From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 22:44:47 2005
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9265B16A41F; Sun, 2 Oct 2005 22:44:47 +0000 (GMT) (envelope-from lists@yazzy.org)
Received: from mail.yazzy.org (mail.yazzy.org [217.8.140.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id CCB6F43D5A; Sun, 2 Oct 2005 22:44:45 +0000 (GMT) (envelope-from lists@yazzy.org)
Received: from lapdance.yazzy.net (unknown [192.168.99.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yazzy.org (Postfix) with ESMTP id 8284D39829; Mon, 3 Oct 2005 00:44:35 +0200 (CEST)
Date: Sun, 2 Oct 2005 22:44:13 +0000
From: Marcin Jessa
To: Brett Glass
Message-Id: <20051002224413.0c39428e.lists@yazzy.org>
In-Reply-To: <6.2.3.4.2.20051002153930.07a50528@localhost>
References: <6.2.3.4.2.20051002153930.07a50528@localhost>
Organization: YazzY.org
X-Mailer: Sylpheed version 2.0.2 (GTK+ 2.6.10; i386-portbld-freebsd6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org, flynn@energyhq.es.eu.org
Subject: Re: Repeated attacks via SSH
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sun, 02 Oct 2005 22:44:47 -0000

On Sun, 02 Oct 2005 16:01:26 -0600 Brett Glass wrote:

: Everyone:
:
: We're starting to see a rash of password guessing attacks via SSH on all
: of our exposed BSD servers which are running an SSH daemon. They're
: coming from multiple addresses, which makes us suspect that they're being
: carried out by a network of "bots" rather than a single attacker.
:
: But wait... there's more. The interesting thing about these attacks is
: that the user IDs for which passwords are being guessed aren't coming
: from a completely fixed list. Besides guessing at the passwords for root,
: toor, news, admin, test, guest, webmaster, sshd, and mysql, the bots are
: also trying to get into our mail exchangers via user IDs which are the
: actual names of users for whom the machines receive mail. In one case, we
: saw an attempt to use the name of a user who hadn't been on for years but
: whose address was published ONCE (according to Google and AltaVista) on
: the Net. Since the attackers are not guessing at hundreds of invalid user
: names, the only conclusion we can draw is that when one of the bots
: attacks a mail server, it quickly tries to harvest e-mail addresses from
: the server's domain from the Net and then tries them, in the hope that
: those users (a) are enabled for SSH and (b) have weak passwords.
:
: SSH is enabled by default in most BSD-ish operating systems, and this
: makes us a bigger target for these bots than users of OSes that don't
: come with SSH (not that they're not more vulnerable in other ways!).
: Therefore, it's strongly recommended that, where practical, everyone
: limit SSH logins to the minimum possible number of users via the
: "AllowUsers" directive. We also have a log monitor that watches the logs
: (/var/log/auth.log in particular) and blackholes hosts that seem to be
: trying to break in via SSH.

Great email Brett, this is indeed a true revelation we all at
freebsd-security@ have been waiting for.

BTW, did you also notice they harvest email addresses and send you useless
information about products you don't need? I shit you not. One needs to be
careful since SMTP servers are available by default in most BSD-ish
operating systems, and this makes us a bigger target for these email bots
than users of OSes that don't come with SMTP (not that they're not more
vulnerable in other ways!).

Cheers,
Marcin.
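As an added example, not code from either poster, the following Python script sketches the kind of auth.log monitor Brett describes: it parses OpenSSH "Failed password" lines, flags source hosts that exceed a threshold of failures inside a sliding window, emits the pfctl commands that would add them to a blackhole table, and separately lists the real local accounts the bots are guessing at, which are the ones to keep off AllowUsers. The log lines, addresses and the account names "jdoe" and "ops" are constructed for the example; the pf table name "bruteforce" and the pf.conf setup in the comments are assumptions about how the blackholing is wired up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the "Failed password" lines OpenSSH writes to /var/log/auth.log.
# The optional "invalid user" marker is sshd telling us the account does not
# exist locally, so its absence means the attacker hit a real account.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample of auth.log lines, not a real capture. Addresses come
# from the documentation ranges and "jdoe"/"ops" are made-up local accounts.
SAMPLE_LOG = """\
Oct  2 22:00:00 mx1 sshd[4090]: Failed password for root from 198.51.100.7 port 2200 ssh2
Oct  2 22:01:10 mx1 sshd[4101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Oct  2 22:01:12 mx1 sshd[4103]: Failed password for toor from 192.0.2.10 port 40002 ssh2
Oct  2 22:01:15 mx1 sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Oct  2 22:01:17 mx1 sshd[4107]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Oct  2 22:01:20 mx1 sshd[4109]: Failed password for invalid user guest from 192.0.2.10 port 40005 ssh2
Oct  2 22:01:22 mx1 sshd[4111]: Failed password for mysql from 192.0.2.10 port 40006 ssh2
Oct  2 22:05:40 mx1 sshd[4120]: Failed password for invalid user webmaster from 192.0.2.11 port 51000 ssh2
Oct  2 22:05:44 mx1 sshd[4122]: Failed password for jdoe from 192.0.2.11 port 51001 ssh2
Oct  2 22:08:00 mx1 sshd[4130]: Failed password for root from 198.51.100.7 port 2201 ssh2
Oct  2 22:16:00 mx1 sshd[4140]: Failed password for root from 198.51.100.7 port 2202 ssh2
Oct  2 22:24:00 mx1 sshd[4150]: Failed password for root from 198.51.100.7 port 2203 ssh2
Oct  2 22:32:00 mx1 sshd[4160]: Failed password for root from 198.51.100.7 port 2204 ssh2
Oct  2 22:33:00 mx1 sshd[4161]: Accepted publickey for jdoe from 203.0.113.5 port 3000 ssh2
""".splitlines()


def parse_failures(lines, year=2005):
    """Yield (timestamp, ip, user, account_exists) for every failed-password line.

    syslog timestamps carry no year, so the caller supplies it.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, other daemons
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], m["invalid"] is None


def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_failures} for hosts with >= threshold failures inside the window.

    A sliding window rather than a lifetime count, so a slow guesser spread
    over hours (198.51.100.7 in the sample) is treated differently from a
    burst that looks like a bot (192.0.2.10).
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _user, _exists in sorted(parse_failures(lines)):
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # expire failures older than the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(hits))
    return flagged


def probed_accounts(lines, allowed):
    """Real local accounts the bots tried that are not on the AllowUsers list.

    These are the accounts that still answer password guesses even though
    nobody should be logging in as them; first candidates for locking down.
    """
    return {user for _ts, _ip, user, exists in parse_failures(lines)
            if exists and user not in allowed}


def pf_commands(flagged, table="bruteforce"):
    """Build the pfctl invocations that blackhole each flagged host.

    Assumes (for this example) that pf.conf already declares the table and
    drops traffic from it:
        table <bruteforce> persist
        block in quick from <bruteforce>
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    for cmd in pf_commands(offenders(SAMPLE_LOG)):
        print(cmd)  # on a real host this would be handed to subprocess.run
    print("existing accounts being guessed, not in AllowUsers:",
          sorted(probed_accounts(SAMPLE_LOG, allowed={"jdoe", "ops"})))
```

With the sample input only 192.0.2.10 is blackholed (six failures in twelve seconds), while 198.51.100.7 never has more than two failures inside any ten-minute window and stays below the threshold; root, toor and mysql show up as real accounts being guessed, which is exactly what a line such as `AllowUsers jdoe ops` in sshd_config shuts off.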