Repeated attacks via SSH
lists at yazzy.org
Sun Oct 2 15:44:47 PDT 2005
On Sun, 02 Oct 2005 16:01:26 -0600
Brett Glass <brett at lariat.org> wrote:
: We're starting to see a rash of password guessing attacks via SSH
: on all of our exposed BSD servers which are running an SSH daemon.
: They're coming from multiple addresses, which makes us suspect that
: they're being carried out by a network of "bots" rather than a single
: But wait... there's more. The interesting thing about these attacks
: is that the user IDs for which passwords are being guessed aren't
: coming from a completely fixed list. Besides guessing at the
: passwords for root, toor, news, admin, test, guest, webmaster,
: sshd, and mysql, the bots are also trying to get into our mail
: exchangers via user IDs which are the actual names of users for
: whom the machines receive mail. In one case, we saw an attempt to
: use the name of a user who hadn't been on for years but whose
: address was published ONCE (according to Google and AltaVista) on
: the Net. Since the attackers are not guessing at hundreds of
: invalid user names, the only conclusion we can draw is that when
: one of the bots attacks a mail server, it quickly tries to harvest
: e-mail addresses from the server's domain from the Net and then
: tries them, in the hope that those users (a) are enabled for SSH
: and (b) have weak passwords.
: SSH is enabled by default in most BSD-ish operating systems, and
: this makes us a bigger target for these bots than users of OSes
: that don't come with SSH (not that they're not more vulnerable in
: other ways!). Therefore, it's strongly recommended that, where
: practical, everyone limit SSH logins to the minimum possible number
: of users via the "AllowUsers" directive. We also have a log monitor
: that watches the logs (/var/log/auth.log in particular) and
: blackholes hosts that seem to be trying to break in via SSH.
Great email Brett, this is indeed a true revelation we all at
freebsd-security@ have been waiting for.
B.T.W, did you also notice they harvest email addresses and send you
useless information about products you don't need?
I shit you not.
One needs to be careful since SMTP servers are available by default in
most BSD-ish operating systems, and this makes us a bigger target for
these email bots than users of OSes that don't come with SMTP (not that
they're not more vulnerable in other ways!).
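The quoted message describes a log monitor that watches /var/log/auth.log and blackholes hosts guessing SSH passwords, and recommends tightening sshd's AllowUsers. The following is an added example of such a monitor written for this page; it is not Brett's monitor or any FreeBSD tool. It assumes the OpenSSH "Failed password for [invalid user] NAME from IP port N ssh2" log format, a syslog year of 2005 (syslog timestamps carry none), a threshold of 4 failures in 300 seconds, and FreeBSD's `route add -host IP 127.0.0.1 -blackhole` as the blocking action; the log lines are constructed, and the commands are returned as strings rather than executed. Beyond blocking, it reports which existing accounts the offending hosts guessed at, which is the list to check against AllowUsers.

```python
#!/usr/bin/env python3
"""Toy auth.log monitor for SSH password guessing (added example, not the
poster's monitor). It parses OpenSSH "Failed password" lines, counts
failures per source address inside a sliding time window, emits FreeBSD
blackhole-route commands for addresses over the threshold, and lists the
existing accounts those addresses tried, for comparison with AllowUsers."""

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog/OpenSSH format of the period.
# "invalid user" marks a name that does not exist on the host; the last
# line is a single typo by a real user and must not be treated as an attack.
SAMPLE_LOG = """\
Oct  2 15:44:01 mx1 sshd[2101]: Failed password for invalid user toor from 192.0.2.10 port 44510 ssh2
Oct  2 15:44:03 mx1 sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 44512 ssh2
Oct  2 15:44:05 mx1 sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 44514 ssh2
Oct  2 15:44:07 mx1 sshd[2107]: Failed password for root from 192.0.2.10 port 44516 ssh2
Oct  2 15:44:09 mx1 sshd[2109]: Failed password for jsmith from 192.0.2.10 port 44518 ssh2
Oct  2 15:44:20 mx1 sshd[2111]: Failed password for invalid user guest from 198.51.100.7 port 3022 ssh2
Oct  2 15:44:22 mx1 sshd[2113]: Failed password for invalid user mysql from 198.51.100.7 port 3024 ssh2
Oct  2 15:44:30 mx1 sshd[2115]: Accepted publickey for brett from 203.0.113.4 port 51002 ssh2
Oct  2 15:59:50 mx1 sshd[2117]: Failed password for brett from 203.0.113.4 port 51010 ssh2
"""

# Matches both "Failed password for NAME from IP" (existing account) and
# "Failed password for invalid user NAME from IP" (no such account).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

LOG_YEAR = 2005  # assumption: syslog lines carry no year


def parse_failure(line):
    """Return (timestamp, user, ip, user_exists) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], m["invalid"] is None


def scan(lines, threshold=4, window_seconds=300):
    """Sliding-window failure count per source IP.

    Returns (offenders, targeted): offenders maps IP -> peak failures seen
    inside any window_seconds window for IPs that reached threshold;
    targeted is the sorted list of existing usernames those IPs guessed at."""
    recent = defaultdict(deque)       # ip -> timestamps inside the window
    existing_users = defaultdict(set)  # ip -> existing accounts it tried
    offenders = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, ip, exists = parsed
        if exists:
            existing_users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(len(q), offenders.get(ip, 0))
    targeted = set()
    for ip in offenders:
        targeted |= existing_users[ip]
    return offenders, sorted(targeted)


def blackhole_commands(offenders):
    """FreeBSD route(8) commands that discard traffic from each offender.
    Returned as strings, not executed, so the example runs anywhere."""
    return [f"route add -host {ip} 127.0.0.1 -blackhole" for ip in sorted(offenders)]


if __name__ == "__main__":
    off, tgt = scan(SAMPLE_LOG.splitlines())
    for ip, n in sorted(off.items()):
        print(f"{ip}: {n} failed logins inside the window")
    print("existing accounts guessed by offenders:", ", ".join(tgt))
    for cmd in blackhole_commands(off):
        print(cmd)
```

On the sample data only 192.0.2.10 crosses the threshold; the two guesses from 198.51.100.7 and the one genuine typo by brett do not, so a threshold plus a time window keeps a single mistyped password from blackholing a legitimate user. The accounts root and jsmith are the ones a real host would want to see either absent from AllowUsers or protected by keys rather than passwords.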