Date: Sun, 2 Oct 2005 15:08:45 -0700 (PDT) From: Don Lewis <truckman@FreeBSD.org> To: brett@lariat.org Cc: freebsd-security@FreeBSD.org Subject: Re: Repeated attacks via SSH Message-ID: <200510022208.j92M8joS016722@gw.catspoiler.org> In-Reply-To: <6.2.3.4.2.20051002153930.07a50528@localhost>
index | next in thread | previous in thread | raw e-mail
On 2 Oct, Brett Glass wrote: > Everyone: > > We're starting to see a rash of password guessing attacks via SSH > on all of our exposed BSD servers which are running an SSH daemon. > They're coming from multiple addresses, which makes us suspect that > they're being carried out by a network of "bots" rather than a single attacker. > > But wait... there's more. The interesting thing about these attacks > is that the user IDs for which passwords are being guessed aren't > coming from a completely fixed list. Besides guessing at the > passwords for root, toor, news, admin, test, guest, webmaster, > sshd, and mysql, the bots are also trying to get into our mail > exchangers via user IDs which are the actual names of users for > whom the machines receive mail. In one case, we saw an attempt to > use the name of a user who hadn't been on for years but whose > address was published ONCE (according to Google and AltaVista) on > the Net. Since the attackers are not guessing at hundreds of > invalid user names, the only conclusion we can draw is that when > one of the bots attacks a mail server, it quickly tries to harvest > e-mail addresses from the server's domain from the Net and then > tries them, in the hope that those users (a) are enabled for SSH > and (b) have weak passwords. > > SSH is enabled by default in most BSD-ish operating systems, and > this makes us a bigger target for these bots than users of OSes > that don't come with SSH (not that they're not more vulnerable in > other ways!). Therefore, it's strongly recommended that, where > practical, everyone limit SSH logins to the minimum possible number > of users via the "AllowUsers" directive. We also have a log monitor > that watches the logs (/var/log/auth.log in particular) and > blackholes hosts that seem to be trying to break in via SSH. It's also a good idea to only allow public key authentication from remote hosts. This avoids the risks of password guessing and password capture by shoulder surfers or key loggers.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200510022208.j92M8joS016722>