| View previous topic :: View next topic |
| Author |
Message |
bfloeagle
Tux's lil' helper
Joined: 02 May 2003
Posts: 82
|
 Posted: Sat Jun 23, 2007 3:12 am Post subject: Brute Force SSH Attack... How to stop it... |
 |
|
I noticed in /var/log/messages a bunch of people have been trying to brute force login to my box via SSH. The box is online and open to the Internet via SSH (it's how I connect) but I thought it was a little more proactive at detecting intrusions than I thought...
| Code: | ...just a snippet, thousands more grouped in relative short time periods from similar ip's, probably a cable/dsl modem getting a new IP each time...
Jun 19 15:14:02 ds9 sshd[16052]: Invalid user samba from 220.227.XXX.XXX
Jun 19 15:14:04 ds9 sshd[16064]: Invalid user tomcat from 220.227.XXX.XXX
Jun 19 15:14:07 ds9 sshd[16068]: Invalid user webadmin from 220.227.XXX.XXX
Jun 19 15:14:11 ds9 sshd[16072]: Invalid user spam from 220.227.XXX.XXX
Jun 19 15:14:14 ds9 sshd[16076]: Invalid user virus from 220.227.XXX.XXX
Jun 19 15:14:17 ds9 sshd[16080]: Invalid user cyrus from 220.227.XXX.XXX
Jun 19 15:14:21 ds9 sshd[16084]: Invalid user oracle from 220.227.XXX.XXX
Jun 19 15:14:24 ds9 sshd[16088]: Invalid user michael from 220.227.XXX.XXX
Jun 19 15:14:28 ds9 sshd[16092]: Invalid user ftp from 220.227.XXX.XXX
Jun 19 15:14:31 ds9 sshd[16096]: Invalid user test from 220.227.XXX.XXX
Jun 19 15:14:33 ds9 sshd[16100]: Invalid user webmaster from 220.227.XXX.XXX
Jun 19 15:14:39 ds9 sshd[16108]: Invalid user postfix from 220.227.XXX.XXX
Jun 19 15:14:42 ds9 sshd[16112]: Invalid user postgres from 220.227.XXX.XXX
Jun 19 15:14:45 ds9 sshd[16116]: Invalid user paul from 220.227.XXX.XXX
Jun 19 15:14:52 ds9 sshd[16124]: Invalid user guest from 220.227.XXX.XXX
Jun 19 15:14:56 ds9 sshd[16128]: Invalid user admin from 220.227.XXX.XXX
Jun 19 15:14:59 ds9 sshd[16132]: Invalid user linux from 220.227.XXX.XXX
Jun 19 15:15:02 ds9 sshd[16136]: Invalid user user from 220.227.XXX.XXX
Jun 19 15:15:06 ds9 sshd[16140]: Invalid user david from 220.227.XXX.XXX
Jun 19 15:15:10 ds9 sshd[16144]: Invalid user web from 220.227.XXX.XXX
Jun 19 15:15:13 ds9 sshd[16148]: Invalid user apache from 220.227.XXX.XXX
Jun 19 15:15:16 ds9 sshd[16152]: Invalid user pgsql from 220.227.XXX.XXX
Jun 19 15:15:18 ds9 sshd[16156]: Invalid user mysql from 220.227.XXX.XXX
Jun 19 15:15:21 ds9 sshd[16160]: Invalid user info from 220.227.XXX.XXX
Jun 19 15:15:24 ds9 sshd[16164]: Invalid user tony from 220.227.XXX.XXX
Jun 19 15:15:27 ds9 sshd[16168]: Invalid user core from 220.227.XXX.XXX
Jun 19 15:15:30 ds9 sshd[16172]: Invalid user newsletter from 220.227.XXX.XXX
Jun 19 15:15:36 ds9 sshd[16176]: Invalid user named from 220.227.XXX.XXX
Jun 19 15:15:39 ds9 sshd[16180]: Invalid user visitor from 220.227.XXX.XXX
Jun 19 15:15:41 ds9 sshd[16184]: Invalid user ftpuser from 220.227.XXX.XXX
Jun 19 15:15:44 ds9 sshd[16188]: Invalid user username from 220.227.XXX.XXX
Jun 19 15:15:47 ds9 sshd[16192]: Invalid user administrator from 220.227.XXX.XXX
Jun 19 15:15:50 ds9 sshd[16196]: Invalid user library from 220.227.XXX.XXX
Jun 19 15:15:53 ds9 sshd[16200]: Invalid user test from 220.227.XXX.XXX
Jun 19 15:16:01 ds9 sshd[16212]: Invalid user admin from 220.227.XXX.XXX
Jun 19 15:16:04 ds9 sshd[16216]: Invalid user guest from 220.227.XXX.XXX
Jun 19 15:16:11 ds9 sshd[16220]: Invalid user master from 220.227.XXX.XXX
Jun 19 15:16:35 ds9 sshd[16244]: Invalid user admin from 220.227.XXX.XXX
Jun 19 15:16:38 ds9 sshd[16248]: Invalid user admin from 220.227.XXX.XXX
Jun 19 15:16:40 ds9 sshd[16252]: Invalid user admin from 220.227.XXX.XXX
Jun 19 15:16:44 ds9 sshd[16256]: Invalid user admin from 220.227.XXX.XXX
Jun 19 15:16:52 ds9 sshd[16268]: Invalid user test from 220.227.XXX.XXX
Jun 19 15:16:56 ds9 sshd[16272]: Invalid user test from 220.227.XXX.XXX
Jun 19 15:16:59 ds9 sshd[16276]: Invalid user webmaster from 220.227.XXX.XXX
Jun 19 15:17:03 ds9 sshd[16280]: Invalid user username from 220.227.XXX.XXX
