Re: ssd attacks; worm? and precautionary steps
From: jayjwa (jayjwa_at_nowhere.org)
Date: 08/23/05
- Next message: Jon: "Working on a custom login interface"
- Previous message: H.S.: "Re: ssd attacks; worm? and precautionary steps"
- In reply to: H.S.: "Re: ssd attacks; worm? and precautionary steps"
- Next in thread: Grant: "Re: ssd attacks; worm? and precautionary steps"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 23 Aug 2005 04:11:05 -0000
On 2005-08-22, H.S. wrote:
> Thanks for the info. A little more serious search coughed up sshf binary
> that was reported on Full Disclosure and is also mentioned on Gentoo
> website. That particular script, it appears is not intelligent at all.
Be careful with those binaries; almost all that I've seen are infected with
the Linux viruses RST and OSF. I've been following this for a while, since it
started in great mass, a little before the site you refer to posted about it.
The worst one I had was 12 minutes long, but I've always had really long
complex passwords so they didn't get jack. (I did however report the ***
and got his account closed, his ISP confirmed it after I sent in the full 12
minutes worth of logged attempts). I've posted here about it before, so I
won't rehash what I already said too much, but basically what you're seeing
are amateur script kiddies using one of several programs to brute-force weak
passwords. There are a few scripts that are semi-automated (making them
worms, I guess you could say) like the other poster said, but these are pretty
rare to find. Almost always it's a human hacker, attacking from the last
machine they took over in the same way. A few start out from home (the real
dumb ones) and those you can complain about and get shut down. Once they do get
into a site, they use that for their next attacks, usually installing rootkits
along with it. Most of the ready-made binaries you find are virus-infected. I
have both samples of these and also the C sources for the programs they use,
but I don't think it's wise to post them here. Besides, they're not hard to
find if you look.
I did the following and don't worry about ssh attacks anymore:
- public key auth. only. Protocol 2 only.
- moved sshd off port 22 (it's not got hit once since then)
- dropped all traffic from places like Hinet.net, Kornet.net, all of Korea and
all of China. These were by and large the biggest source of attackers, and
worse, they didn't give a rat's ass if you reported to them that someone was
attacking you. They just don't care about anyone else and that's the main
reason that I permanently blocked them.
- used tcpwrappers to deny some places I know users will never be logging in from
- use AllowUsers and DenyUsers in sshd_config to limit who can ssh
- no root, ever
- left this rule for anyone still wanting to probe my (old) ssh port:
iptables -A INPUT -i ppp0 -p tcp --dport 22 -j TARPIT
I don't know any distros that include the TARPIT extension, but you can get
that (and a lot of other cool iptables add-ons) by building your own kernel
patched with the patch-o-matic from http://www.netfilter.org/ or
ftp://ftp.netfilter.org/ sites. The iprange match module comes in handy, in
particular.
The good news is they are getting to be less and less, down from about a year's
worth of attacks at a sickening rate. I made a reporting script that prints
the attackers out each night, and that list is getting smaller and smaller,
at least in my corner of the 'Net.
--
I still want to know what dim bulb thought that UPnP was a good idea. I mean, c'mon. A defined API so malware can send a "Pants Down!" command to the firewall? What were they *thinking*? -Valdis Kletniek
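The nightly reporting script the poster mentions, written here as an added example rather than the poster's own code: it tallies failed sshd logins per source address from syslog-style auth log lines, keeps the sources over a failure threshold, and prints (never applies) candidate DROP rules for the port 22 the post tarpits. The sample log lines, the threshold of 3 and the rule format are assumptions.

```shell
#!/bin/sh
# Nightly ssh brute-force report over sshd auth log lines.
# Added example; the log lines below are constructed, standing in for
# /var/log/auth.log (or /var/log/secure) on the gateway.

sample_log() {
    cat <<'EOF'
Aug 22 03:14:01 gw sshd[2231]: Failed password for invalid user test from 192.0.2.10 port 4312 ssh2
Aug 22 03:14:03 gw sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 4313 ssh2
Aug 22 03:14:05 gw sshd[2231]: Failed password for root from 192.0.2.10 port 4314 ssh2
Aug 22 03:14:07 gw sshd[2231]: Failed password for root from 192.0.2.10 port 4315 ssh2
Aug 22 04:02:11 gw sshd[2410]: Failed password for root from 198.51.100.7 port 3301 ssh2
Aug 22 04:02:14 gw sshd[2410]: Failed password for invalid user oracle from 198.51.100.7 port 3302 ssh2
Aug 22 05:30:00 gw sshd[2555]: Failed password for invalid user guest from 203.0.113.5 port 1025 ssh2
Aug 22 06:00:00 gw sshd[2600]: Accepted publickey for jay from 192.0.2.50 port 55000 ssh2
Aug 22 06:00:01 gw cron[2610]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Read log lines on stdin; print "<failures> <source-ip>", busiest source first.
# Only sshd "Failed password" lines count; accepted logins and other daemons are ignored.
report_attackers() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' \
      | sed -nE 's/.* from ([0-9]+(\.[0-9]+){3}) port [0-9]+ ssh2$/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Keep only sources with at least $1 failures (assumed default 3); one IP per line.
over_threshold() {
    min="${1:-3}"
    awk -v min="$min" '$1 >= min { print $2 }'
}

# Turn the offender list into firewall rules to review before loading them.
# Emits text only; nothing is applied to the running firewall.
suggest_drop_rules() {
    while read -r ip; do
        printf 'iptables -A INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Nightly run (e.g. from cron): the full tally, then rules for the worst offenders.
sample_log | report_attackers
sample_log | report_attackers | over_threshold 3 | suggest_drop_rules
```

On a live box replace `sample_log` with `cat /var/log/auth.log` and mail the output to yourself from cron.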