Date: Sun, 2 Oct 2005 22:44:13 +0000
From: Marcin Jessa <lists@yazzy.org>
To: Brett Glass <brett@lariat.org>
Cc: freebsd-security@freebsd.org, flynn@energyhq.es.eu.org
Subject: Re: Repeated attacks via SSH
Message-ID: <20051002224413.0c39428e.lists@yazzy.org>
In-Reply-To: <6.2.3.4.2.20051002153930.07a50528@localhost>
On Sun, 02 Oct 2005 16:01:26 -0600 Brett Glass <brett@lariat.org> wrote:

: Everyone:
:
: We're starting to see a rash of password guessing attacks via SSH
: on all of our exposed BSD servers which are running an SSH daemon.
: They're coming from multiple addresses, which makes us suspect that
: they're being carried out by a network of "bots" rather than a single attacker.
:
: But wait... there's more. The interesting thing about these attacks
: is that the user IDs for which passwords are being guessed aren't
: coming from a completely fixed list. Besides guessing at the
: passwords for root, toor, news, admin, test, guest, webmaster,
: sshd, and mysql, the bots are also trying to get into our mail
: exchangers via user IDs which are the actual names of users for
: whom the machines receive mail. In one case, we saw an attempt to
: use the name of a user who hadn't been on for years but whose
: address was published ONCE (according to Google and AltaVista) on
: the Net. Since the attackers are not guessing at hundreds of
: invalid user names, the only conclusion we can draw is that when
: one of the bots attacks a mail server, it quickly tries to harvest
: e-mail addresses from the server's domain from the Net and then
: tries them, in the hope that those users (a) are enabled for SSH
: and (b) have weak passwords.
:
: SSH is enabled by default in most BSD-ish operating systems, and
: this makes us a bigger target for these bots than users of OSes
: that don't come with SSH (not that they're not more vulnerable in
: other ways!). Therefore, it's strongly recommended that, where
: practical, everyone limit SSH logins to the minimum possible number
: of users via the "AllowUsers" directive. We also have a log monitor
: that watches the logs (/var/log/auth.log in particular) and
: blackholes hosts that seem to be trying to break in via SSH.

Great email Brett, this is indeed a true revelation we all at freebsd-security@ have been waiting for.

B.T.W, did you also notice they harvest email addresses and send you useless information about products you don't need? I shit you not. One needs to be careful since SMTP servers are available by default in most BSD-ish operating systems, and this makes us a bigger target for these email bots than users of OSes that don't come with SMTP (not that they're not more vulnerable in other ways!).

Cheers,
Marcin.
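The quoted message describes two defences: restricting logins with sshd's `AllowUsers` directive and a log monitor that reads /var/log/auth.log and blackholes hosts making repeated guesses. The following is an added example, not code from either poster, showing what such a monitor can look like in Python: it parses sshd "Failed password" and "Invalid user" lines in FreeBSD syslog format, counts failures per source address, lists which guessed usernames fall outside the `AllowUsers` set (so they could never have succeeded), and emits `pfctl` commands to add offending addresses to a pf table. The log lines are constructed for the example, the allow-list contents and failure threshold are assumptions, and the pf table name `bruteforce` is an assumed name that would have to exist in the host's pf.conf.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/auth.log lines in FreeBSD syslog format.
# These are made up for the example and are not from the mailing-list thread.
SAMPLE_AUTH_LOG = """\
Oct  2 22:10:01 mx1 sshd[1201]: Invalid user test from 192.0.2.10
Oct  2 22:10:01 mx1 sshd[1201]: Failed password for invalid user test from 192.0.2.10 port 40210 ssh2
Oct  2 22:10:04 mx1 sshd[1203]: Failed password for root from 192.0.2.10 port 40214 ssh2
Oct  2 22:10:07 mx1 sshd[1205]: Invalid user jsmith from 192.0.2.10
Oct  2 22:10:07 mx1 sshd[1205]: Failed password for invalid user jsmith from 192.0.2.10 port 40220 ssh2
Oct  2 22:10:09 mx1 sshd[1207]: Failed password for root from 198.51.100.7 port 51002 ssh2
Oct  2 22:11:30 mx1 sshd[1210]: Accepted publickey for brett from 203.0.113.5 port 22000 ssh2
Oct  2 22:12:00 mx1 sshd[1212]: Failed password for brett from 203.0.113.5 port 22001 ssh2
"""

# Assumed contents of the sshd_config "AllowUsers" line on this host.
ALLOWED_USERS = {"brett"}

# One line per failed password attempt; "invalid user" marks names with no account.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
# sshd also logs a separate line when the username itself does not exist.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)$")


def parse_failures(log_text):
    """Return a list of (source_ip, username) for each failed password attempt."""
    events = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = FAILED_RE.search(line)
        if m:
            user, host = m.group(1), m.group(2)
            events.append((host, user))
    return events


def guessed_usernames(log_text):
    """Return the set of non-existent usernames tried, taken from 'Invalid user' lines."""
    names = set()
    for line in log_text.splitlines():
        m = INVALID_RE.search(line.rstrip())
        if m:
            names.add(m.group(1))
    return names


def summarize(events):
    """Aggregate failures per source address: count plus the set of usernames tried."""
    summary = defaultdict(lambda: {"failures": 0, "users": set()})
    for host, user in events:
        summary[host]["failures"] += 1
        summary[host]["users"].add(user)
    return dict(summary)


def offenders(summary, threshold):
    """Hosts whose failure count reaches the threshold, sorted for stable output."""
    return sorted(h for h, s in summary.items() if s["failures"] >= threshold)


def users_outside_allowlist(summary, host, allowed=ALLOWED_USERS):
    """Usernames a host tried that AllowUsers would have rejected outright."""
    return sorted(summary[host]["users"] - allowed)


def blackhole_commands(hosts, table="bruteforce"):
    """pfctl invocations that add each host to an (assumed) pf table used for blocking."""
    return [f"pfctl -t {table} -T add {host}" for host in hosts]


if __name__ == "__main__":
    summary = summarize(parse_failures(SAMPLE_AUTH_LOG))
    for host in offenders(summary, threshold=3):
        print(f"{host}: {summary[host]['failures']} failures, "
              f"names not in AllowUsers: {users_outside_allowlist(summary, host)}")
    print("\n".join(blackhole_commands(offenders(summary, threshold=3))))
```

A real deployment would tail the log rather than read a string, keep a sliding time window so a host is judged on recent activity rather than its lifetime total, and expire table entries (pf's `-T expire` handles that) so a mistyped password from a legitimate address does not block it permanently.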