Re: ssd attacks; worm? and precautionary steps

From: Barton L. Phillips (bartonphillips_at_sbcglobal.net)
Date: 08/21/05

    Date: Sun, 21 Aug 2005 19:21:00 GMT

    H.S. wrote:
    > Hi,
    >
    > Many people are now aware of the sshd attacks that one gets on his/her
    > linux box connected to the internet and running an SSH server.
    >
    > I am wondering, is this just a script? Or a worm? Does the program
    > responsible for these attacks have a name yet? One could write a brute
    > force script that implements such an attack, but I wonder if the actual
    > rogue script is available. I intend to run a laptop with a live linux CD,
    > connect it on my home LAN and see if I can use that script to hack into
    > it -- and also to check security on my other machines.
    >
    > So far, I have taken the following steps to prevent being compromised
    > from these attacks:
    >
    > 1. In my ssh server, I do not allow root login remotely and allow only
    > certain users to login via ssh.
    >
    > 2. I make sure that the users who are allowed ssh access have good
    > passwords.
    >
    > 3. I have the following rules in my iptables script (where SSH_PORT=22,
    > SSH_PORTS=1024:65535):
    > #-----------------------------------------------------------
    > if [ $SSH_SERVER -gt 0 ]; then
    > #if any hosts are specified to be allowed access, give it here.
    > for IPADDR in $SSH_ALLOW_CLIENTS; do
    > echo "Allowing SSH access to host IP: $IPADDR"
    > #allow only already established and related in
    > $IPTABLES -A INPUT -i $EXTIF -p TCP \
    > -s $IPADDR --sport $SSH_PORTS --dport $SSH_PORT \
    > -m state --state ESTABLISHED,RELATED -j ACCEPT
    > #limit the rate at which new connects are allowed
    > $IPTABLES -A INPUT -i $EXTIF -p TCP \
    > -s $IPADDR --sport $SSH_PORTS --dport $SSH_PORT \
    > -m state --state NEW -m limit --limit 1/m --limit-burst 5 \
    > -j ACCEPT
    > # drop the new connections that violate the rate limit above
    > $IPTABLES -A INPUT -i $EXTIF -p TCP \
    > -s $IPADDR --sport $SSH_PORTS --dport $SSH_PORT \
    > -m state --state NEW -j DROP
    > done
    > #allow the SSH server's (non-SYN) reply packets out to the clients' high ports.
    > $IPTABLES -A OUTPUT -o $EXTIF -p TCP ! --syn \
    > --sport $SSH_PORT --dport $SSH_PORTS -j ACCEPT
    > fi
    > #-----------------------------------------------------------
    >
    > I used to see many attempts in /var/log/syslog (on Debian Testing,
    > 2.6.11 kernel). After the iptables limit rule implementation (based on
    > the other thread about "Dictionary sshd attacks" in
    > comp.os.linux.security), I got this today in my syslog file:
    > #-----------------------------------------------------
    > Aug 21 12:44:20 localhost sshd[19143]: Did not receive identification
    > string from ::ffff:211.22.160.242
    > Aug 21 12:56:15 localhost sshd[19161]: reverse mapping checking
    > getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE
    > BREAKIN ATTEMPT!
    > Aug 21 12:56:15 localhost sshd[19161]: User root not allowed because not
    > listed in AllowUsers
    > Aug 21 12:56:17 localhost sshd[19163]: Illegal user admin from
    > ::ffff:211.22.160.242
    > Aug 21 12:56:17 localhost sshd[19163]: reverse mapping checking
    > getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE
    > BREAKIN ATTEMPT!
    > Aug 21 12:56:20 localhost sshd[19165]: Illegal user test from
    > ::ffff:211.22.160.242
    > Aug 21 12:56:20 localhost sshd[19165]: reverse mapping checking
    > getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE
    > BREAKIN ATTEMPT!
    > Aug 21 12:56:22 localhost sshd[19167]: Illegal user guest from
    > ::ffff:211.22.160.242
    > Aug 21 12:56:22 localhost sshd[19167]: reverse mapping checking
    > getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE
    > BREAKIN ATTEMPT!
    > Aug 21 12:56:25 localhost sshd[19169]: Illegal user webmaster from
    > ::ffff:211.22.160.242
    > Aug 21 12:56:25 localhost sshd[19169]: reverse mapping checking
    > getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE
    > BREAKIN ATTEMPT!
    > #-----------------------------------------------------
    >
    > And after the last 5 attempts, the future packets were dropped:
    > # iptables -nvL | grep -B2 -A2 'limit'
    > 0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0
    > 0.0.0.0/0 tcp spt:22 dpts:1024:65535 flags:!0x16/0x02
    > 0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0
    > 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state RELATED,ESTABLISHED
    > 6 360 ACCEPT tcp -- ppp0 * 0.0.0.0/0
    > 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW limit: avg
    > 1/min burst 5
    > 3 180 DROP tcp -- ppp0 * 0.0.0.0/0
    > 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW
    > 0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0
    > 0.0.0.0/0 tcp spt:21 dpts:1024:65535 flags:!0x16/0x02
    >
    >
    >
    > These preventive steps make me feel better. The limit rule in iptables
    > gives added security since no one can just go on trying various
    > passwords now.
    >
    > And my queries now are:
    > 1. Does the rogue worm/script/program have a name? Where can I get it from?
    > 2. I occasionally use my D-Link DI-604 router to connect to my ISP. Does
    > anybody have any idea if that particular router is running an SSH server
    > and is prone to such attacks (any default accounts with none or weak
    > passwords)?
    >
    > regards,
    > ->HS
    >
    You may want to move SSH to another port instead of the default 22. I
    did this and have seen no ssh attacks since. Another good practice is to
    only allow public/private key access instead of passwords (if possible).

    Sorry I can't answer your two questions however.
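One caveat on the quoted `-m limit --limit 1/m --limit-burst 5` rule that neither post raises: the `iptables -nvL` output shows the rule with source `0.0.0.0/0`, so that loop was run for a wildcard and the token bucket is shared by every source on the internet. Anyone who opens five connections empties it, and the legitimate admin is then dropped too until a token refills (one per minute). The Python below is an added illustration, not code from the thread; it models the limit match as a token bucket (a model, not the kernel implementation) and compares the shared bucket with per-source buckets, which is what iptables' `hashlimit` match with `--hashlimit-mode srcip` provides. The addresses and timings are constructed.

```python
from collections import defaultdict


class TokenBucket:
    """Model of iptables' '-m limit --limit R --limit-burst B' match (not the
    kernel code): the bucket holds at most B tokens, refills at R tokens per
    second, and each matched packet consumes one token or fails the match."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # refill for the elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(attempts, per_source, rate_per_sec=1 / 60, burst=5):
    """attempts: (time_in_seconds, source_ip) pairs, i.e. new SSH connections.
    per_source=False is one bucket for every source (the thread's rule, which
    matches src 0.0.0.0/0); per_source=True keys a bucket by source address,
    as '-m hashlimit --hashlimit-mode srcip' does.
    Returns {source_ip: (accepted, dropped)}."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_sec, burst))
    shared = TokenBucket(rate_per_sec, burst)
    counts = defaultdict(lambda: [0, 0])
    for now, src in sorted(attempts):
        bucket = buckets[src] if per_source else shared
        counts[src][0 if bucket.allow(now) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed scenario (documentation addresses, not from the thread): a
# guesser at 192.0.2.10 opens 12 connections in the first 30 s, then the
# legitimate admin at 203.0.113.5 tries to log in once at t = 45 s.
GUESSER = [(i * 2.5, "192.0.2.10") for i in range(12)]
ADMIN = [(45.0, "203.0.113.5")]


def compare():
    """Same traffic against the shared bucket and against per-source buckets."""
    return {
        "shared": simulate(GUESSER + ADMIN, per_source=False),
        "per_source": simulate(GUESSER + ADMIN, per_source=True),
    }


if __name__ == "__main__":
    for mode, result in compare().items():
        print(mode)
        for src, (ok, dropped) in result.items():
            print(f"  {src}: {ok} accepted, {dropped} dropped")
```

With the shared bucket the guesser gets its 5 burst connections and the admin's single attempt at 45 s is dropped; with per-source buckets the guesser is throttled the same way and the admin still gets in. H.S.'s design of looping over `$SSH_ALLOW_CLIENTS` avoids the problem only when that list names specific client addresses rather than a wildcard.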


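The quoted syslog excerpt is the other half of the picture: the `iptables -nvL` counters say how many connections were dropped but not who was guessing which account names. The Python below is an added example, not part of the thread, that parses lines in the format sshd wrote in the excerpt (the `Illegal user ... from`, `Did not receive identification string`, `reverse mapping checking` and `AllowUsers` messages), attributes them to a source address through the per-connection sshd pid, and flags sources above a guess threshold. The sample log is constructed in that same format with documentation addresses; the event names and the threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format of the thread's excerpt
# (documentation addresses; not the thread's own log lines).
SAMPLE_LOG = """\
Aug 21 12:44:20 localhost sshd[19143]: Did not receive identification string from ::ffff:192.0.2.10
Aug 21 12:56:15 localhost sshd[19161]: reverse mapping checking getaddrinfo for host.example.invalid failed - POSSIBLE BREAKIN ATTEMPT!
Aug 21 12:56:15 localhost sshd[19161]: User root not allowed because not listed in AllowUsers
Aug 21 12:56:17 localhost sshd[19163]: Illegal user admin from ::ffff:192.0.2.10
Aug 21 12:56:20 localhost sshd[19165]: Illegal user test from ::ffff:192.0.2.10
Aug 21 12:56:22 localhost sshd[19167]: Illegal user guest from ::ffff:192.0.2.10
Aug 21 12:56:25 localhost sshd[19169]: Illegal user webmaster from ::ffff:192.0.2.10
Aug 21 13:02:01 localhost sshd[19201]: Illegal user oracle from ::ffff:198.51.100.7
Aug 21 13:05:44 localhost sshd[19230]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# sshd on a dual-stack socket logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d)
SRC_RE = re.compile(r"\bfrom (?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+)")

EVENT_PATTERNS = [
    ("illegal_user", re.compile(r"^Illegal user (?P<user>\S+) from ")),
    ("no_ident", re.compile(r"^Did not receive identification string from ")),
    ("reverse_dns_fail", re.compile(r"^reverse mapping checking getaddrinfo for ")),
    ("denied_allowusers", re.compile(r"^User (?P<user>\S+) not allowed because not listed in AllowUsers")),
]


def parse_line(line):
    """One syslog line -> dict with ts, host, pid, msg, event, user, src (or None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["event"] = rec["user"] = None
    for name, pat in EVENT_PATTERNS:
        em = pat.match(rec["msg"])
        if em:
            rec["event"], rec["user"] = name, em.groupdict().get("user")
            break
    sm = SRC_RE.search(rec["msg"])
    rec["src"] = sm.group("ip") if sm else None
    return rec


def summarize(log_text):
    """Per-source event counts and guessed account names."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    # sshd forks one child per connection, so a line without an address can be
    # attributed through another line that carries the same pid
    pid_to_src = {r["pid"]: r["src"] for r in records if r["src"]}
    per_src = defaultdict(lambda: {"events": defaultdict(int), "users": set()})
    unattributed = 0
    for r in records:
        if r["event"] is None:
            continue
        src = r["src"] or pid_to_src.get(r["pid"])
        if src is None:
            unattributed += 1
            continue
        per_src[src]["events"][r["event"]] += 1
        if r["user"]:
            per_src[src]["users"].add(r["user"])
    return {"sources": dict(per_src), "unattributed": unattributed}


def flag_sources(summary, threshold=3):
    """Sources with at least `threshold` guess-related events, busiest first."""
    guess_events = ("illegal_user", "denied_allowusers", "no_ident")
    flagged = []
    for src, info in summary["sources"].items():
        n = sum(info["events"][e] for e in guess_events)
        if n >= threshold:
            flagged.append((src, n, sorted(info["users"])))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, n, users in flag_sources(s):
        print(f"{src}: {n} guess-related events, accounts tried: {', '.join(users)}")
    print(f"{s['unattributed']} events could not be tied to a source address")
```

In the sample the "User root not allowed" line carries no address and its pid has no companion line with one, so it lands in the unattributed count rather than being guessed; the output of such a summary is what would justify adding a source to a deny rule or, conversely, confirm that a burst of drops in the counters was a single guesser rather than a locked-out colleague.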