Jun 19 15:17:09 ds9 sshd[16284]: Invalid user user from 220.227.XXX.XXX |
Since I connect from a bunch of different places, I can't really lock down SSH to only allow connections from particular hosts. I realize that a box on the Internet is prone to these type of attempts but how to I stop them after the same host tries to authenticate and fails after a few times??? How do I stop an IP from making connections to my box after a few failed or invalid logon attempts? Can SSH do it or is there another intrusion detection system I can install?
Thanks!
Andy |
|
| Back to top |
|
 |
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21602
|
| Posted: Sat Jun 23, 2007 3:55 am Post subject: |
|
|
| The package net-analyzer/fail2ban is often recommended for this purpose. |
|
| Back to top |
|
|
papafox
n00b
Joined: 15 Feb 2007
Posts: 5
|
| Posted: Sat Jun 23, 2007 5:25 am Post subject: |
|
|
Try app-admin/denyhosts. It is specifically designed to handle SSH brute force attacks. As attacks are detected, the originating IP address is posted to a shared database. This lets denyhosts refuse the SSH connection before the attack has a chance to develop. IP's are un-banned after a configurable timeout.
It also has the effect of making SSH attacks less profitable. If enough site have denyhosts installed, attackers will find that their IP becomes useless after a short period of time. The reward-to-effort ratio will be reduced considerably. |
|
| Back to top |
|
|
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919
|
| Posted: Sat Jun 23, 2007 6:28 am Post subject: |
|
|
Problem being that banning an IP is a pretty lousy way to ban someone. Hell, unless you have a static IP, all you have to do is power off/on your modem, grab a new IP, and keep going. Or spoof a new one, though that CAN be ignored and the real IP found...
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner. |
|
| Back to top |
|
|
papafox
n00b
Joined: 15 Feb 2007
Posts: 5
|
| Posted: Sat Jun 23, 2007 6:57 am Post subject: |
|
|
| Dralnu wrote: | | Problem being that banning an IP is a pretty lousy way to ban someone. Hell, unless you have a static IP, all you have to do is power off/on your modem, grab a new IP, and keep going. Or spoof a new one, though that CAN be ignored and the real IP found... |
What you say is true ... but not applicable in this case.
The way these attacks work is that someone writes a script which does a port scan and builds a list of IP's with a SSH listener. Then it works through the list repeatedly connecting and trying a different userid/password combination. Once the script manages a successful login, it copies the script, plus a backdoor IRC daemon to the user account. The backdoor reports success to a webserver somewhere and starts listening for commands using IRC (which typically tell it to send spam or run DOS attacks). The attack script then starts running on the new machine to try and spread to other machines on the local LAN. These scripts are typically written in perl (since most machines which have SSH would have perl as well). Also, note these scripts are running on ordinary user accounts, they don't need root.
So, since they are automated scripts rather than real people, the IP address will not (probably) be changing and banning the IP address is a successful way of defeating these attacks.
The app-admin/denyhosts package has three functions - it detects attacks by monitoring the log for multiple SSH login failures; it regularly replicates a shared database of known attackers; and it maintains the /etc/hosts.deny config file to allow SSH to pre-emptively deny connections from attackers. The entries in /etc/deny.hosts can be configured to block all connections from the attacking IP address or just those to SSH. If you are running Shorewall, there is an interface to add the attacker to the Shorewall block list so that all packets (not just TCP connections) are dropped.
