Re: SSH bruteforce on its way...
From: Daniel Cid (danielcid_at_yahoo.com.br)
Date: 10/26/05
- Previous message: Tillmann Werner: "Re: Who is looking for port 2036?"
- In reply to: Russell Fulton: "Re: SSH bruteforce on its way..."
- Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: SSH bruteforce on its way..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Oct 2005 18:28:12 -0300 (ART)
To: Russell Fulton <r.fulton@auckland.ac.nz>, incidents@securityfocus.com
Another idea is to use some kind of HIDS with log
analysis. I like the OSSEC HIDS (self promotion :) ),
because it does log analysis, integrity checking and
rootkit detection (http://www.ossec.net/hids)...
Recently I had a problem with SSH brute force, and an
alert like the following e-mail is very useful...
OSSEC HIDS Notification.
2005 Oct 13 18:29:41
Received From: /var/log/auth.log
Rule: 404 fired (level 10) -> "Attempt to login using
a non-existent user"
Portion of the log(s):
"sshd[26512]: Invalid user yyy from x.x.x.x
"
--END OF NOTIFICATION
OSSEC HIDS Notification.
2005 Oct 13 18:29:41
Received From: /var/log/auth.log
Rule: 408 fired (level 13) -> "SSHD brute force trying
to get access to the system"
Portion of the log(s):
"sshd[26510]: Invalid user db2as from x.x.x.x
sshd[26512]: Invalid user rwa from x.x.x.x
sshd[26504]: Invalid user ro from x.x.x.x
sshd[26502]: Invalid user db2fenc1 from x.x.x.x
sshd[26496]: Invalid user swift from x.x.x.x
sshd[26498]: Invalid user db2as from x.x.x.x
sshd[26489]: Invalid user db2fenc1 from x.x.x.x
sshd[26486]: Invalid user n3ssus from x.x.x.x
sshd[26483]: Invalid user bash from x.x.x.x
"
--END OF NOTIFICATION
Hope it helps..
--
Daniel B. Cid, CISSP
daniel.cid@ (at )gmail.com

--- Russell Fulton <r.fulton@auckland.ac.nz> wrote:

> Justin wrote:
> > Jouser,
> >
> > Nah, there were some exploits a while back that took advantage of
> > some timing flaws in the SSHd that let attackers determine valid
> > usernames.
> Would you please provide some supporting references. I cannot find any
> evidence of existing timing attacks against openssh. In fact Openssh
> goes to some trouble to defeat such attacks.
>
> While on this thread, one effective countermeasure against brute force
> password attacks is to use decent passwords, which everyone should be
> doing anyway. We have lost about 3 systems here to ssh brute force
> attacks and in all cases the systems were in serious breach of our
> policies (which are not particularly draconian).
>
> In one case I did feel a bit sorry for the victims, they had installed a
> third party package that created an account with an insecure password
> and they never noticed. A good case for a simple monitoring script like
> the one that is run nightly on an OBSD system that warns you about changes
> in critical files.
>
> Russell.
>
> > peace,
> > --Justin
> >
> > On 21 Oct 2005 18:05:27 -0000, jouser@gmail.com <jouser@gmail.com> wrote:
> >
> >> I didn't think it was possible to determine valid usernames by themselves? You either have a valid username AND password or not.
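The two notifications above show the shape of OSSEC's log analysis for this case: one rule fires on every `Invalid user` line, and a second, higher-level rule fires once a single source address produces a burst of them. The following Python is an added illustration of that two-stage logic; it is not OSSEC's code and not part of the original message. The rule numbers, levels and descriptions are taken from the notifications above; the threshold (6 events within 120 seconds), the year used to complete the syslog timestamps, and the sample log lines are assumptions.

```python
"""Toy OSSEC-style analysis of sshd "Invalid user" events.

Added example, not OSSEC's own code.  Rule 404 (level 10) fires on every
invalid-user line and rule 408 (level 13) when one source IP produces
FREQUENCY such lines within TIMEFRAME seconds; the numbers and levels follow
the notifications in the post, the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog line: "Oct 13 18:29:41 host sshd[pid]: Invalid user NAME from IP"
INVALID_USER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<msg>sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+))$"
)

# Assumption: syslog timestamps carry no year; the post is from 2005.
SYSLOG_YEAR = 2005
EPOCH = datetime(SYSLOG_YEAR, 1, 1)

# Constructed sample auth.log excerpt (not the log from the original post).
SAMPLE_LOG = """\
Oct 13 18:29:30 gw sshd[26483]: Invalid user bash from 203.0.113.7
Oct 13 18:29:31 gw sshd[26486]: Invalid user n3ssus from 203.0.113.7
Oct 13 18:29:33 gw sshd[26489]: Invalid user db2fenc1 from 203.0.113.7
Oct 13 18:29:35 gw sshd[26496]: Invalid user swift from 203.0.113.7
Oct 13 18:29:38 gw sshd[26502]: Invalid user db2fenc1 from 203.0.113.7
Oct 13 18:29:40 gw sshd[26504]: Invalid user ro from 203.0.113.7
Oct 13 18:29:41 gw sshd[26512]: Invalid user rwa from 203.0.113.7
Oct 13 18:29:41 gw sshd[26510]: Invalid user db2as from 203.0.113.7
Oct 13 18:30:02 gw sshd[26520]: Accepted publickey for alice from 198.51.100.4 port 50222 ssh2
Oct 13 18:31:10 gw sshd[26530]: Invalid user yyy from 198.51.100.9
"""


def parse_ts(text):
    """Seconds since EPOCH for a syslog timestamp such as "Oct  3 18:29:41"."""
    ts = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")
    return (ts.replace(year=SYSLOG_YEAR) - EPOCH).total_seconds()


def analyze(log_text, frequency=6, timeframe=120):
    """Return alerts as dicts with rule, level, ip and the matched log lines."""
    alerts = []
    recent = defaultdict(deque)  # per source IP: (seconds, msg) still inside timeframe
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if not m:
            continue  # accepted logins and other sshd messages are ignored
        now, ip, msg = parse_ts(m["ts"]), m["ip"], m["msg"]
        alerts.append({"rule": 404, "level": 10, "ip": ip, "lines": [msg]})
        window = recent[ip]
        window.append((now, msg))
        while window and window[0][0] < now - timeframe:
            window.popleft()  # expire events older than the timeframe
        if len(window) >= frequency:
            alerts.append({"rule": 408, "level": 13, "ip": ip,
                           "lines": [text for _, text in window]})
            window.clear()  # one notification per burst, then start counting again
    return alerts


DESCRIPTIONS = {404: "Attempt to login using a non-existent user",
                408: "SSHD brute force trying to get access to the system"}


def format_alert(alert, source="/var/log/auth.log"):
    """Render an alert in the layout of the notifications quoted above."""
    body = "\n".join(alert["lines"])
    return (f"OSSEC-style Notification.\nReceived From: {source}\n"
            f"Rule: {alert['rule']} fired (level {alert['level']}) -> "
            f"\"{DESCRIPTIONS[alert['rule']]}\"\nPortion of the log(s):\n"
            f"\"{body}\n\"\n--END OF NOTIFICATION")


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        if alert["level"] >= 13:
            print(format_alert(alert))
```

Run stand-alone it prints one level-13 notification for 203.0.113.7 listing the six lines that crossed the threshold; the single `Invalid user yyy` from the second address only produces a level-10 event. Clearing the window after a burst is a deliberate choice so that a long-running scan produces one notification per burst rather than one per additional line; the sliding window also means six attempts spread over more than the timeframe never reach the brute-force rule, which is the trade-off to keep in mind when picking thresholds.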