RE: SSH server under attack...



Dave and et al,

Like anyone that runs a server with Internet facing ports, I run into
the same issue as Dave, but my linux hosts only allow ssh public keys
for login. Since my linux hosts frequently get probed, I opted to write
a script, which runs each minute via cron, to check /var/log/messages
each minute for failed login attempts with the offending IP addresses
being written/appended to a local file. I also white list certain
private network ranges I use, with this data contained in a different
file than the offending IP addresses.

In the script, whenever the offending IP address file is updated,
iptables is reloaded, with iptables loading the white listed and
offending IP addresses and the offending IP addresses being dropped.
Just because I hate spammers, I also take the same action for servers
that try to relay e-mail via port 25.

Downside to my solution: Of course a lot can happen in one minute. If
this is the case and you still want to write your own code, try looking
at daemon tools (cr.yp.to) and logdog (caspian.dotconf.net). Of course
once I have more time, I will take my own advice and move my script from
cron to using daemon tools and logdog. I have also looked at logwatch
and swatch, but they did not seem to have the functionality I wanted.

Greg

-----Original Message-----
From: ilaiy [mailto:ilaiy.e@xxxxxxxxx]
Sent: Tuesday, January 24, 2006 2:01 PM
To: Dave
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: SSH server under attack...

Add a entry to hosts.deny ..

You could use iptables to drop all tracfic from that host too

./thanks
ilaiy

On 1/23/06, Dave <dlaud.flux@xxxxxxxxx> wrote:
> My SSH server has been under DoS and I cant stop it!!!
>
> I changed the port of the SSH server from 22 to 2222. This isnt going
> to really do much but it would stop some automated script that attacks

> port 22. OK...within a few hours the server was being attacked again
> on port 2222. This is an *active* attacker, active in that he is
> actively monitoring what he is doing. The router/firewall logs dont
> show any dropped packets sent to port 22 so he changed the port of the

> attack script. Now, the new machine to attack me is 200.55.192.29.
> This belongs to a company in south america called 'Springs South
> America Textiles Ltda.'. I scanned the machine and found that it is
> hosting a webserver
> (Apache/2.0.52 (Fedora) Server at www.springs.cl) among other
services.
> The last machine the attacker used to brute_force me was also an
> apache server (rh linux). So this attacker is cracking various
> webservers (most
> likely) or some other service on these boxes in order to use these
> machines as an attack platform. Now, yes, i notified the admin of this

> company etc..but think of this. If this admin is going to put an
> *unused* and unprotected server on the net then what kind of admin is
> he? Will he even care about my email? Who knows! Calling the
> authorities is not going to work 'cause frankly I am a nobody...who
> cares if my servers are under attack! No one is going to waste
> resource (money) in trying to find this guy, so really its up to me.
> So what do we know about this guy? At first the info seems
> conflicting: He has the ability to crack a number of random servers
> and use them at his disposal but he is running the same stupid attack
> over and over...why? First off, the attack is a brute force attack. He

> is trying to guess a username password combo in order to be able to
> log into my server and get shell access...but maybe not. Like I
> said..he is no dummy. So what is he doing? I think DoS (denial of
> service) , the brute force tool is just the means to an end. He isnt
> trying to break in by doing this. Maybe he coudnt break in to my
> server so he is resorting to the next trick up his sleeve. By having
> all these machines attempting to log into my server over and over he
> might be trying to use up my bandwidth in effect causing a DoS to
> anyone! OR...In closely looking at the logs you will notice something
*unusual*:
>
> Failed password for invalid user admin from ::ffff:200.55.192.29 port
> 34182 ssh2
> Invalid user admin from ::ffff:200.55.192.29 Failed password for
> invalid user admin from ::ffff:200.55.192.29 port
> 34679 ssh2
> Invalid user admin from ::ffff:200.55.192.29 Failed password for
> invalid user admin from ::ffff:200.55.192.29 port
> 34752 ssh2
> Invalid user administrator from ::ffff:200.55.192.29 Failed password
> for invalid user administrator from ::ffff:200.55.192.29 port 35253
> ssh2 Invalid user administrator from ::ffff:200.55.192.29 Failed
> password for invalid user administrator from ::ffff:200.55.192.29 port