While blocking an IP address not seem to be workable, in this case it is an actually extremely effective solution. The key feature is the ability to deny access to the attacker before they begin the attack. |
|
| Back to top |
|
|
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919
|
| Posted: Sat Jun 23, 2007 7:09 am Post subject: |
|
|
The basic "You can't stop them all, just the script-kiddies" idea?
I understand your point, but I wanted to make sure that was understood.
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner. |
|
| Back to top |
|
|
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5934
|
| Posted: Sat Jun 23, 2007 8:55 am Post subject: |
|
|
| papafox wrote: | | While blocking an IP address not seem to be workable, in this case it is an actually extremely effective solution. The key feature is the ability to deny access to the attacker before they begin the attack. |
that's why i outright cidr ban asian countries, and hosting providers... tired of dns/ftp/web servers being hijacked and used to ssh/ftp/mail "spam".  
haven't had to do it very often to north american networks, but verizon has pissed me off on a couple occasions, and so has level3. 
you would think with how isp's treat their end users, having to sign a non-hack/spam eula, that they would do something about these attacks that spawn from their network... i'd just love to see serverpronto or ev1servers get their internet access revoked due to their spammyness.
_________________
| Neddyseagoon wrote: | | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
|
| Back to top |
|
|
Cyker
Veteran
Joined: 15 Jun 2006
Posts: 1746
|
| Posted: Sat Jun 23, 2007 1:34 pm Post subject: |
|
|
That sort of stuff is just to cover the ISP's ass, not protect us from their users.
I used to do reverse traces with a full nmap workup on IP's that were trying to break into my box, but I never got a single reply or anything done about it from the ISP.
Now I go with the general consensus on slashdot, which is just to ignore them.
I wrote my own set of rules using the SEC daemon, which works similarly to denyhosts (Except I can read it and modify it myself more easily).
That seems to have done the trick, although since I switched ISPs and now have a static address I've noticed some more sophisticated attacks recently 
To counter it, in addition to the existing rules ("Did not recieve identification"=instant ban, 3-login fails=instant ban) I put in a random 2-10s delay with each login attempt.
I also want to set up some sort of port-knocking thing, but I need a router (And client!) that supports it first... |
|
| Back to top |
|
|
pdr
l33t
Joined: 20 Mar 2004
Posts: 618
|
| Posted: Sat Jun 23, 2007 7:57 pm Post subject: |
|
|
| I changed my port from 22 and get a hack attempt maybe once a year. This was actually a side benefit; had to use a different port to be able to log in from work through their firewall.. |
|
| Back to top |
|
|
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5934
|
| Posted: Sat Jun 23, 2007 8:39 pm Post subject: |
|
|
| pdr wrote: | | I changed my port from 22 and get a hack attempt maybe once a year. This was actually a side benefit; had to use a different port to be able to log in from work through their firewall.. |
that is always an option, but i don't consider that a proper option as port 22 was designated for ssh. why should i have to change my ports just to prevent network spam? these people shouldn't be letting their boxes get hijacked in the first place. like seriously, how hard is it to keep a web server secure? i've run mail/web/ftp/ssh and stuff for years and never had an intrusion. maybe i'm lucky, or maybe i'm actually keeping my boxes up to date. i still place all the blame on the hosting companies for not securing their networks.
_________________
| Neddyseagoon wrote: | | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
|
| Back to top |
|
|
pdr
l33t
Joined: 20 Mar 2004
Posts: 618
|
| Posted: Sat Jun 23, 2007 11:15 pm Post subject: |
|
|
| I don't get philosophical when it comes to administering my server or workstation. |
|
| Back to top |
|
|
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5934
|
| Posted: Sun Jun 24, 2007 4:11 am Post subject: |
|
|
i just don't see why end-users get the shaft while big companies and foreign networks can violate the rest of the internet. i demand equality. 
_________________
| Neddyseagoon wrote: | | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
|
| Back to top |
|
|
richmastaplus
Tux's lil' helper
Joined: 29 Nov 2005
Posts: 127
Location: Canada
|
| Posted: Sun Jun 24, 2007 6:58 pm Post subject: |
|
|
| Will somebody tell me how to block all ips except north america, if not how do i just block asia. As that is where I'm getting attacks from. |
|
| Back to top |
|
|
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919
|
| Posted: Sun Jun 24, 2007 10:07 pm Post subject: |
|
|
I'd block Asia, Africa, parts of eastern Europe, and more then likely the pacific islands...
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner. |
|
| Back to top |
|
|
jlh
Tux's lil' helper
Joined: 06 May 2007
Posts: 145
Location: Switzerland::Zürich
|
| Posted: Sun Jun 24, 2007 10:44 pm Post subject: |
|
|
See also this thread about the same topic.
