From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 22:01:35 2005
Date: Sun, 02 Oct 2005 16:01:26 -0600
From: Brett Glass
To: freebsd-security@freebsd.org
Subject: Repeated attacks via SSH
Message-Id: <6.2.3.4.2.20051002153930.07a50528@localhost>
List-Id: "Security issues [members-only posting]"

Everyone:

We're starting to see a rash of password guessing attacks via SSH
on all of our exposed BSD servers which are running an SSH daemon.
They're coming from multiple addresses, which makes us suspect that
they're being carried out by a network of "bots" rather than a single attacker.

But wait... there's more. The interesting thing about these attacks
is that the user IDs for which passwords are being guessed aren't
coming from a completely fixed list. Besides guessing at the
passwords for root, toor, news, admin, test, guest, webmaster,
sshd, and mysql, the bots are also trying to get into our mail
exchangers via user IDs which are the actual names of users for
whom the machines receive mail. In one case, we saw an attempt to
use the name of a user who hadn't been on for years but whose
address was published ONCE (according to Google and AltaVista) on
the Net. Since the attackers are not guessing at hundreds of
invalid user names, the only conclusion we can draw is that when
one of the bots attacks a mail server, it quickly tries to harvest
e-mail addresses from the server's domain from the Net and then
tries them, in the hope that those users (a) are enabled for SSH
and (b) have weak passwords.

SSH is enabled by default in most BSD-ish operating systems, and
this makes us a bigger target for these bots than users of OSes
that don't come with SSH (not that they're not more vulnerable in
other ways!). Therefore, it's strongly recommended that, where
practical, everyone limit SSH logins to the minimum possible number
of users via the "AllowUsers" directive. We also have a log monitor
that watches the logs (/var/log/auth.log in particular) and
blackholes hosts that seem to be trying to break in via SSH.
--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 22:08:53 2005
Date: Sun, 2 Oct 2005 15:08:45 -0700 (PDT)
From: Don Lewis
To: brett@lariat.org
Cc: freebsd-security@FreeBSD.org
Subject: Re: Repeated attacks via SSH
Message-Id: <200510022208.j92M8joS016722@gw.catspoiler.org>
In-Reply-To: <6.2.3.4.2.20051002153930.07a50528@localhost>

On 2 Oct, Brett Glass wrote:
> Everyone:
>
> We're starting to see a rash of password guessing attacks via SSH
> on all of our exposed BSD servers which are running an SSH daemon.
> They're coming from multiple addresses, which makes us suspect that
> they're being carried out by a network of "bots" rather than a single attacker.
>
> But wait... there's more. The interesting thing about these attacks
> is that the user IDs for which passwords are being guessed aren't
> coming from a completely fixed list. Besides guessing at the
> passwords for root, toor, news, admin, test, guest, webmaster,
> sshd, and mysql, the bots are also trying to get into our mail
> exchangers via user IDs which are the actual names of users for
> whom the machines receive mail. In one case, we saw an attempt to
> use the name of a user who hadn't been on for years but whose
> address was published ONCE (according to Google and AltaVista) on
> the Net. Since the attackers are not guessing at hundreds of
> invalid user names, the only conclusion we can draw is that when
> one of the bots attacks a mail server, it quickly tries to harvest
> e-mail addresses from the server's domain from the Net and then
> tries them, in the hope that those users (a) are enabled for SSH
> and (b) have weak passwords.
>
> SSH is enabled by default in most BSD-ish operating systems, and
> this makes us a bigger target for these bots than users of OSes
> that don't come with SSH (not that they're not more vulnerable in
> other ways!). Therefore, it's strongly recommended that, where
> practical, everyone limit SSH logins to the minimum possible number
> of users via the "AllowUsers" directive. We also have a log monitor
> that watches the logs (/var/log/auth.log in particular) and
> blackholes hosts that seem to be trying to break in via SSH.

It's also a good idea to only allow public key authentication from
remote hosts. This avoids the risks of password guessing and password
capture by shoulder surfers or key loggers.
From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 22:32:49 2005
Date: Sun, 02 Oct 2005 16:32:39 -0600
From: Brett Glass
To: Daniel Gerzo
Cc: freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-Id: <6.2.3.4.2.20051002162545.08f66558@localhost>
In-Reply-To: <1048266117.20051003001242@rulez.sk>

At 04:12 PM 10/2/2005, Daniel Gerzo wrote:

>very nice is to use AllowUsers in form of user@host.

If you can get away with it, absolutely. Same with the RSA keys. Of
course, the problem is that if you need to get access in an emergency
from who-knows-where, you're pretty much stuck with passwords unless
you have a token system or a one time password system (e.g. S/Key).
(Which reminds me: Anyone have a good S/Key implementation for the
Palm Pilot?)

>> We also have a log monitor
>> that watches the logs (/var/log/auth.log in particular) and
>> blackholes hosts that seem to be trying to break in via SSH.
>
>I wrote a similar script. it's also in ports under
>security/bruteforceblocker

The system we're using is the general purpose log monitor I described
at BSDCon in San Francisco. It's written in SNOBOL4 and has nice
features like amnesty and rate limiting.

--Brett

From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 22:44:47 2005
Date: Sun, 2 Oct 2005 22:44:13 +0000
From: Marcin Jessa
To: Brett Glass
Cc: freebsd-security@freebsd.org, flynn@energyhq.es.eu.org
Subject: Re: Repeated attacks via SSH
Message-Id: <20051002224413.0c39428e.lists@yazzy.org>
In-Reply-To: <6.2.3.4.2.20051002153930.07a50528@localhost>
Organization: YazzY.org

On Sun, 02 Oct 2005 16:01:26 -0600 Brett Glass wrote:

: Everyone:
:
: We're starting to see a rash of password guessing attacks via SSH
: on all of our exposed BSD servers which are running an SSH daemon.
: They're coming from multiple addresses, which makes us suspect that
: they're being carried out by a network of "bots" rather than a single attacker.
:
: But wait... there's more. The interesting thing about these attacks
: is that the user IDs for which passwords are being guessed aren't
: coming from a completely fixed list. Besides guessing at the
: passwords for root, toor, news, admin, test, guest, webmaster,
: sshd, and mysql, the bots are also trying to get into our mail
: exchangers via user IDs which are the actual names of users for
: whom the machines receive mail. In one case, we saw an attempt to
: use the name of a user who hadn't been on for years but whose
: address was published ONCE (according to Google and AltaVista) on
: the Net. Since the attackers are not guessing at hundreds of
: invalid user names, the only conclusion we can draw is that when
: one of the bots attacks a mail server, it quickly tries to harvest
: e-mail addresses from the server's domain from the Net and then
: tries them, in the hope that those users (a) are enabled for SSH
: and (b) have weak passwords.
:
: SSH is enabled by default in most BSD-ish operating systems, and
: this makes us a bigger target for these bots than users of OSes
: that don't come with SSH (not that they're not more vulnerable in
: other ways!). Therefore, it's strongly recommended that, where
: practical, everyone limit SSH logins to the minimum possible number
: of users via the "AllowUsers" directive. We also have a log monitor
: that watches the logs (/var/log/auth.log in particular) and
: blackholes hosts that seem to be trying to break in via SSH.
:

Great email Brett, this is indeed a true revelation we all at
freebsd-security@ have been waiting for.

B.T.W, did you also notice they harvest email addresses and send you
useless information about products you don't need? I shit you not.
One needs to be careful since SMTP servers are available by default
in most BSD-ish operating systems, and this makes us a bigger target
for these email bots than users of OSes that don't come with SMTP
(not that they're not more vulnerable in other ways!).

Cheers,
Marcin.

From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 23:05:19 2005
Date: Sun, 2 Oct 2005 18:05:16 -0500
From: Kevin Day
To: Brett Glass
Cc: freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-Id: <9153DDB6-6FD4-4B14-9997-D6145F80AC3A@dragondata.com>
In-Reply-To: <6.2.3.4.2.20051002153930.07a50528@localhost>

On Oct 2, 2005, at 5:01 PM, Brett Glass wrote:

> Everyone:
>
> We're starting to see a rash of password guessing attacks via SSH
> on all of our exposed BSD servers which are running an SSH daemon.
> They're coming from multiple addresses, which makes us suspect that
> they're being carried out by a network of "bots" rather than a
> single attacker.
>
> But wait... there's more. The interesting thing about these attacks
> is that the user IDs for which passwords are being guessed aren't
> coming from a completely fixed list. Besides guessing at the
> passwords for root, toor, news, admin, test, guest, webmaster,
> sshd, and mysql, the bots are also trying to get into our mail
> exchangers via user IDs which are the actual names of users for
> whom the machines receive mail. In one case, we saw an attempt to
> use the name of a user who hadn't been on for years but whose
> address was published ONCE (according to Google and AltaVista) on
> the Net. Since the attackers are not guessing at hundreds of
> invalid user names, the only conclusion we can draw is that when
> one of the bots attacks a mail server, it quickly tries to harvest
> e-mail addresses from the server's domain from the Net and then
> tries them, in the hope that those users (a) are enabled for SSH
> and (b) have weak passwords.
>
> SSH is enabled by default in most BSD-ish operating systems, and
> this makes us a bigger target for these bots than users of OSes
> that don't come with SSH (not that they're not more vulnerable in
> other ways!). Therefore, it's strongly recommended that, where
> practical, everyone limit SSH logins to the minimum possible number
> of users via the "AllowUsers" directive. We also have a log monitor
> that watches the logs (/var/log/auth.log in particular) and
> blackholes hosts that seem to be trying to break in via SSH.
>
> --Brett Glass

This is pretty common, I'm afraid. SSH scanning with brute force
password guessing has gone through the roof in the last 9-12 months,
but it's been going on for years.

We announce a /19 worth of space, and see several hundred ssh
connects per second across it. The amount of junk port 22 traffic has
exceeded the amount of junk port 25 traffic for us now.

The best practice I can advise you with:

Block port 22 traffic at your ingress for hosts that don't need to
accept ssh connections.

Turn off SSH on boxes that don't need it at all.

If you only ever need to connect from a small list of hosts, block
port 22 from anything but those.

From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 23:16:26 2005
Date: Sun, 02 Oct 2005 17:15:49 -0600
From: Brett Glass
To: Marcin Jessa
Cc: freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-Id: <6.2.3.4.2.20051002171407.08c47eb0@localhost>
In-Reply-To: <20051002224413.0c39428e.lists@yazzy.org>

At 04:44 PM 10/2/2005, Marcin Jessa wrote:

>B.T.W, did you also notice they harvest email addresses and send you
>useless information about products you don't need?

Was the above intended to be self-referential? ;-)

--Brett

From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 23:29:23 2005
Date: Sun, 02 Oct 2005 17:29:12 -0600
From: Brett Glass
To: Kevin Day
Cc: freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-Id: <6.2.3.4.2.20051002171946.08f98c08@localhost>
In-Reply-To: <9153DDB6-6FD4-4B14-9997-D6145F80AC3A@dragondata.com>

At 05:05 PM 10/2/2005, Kevin Day wrote:

>This is pretty common, I'm afraid. SSH scanning with brute force
>password guessing has gone through the roof in the last 9-12 months,
>but it's been going on for years.
>
>We announce a /19 worth of space, and see several hundred ssh
>connects per second across it. The amount of junk port 22 traffic has
>exceeded the amount of junk port 25 traffic for us now.

For us, it just did this weekend. Major swarm of bots, mostly from
the UK and eastern Europe. I can't imagine we're alone.

The sudden increase -- and the tactic of harvesting e-mail addresses and
trying to match them to accounts -- were the reasons I decided to post.
People are going to want to make their security a bit tighter.

Spam, worms, bots.... This Internet thang is sure becoming a cesspool.

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Oct 3 00:03:11 2005
Date: Sun, 02 Oct 2005 20:03:09 -0400
From: Mike Tancsa
To: freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-Id: <6.2.3.4.0.20051002181843.07cc9c10@64.7.153.2>
In-Reply-To: <200510022208.j92M8joS016722@gw.catspoiler.org>
At 06:08 PM 02/10/2005, Don Lewis wrote:

> > practical, everyone limit SSH logins to the minimum possible number
> > of users via the "AllowUsers" directive. We also have a log monitor
> > that watches the logs (/var/log/auth.log in particular) and
> > blackholes hosts that seem to be trying to break in via SSH.
>
>It's also a good idea to only allow public key authentication from
>remote hosts. This avoids the risks of password guessing and password
>capture by shoulder surfers or key loggers.

Couple of other things to add:

deny all access via hosts.allow and only let in those who are supposed
to come in

launch sshd from inetd and then use the rate limiting feature of inetd
(e.g. -C 10) to reject hosts with more than 10 connection attempts from
a single IP per minute

Move to a different port than the default 22 to avoid scanners

use "port knocking" to dynamically allow a remote host to see port 22
(/usr/ports/security/doorman)

Also saw someone post on the openbsd list to use pf to rate limit
(http://groups.google.ca/group/lucky.openbsd.misc/tree/browse_frm/thread/86320212088ec09/42313fa39522f2b7?rnum=1&hl=en&q=openbsd+ssh+crackers+pf+table+ssh&_done=%2Fgroup%2Flucky.openbsd.misc%2Fbrowse_frm%2Fthread%2F86320212088ec09%2F605665a2b79f493b%3Flnk%3Dst%26q%3Dopenbsd+ssh+crackers+pf+table+ssh%26rnum%3D1%26hl%3Den%26#doc_605665a2b79f493b)

--------
table <crackers> persist file "/etc/tables/crackers"
block in quick from <crackers>
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA modulate state \
    (max-src-conn 5, max-src-conn-rate 4/60, overload <crackers> flush global)

crontab:
0 * * * * pfctl -t crackers -Tsh > /etc/tables/crackers
--------------

---Mike

From owner-freebsd-security@FreeBSD.ORG Mon Oct 3 00:48:01 2005
Date: Mon, 3 Oct 2005 01:47:54 +0100
From: Subhi S Hashwa
Reply-To: Subhi S Hashwa
To: Don Lewis
Cc: freebsd-security@FreeBSD.org
Subject: Re[2]: Repeated attacks via SSH
Message-ID: <1323455932.20051003014754@subhi.com>
In-Reply-To: <200510022208.j92M8joS016722@gw.catspoiler.org>

Sunday, October 2, 2005, 11:08:45 PM, Don Lewis wrote:

> It's also a good idea to only allow public key authentication from
> remote hosts. This avoids the risks of password guessing and password
> capture by shoulder surfers or key loggers.

I came across this package in ports, which could be useful in this type
of situation

/usr/ports/security/bruteforceblocker

BruteForceBlocker is a script that works along with pf - OpenBSD's
firewall. When this script is running, it checks sshd's auth log for
Failed Password attempts and counts their number. When a given IP
reaches the specified number of fails, the script adds this IP to pf's
table and blocks any other traffic to the given box. If you are bored
of those automated auth tries, you will be happy with this script.

WWW: http://danger.rulez.sk/projects/bruteforceblocker/

-- 
Best regards,
Subhi S Hashwa                  mailto:lists@subhi.com

When everything is heading your way, you're in the wrong lane.

From owner-freebsd-security@FreeBSD.ORG Mon Oct 3 04:00:07 2005
Date: Mon, 03 Oct 2005 14:00:01 +1000
From: Timothy Smith
Cc: freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-ID: <4340ACC1.1000306@open-networks.net>
In-Reply-To: <6.2.3.4.2.20051002171946.08f98c08@localhost>
-0000 Brett Glass wrote: >At 05:05 PM 10/2/2005, Kevin Day wrote: > > > >>This is pretty common, I'm afraid. SSH scanning with brute force >>password guessing has gone through the roof in the last 9-12 months, >>but it's been going on for years. >> >>We announce a /19 worth of space, and see several hundred ssh >>connects per second across it. The amount of junk port 22 traffic has >>exceeded the amount of junk port 25 traffic for us now. >> >> > >For us, it just did this weekend. Major swarm of bots, mostly from >the UK and eastern Europe. I can't imagine we're alone. > >The sudden increase -- and the tactic of harvesting e-mail addresses and >trying to match them to accounts -- were the reasons I decided to post. >People are going to want to make their security a bit tighter. > >Spam, worms, bots.... This Internet thang is sure becoming a cesspool. > >--Brett > > > just a reflection of society i think. personally i don't need ssh anymore so i have turned it off. if i was to enable it again i'd use a strong passphrase and a public key + rate limit login attempts and ban ip's that exceed an acceptable number of retires. i wonder if there isn't an opertunity to create some kind of honey pot project given the growing frequencies of these ssh based attacks. allow logins then dragggggg out the connection as long as you can. 
i still have a copy of everything they used to attack my system (it was left in /tmp and they were trying to get my system to scan as well) From owner-freebsd-security@FreeBSD.ORG Mon Oct 3 04:48:31 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C013B16A41F for ; Mon, 3 Oct 2005 04:48:31 +0000 (GMT) (envelope-from bigby@ephemeron.org) Received: from home.ephemeron.org (66-215-204-113.dhcp.rvsd.ca.charter.com [66.215.204.113]) by mx1.FreeBSD.org (Postfix) with ESMTP id 74B2143D48 for ; Mon, 3 Oct 2005 04:48:31 +0000 (GMT) (envelope-from bigby@ephemeron.org) Received: from home.fake.net (bigby@localhost [127.0.0.1]) by home.ephemeron.org (8.12.11/8.12.11) with ESMTP id j934mUvK099748; Sun, 2 Oct 2005 21:48:30 -0700 (PDT) (envelope-from bigby@ephemeron.org) Received: from localhost (bigby@localhost) by home.fake.net (8.12.11/8.12.6/Submit) with ESMTP id j934mUUL099745; Sun, 2 Oct 2005 21:48:30 -0700 (PDT) X-Authentication-Warning: home.fake.net: bigby owned process doing -bs Date: Sun, 2 Oct 2005 21:48:29 -0700 (PDT) From: Bigby Findrake X-X-Sender: bigby@home.fake.net To: Timothy Smith In-Reply-To: <4340ACC1.1000306@open-networks.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-security@freebsd.org Subject: Re: Repeated attacks via SSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Oct 2005 04:48:31 -0000 Have a look at labrea. http://labrea.sourceforge.net/ On Mon, 3 Oct 2005, Timothy Smith wrote: > i wonder if there isn't an opertunity to create some kind of honey pot > project given the growing frequencies of these ssh based attacks. 
>
> allow logins then dragggggg out the connection as long as you can. i
> still have a copy of everything they used to attack my system (it was
> left in /tmp and they were trying to get my system to scan as well)

/-------------------------------------------------------------------------/
"I dislike companies that have a we-are-the-high-priests-of-hardware-so-you'll-
like-what-we-give-you attitude.  I like commodity markets in which iron-and-
silicon hawkers know that they exist to provide fast toys for software types
like me to play with..."
                                                     -- Eric S. Raymond
finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
From: Jared Hall
Date: Sun, 2 Oct 2005 22:40:01 -0700
Subject: Re: Repeated attacks via SSH

Is there a way to block root login over 22?

Jared

Date: Sun, 2 Oct 2005 22:56:00 -0700 (PDT)
From: mario
Subject: Re: Repeated attacks via SSH

yep

[root@snoopy ~]#grep Root /etc/ssh/sshd_config
PermitRootLogin no

mario;>

So, Jared Hall wrote:
> Is there a way to block root login over 22?
> Jared

From: Tod McQuillin
Date: Mon, 3 Oct 2005 14:56:17 +0900 (JST)
Subject: Re: Repeated attacks via SSH

On Sun, 2 Oct 2005, Brett Glass wrote:

> But wait... there's more. The interesting thing about these attacks is
> that the user IDs for which passwords are being guessed aren't coming
> from a completely fixed list. Besides guessing at the passwords for
> root, toor, news, admin, test, guest, webmaster, sshd, and mysql, the
> bots are also trying to get into our mail exchangers via user IDs which
> are the actual names of users for whom the machines receive mail.

I had a similar fear myself, but when I took a closer look, I realised it
was not actually the case that the attackers had specific knowledge of
the users on my server.

What happens is that there are two kinds of messages from ssh in
/var/log/auth.log. When an attacker tries a nonexistent user, you get

Oct 2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11

When an attacker tries an existing user, you get

Oct 2 13:01:47 plexi sshd[79286]: Failed password for www from 83.142.49.11 port 42480 ssh2

In my case, attackers are trying a big list of usernames, and I get both
kinds of messages in my auth.log. However, in the daily security mail to
root, only the "Failed password" messages are included, so if that's all
you see you get the impression that attackers are specifically targeting
your users.

At least, that is what I thought at first. But when I took a closer look
at auth.log, it became clear that that's not what was really happening.

Maybe this is the case for Brett as well.
-- 
Tod McQuillin

From: Clemens Renner
Date: Mon, 03 Oct 2005 13:00:33 +0200
Subject: Re: Repeated attacks via SSH

Tod McQuillin wrote:
> What happens is that there
> are two kinds of messages from ssh in
> /var/log/auth.log. When an attacker tries a nonexistent user, you get
>
> Oct 2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11
>
> When an attacker tries an existing user, you get
>
> Oct 2 13:01:47 plexi sshd[79286]: Failed password for www from
> 83.142.49.11 port 42480 ssh2

I happen to see different entries in my daily security run output:

Failed password for illegal user qscand from 217.20.119.212 port 50657 ssh2

So I guess I am notified about both kinds of attacks.

By the way, do any of you see a threat in disclosing this kind of log
output to the network abuse departments of the corresponding hosters?
Often, I encounter intrusion attempts from rented servers where there is
an authority above the abuser able to step in.

And --on an unrelated matter-- funny to see that we even have trolls
here. :)

Cheers
Clemens

From: Daniel Gerzo
Date: Mon, 3 Oct 2005 00:12:42 +0200
Subject: Re: Repeated attacks via SSH

Hello Brett,

Monday, October 3, 2005, 12:01:26 AM, you wrote:

> Everyone:

> We're starting to see a rash of password guessing attacks via SSH
> on all of our exposed BSD servers which are running an SSH daemon.
> They're coming from multiple addresses, which makes us suspect that
> they're being carried out by a network of "bots" rather than a single attacker.

> But wait... there's more. The interesting thing about these attacks
> is that the user IDs for which passwords are being guessed aren't
> coming from a completely fixed list. Besides guessing at the
> passwords for root, toor, news, admin, test, guest, webmaster,
> sshd, and mysql, the bots are also trying to get into our mail
> exchangers via user IDs which are the actual names of users for
> whom the machines receive mail. In one case, we saw an attempt to
> use the name of a user who hadn't been on for years but whose
> address was published ONCE (according to Google and AltaVista) on
> the Net.
> Since the attackers are not guessing at hundreds of
> invalid user names, the only conclusion we can draw is that when
> one of the bots attacks a mail server, it quickly tries to harvest
> e-mail addresses from the server's domain from the Net and then
> tries them, in the hope that those users (a) are enabled for SSH
> and (b) have weak passwords.

> SSH is enabled by default in most BSD-ish operating systems, and
> this makes us a bigger target for these bots than users of OSes
> that don't come with SSH (not that they're not more vulnerable in
> other ways!). Therefore, it's strongly recommended that, where
> practical, everyone limit SSH logins to the minimum possible number
> of users via the "AllowUsers" directive.

very nice is to use AllowUsers in form of user@host.

> We also have a log monitor
> that watches the logs (/var/log/auth.log in particular) and
> blackholes hosts that seem to be trying to break in via SSH.

I wrote a similar script. it's also in ports under
security/bruteforceblocker

> --Brett Glass

-- 
Sincerely,
 Daniel Gerzo

From: Randy Bush
Date: Mon, 3 Oct 2005 06:47:06 -0700
Subject: Re: Repeated attacks via SSH

> PermitRootLogin no

i like

    PermitRootLogin without-password

randy

From: Randy Bush
Date: Mon, 3 Oct 2005 06:49:37 -0700
Subject: Re: Repeated attacks via SSH

> Of course, the problem is that if you need to get access in an
> emergency from who-knows-where, you're pretty much stuck with
> passwords unless you have a token system or a one time password
> system (e.g. S/Key). (Which reminds me: Anyone have a good S/Key
> implementation for the Palm Pilot?)

sshv2 with keys for palm at .
works great on my treo 650.

if at all possible, just don't allow passwords

the ssh root and dict attacks have been going on for long over a year.
some days we see more than 25,000 per target host, occasionally 100,000.
it's so common that i started to grep it out of log reports ages ago.

randy
From: Bob Johnson
Date: Mon, 3 Oct 2005 09:51:00 -0400
Subject: Re: Repeated attacks via SSH

On 10/3/05, mario wrote:
> So, Jared Hall wrote:
> > Is there a way to block root login over 22?
> > Jared
>
> yep
>
> [root@snoopy ~]#grep Root /etc/ssh/sshd_config
> PermitRootLogin no

This is not sufficient if ssh is using PAM for authentication (because
PAM will allow root logins). Make sure you also have disabled PAM
authentication with

ChallengeResponseAuthentication no

I think both of these settings default to "no" these days, but you might
want to check your config to be sure.
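Added example, not code from anyone in the thread: an audit of sshd_config for the settings discussed here (PermitRootLogin, AllowUsers user@host, ChallengeResponseAuthentication, password logins) that applies sshd's first-value-wins rule instead of grepping the file as in the quoted command. The two sample configs are constructed, and the finding codes are my own naming.

```python
"""Audit an sshd_config for the settings recommended in this thread.

Added example, not code from anyone in the thread. Unlike the quoted grep,
it applies sshd's own rule that the first value given for a keyword wins,
and it ignores commented-out lines and conditional Match blocks.
"""
import re
import sys

# PermitRootLogin values that keep password logins for root closed.
ROOT_OK = {"no", "without-password", "prohibit-password", "forced-commands-only"}


def parse_sshd_config(text):
    """Return {keyword.lower(): first value}, skipping comments and Match blocks."""
    cfg = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # keyword, then argument
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True      # everything up to the next Match is conditional
            continue
        if in_match:
            continue
        cfg.setdefault(key, value)   # first obtained value wins, per sshd_config(5)
    return cfg


def audit(cfg):
    """Return (code, message) findings; an empty list means every check passed."""
    findings = []
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append(("root-login",
                         "PermitRootLogin not set: the build's default applies, set it explicitly"))
    elif root.lower() not in ROOT_OK:
        findings.append(("root-login", f"PermitRootLogin {root}: root may log in with a password"))

    users = cfg.get("allowusers", "")
    if not users and not cfg.get("allowgroups"):
        findings.append(("no-allowlist",
                         "no AllowUsers/AllowGroups: every local account is reachable over ssh"))
    for pattern in users.split():
        if "@" not in pattern:
            findings.append(("allowusers-no-host",
                             f"AllowUsers {pattern}: no host part, user@host would also pin the source"))

    # KbdInteractiveAuthentication is the newer name for the same keyword.
    cr = cfg.get("challengeresponseauthentication", cfg.get("kbdinteractiveauthentication"))
    if cr is None or cr.lower() != "no":
        findings.append(("challenge-response",
                         "ChallengeResponseAuthentication is not 'no': keyboard-interactive (PAM) password prompts stay enabled"))
    if cfg.get("passwordauthentication", "").lower() != "no":
        findings.append(("password-auth",
                         "PasswordAuthentication is not 'no': password guessing remains possible, prefer keys"))
    return findings


def audit_text(text):
    return audit(parse_sshd_config(text))


# Constructed samples. In WEAK, "grep Root" shows three lines, but sshd uses
# the first one, so root password logins are allowed globally.
WEAK = """\
PermitRootLogin yes
#PermitRootLogin no
Match Address 198.51.100.0/24
    PermitRootLogin no
"""

HARDENED = """\
PermitRootLogin without-password
AllowUsers dave@*.example.net ops@198.51.100.7
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    # Usage: python3 sshd_audit.py [/etc/ssh/sshd_config]; without a path, audits WEAK.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK
    for code, message in audit_text(text) or [("ok", "no findings")]:
        print(f"{code}: {message}")
```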
- Bob

From: Fernan Aguero
Date: Mon, 3 Oct 2005 11:24:20 -0300
Subject: Re: Repeated attacks via SSH
+----[ Randy Bush (03.Oct.2005 10:51):
|
| > Of course, the problem is that if you need to get access in an
| > emergency from who-knows-where, you're pretty much stuck with
| > passwords unless you have a token system or a one time password
| > system (e.g. S/Key). (Which reminds me: Anyone have a good S/Key
| > implementation for the Palm Pilot?)
|
| sshv2 with keys for palm at .
| works great on my treo 650.
|
+----]

pilOTP: http://astro.uchicago.edu/home/web/valdes/pilot/pilOTP/

Fernan

From: David Gilbert
Date: Mon, 3 Oct 2005 10:38:13 -0400
Subject: Repeated attacks via SSH
>>>>> "Brett" == Brett Glass writes:

Brett> Everyone: We're starting to see a rash of password guessing
Brett> attacks via SSH on all of our exposed BSD servers which are
Brett> running an SSH daemon. They're coming from multiple addresses,
Brett> which makes us suspect that they're being carried out by a
Brett> network of "bots" rather than a single attacker.

[...]

Brett> SSH is enabled by default in most BSD-ish operating systems,
Brett> and this makes us a bigger target for these bots than users of
Brett> OSes that don't come with SSH (not that they're not more
Brett> vulnerable in other ways!). Therefore, it's strongly
Brett> recommended that, where practical, everyone limit SSH logins to
Brett> the minimum possible number of users via the "AllowUsers"
Brett> directive. We also have a log monitor that watches the logs
Brett> (/var/log/auth.log in particular) and blackholes hosts that
Brett> seem to be trying to break in via SSH.

I have another angle. I run the following script on many of my
machines:

#!/bin/bash
# Copyright (c) 2005 DaveG.ca
# You may use this code under the GPL, version 2 or newer.
# firewall excessive ssh attempts

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Count "Illegal user" lines per source address (the address is the last
# field of the line); then add any source with more than 9 of them to
# ipfw table 1, which a deny rule for port 22 is expected to reference.
cat /var/log/auth.log | grep "Illegal user" | rev | cut -d ' ' -f 1 | rev | sort | uniq -c | \
( while read num ip; do
    if [ "$num" -gt 9 ]; then
        # Table entries are listed with "ipfw table 1 list", not "ipfw show".
        if ! ipfw table 1 list | grep -qF "$ip/" ; then
            echo adding "$ip" for "$num" violations
            logger -p auth.warn blocking "$ip" for "$num" violations
            ipfw table 1 add "$ip"
        fi
    fi
done )

Now... the line 'ipfw ...' can be replaced with other firewall
statements or it can be a route add -blackhole. The trick here is that
it is unusual for legal users to make many tries at an ssh with a
completely wrong username.

Dave.
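Added example (mine, not code from Dave, Tod or Clemens): the log analysis the three of them describe, in one script. It recognises Tod's two message kinds and Clemens's third, keeps the per-source counts that the daily security mail hides, and applies Dave's threshold of more than nine nonexistent-user guesses per source. The sample log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Classify sshd failure lines from /var/log/auth.log and pick hosts to block.

Added example, not code from anyone in the thread. It recognises the three
message shapes quoted in the thread ("Illegal user", "Failed password for
<user>", "Failed password for illegal/invalid user") and applies the rule
from Dave's script: block a source after more than nine guesses at
nonexistent users.
"""
import re
import sys
from collections import Counter, defaultdict

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Order matters: the "illegal/invalid user" form must be tried before the
# generic "Failed password for <user>" form.
PATTERNS = (
    (re.compile(r"sshd\[\d+\]: Illegal user (\S+) from " + IPV4), "illegal"),
    (re.compile(r"sshd\[\d+\]: Failed password for (?:illegal|invalid) user (\S+) from " + IPV4), "illegal"),
    (re.compile(r"sshd\[\d+\]: Failed password for (\S+) from " + IPV4), "existing"),
)


def classify(line):
    """Return (kind, user, ip) for an sshd failure line, or None for anything else.

    kind is "illegal" (no such account) or "existing" (real account, wrong
    password). The daily security mail shows only the "existing" lines, which
    is what makes a username-list walk look like a targeted attack.
    """
    for regex, kind in PATTERNS:
        m = regex.search(line)
        if m:
            return kind, m.group(1), m.group(2)
    return None


def summarize(lines):
    """Per-source counts of each kind, plus which real accounts were hit."""
    per_ip = defaultdict(Counter)
    hit_accounts = Counter()
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        kind, user, ip = result
        per_ip[ip][kind] += 1
        if kind == "existing":
            hit_accounts[user] += 1
    return per_ip, hit_accounts


def hosts_to_block(per_ip, threshold=9):
    """Dave's rule: a source with more than `threshold` nonexistent-user guesses."""
    return sorted(ip for ip, counts in per_ip.items() if counts["illegal"] > threshold)


def report(lines):
    """Summary in the spirit of the daily security mail, with the noise kept."""
    per_ip, hit_accounts = summarize(lines)
    out = []
    for ip, counts in sorted(per_ip.items()):
        out.append(f"{ip}: {counts['illegal']} nonexistent-user guesses, "
                   f"{counts['existing']} failures on real accounts")
    out.append("real accounts hit: " + ", ".join(sorted(hit_accounts)))
    out.append("would block: " + ", ".join(hosts_to_block(per_ip)))
    return "\n".join(out)


# Constructed sample log (RFC 5737 addresses): 192.0.2.10 walks a username list
# and also hits two real accounts; 198.51.100.7 is a legitimate user who
# mistyped a password once.
NOISE_USERS = ["bob", "admin", "test", "guest", "news", "toor",
               "webmaster", "mysql", "sshd", "oracle"]
SAMPLE_LOG = [
    f"Oct  2 13:00:{i:02d} plexi sshd[{79100 + i}]: Illegal user {u} from 192.0.2.10"
    for i, u in enumerate(NOISE_USERS)
] + [
    "Oct  2 13:00:30 plexi sshd[79150]: Failed password for illegal user qscand from 192.0.2.10 port 50657 ssh2",
    "Oct  2 13:01:47 plexi sshd[79286]: Failed password for www from 192.0.2.10 port 42480 ssh2",
    "Oct  2 13:01:49 plexi sshd[79290]: Failed password for root from 192.0.2.10 port 42481 ssh2",
    "Oct  2 13:02:10 plexi sshd[79301]: Failed password for dave from 198.51.100.7 port 5122 ssh2",
    "Oct  2 13:02:11 plexi sshd[79301]: Accepted publickey for dave from 198.51.100.7 port 5122 ssh2",
    "Oct  2 13:02:12 plexi login: ROOT LOGIN (root) ON ttyv0",
]

if __name__ == "__main__":
    # Usage: python3 sshfail.py [/var/log/auth.log]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(report(fh))
    else:
        print(report(SAMPLE_LOG))
```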
-- 
============================================================================
|David Gilbert, Independent Contractor. | Two things can only be         |
|Mail:       dave@daveg.ca              |  equal if and only if they     |
|http://daveg.ca                        |   are precisely opposite.      |
=========================================================GLO================

From: Garrett Wollman
Date: Mon, 3 Oct 2005 12:48:21 -0400
Subject: Re: Repeated attacks via SSH

< said:

> Failed password for illegal user qscand from 217.20.119.212 port 50657 ssh2

I modified my version of /etc/periodic/security/800.loginfail to filter
out all the "illegal user" messages from sshd; otherwise I would be
getting about 24,000 lines of crap a night in my security report (3,000
attempts per host times eight hosts). Since all of the machines I care
about have very limited access, I don't lose anything by not overwhelming
my security mail with unimportant failures.

I also aggressively use AllowUsers/AllowGroups in sshd_config to limit
exposure even more. (That way, I don't have to see all the failures for
"www" and "pgsql" as well.)
-GAWollman

From: Matthew Dillon
Date: Wed, 5 Oct 2005 09:26:56 -0700 (PDT)
Subject: Re: Repeated attacks via SSH

It annoys me to no end so this is what I do:

/etc/syslog.conf:

auth.info;authpriv.info                 |exec /root/adm/sshlockout

And then I wrote a little program to add a rule to the firewall (you
want to modify it to add after any of your optimized flow-through rules
because long chains can occur). I clean out the rule (2100 in my case)
about once a week so the list doesn't get too big.
Of course, if you have a lot of users they might trip over this occasionally themselves; it's designed for administrative machines and servers, not general shell boxes. YMMV.

Most of the attacks appear to come from compromised Windows boxes... probably the same BOT networks that spammers use to send spam.

-Matt

/*
 * Use: pipe syslog auth output to this program.
 *
 * Detects failed ssh login attempts and maps out the originating IP.
 */
/* the header names did not survive the archive; these are the ones the code uses */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

int
main(int ac, char **av)
{
    char buf[1024];
    char *str;
    int n1;
    int n2;
    int n3;
    int n4;

    openlog("sshlockout", LOG_PID|LOG_CONS, LOG_AUTH);
    syslog(LOG_ERR, "sshlockout starting up");
    /* we run as a syslog pipe; nothing we print has anywhere to go */
    freopen("/dev/null", "w", stdout);
    freopen("/dev/null", "w", stderr);

    while (fgets(buf, sizeof(buf), stdin) != NULL) {
        /* only sshd "Failed password" lines are of interest */
        if (strstr(buf, "sshd") == NULL)
            continue;
        if (strstr(buf, "Failed password") == NULL)
            continue;

        /* case 1: a guess against root or admin; lock out on the first failure */
        if ((str = strstr(buf, "Failed password for root from")) != NULL ||
            (str = strstr(buf, "Failed password for admin from")) != NULL
        ) {
            /* skip forward to the first digit of the dotted quad */
            while (*str && (*str < '0' || *str > '9'))
                ++str;
            if (sscanf(str, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) == 4) {
                syslog(LOG_ERR, "Detected ssh password login attempt for root, locking out %d.%d.%d.%d\n", n1, n2, n3, n4);
                snprintf(buf, sizeof(buf), "ipfw add 2100 deny tcp from %d.%d.%d.%d to me 22", n1, n2, n3, n4);
                system(buf);
            }
            continue;
        }

        /*
         * case 2: a guess for an account that does not exist.  Newer sshd
         * logs "invalid user"; the older wording, seen in the log line
         * quoted earlier in this thread, is "illegal user" and would need
         * a second strstr() here on such systems.
         */
        if ((str = strstr(buf, "Failed password for invalid user")) != NULL) {
            str += 32;                      /* strlen("Failed password for invalid user") */
            while (*str == ' ')             /* skip to the user name */
                ++str;
            while (*str && *str != ' ')     /* skip over the user name */
                ++str;
            if (strncmp(str, " from", 5) == 0 &&
                sscanf(str + 5, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) == 4
            ) {
                syslog(LOG_ERR, "Detected ssh password login attempt for an invalid user, locking out %d.%d.%d.%d\n", n1, n2, n3, n4);
                snprintf(buf, sizeof(buf), "ipfw add 2100 deny tcp from %d.%d.%d.%d to me 22", n1, n2, n3, n4);
                system(buf);
            }
        }
    }
    syslog(LOG_ERR, "sshlockout exiting");
    return(0);
}

From owner-freebsd-security@FreeBSD.ORG Wed Oct 5 23:55:48 2005 Return-Path: X-Original-To:
freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D181D16A41F for ; Wed, 5 Oct 2005 23:55:48 +0000 (GMT) (envelope-from freebsd-security@auscert.org.au) Received: from titania.auscert.org.au (gw.auscert.org.au [203.5.112.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4713643D45 for ; Wed, 5 Oct 2005 23:55:47 +0000 (GMT) (envelope-from freebsd-security@auscert.org.au) Received: from app.auscert.org.au (app [10.0.1.192]) by titania.auscert.org.au (8.12.10/8.12.10) with ESMTP id j95NtTio049185; Thu, 6 Oct 2005 09:55:29 +1000 (EST) Received: from app.auscert.org.au (localhost.auscert.org.au [127.0.0.1]) by app.auscert.org.au (8.13.1/8.13.1) with ESMTP id j95NtjVo084768; Thu, 6 Oct 2005 09:55:45 +1000 (EST) (envelope-from freebsd-security@auscert.org.au) Message-Id: <200510052355.j95NtjVo084768@app.auscert.org.au> To: freebsd-security@freebsd.org from: freebsd-security@auscert.org.au In-Reply-To: Your message of "Sun, 02 Oct 2005 16:32:39 CST." <6.2.3.4.2.20051002162545.08f66558@localhost> Date: Thu, 06 Oct 2005 09:55:45 +1000 Cc: Subject: Re: Repeated attacks via SSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Oct 2005 23:55:48 -0000

> system (e.g. S/Key). (Which reminds me: Anyone have a good S/Key
> implementation for the Palm Pilot?)

Brett, on this note another tack you could take is to symmetrically encrypt your list with GPG/PGP, being wary of where you choose to decrypt it. This kind of thing, using gpg (where the path could be a removable device or floppy):

    opiekey -n 5 0499 xx9909 | sort -rn | ( sleep 10 ; gpg -ca -o /trusted/path )

... adding your preferred --cipher-algo option as required, then as needed run:

    gpg -o - /trusted/path | grep #seq_no

cheers,

-- 
Joel Hatton -- Security Analyst | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert@auscert.org.au
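The following is an added example for the log-driven lockout discussed by Matthew Dillon above; it is not his sshlockout program and is not code from any message in this thread. It keeps his idea (read sshd failure lines from syslog, build an ipfw deny rule) and adds three things a practitioner deploying it would want: it matches both the "illegal user" wording of the log line Garrett Wollman quoted and the "invalid user" wording Dillon's program looks for, it validates the address before it could ever reach a shell command, and it blocks only after a threshold of failures from one address rather than on the first. The rule number 2100, the threshold of 3, the function names and the log lines in main() are all assumptions constructed for the example.

```c
/*
 * Added example for this thread (not Dillon's sshlockout, not from any
 * original message).  Same syslog-line-to-ipfw-rule idea, but it matches
 * both "illegal user" (the log line Wollman quoted) and "invalid user"
 * (what Dillon's program looks for), validates the address before it can
 * reach a shell command, and blocks only after LOCKOUT_THRESHOLD failures
 * from one address.  Rule number 2100 and the threshold of 3 are
 * assumptions; the lines in main() are constructed.
 */
#include <stdio.h>
#include <string.h>

#define LOCKOUT_THRESHOLD 3
#define MAX_TRACKED 256

struct tally { char ip[16]; int fails; };
static struct tally table[MAX_TRACKED];
static int ntracked;

/* forget all counted failures (in-memory analogue of Dillon's weekly flush of rule 2100) */
void reset_tally(void) { ntracked = 0; }

/* Pull the source address out of an sshd "Failed password for ..." line.
 * Returns 1 and stores a validated dotted quad in ip; 0 if the line is not
 * a password failure or the address is malformed. */
int extract_failed_ip(const char *line, char *ip, size_t iplen)
{
    const char *p = NULL, *q = line;
    int o[4], n, i;

    if (strstr(line, "sshd") == NULL || strstr(line, "Failed password for") == NULL)
        return 0;
    /* sshd puts the address after " from "; take the LAST occurrence so a
     * user name crafted to contain " from " cannot steer the parser */
    while ((q = strstr(q, " from ")) != NULL) {
        p = q;
        q++;
    }
    if (p == NULL)
        return 0;
    p += 6;
    if (sscanf(p, "%d.%d.%d.%d%n", &o[0], &o[1], &o[2], &o[3], &n) != 4)
        return 0;
    for (i = 0; i < 4; i++)
        if (o[i] < 0 || o[i] > 255)
            return 0;
    /* the quad must end at a space or end of line: rejects 1.2.3.4.5 and trailing junk */
    if (p[n] != ' ' && p[n] != '\0' && p[n] != '\n')
        return 0;
    snprintf(ip, iplen, "%d.%d.%d.%d", o[0], o[1], o[2], o[3]);
    return 1;
}

/* Count one failure for ip and return the total seen from it so far. */
int record_failure(const char *ip)
{
    int i;
    for (i = 0; i < ntracked; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return ++table[i].fails;
    if (ntracked == MAX_TRACKED)
        return 1;   /* table full: never reaches the threshold (assumption) */
    snprintf(table[ntracked].ip, sizeof table[ntracked].ip, "%s", ip);
    table[ntracked].fails = 1;
    return table[ntracked++].fails;
}

/* Feed one syslog line.  Returns 1 and fills cmd with the ipfw rule exactly
 * when this line is the LOCKOUT_THRESHOLD-th failure from its address, else
 * 0.  Running cmd (system() in Dillon's program) is left to the caller so
 * the decision can be tested without touching a firewall. */
int process_line(const char *line, char *cmd, size_t cmdlen)
{
    char ip[16];
    if (!extract_failed_ip(line, ip, sizeof ip))
        return 0;
    if (record_failure(ip) != LOCKOUT_THRESHOLD)
        return 0;
    snprintf(cmd, cmdlen, "ipfw add 2100 deny tcp from %s to me 22", ip);
    return 1;
}

int main(void)
{
    /* constructed sample lines in both formats seen in this thread */
    static const char *sample[] = {
        "Oct  3 02:11:07 mx sshd[4711]: Failed password for illegal user qscand from 192.0.2.10 port 50657 ssh2",
        "Oct  3 02:11:09 mx sshd[4712]: Failed password for invalid user admin from 192.0.2.10 port 50658 ssh2",
        "Oct  3 02:11:10 mx sshd[4713]: Accepted publickey for wollman from 198.51.100.7 port 40000 ssh2",
        "Oct  3 02:11:12 mx sshd[4714]: Failed password for root from 192.0.2.10 port 50659 ssh2",
        "Oct  3 02:11:15 mx sshd[4715]: Failed password for root from 999.1.1.1 port 50660 ssh2",
    };
    char cmd[128];
    size_t i;
    for (i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (process_line(sample[i], cmd, sizeof cmd))
            printf("%s\n", cmd);   /* one rule, for 192.0.2.10 */
    return 0;
}
```

Wired into syslog the way Dillon describes (a pipe from auth.info), the only change needed is to replace the printf in main() with system(cmd); the threshold keeps a single mistyped password by a legitimate user from locking them out, which is the failure mode Dillon warns about for general shell boxes.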