One way of cleaning up your
> logs and killing this type of attack is to reconfigure your OpenSSH
> to only allow key-based logins. That stopped my 10M+ logfiles straight away
> (then the apache attacks were easier to see too ;-) )

Be careful about that. Although key-based logins are easier on your
logs, they also generate the problem of transitive access to the server.
Years ago, one of the boxes I was managing was hacked from the inside:
the hacker got an unsecured linux box through a script-kiddie level hack,
and used the key of a local user to get in.

Although you can control how the SSH server on your side works, you have
no control over people's private keys and thus cannot enforce passphrases
on those keys. You can unknowingly lower your security by moving to a
key-based login, because some people who would type a password to log in
will not bother securing their passphrases if they are forced to use a
private key.

-- 
Vincent ARCHER
[EMAIL PROTECTED]

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Distributed SSH username/password brute force attack

2007-10-23 Thread nocfed
On 10/22/07, Anders B Jansson <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > Hi,
> >
> >> Oct 22 20:36:13 nms sshd[90657]: Failed password for invalid user gopher
> >> from 77.46.152.2 port 55120 ssh2
> >
> > User/password authentication for SSH?  One way of cleaning up your
> > logs and killing this type of attack is to reconfigure your OpenSSH
> > to only allow key-based logins. That stopped my 10M+ logfiles straight away
>
> An even better way is to punt the attackers to a 'silent drop' table in your 
> firewall.
>
> Cuts your logs to nothing and keeps the kiddies wasting their time.
>
> The latest attack surge is either directed or a bit more clever, haven't seen 
> anything on my random user DSL traps.
> --
> // hdw
>

I still say to throw them into a TARPIT table and tag their
connections to throw them into a nice TCP window size of 0.  Currently
I lower unknown connections' window size to bring them to a crawl while
known ranges immediately go through.  It's not about blocking all
unknown, but about making the process take up more of their resources.
A silent drop will take up very little of the worm's time when
compared to a tarpit that can eat up minutes (hours if they do not set
timeouts) per connection.



Re: [Full-disclosure] Distributed SSH username/password brute force attack

2007-10-22 Thread Anders B Jansson
[EMAIL PROTECTED] wrote:
> Hi,
> 
>> Oct 22 20:36:13 nms sshd[90657]: Failed password for invalid user gopher 
>> from 77.46.152.2 port 55120 ssh2
> 
> User/password authentication for SSH?  One way of cleaning up your
> logs and killing this type of attack is to reconfigure your OpenSSH
> to only allow key-based logins. That stopped my 10M+ logfiles straight away

An even better way is to punt the attackers to a 'silent drop' table in your 
firewall.

Cuts your logs to nothing and keeps the kiddies wasting their time.

The latest attack surge is either directed or a bit more clever, haven't seen 
anything on my random user DSL traps.
-- 
// hdw



Re: [Full-disclosure] Distributed SSH username/password brute force attack

2007-10-22 Thread A . L . M . Buxey
Hi,

> Oct 22 20:36:13 nms sshd[90657]: Failed password for invalid user gopher 
> from 77.46.152.2 port 55120 ssh2

User/password authentication for SSH?  One way of cleaning up your
logs and killing this type of attack is to reconfigure your OpenSSH
to only allow key-based logins. That stopped my 10M+ logfiles straight away
(then the apache attacks were easier to see too ;-) )

alan



Re: [Full-disclosure] Distributed SSH username/password brute force attack

2007-10-22 Thread Valery Marchuk
 error for root 
from 80.122.89.106
Oct 22 21:56:42 nms sshd[90881]: Failed keyboard-interactive/pam for root 
from 80.122.89.106 port 12387 ssh2
Oct 22 21:57:38 nms sshd[90884]: Connection from 82.207.23.93 port 3642


Best regards,
Valery Marchuk

- Original Message - 
From: "Philipp" <[EMAIL PROTECTED]>
To: 
Sent: Monday, October 22, 2007 2:36 PM
Subject: [Full-disclosure] Distributed SSH username/password brute force attack


> Hello,
>
> Since last night I have been experiencing distributed SSH username/password
> guessing brute-force attacks. Anyone seen something similar?
>
> Up until tonight it was always one host that tried to guess username/password
> combinations until it got banned by fail2ban. But now I see in my
> logfiles:
>
> Oct 22 01:42:18 myhost sshd[2672]: error: PAM: Authentication failure
> for illegal user root from .de
> Oct 22 01:44:49 myhost sshd[2832]: error: PAM: Authentication failure
> for illegal user root from .85
> Oct 22 01:47:16 myhost sshd[2981]: error: PAM: Authentication failure
> for illegal user root from .86
> Oct 22 01:50:33 myhost sshd[3233]: error: PAM: Authentication failure
> for illegal user root from .ar
> Oct 22 01:52:38 myhost sshd[3307]: error: PAM: Authentication failure
> for illegal user root from .be
> Oct 22 01:55:34 myhost sshd[3551]: error: PAM: Authentication failure
> for illegal user root from .106
> Oct 22 01:58:04 myhost sshd[3691]: error: PAM: Authentication failure
> for illegal user root from .11
> Oct 22 02:00:44 myhost sshd[3999]: error: PAM: Authentication failure
> for illegal user root from .cl
>
> The time is CEST and the attacks are still ongoing.
>
> kind regards,
>
>  Philipp
>


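Philipp's point, quoted above, is that the guessing now arrives from many hosts with only one or two attempts each, so a per-IP ban such as fail2ban never trips. As an added example (not code from anyone in this thread), the following Python parses the three sshd line formats quoted in the thread and separates a single noisy source from an account being tried from many sources at once; the sample log and its addresses are constructed, and the window and thresholds are assumptions to tune locally.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the sshd formats quoted in this thread ("Failed password",
# "Failed keyboard-interactive/pam" and "error: PAM: Authentication failure").
# Sources are documentation-range placeholders, not real addresses.
SAMPLE_LOG = """\
Oct 22 01:42:18 myhost sshd[2672]: error: PAM: Authentication failure for illegal user root from 203.0.113.5
Oct 22 01:44:49 myhost sshd[2832]: error: PAM: Authentication failure for illegal user root from 203.0.113.85
Oct 22 01:47:16 myhost sshd[2981]: error: PAM: Authentication failure for illegal user root from 198.51.100.86
Oct 22 01:50:33 myhost sshd[3233]: error: PAM: Authentication failure for illegal user root from host-1.example.ar
Oct 22 01:52:38 myhost sshd[3307]: Failed keyboard-interactive/pam for root from 192.0.2.106 port 12387 ssh2
Oct 22 01:55:34 myhost sshd[3551]: Failed password for invalid user gopher from 192.0.2.11 port 55120 ssh2
Oct 22 01:58:04 myhost sshd[3691]: Failed password for invalid user gopher from 192.0.2.11 port 55121 ssh2
Oct 22 02:00:44 myhost sshd[3999]: Failed password for invalid user gopher from 192.0.2.11 port 55122 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|keyboard-interactive/pam) for|"
    r"error: PAM: Authentication failure for) "
    r"(?:invalid user |illegal user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(log_text):
    """Return (timestamp, user, source) for every failed-login line; other lines are skipped."""
    matches = (FAIL_RE.match(line) for line in log_text.splitlines())
    # syslog timestamps carry no year; strptime's 1900 default keeps relative order
    return [(datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["src"])
            for m in matches if m]

def classify(failures, window=timedelta(minutes=30), per_source=3, distinct_sources=4):
    """noisy: sources with >= per_source failures in a sliding window (what a per-IP
    ban catches). distributed: users tried from >= distinct_sources sources while each
    source stays under per_source, so no per-IP threshold fires. Thresholds are assumptions."""
    failures = sorted(failures)
    noisy, distributed, start = set(), set(), 0
    for end, (ts, _, _) in enumerate(failures):
        while ts - failures[start][0] > window:  # slide the window's left edge
            start += 1
        recent = failures[start:end + 1]
        by_src = Counter(src for _, _, src in recent)
        noisy.update(src for src, n in by_src.items() if n >= per_source)
        srcs_per_user = defaultdict(set)
        for _, user, src in recent:
            if by_src[src] < per_source:  # low-and-slow sources only
                srcs_per_user[user].add(src)
        distributed.update(u for u, s in srcs_per_user.items() if len(s) >= distinct_sources)
    return noisy, distributed
```

On the sample, `classify(parse_failures(SAMPLE_LOG))` flags `192.0.2.11` as a noisy source (the fail2ban case) and `root` as a distributed target, which no per-source counter would have reported.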


Re: [Full-disclosure] Distributed SSH username/password brute force attack

2007-10-22 Thread cybergoth
Nothing special, change ssh port.

- Original Message - 
From: "Philipp" <[EMAIL PROTECTED]>
To: 
Sent: Monday, October 22, 2007 2:36 PM
Subject: [Full-disclosure] Distributed SSH username/password brute force attack


> Hello,
>
> Since last night I have been experiencing distributed SSH username/password
> guessing brute-force attacks. Anyone seen something similar?
>
> Up until tonight it was always one host that tried to guess username/password
> combinations until it got banned by fail2ban. But now I see in my
> logfiles:
>
> Oct 22 01:42:18 myhost sshd[2672]: error: PAM: Authentication failure
> for illegal user root from .de
> Oct 22 01:44:49 myhost sshd[2832]: error: PAM: Authentication failure
> for illegal user root from .85
> Oct 22 01:47:16 myhost sshd[2981]: error: PAM: Authentication failure
> for illegal user root from .86
> Oct 22 01:50:33 myhost sshd[3233]: error: PAM: Authentication failure
> for illegal user root from .ar
> Oct 22 01:52:38 myhost sshd[3307]: error: PAM: Authentication failure
> for illegal user root from .be
> Oct 22 01:55:34 myhost sshd[3551]: error: PAM: Authentication failure
> for illegal user root from .106
> Oct 22 01:58:04 myhost sshd[3691]: error: PAM: Authentication failure
> for illegal user root from .11
> Oct 22 02:00:44 myhost sshd[3999]: error: PAM: Authentication failure
> for illegal user root from .cl
>
> The time is CEST and the attacks are still ongoing.
>
> kind regards,
>
>  Philipp
>



Re: [Full-disclosure] Distributed SSH username/password brute force attack

2007-10-22 Thread subs07
 sshd[27243]: error: PAM: Authentication failure for 
illegal user root from 211.61.130.199
Oct 22 18:57:55 wintermute sshd[27297]: error: PAM: Authentication failure for 
illegal user root from host81-150-208-48.in-addr.btopenworld.com
Oct 22 18:59:52 wintermute sshd[27452]: error: PAM: Authentication failure for 
illegal user root from host242-209-static.41-85-b.business.telecomitalia.it


Richard G. wrote:
> Philipp, what network are you on? I use RCN (X.X.X.X) to get to Level3
> and used to see these things all the time from China and Korea. Since I do
> not do business there, I just drop their packets at my router. Richard
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Philipp
> Sent: Monday, October 22, 2007 7:37 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Distributed SSH username/password brute force attack
> 
> Hello,
> 
> Since last night I have been experiencing distributed SSH username/password
> guessing brute-force attacks. Anyone seen something similar?
> 
> Up until tonight it was always one host that tried to guess username/password
> combinations until it got banned by fail2ban. But now I see in my
> logfiles: 
> 
> Oct 22 01:42:18 myhost sshd[2672]: error: PAM: Authentication failure
> for illegal user root from .de
> Oct 22 01:44:49 myhost sshd[2832]: error: PAM: Authentication failure
> for illegal user root from .85
> Oct 22 01:47:16 myhost sshd[2981]: error: PAM: Authentication failure
> for illegal user root from .86
> Oct 22 01:50:33 myhost sshd[3233]: error: PAM: Authentication failure
> for illegal user root from .ar
> Oct 22 01:52:38 myhost sshd[3307]: error: PAM: Authentication failure
> for illegal user root from .be
> Oct 22 01:55:34 myhost sshd[3551]: error: PAM: Authentication failure
> for illegal user root from .106
> Oct 22 01:58:04 myhost sshd[3691]: error: PAM: Authentication failure
> for illegal user root from .11
> Oct 22 02:00:44 myhost sshd[3999]: error: PAM: Authentication failure
> for illegal user root from .cl
> 
> The time is CEST and the attacks are still ongoing.
> 
> kind regards,
> 
>   Philipp
> 



kind regards,

  Philipp