> 35735 ssh2 Invalid user administrator from ::ffff:200.55.192.29 Failed

> password for invalid user administrator from ::ffff:200.55.192.29 port

> 36237 ssh2 Invalid user tads from ::ffff:200.55.192.29 Failed password

> for invalid user tads from ::ffff:200.55.192.29 port
> 36703 ssh2
> Invalid user tads from ::ffff:200.55.192.29 Failed password for
> invalid user tads from ::ffff:200.55.192.29 port
> 36813 ssh2
> Invalid user tads from ::ffff:200.55.192.29 Failed password for
> invalid user tads from ::ffff:200.55.192.29 port
> 37332 ssh2
> Invalid user tip from ::ffff:200.55.192.29 Failed password for invalid

> user tip from ::ffff:200.55.192.29 port 37820 ssh2 Invalid user tip
> from ::ffff:200.55.192.29 Failed password for invalid user tip from
> ::ffff:200.55.192.29 port
> 38267 ssh2
> Invalid user tip from ::ffff:200.55.192.29 Failed password for invalid

> user tip from ::ffff:200.55.192.29 port
> 38757 ssh2
> Invalid user myra from ::ffff:200.55.192.29 Failed password for
> invalid user myra from ::ffff:200.55.192.29 port
> 38844 ssh2
> Invalid user myra from ::ffff:200.55.192.29 Failed password for
> invalid user myra from ::ffff:200.55.192.29 port
> 39333 ssh2
> Invalid user myra from ::ffff:200.55.192.29 Failed password for
> invalid user myra from ::ffff:200.55.192.29 port
> 39812 ssh2
> Invalid user jack from ::ffff:200.55.192.29 Failed password for
> invalid user jack from ::ffff:200.55.192.29 port
> 40312 ssh2
> Invalid user jack from ::ffff:200.55.192.29 Failed password for
> invalid user jack from ::ffff:200.55.192.29 port
> 40787 ssh2
> Invalid user jack from ::ffff:200.55.192.29 Failed password for
> invalid user jack from ::ffff:200.55.192.29 port
> 40893 ssh2
> Invalid user sya from ::ffff:200.55.192.29
>
>
> Each user name was tried three times. What does this mean...I dont
> know but right off hand I would guess that he is trying to lock out
> legit user accounts. You see some servers will disallow a user to log
> in if they entered three wrong passwords. This, strangely enough, is
> used to help stop brute forcing!!! Anyway, The attacker has put
> together a list of *potential* user names that *might* be found on my
> server and is attempting to lock them out...in effect creating a DoS
> to any users whose names appear on this list.
>
> He also knew right away when I changed the sshd port number and wasted

> no time in getting another machine to attack me via this port!
>
> Authorities arent going to help...Servers admin prob doesnt care plus
> the attacker most likely has access to any number of servers so
> writing the abuse lines could be a daily chore just to keep up...any
> recommendations?
>
> Any help / comments / flames appreciated
>
> take it easy...
> dave
>
> ----------------------------------------------------------------------
> ----- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The
> Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting
experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
> Planning, Computer Emergency Response Teams, and Digital
Investigations.
>
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------
> -----
>
>

------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



Relevant Pages

  • SSH server under attack...
    ... OK...within a few hours the server was being attacked again on port 2222. ... The router/firewall logs dont show any dropped packets sent to port 22 so he changed the port of the attack script. ... I scanned the machine and found that it is hosting a webserver Server at www.springs.cl) among other services. ... Invalid user admin from::ffff:200.55.192.29 Failed password for invalid user admin from::ffff:200.55.192.29 port ...
    (Security-Basics)
  • UT DDoS risk
    ... UDP 7778 is for server querying. ... - The host A send 1 empty UDP packet with the source IP of the host C ... (UT default port) ... The host A after 2 mins and 30 secs can restart the attack. ...
    (Bugtraq)
  • Re: Security problem
    ... simply to use a non-standard port. ... names and passwords, on large ranges of IP addresses. ... order to perform successful brute-force attack and that's ludicrous. ... DROP incoming packets for other ports (and what internet-facing server ...
    (comp.os.linux.development.apps)
  • Re: SSH server under attack...
    ... > My SSH server has been under DoS and I cant stop it!!! ... > I changed the port of the SSH server from 22 to 2222. ... the new machine to attack me is 200.55.192.29. ... > Computer Emergency Response Teams, ...
    (Security-Basics)
  • [NT] Web Browsers Vulnerable to the Extended HTML Form Attack
    ... inject HTML scripts, which makes use of the same method described in the ... The Original HTML form attack: ... server 7 open ...
    (Securiteam)