Security Incidents: Re: Weird SSH attack last night and this morning (still ongoing)

[Gary Baribault <gary () baribault net>]

Yeah, but I'm a masochist, I run these servers for the fun of it and to 
see what's happening on the net. I see all of the background static and 
every now and again I see somehting fun like this!
Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013




Darren Bolding wrote:
> And, not to pretend that it adds any great additional security to any 
> sort of attack, but running sshd on a non-standard port reduces the 
> number of scans/attacks I see dramatically- to the point that I 
> actually rarely see any connection attempts from anyone other than 
> authorized users.  It's simple, fast and doesn't require any packages 
> installed or anything.
> But that may not be an option for all user communities.
>
> --D
>
> On Wed, May 7, 2008 at 10:53 AM, Erin Carroll <amoeba () amoebazone com 
> <mailto:amoeba () amoebazone com>> wrote:
>     Gary,
>
>     I am seeing the exact same traffic pattern & attempts as of
>     ~10:20pm PST:
>     Single attempts to remote root ssh from disparate IP's with few
>     (if any)
>     repeated source location. So now we have a sample size of 2 :)
>
>     When I saw this hitting my servers last night I thought it an odd
>     attack
>     pattern but surmised it was either a targeted slow attack with
>     spoofed IP's
>     or a "slow roll" botnet using throttled connects to try flying
>     under the
>     radar for alerting. I was leaning toward the latter and even more
>     so now
>     that I see my organization isn't the only one.
>
>     Just block root ssh and apply a source IP whitelist for valid non-root
>     allows if you require remote ssh for day to day. I consider it bad
>     security
>     practice to allow remote root ssh anyway. People should use user
>     accounts
>     and a sane sudoers config instead.
>
>
>
>     --
>     Erin Carroll
>     Moderator, SecurityFocus pen-test mailing list
>     amoeba () amoebazone com <mailto:amoeba () amoebazone com>
>     "Do Not Taunt Happy-Fun Ball"
>
>
>
>     -----Original Message-----
>     From: Gary Baribault [mailto:gary () baribault net
>     <mailto:gary () baribault net>]
>     Sent: Wednesday, May 07, 2008 5:27 AM
>     To: incidents () securityfocus com <mailto:incidents () securityfocus com>
>     Subject: Weird SSH attack last night and this morning (still ongoing)
>
>     I don't know what is going on last night and this morning ... I have
>     three Linux servers facing the Internet, two on cable modems and
>     another
>     on a static IP/commercial connection and this last one is a
>     gateway to a
>     Web/FTP/SMTP/Pop3/NTP Linux based system.
>
>     I have DenyHosts installed on all three and have blocked about 75
>     attempts ..  from known compromised adresses .. The log shows
>     (obviously) that there where even more attempts from adresses that are
>     unknown to DenyHosts but there was only one login attemps per
>     adress and
>     it was with the Root account .. which is obviously blocked in my sshd
>     config ..
>
>     Of the three machines, one of them only had about 10 attempts, but the
>     other two had about 200 attempts .. all of them with only 1 try
>     with the
>     user Root ..
>
>     Is any one else seing this? or am I being targeted? This is still
>     going
>     on now .. and it started arround 10:00 last night GMT+4
>
>     --
>     Gary Baribault
>     Courriel: gary () baribault net <mailto:gary () baribault net>
>     GPG Key: 0x4346F013
>     GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
>
>
>
>
> --
> -- Darren Bolding --
> -- darren () bolding org <mailto:darren () bolding org> --