From: Brett Glass
Date: Sun, 02 Oct 2005 16:01:26 -0600
To: freebsd-security@freebsd.org
Subject: Repeated attacks via SSH
Message-Id: <6.2.3.4.2.20051002153930.07a50528@localhost>

Everyone:

We're starting to see a rash of password-guessing attacks via SSH on all of our exposed BSD servers which are running an SSH daemon. They're coming from multiple addresses, which makes us suspect that they're being carried out by a network of "bots" rather than a single attacker.

But wait... there's more. The interesting thing about these attacks is that the user IDs for which passwords are being guessed aren't coming from a completely fixed list. Besides guessing at the passwords for root, toor, news, admin, test, guest, webmaster, sshd, and mysql, the bots are also trying to get into our mail exchangers via user IDs which are the actual names of users for whom the machines receive mail. In one case, we saw an attempt to use the name of a user who hadn't been on for years but whose address was published ONCE (according to Google and AltaVista) on the Net.

Since the attackers are not guessing at hundreds of invalid user names, the only conclusion we can draw is that when one of the bots attacks a mail server, it quickly tries to harvest e-mail addresses for the server's domain from the Net and then tries them, in the hope that those users (a) are enabled for SSH and (b) have weak passwords.

SSH is enabled by default in most BSD-ish operating systems, and this makes us a bigger target for these bots than users of OSes that don't come with SSH (not that they're not more vulnerable in other ways!). Therefore, it's strongly recommended that, where practical, everyone limit SSH logins to the minimum possible number of users via the "AllowUsers" directive. We also have a log monitor that watches the logs (/var/log/auth.log in particular) and blackholes hosts that seem to be trying to break in via SSH.

--Brett Glass
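A log monitor of the kind Brett describes, as an added example that is not part of the original post: it scans sshd password failures in auth.log-style lines, counts them per source address, and names the hosts worth blackholing. The sample log lines, the failure threshold and the FreeBSD route(8) blackhole command form are my assumptions, not something from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines (not taken from the original post).
SAMPLE_AUTH_LOG = """\
Oct  2 15:39:30 mx1 sshd[28860]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Oct  2 15:39:33 mx1 sshd[28861]: Failed password for root from 192.0.2.10 port 4243 ssh2
Oct  2 15:39:36 mx1 sshd[28862]: Failed password for invalid user test from 192.0.2.10 port 4244 ssh2
Oct  2 15:40:01 mx1 sshd[28870]: Illegal user mysql from 198.51.100.7
Oct  2 15:40:05 mx1 sshd[28871]: Accepted publickey for brett from 203.0.113.5 port 5000 ssh2
Oct  2 15:41:12 mx1 sshd[28880]: Failed password for jdoe from 203.0.113.5 port 5001 ssh2
"""

# Matches both a rejected password and an unknown user name; older OpenSSH logs
# "Illegal user", newer versions log "Invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?|(?:Illegal|Invalid) user )"
    r"(\S+) from (\d+(?:\.\d+){3})"
)


def count_failures(log_text):
    """Return ({ip: failure_count}, {ip: set(user_names_tried)}) for sshd auth failures."""
    per_ip = Counter()
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip] += 1
            names[ip].add(user)
    return per_ip, names


def hosts_to_blackhole(log_text, threshold=3):
    """Source addresses whose failure count reaches the threshold (assumed value), sorted."""
    per_ip, _ = count_failures(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def blackhole_command(ip):
    """FreeBSD route(8) blackhole route: replies to the host are discarded, so its
    connection attempts never complete. Run by the monitor as root on the server."""
    return f"route add -host {ip} 127.0.0.1 -blackhole"


if __name__ == "__main__":
    for ip in hosts_to_blackhole(SAMPLE_AUTH_LOG):
        print(blackhole_command(ip))
```

A real monitor would tail the log continuously and keep an expiry on each blackhole entry; a single legitimate user mistyping a password (as 203.0.113.5 does above) stays below the threshold.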