Home page logo
/

basics logo Security Basics mailing list archives

Re: SSH server under attack...
From: Daniel Cid <danielcid () yahoo com br>
Date: Fri, 10 Feb 2006 12:48:01 -0300 (ART)

Take a look at the OSSEC HIDS. It analyses sshd logs,
firewall logs, ids logs, etc. It execute responses
based on the rules, so you can block automated scans
(via iptables ,ipfilter, hosts.deny, etc).
It also performs integrity checking and rootkit
detection.. 

More info: http://www.ossec.net/hids/

Thanks,

Daniel B. Cid

--- Juan Hernandez <hvjuan () kanux com> escreveu:

Hey there...

What if there is some 'automated daemon' running
thru the logs and once 
it sees an ip address doing this, add a chain to
iptables?

I did this in python about a year ago, reading the
logs once every hour 
-cron process- and if someone tries to log with at
least 5 diffent 
users, it adds a chain to my iptables settings and
that's it, the 
attacker is blocked

Also, there are many open source tools that might do
a similar task

Juan

Isaac Perez wrote:

All of your users connect by ssh?
If only admins need to connect you can change the
configuration to 
only allow one ssh user to connect, with a
extrange name. At least you 
will be sure that the user never will be in a
common list.
And after you can su to the user you want.
Alsoo you can contact to the ISP of the servers
that attacks you, I do 
that, and sometimes works.
Alsoo you can configure tcpwrapers,or any software
similar, to close 
and discard any connection when a ip try to
connect so many times.

En/na Dave ha escrit:

My SSH server has been under DoS and I cant stop
it!!!

I changed the port of the SSH server from 22 to
2222. This isnt going to
really do much but it would stop some automated
script that attacks port
22. OK...within a few hours the server was being
attacked again on port
2222. This is an *active* attacker, active in
that he is actively
monitoring what he is doing. The router/firewall
logs dont show any
dropped packets sent to port 22 so he changed the
port of the attack
script. Now, the new machine to attack me is
200.55.192.29. This belongs
to a company in south america called 'Springs
South America Textiles
Ltda.'. I scanned the machine and found that it
is hosting a webserver
(Apache/2.0.52 (Fedora) Server at www.springs.cl)
among other services.
The last machine the attacker used to brute_force
me was also an apache
server (rh linux). So this attacker is cracking
various webservers (most
likely) or some other service on these boxes in
order to use these
machines as an attack platform. Now, yes, i
notified the admin of this
company etc..but think of this. If this admin is
going to put an
*unused* and unprotected server on the net then
what kind of admin is
he? Will he even care about my email? Who knows!
Calling the authorities
is not going to work 'cause frankly I am a
nobody...who cares if my
servers are under attack! No one is going to
waste resource (money) in
trying to find this guy, so really its up to me.
So what do we know
about this guy? At first the info seems
conflicting: He has the ability
to crack a number of random servers and use them
at his disposal but he
is running the same stupid attack over and
over...why? First off, the
attack is a brute force attack. He is trying to
guess a username
password combo in order to be able to log into my
server and get shell
access...but maybe not. Like I said..he is no
dummy. So what is he
doing? I think DoS (denial of service) , the
brute force tool is just
the means to an end. He isnt trying to break in
by doing this. Maybe he
coudnt break in to my server so he is resorting
to the next trick up his
sleeve. By having all these machines attempting
to log into my server
over and over he might be trying to use up my
bandwidth in effect
causing a DoS to anyone! OR...In closely looking
at the logs you will
notice something *unusual*:

Failed password for invalid user admin from
::ffff:200.55.192.29 port
34182 ssh2
Invalid user admin from ::ffff:200.55.192.29
Failed password for invalid user admin from
::ffff:200.55.192.29 port
34679 ssh2
Invalid user admin from ::ffff:200.55.192.29
Failed password for invalid user admin from
::ffff:200.55.192.29 port
34752 ssh2
Invalid user administrator from
::ffff:200.55.192.29
Failed password for invalid user administrator
from ::ffff:200.55.192.29
port 35253 ssh2
Invalid user administrator from
::ffff:200.55.192.29
Failed password for invalid user administrator
from ::ffff:200.55.192.29
port 35735 ssh2
Invalid user administrator from
::ffff:200.55.192.29
Failed password for invalid user administrator
from ::ffff:200.55.192.29
port 36237 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from
::ffff:200.55.192.29 port
36703 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from
::ffff:200.55.192.29 port
36813 ssh2
Invalid user tads from ::ffff:200.55.192.29
Failed password for invalid user tads from
::ffff:200.55.192.29 port
37332 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from
::ffff:200.55.192.29 port
37820 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from
::ffff:200.55.192.29 port
38267 ssh2
Invalid user tip from ::ffff:200.55.192.29
Failed password for invalid user tip from
::ffff:200.55.192.29 port
38757 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from
::ffff:200.55.192.29 port
38844 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from
::ffff:200.55.192.29 port
39333 ssh2
Invalid user myra from ::ffff:200.55.192.29
Failed password for invalid user myra from
::ffff:200.55.192.29 port
39812 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from
::ffff:200.55.192.29 port
40312 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from
::ffff:200.55.192.29 port
40787 ssh2
Invalid user jack from ::ffff:200.55.192.29
Failed password for invalid user jack from
::ffff:200.55.192.29 port
40893 ssh2
Invalid user sya from ::ffff:200.55.192.29


Each user name was tried three times. What does
this
mean...I dont know but right off hand I would
guess that he is trying to
lock out legit user accounts. You see some
servers will disallow a user
to log in if they entered three wrong passwords.
This, strangely enough,
is used to help stop brute forcing!!! Anyway, The
attacker has put
together a list of *potential* user names that
*might* be found on my
server and is attempting to lock them out...in
effect creating a DoS to
any users whose names appear on this list.

=== message truncated ===



        



        
                
_______________________________________________________ 
Yahoo! doce lar. Fa├ža do Yahoo! sua homepage. 
http://br.yahoo.com/homepageset.html 


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault