Re: Repeated attacks via SSH

From: Marcin Jessa (lists_at_yazzy.org)
Date: 10/03/05

  • Next message: Kevin Day: "Re: Repeated attacks via SSH"

    Date: Sun, 2 Oct 2005 22:44:13 +0000
    To: Brett Glass <brett@lariat.org>


    On Sun, 02 Oct 2005 16:01:26 -0600
    Brett Glass <brett@lariat.org> wrote:

    : Everyone:
    :
    : We're starting to see a rash of password guessing attacks via SSH
    : on all of our exposed BSD servers which are running an SSH daemon.
    : They're coming from multiple addresses, which makes us suspect that
    : they're being carried out by a network of "bots" rather than a single
    : attacker.
    :
    : But wait... there's more. The interesting thing about these attacks
    : is that the user IDs for which passwords are being guessed aren't
    : coming from a completely fixed list. Besides guessing at the
    : passwords for root, toor, news, admin, test, guest, webmaster,
    : sshd, and mysql, the bots are also trying to get into our mail
    : exchangers via user IDs which are the actual names of users for
    : whom the machines receive mail. In one case, we saw an attempt to
    : use the name of a user who hadn't been on for years but whose
    : address was published ONCE (according to Google and AltaVista) on
    : the Net. Since the attackers are not guessing at hundreds of
    : invalid user names, the only conclusion we can draw is that when
    : one of the bots attacks a mail server, it quickly tries to harvest
    : e-mail addresses from the server's domain from the Net and then
    : tries them, in the hope that those users (a) are enabled for SSH
    : and (b) have weak passwords.
    :
    : SSH is enabled by default in most BSD-ish operating systems, and
    : this makes us a bigger target for these bots than users of OSes
    : that don't come with SSH (not that they're not more vulnerable in
    : other ways!). Therefore, it's strongly recommended that, where
    : practical, everyone limit SSH logins to the minimum possible number
    : of users via the "AllowUsers" directive. We also have a log monitor
    : that watches the logs (/var/log/auth.log in particular) and
    : blackholes hosts that seem to be trying to break in via SSH.
    :

    Great email Brett, this is indeed a true revelation we all at
    freebsd-security@ have been waiting for.
    B.T.W, did you also notice they harvest email addresses and send you
    useless information about products you don't need?
    I *** you not.
    One needs to be careful since SMTP servers are available by default in
    most BSD-ish operating systems, and this makes us a bigger target for
    these email bots than users of OSes that don't come with SMTP (not that
    they're not more vulnerable in other ways!).

    Cheers,
    Marcin.

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
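Brett's quoted post describes a log monitor that watches /var/log/auth.log and blackholes hosts that keep guessing SSH passwords, and notes that the bots mix a fixed list of account names with names harvested from the target domain. The script below is an added example of such a monitor, written for this page; it is not Brett's or Marcin's tool and not FreeBSD project code. It assumes the "Failed password for ..." line format that OpenSSH's sshd wrote to syslog around 2005 (both the older "illegal user" and the newer "invalid user" wording), a per-host threshold of five failures, and a pf table named "sshbrute" that a pf.conf rule already blocks; the log lines are constructed for the example, with hosts from documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines in the format OpenSSH's sshd
# logged via syslog on FreeBSD in 2005. Not real data: the hosts come from the
# RFC 5737 documentation ranges and the usernames echo the ones named in the
# post. Both the "illegal user" (older OpenSSH) and "invalid user" (newer)
# wording appear because a monitor must match whichever version is deployed.
SAMPLE_AUTH_LOG = """\
Oct  2 16:01:26 mx1 sshd[4711]: Failed password for illegal user admin from 192.0.2.10 port 54321 ssh2
Oct  2 16:01:28 mx1 sshd[4713]: Failed password for root from 192.0.2.10 port 54322 ssh2
Oct  2 16:01:30 mx1 sshd[4715]: Failed password for illegal user test from 192.0.2.10 port 54323 ssh2
Oct  2 16:01:33 mx1 sshd[4717]: Failed password for invalid user guest from 192.0.2.10 port 54324 ssh2
Oct  2 16:01:35 mx1 sshd[4719]: Failed password for illegal user webmaster from 192.0.2.10 port 54325 ssh2
Oct  2 16:02:01 mx1 sshd[4721]: Failed password for illegal user mysql from 198.51.100.7 port 40001 ssh2
Oct  2 16:02:04 mx1 sshd[4723]: Failed password for jsmith from 198.51.100.7 port 40002 ssh2
Oct  2 16:05:10 mx1 sshd[4730]: Accepted publickey for brett from 203.0.113.5 port 51000 ssh2
Oct  2 16:06:10 mx1 sshd[4731]: Failed password for brett from 203.0.113.5 port 51001 ssh2
"""

# Account names the post says the bots try everywhere. A failed attempt
# against any other name is a candidate for a harvested address.
DEFAULT_PROBE_USERS = {"root", "toor", "news", "admin", "test", "guest",
                       "webmaster", "sshd", "mysql"}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port \d+"
)


def failures_by_host(log_text):
    """Map each source host to the usernames it failed to log in as, in log
    order. Successful logins and unrelated lines are ignored."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("host")].append(m.group("user"))
    return dict(failures)


def offenders(log_text, threshold=5):
    """Hosts with at least `threshold` failed password attempts, sorted.
    The threshold is an assumption of this example: set it high enough that a
    legitimate user mistyping a password a few times is not blackholed."""
    return sorted(host for host, users in failures_by_host(log_text).items()
                  if len(users) >= threshold)


def harvested_names(log_text):
    """Usernames tried that are outside the bots' fixed list, i.e. the attempts
    the post attributes to names scraped from published e-mail addresses."""
    names = set()
    for users in failures_by_host(log_text).values():
        names.update(u for u in users if u not in DEFAULT_PROBE_USERS)
    return sorted(names)


def block_commands(hosts, table="sshbrute"):
    """Build (but do not run) pfctl commands adding each host to a pf table.
    Assumes pf.conf already has a rule blocking traffic from <sshbrute>; the
    table name is this example's choice, not something from the post."""
    return [f"pfctl -t {table} -T add {h}" for h in hosts]


if __name__ == "__main__":
    per_host = failures_by_host(SAMPLE_AUTH_LOG)
    bad = offenders(SAMPLE_AUTH_LOG)
    for host in bad:
        print(f"{host}: {len(per_host[host])} failures, "
              f"users {', '.join(sorted(set(per_host[host])))}")
    print("possibly harvested names:", ", ".join(harvested_names(SAMPLE_AUTH_LOG)))
    for cmd in block_commands(bad):
        print(cmd)
```

Run against the constructed sample, only 192.0.2.10 crosses the five-failure threshold, while the single failure from 203.0.113.5 (a real user who then authenticated with a key) is left alone. The harvested-name heuristic depends on the fixed list Brett observed and will also flag ordinary typos of local usernames, so treat it as an indicator, not a verdict. The monitor complements rather than replaces the "AllowUsers" restriction in sshd_config: once only a handful of accounts may log in at all, a guessed name for anyone else fails before the password is even considered.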