You could try to implement some enable-ssh-on-demand trickery, I've seen this somewhere on the net once. The basic idea is that SSH is banned for everyone. To unblock it, an IP needs to make a dummy connection to a different port, which will unblock SSH for this IP only for a while (or permanently, at your wish).
I don't think banning by location is a great idea, as attacks come from everywhere anyway (often from already compromised systems, which really can be anywhere in the world). I'd suggest to ban anyone that tries wrong usernames (or maybe anyone that makes more than 5 connections in a row), that seems the most effective to me. I'm running a honeypot and the almost 39'000 SSH connections that I got in the last 3 weeks all came from the same 79 different IPs. That means you really don't want to ban almost all the world, but you want to ban the bad guys as they appear, and they're easy to spot. |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21602
|
| Posted: Mon Jun 25, 2007 12:26 am Post subject: |
|
|
| jlh wrote: | | You could try to implement some enable-ssh-on-demand trickery, I've seen this somewhere on the net once. The basic idea is that SSH is banned for everyone. To unblock it, an IP needs to make a dummy connection to a different port, which will unblock SSH for this IP only for a while (or permanently, at your wish). |
For the benefit of future readers: this is often referred to as "port knocking." From what I have read, some people have come up with very elaborate knocking schemes based on timing, ordering, and even the content of the packets sent to the knocked ports. For example, must receive a SYN to 13529, then a data packet with string "foo" to port 25089 (despite no actual connection or service on that port), etc. Beware that as your scheme gets more elaborate, you increase the difficulty of performing the knock successfully, as well as increasing the risk that some highly stateful firewall may drop some of your knock packets for being "invalid" according to its state tracking tables.
There is a package in Portage called net-misc/knock, which is described as "A simple port-knocking daemon." |
|
| Back to top |
|
|
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919
|
| Posted: Mon Jun 25, 2007 12:54 am Post subject: |
|
|
Let me guess, you could run this all the way up to changing the knock some to setup an encrypted contection with a specific key?
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner. |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21602
|
| Posted: Mon Jun 25, 2007 4:11 am Post subject: |
|
|
| Dralnu wrote: | | Let me guess, you could run this all the way up to changing the knock some to setup an encrypted contection with a specific key? |
Probably, but that sounds overly complex. I would go with using a port knock to protect a VPN daemon, then establish a VPN to get the encryption.  |
|
| Back to top |
|
|
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919
|
| Posted: Mon Jun 25, 2007 4:17 am Post subject: |
|
|
| Hu wrote: | | Dralnu wrote: | | Let me guess, you could run this all the way up to changing the knock some to setup an encrypted contection with a specific key? |
Probably, but that sounds overly complex. I would go with using a port knock to protect a VPN daemon, then establish a VPN to get the encryption. |
So you wouldn't want to try and make an electronic Enigma machine? Personally, I'd look into setting up a formula to the knocks, otherwise someone could still sniff out your little port drum solo, and mimic it to get access...
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner. |
|
| Back to top |
|
|
think4urs11
Bodhisattva
Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud
|
| Posted: Mon Jun 25, 2007 7:08 am Post subject: |
|
|
| Dralnu wrote: | | Hu wrote: | | Dralnu wrote: | | Let me guess, you could run this all the way up to changing the knock some to setup an encrypted contection with a specific key? |
Probably, but that sounds overly complex. I would go with using a port knock to protect a VPN daemon, then establish a VPN to get the encryption. |
So you wouldn't want to try and make an electronic Enigma machine? Personally, I'd look into setting up a formula to the knocks, otherwise someone could still sniff out your little port drum solo, and mimic it to get access... |
A bit paranoid, isn't it? To make that happen $attacker would need to be able to sniff either your access line at home (not impossible but at least non-trivial) or the location you're knocking from (pretty impossible as it could be theoretically everywhere).
Anyways, paranoid souls could hack something with OTP.
a) pre-generate yourself a list of one-time passwords to take with you
b) implement a knock daemon which uses that list, of course every OTP only once
each of the six 2-4 letter words are interpreted as a hex-value for the port which needs to be knocked to. With each successful knock-sequence the knock-daemon drops that from the list and waits for the next one.
When the knock is sucessful the ssh (or openvpn) daemon are started and configured to allow the knockers ip only for e.g. 2 minutes.
If no sucessful connect is established with that within those 2 minutes the daemon gets killed again and if you like the ip dropped with iptables.
