From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 22:12:48 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B157D16A41F for ; Sun, 2 Oct 2005 22:12:48 +0000 (GMT) (envelope-from danger@rulez.sk) Received: from mail.rulez.sk (DaEmoN.RuLeZ.sK [84.16.32.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3CEE543D45 for ; Sun, 2 Oct 2005 22:12:47 +0000 (GMT) (envelope-from danger@rulez.sk) Received: from localhost (localhost [127.0.0.1]) by mail.rulez.sk (Postfix) with ESMTP id 969201CC6F; Mon, 3 Oct 2005 00:12:46 +0200 (CEST) Received: from danger.mcrn.sk (danger.mcrn.sk [84.16.37.254]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.rulez.sk (Postfix) with ESMTP id 560F51CC6B; Mon, 3 Oct 2005 00:12:43 +0200 (CEST) Date: Mon, 3 Oct 2005 00:12:42 +0200 From: Daniel Gerzo X-Mailer: The Bat! (v3.5) UNREG / CD5BF9353B3B7091 X-Priority: 3 (Normal) Message-ID: <1048266117.20051003001242@rulez.sk> To: Brett Glass In-Reply-To: <6.2.3.4.2.20051002153930.07a50528@localhost> References: <6.2.3.4.2.20051002153930.07a50528@localhost> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at mail.rulez.sk X-Spam-Status: No, score=-3.885 tagged_above=-999 required=5 tests=[ALL_TRUSTED=-1.8, AWL=0.514, BAYES_00=-2.599] X-Spam-Score: -3.885 X-Spam-Level: X-Mailman-Approved-At: Mon, 03 Oct 2005 11:48:46 +0000 Cc: freebsd-security@freebsd.org Subject: Re: Repeated attacks via SSH X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Daniel Gerzo List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 02 Oct 2005 22:12:48 -0000 Hello Brett, Monday, October 3, 2005, 12:01:26 AM, you wrote: > Everyone: > We're starting to see a rash of password guessing attacks via SSH > on all of our exposed BSD servers which are running an SSH daemon. > They're coming from multiple addresses, which makes us suspect that > they're being carried out by a network of "bots" rather than a single attacker. > But wait... there's more. The interesting thing about these attacks > is that the user IDs for which passwords are being guessed aren't > coming from a completely fixed list. Besides guessing at the > passwords for root, toor, news, admin, test, guest, webmaster, > sshd, and mysql, the bots are also trying to get into our mail > exchangers via user IDs which are the actual names of users for > whom the machines receive mail. In one case, we saw an attempt to > use the name of a user who hadn't been on for years but whose > address was published ONCE (according to Google and AltaVista) on > the Net. Since the attackers are not guessing at hundreds of > invalid user names, the only conclusion we can draw is that when > one of the bots attacks a mail server, it quickly tries to harvest > e-mail addresses from the server's domain from the Net and then > tries them, in the hope that those users (a) are enabled for SSH > and (b) have weak passwords. > SSH is enabled by default in most BSD-ish operating systems, and > this makes us a bigger target for these bots than users of OSes > that don't come with SSH (not that they're not more vulnerable in > other ways!). Therefore, it's strongly recommended that, where > practical, everyone limit SSH logins to the minimum possible number > of users via the "AllowUsers" directive. very nice is to use AllowUsers in form of user@host. > We also have a log monitor > that watches the logs (/var/log/auth.log in particular) and > blackholes hosts that seem to be trying to break in via SSH. I wrote a similar script. it's also in ports under security/bruteforceblocker > --Brett Glass -- Sincerely, Daniel Gerzo