RE: Chinese Kiddos with Broken Dicts?
Take a look at sshblack, it works very well for me.

http://www.pettingers.org/code/sshblack.html

-----Original Message-----
From: plug-discuss-boun...@lists.plug.phoenix.az.us [mailto:plug-discuss-boun...@lists.plug.phoenix.az.us] On Behalf Of Kurt Granroth
Sent: Saturday, May 09, 2009 10:35 PM
To: Main PLUG discussion list
Subject: Re: Chinese Kiddos with Broken Dicts?

That seems... unlikely. I have had thousands of unique IPs hit some of my hosts, many to never repeat after a round of attacks. The more plausible route is that they have a botnet of pwned boxes numbering in the hundreds of thousands and they just use them for random dictionary attacks. Once the dictionary attack is done (completely failed), they move on.

One lesson to learn from this, though, is to NEVER allow name+password based logins over the Internet. If you open up port 22 to the world, then make sure you restrict logins to SSH key only. Most importantly:

PasswordAuthentication no

If a million monkeys can write the works of Shakespeare, then a million compromised zombies can eventually crack all of your passwords, too!

On 5/9/09 8:17 PM, Lisa Kachold wrote:
> Be afraid, very afraid!
>
> You must put that IP in your firewall!
>
> There's a good chance they already got in, if you didn't put in iptables brute force controls?
>
> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris <t...@supertunaman.com> wrote:
>
>> Helloes.
>>
>> Yes, another thread about the Chinese.
>>
>> Okay so over the past couple days I've been seeing things like this:
>>
>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>>
>> And then I don't hear from that ip ever again. What's going on here? Did the script that all those kiddies are using break? Should I be more concerned?
---
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
Re: Chinese Kiddos with Broken Dicts?
Here's a video using custom dictionaries and netcat:

http://bitcast-a.bitgravity.com/revision3/web/hak5/0511/hak5--0511--netcat-virtualization-wordpress--large.xvid.avi

You only see the foolish ones in your logs; these exploits can also use an obfuscated source for a number of each of their source addresses, so what you see as a distributed attack is actually just one person running a 5-day-sized dictionary against the passwd file.

Check hydra, Jack the ripper, brutus (list here): http://sectools.org/crackers.html

On Sun, May 10, 2009 at 10:05 AM, Lisa Kachold wrote:
> This is the full lowdown on what to do:
>
> http://www.la-samhna.de/library/brutessh.html
>
> On Sun, May 10, 2009 at 9:57 AM, Lisa Kachold wrote:
>> This is the FIRST thing in setting up any secure server (along with, say, not running Apache or MySQL as root, etc.).
>>
>> Evidently you have not attended the HackFests, where more than a few of the group were, well, able to gain a login on a machine with various tools including brute forcing via Muppet, and dictionary attacks.
>>
>> http://a.mongers.org/muppets/20040808-sshscan-1
>>
>> http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/
>>
>> What you say? Nothing in the logs? Pwnership immediately cloaks all future access via nice wrappers for a list of binaries. Apt-get or yum refresh your ls, top, netstat, who, last.
>>
>> What you say? You ran a rootkit search and found nothing. Sorry, but the simple truth is that most craft their own rootkits via simple gcc make to even mimic the time/date creation and the file size.
>>
>> Set up a quick Snort and log to another server with no SSH to catch them in your spider trap?
>>
>> On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris <t...@supertunaman.com> wrote:
>>> Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
>>>> Be afraid, very afraid!
>>>>
>>> Oh hamburgers!
>>>
>>>> You must put that IP in your firewall!
>>>>
>>> Done.
>>>
>>>> There's a good chance they already got in, if you didn't put in iptables brute force controls?
>>>>
>>> OH SHI-
>>>
>>> How'd they get in? What's going on? :<
>>>
>>>> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris wrote:
>>>>
>>>>> Helloes.
>>>>>
>>>>> Yes, another thread about the Chinese.
>>>>>
>>>>> Okay so over the past couple days I've been seeing things like this:
>>>>>
>>>>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>>>>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>>>>>
>>>>> And then I don't hear from that ip ever again. What's going on here? Did the script that all those kiddies are using break? Should I be more concerned?
>>>>>
>>>>> Thanks!

--
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
Re: Chinese Kiddos with Broken Dicts?
This is the full lowdown on what to do:

http://www.la-samhna.de/library/brutessh.html

On Sun, May 10, 2009 at 9:57 AM, Lisa Kachold wrote:
> This is the FIRST thing in setting up any secure server (along with, say, not running Apache or MySQL as root, etc.).
>
> Evidently you have not attended the HackFests, where more than a few of the group were, well, able to gain a login on a machine with various tools including brute forcing via Muppet, and dictionary attacks.
>
> http://a.mongers.org/muppets/20040808-sshscan-1
>
> http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/
>
> What you say? Nothing in the logs? Pwnership immediately cloaks all future access via nice wrappers for a list of binaries. Apt-get or yum refresh your ls, top, netstat, who, last.
>
> What you say? You ran a rootkit search and found nothing. Sorry, but the simple truth is that most craft their own rootkits via simple gcc make to even mimic the time/date creation and the file size.
>
> Set up a quick Snort and log to another server with no SSH to catch them in your spider trap?
>
> On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris <t...@supertunaman.com> wrote:
>> Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
>>> Be afraid, very afraid!
>>>
>> Oh hamburgers!
>>
>>> You must put that IP in your firewall!
>>>
>> Done.
>>
>>> There's a good chance they already got in, if you didn't put in iptables brute force controls?
>>>
>> OH SHI-
>>
>> How'd they get in? What's going on? :<
>>
>>> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris wrote:
>>>
>>>> Helloes.
>>>>
>>>> Yes, another thread about the Chinese.
>>>>
>>>> Okay so over the past couple days I've been seeing things like this:
>>>>
>>>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>>>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>>>>
>>>> And then I don't hear from that ip ever again. What's going on here? Did the script that all those kiddies are using break? Should I be more concerned?
>>>>
>>>> Thanks!
Re: Chinese Kiddos with Broken Dicts?
This is the FIRST thing in setting up any secure server (along with, say, not running Apache or MySQL as root, etc.).

Evidently you have not attended the HackFests, where more than a few of the group were, well, able to gain a login on a machine with various tools including brute forcing via Muppet, and dictionary attacks.

http://a.mongers.org/muppets/20040808-sshscan-1

http://blog.taragana.com/index.php/archive/brute-force-ssh-hacking-attempt-on-my-server-guess-who-was-responsible/

What you say? Nothing in the logs? Pwnership immediately cloaks all future access via nice wrappers for a list of binaries. Apt-get or yum refresh your ls, top, netstat, who, last.

What you say? You ran a rootkit search and found nothing. Sorry, but the simple truth is that most craft their own rootkits via simple gcc make to even mimic the time/date creation and the file size.

Set up a quick Snort and log to another server with no SSH to catch them in your spider trap?

On Sat, May 9, 2009 at 9:56 PM, Andrew "Tuna" Harris <t...@supertunaman.com> wrote:
> Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
>> Be afraid, very afraid!
>>
> Oh hamburgers!
>
>> You must put that IP in your firewall!
>>
> Done.
>
>> There's a good chance they already got in, if you didn't put in iptables brute force controls?
>>
> OH SHI-
>
> How'd they get in? What's going on? :<
>
>> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris wrote:
>>
>>> Helloes.
>>>
>>> Yes, another thread about the Chinese.
>>>
>>> Okay so over the past couple days I've been seeing things like this:
>>>
>>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>>>
>>> And then I don't hear from that ip ever again. What's going on here? Did the script that all those kiddies are using break? Should I be more concerned?
>>>
>>> Thanks!
Re: Chinese Kiddos with Broken Dicts?
On Sat, 2009-05-09 at 22:35 -0700, Kurt Granroth wrote:
> That seems... unlikely. I have had thousands of unique IPs hit some of my hosts, many to never repeat after a round of attacks. The more plausible route is that they have a botnet of pwned boxes numbering in the hundreds of thousands and they just use them for random dictionary attacks. Once the dictionary attack is done (completely failed), they move on.
>
> One lesson to learn from this, though, is to NEVER allow name+password based logins over the Internet. If you open up port 22 to the world, then make sure you restrict logins to SSH key only. Most importantly:
>
> PasswordAuthentication no
>
> If a million monkeys can write the works of Shakespeare, then a million compromised zombies can eventually crack all of your passwords, too!
>

I NEVER open port 22 for SSH to the Internet but always use a different port number.

I ALWAYS use denyhosts (but there are other programs that do much the same thing) that blocks connections after a pre-defined number of failed attempts within a pre-defined time period. I use a pretty low number of failed attempts and a fairly wide time window period.

I used to pay attention to iptables reports and even once wrote a database program to import/sort/report on them because if you have a box on the Internet, you are going to get a lot of blocked attempts, but I really felt that virtually all of that time and energy was wasted. I am no longer surprised nor worried about people port scanning my public IP addresses any more.

I do employ SELinux these days for an added layer of protection but I don't know that I've had a system compromised in the last 10 years... but I did have several systems compromised a little over 10 years ago and started taking security very seriously.

I do scan my own systems to verify which ports are open on the Internet.

If you really want to know where your network is weakest... look at your wireless access point/router.

But really, the biggest threat these days is using a web browser because you can't even trust the web sites you think that you trust.

I sleep pretty well at night.

Craig
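Craig's denyhosts setup (block a source after N failed attempts inside a time window) can be expressed in a few lines over the sshd log. The script below is an added example, not denyhosts or code from the thread; it keeps a sliding window of failed-password timestamps per source address and reports the moment a source crosses the threshold, then emits the firewall rule that Lisa's "put that IP in your firewall" amounts to. It also shows why the line in the original post would not trigger such a block on its own: "Did not receive identification string" means the client connected and closed the socket without sending the SSH version banner, so no credentials were tried; it is tallied here as a probe, not a failure. The log lines are constructed (the first two are the ones quoted in the thread), and because syslog timestamps carry no year, 2009 is assumed.

```python
"""Threshold-in-window blocking of SSH brute-force sources.

Added example, not denyhosts or code from the thread. Parses classic
syslog-format sshd lines, counts failed password attempts per source IP
inside a sliding window, and reports sources to block.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2009  # syslog timestamps have no year; assumed for the sample

# Optional grep-style "file:" prefix, then "Mon dd HH:MM:SS".
TS_RE = re.compile(
    r"^(?:[^ ]*:)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)"
)
# One failed authentication attempt ("invalid user" lines also produce a
# separate "Invalid user" message; only the Failed password line is counted
# so a single attempt is not counted twice).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
# Connection closed before the SSH version banner was sent: a probe, no
# credentials were tried, so it must not count toward a block.
PROBE_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line):
    """Return (timestamp, kind, ip) with kind 'failed' or 'probe', else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        "%d %s %s %s" % (ASSUMED_YEAR, m.group("mon"), m.group("day"), m.group("time")),
        "%Y %b %d %H:%M:%S",
    )
    f = FAILED_RE.search(line)
    if f:
        return ts, "failed", f.group("ip")
    p = PROBE_RE.search(line)
    if p:
        return ts, "probe", p.group("ip")
    return None


def find_offenders(lines, max_failures=3, window_seconds=600):
    """Return ({ip: time_to_block}, {ip: probe_count}).

    A source is blocked on the failure that gives it max_failures failures
    within the last window_seconds; older failures slide out of the window.
    """
    recent = defaultdict(deque)
    blocked = {}
    probes = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, ip = parsed
        if kind == "probe":
            probes[ip] += 1
            continue
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked, dict(probes)


def iptables_rules(blocked):
    """Firewall rules for the blocked sources (iptables syntax)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(blocked)]


# Constructed sample log. The first two lines are the ones from the thread;
# 192.0.2.10 is a dictionary attack, 198.51.100.7 is a user mistyping a
# password every 25 minutes and then logging in with a key.
SAMPLE_LOG = """\
/var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
/var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
May 9 11:02:01 (none) sshd[702]: Failed password for invalid user oracle from 192.0.2.10 port 40210 ssh2
May 9 11:02:04 (none) sshd[704]: Failed password for invalid user test from 192.0.2.10 port 40215 ssh2
May 9 11:02:09 (none) sshd[706]: Failed password for root from 192.0.2.10 port 40221 ssh2
May 9 11:02:15 (none) sshd[708]: Failed password for invalid user admin from 192.0.2.10 port 40230 ssh2
May 9 11:05:00 (none) sshd[710]: Failed password for alice from 198.51.100.7 port 51000 ssh2
May 9 11:30:00 (none) sshd[720]: Failed password for alice from 198.51.100.7 port 51003 ssh2
May 9 11:55:00 (none) sshd[730]: Failed password for alice from 198.51.100.7 port 51009 ssh2
May 9 11:56:00 (none) sshd[731]: Accepted publickey for alice from 198.51.100.7 port 51010 ssh2
"""

if __name__ == "__main__":
    blocked, probes = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in blocked.items():
        print("block %s at %s" % (ip, when.time()))
    print("probes:", probes)
    print("\n".join(iptables_rules(blocked)))
```

With the defaults (3 failures in 10 minutes) only 192.0.2.10 is blocked, at its third attempt; the probe from 200.111.157.187 is reported but never blocked. Widening the window to an hour, as Craig describes doing, also catches the three spread-out failures from 198.51.100.7, which is the trade-off a wide window makes against locking out a legitimate user who fat-fingers a password.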
Re: Chinese Kiddos with Broken Dicts?
That seems... unlikely. I have had thousands of unique IPs hit some of my hosts, many to never repeat after a round of attacks. The more plausible route is that they have a botnet of pwned boxes numbering in the hundreds of thousands and they just use them for random dictionary attacks. Once the dictionary attack is done (completely failed), they move on.

One lesson to learn from this, though, is to NEVER allow name+password based logins over the Internet. If you open up port 22 to the world, then make sure you restrict logins to SSH key only. Most importantly:

PasswordAuthentication no

If a million monkeys can write the works of Shakespeare, then a million compromised zombies can eventually crack all of your passwords, too!

On 5/9/09 8:17 PM, Lisa Kachold wrote:
> Be afraid, very afraid!
>
> You must put that IP in your firewall!
>
> There's a good chance they already got in, if you didn't put in iptables brute force controls?
>
> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris <t...@supertunaman.com> wrote:
>
>> Helloes.
>>
>> Yes, another thread about the Chinese.
>>
>> Okay so over the past couple days I've been seeing things like this:
>>
>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>>
>> And then I don't hear from that ip ever again. What's going on here? Did the script that all those kiddies are using break? Should I be more concerned?
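Kurt's advice comes down to one sshd_config line, but a config that looks hardened can still accept passwords: when the PasswordAuthentication line is commented out the OpenSSH default (yes) applies, keyboard-interactive authentication (ChallengeResponseAuthentication, renamed KbdInteractiveAuthentication in OpenSSH 8.7) can still hand PAM a password prompt, and a later Match block can re-enable passwords for some clients. The Python script below is an added example, not code from the thread or from OpenSSH; it parses sshd_config the way sshd reads it (comments stripped, keywords case-insensitive, the first occurrence of a keyword wins, Match blocks scope every later line until the next Match) and reports whatever would still let a password through. The three sample configs are constructed.

```python
"""Audit an sshd_config for settings that still permit password logins.

Added example, not from the thread or from OpenSSH. Defaults below are
OpenSSH's documented ones and apply when a keyword is absent or commented out.
"""
import re

DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",       # OpenSSH >= 8.7 name
    "challengeresponseauthentication": "yes",    # older name, same switch
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lowercase keyword -> first value seen, because sshd
    honours the first occurrence of a keyword and ignores later duplicates.
    match_blocks is a list of (criteria, settings) in file order; a block's
    settings apply only to connections matching its criteria.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value.lower())
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means key-only logins."""
    settings, matches = parse_sshd_config(text)
    effective = dict(DEFAULTS)
    effective.update(settings)
    findings = []
    if effective["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no' (effective: %s)"
                        % effective["passwordauthentication"])
    # Even with PasswordAuthentication no, PAM can still ask for a password
    # over keyboard-interactive unless that method is disabled as well.
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication "
                        "is not 'no' (effective: %s)" % kbd)
    if effective["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password "
                        "whenever any password method is enabled")
    if effective["pubkeyauthentication"] == "no":
        findings.append("PubkeyAuthentication no leaves no key-based method")
    for criteria, block in matches:
        if block.get("passwordauthentication") == "yes":
            findings.append("Match %s re-enables PasswordAuthentication" % criteria)
    return findings


# Constructed sample: a stock-looking config with password logins still on.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
#PasswordAuthentication no   (commented out, so the default 'yes' applies)
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed sample: the key-only setup recommended in the thread.
HARDENED_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed sample: hardened globally, but a Match block turns passwords
# back on for one address range.
MATCH_CONFIG = HARDENED_CONFIG + """
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("match", MATCH_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok: key-only logins"])
```

On a live host, `sshd -T` prints the effective configuration with defaults and include files already resolved, and its output can be fed to the same function; that is a better check than reading the file, since a distribution drop-in under sshd_config.d can override what the main file says.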
Re: Chinese Kiddos with Broken Dicts?
Excerpts from Lisa Kachold's message of Sat May 09 20:17:24 -0700 2009:
> Be afraid, very afraid!
>
Oh hamburgers!

> You must put that IP in your firewall!
>
Done.

> There's a good chance they already got in, if you didn't put in iptables brute force controls?
>
OH SHI-

How'd they get in? What's going on? :<

> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris wrote:
>
>> Helloes.
>>
>> Yes, another thread about the Chinese.
>>
>> Okay so over the past couple days I've been seeing things like this:
>>
>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>>
>> And then I don't hear from that ip ever again. What's going on here? Did the script that all those kiddies are using break? Should I be more concerned?
>>
>> Thanks!
Re: Chinese Kiddos with Broken Dicts?
Be afraid, very afraid!

You must put that IP in your firewall!

There's a good chance they already got in, if you didn't put in iptables brute force controls?

On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris wrote:
> Helloes.
>
> Yes, another thread about the Chinese.
>
> Okay so over the past couple days I've been seeing things like this:
>
> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
> /var/log/messages:May 9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>
> And then I don't hear from that ip ever again. What's going on here? Did the script that all those kiddies are using break? Should I be more concerned?
>
> Thanks!