With that $attacker would need to guess the correct knock sequence first (practically impossible) plus then needs to hack the (certificate or public key _only_) openvpn/ssh within the next two minutes (practically impossible) and (s)he has only one try per IP (ok, every good attacker has a big zombie network for this but hey ...) and you'd know that an attack happened afterwards (unless (s)he's clever enough to re-setup the knock-daemon [not too hard] with the correct next knock sequence [pretty much impossible as s(h)e need to know the actual pointer to the list the knock daemon points at i.e. (s)he'd need to find that in a memory dump] - of course that should be mad impossible with utilizing selinux and alike).
/paranoia off
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself |
|
| Back to top |
|
|
bfloeagle
Tux's lil' helper
Joined: 02 May 2003
Posts: 82
|
| Posted: Mon Jun 25, 2007 3:16 pm Post subject: |
|
|
...
Talk about unleashing the floodgates... Thanks for the tips everyone.
...now get back to the discussion... |
|
| Back to top |
|
|
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919
|
| Posted: Mon Jun 25, 2007 8:25 pm Post subject: |
|
|
| Think4UrS11 wrote: | | Dralnu wrote: | | Hu wrote: | | Dralnu wrote: | | Let me guess, you could run this all the way up to changing the knock some to setup an encrypted contection with a specific key? |
Probably, but that sounds overly complex. I would go with using a port knock to protect a VPN daemon, then establish a VPN to get the encryption. |
So you wouldn't want to try and make an electronic Enigma machine? Personally, I'd look into setting up a formula to the knocks, otherwise someone could still sniff out your little port drum solo, and mimic it to get access... |
A bit paranoid, isn't it? To make that happen $attacker would need to be able to sniff either your access line at home (not impossible but at least non-trivial) or the location you're knocking from (pretty impossible as it could be theoretically everywhere).
Anyways, paranoid souls could hack something with OTP.
a) pre-generate yourself a list of one-time passwords to take with you
b) implement a knock daemon which uses that list, of course every OTP only once
each of the six 2-4 letter words are interpreted as a hex-value for the port which needs to be knocked to. With each successful knock-sequence the knock-daemon drops that from the list and waits for the next one.
When the knock is sucessful the ssh (or openvpn) daemon are started and configured to allow the knockers ip only for e.g. 2 minutes.
If no sucessful connect is established with that within those 2 minutes the daemon gets killed again and if you like the ip dropped with iptables.
With that $attacker would need to guess the correct knock sequence first (practically impossible) plus then needs to hack the (certificate or public key _only_) openvpn/ssh within the next two minutes (practically impossible) and (s)he has only one try per IP (ok, every good attacker has a big zombie network for this but hey ...) and you'd know that an attack happened afterwards (unless (s)he's clever enough to re-setup the knock-daemon [not too hard] with the correct next knock sequence [pretty much impossible as s(h)e need to know the actual pointer to the list the knock daemon points at i.e. (s)he'd need to find that in a memory dump] - of course that should be mad impossible with utilizing selinux and alike).
/paranoia off |
Why 2 minutes? Make it 30 seconds, and instead of using six 2-4 letter words, maybe require six 24-letter words (someone here have a medical dictionary handy?) translated into binary Latin and encrypted with 512-bit encryption, just to make it a little bit harder.
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner. |
|
| Back to top |
|
|
bfloeagle
Tux's lil' helper
Joined: 02 May 2003
Posts: 82
|
| Posted: Mon Jun 25, 2007 8:39 pm Post subject: |
|
|
| Dralnu wrote: | | Why 2 minutes? Make it 30 seconds, and instead of using six 2-4 letter words, maybe require six 24-letter words (someone here have a medical dictionary handy?) translated into binary Latin and encrypted with 512-bit encryption, just to make it a little bit harder. |
Social engineering sounds easier at this point... I am your long lost third cousin on your father's mother's aunt's side second removed anyway... |
|
| Back to top |
|
|
Dralnu
Veteran
Joined: 24 May 2006
Posts: 1919
|
| Posted: Mon Jun 25, 2007 9:03 pm Post subject: |
|
|
Good idea - use a researchable family tree to figure out which ports to knock...
_________________
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner. |
|
| Back to top |
|
|
timeBandit
Bodhisattva
Joined: 31 Dec 2004
Posts: 2719
Location: here, there or in transit
|
| Posted: Mon Jun 25, 2007 9:34 pm Post subject: |
|
|
| Dralnu wrote: | | Good idea - use a researchable family tree to figure out which ports to knock... |
...and Bob's your uncle. 
/me ducks
_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others. |
|
| Back to top |
|
|
|
Networking & Security
