Repeated attacks via SSH

Daniel Gerzo danger at rulez.sk
Sun Oct 2 15:12:48 PDT 2005 

Hello Brett,

Monday, October 3, 2005, 12:01:26 AM, you wrote:

> Everyone:

> We're starting to see a rash of password guessing attacks via SSH 
> on all of our exposed BSD servers which are running an SSH daemon. 
> They're coming from multiple addresses, which makes us suspect that 
> they're being carried out by a network of "bots" rather than a single attacker.

> But wait... there's more. The interesting thing about these attacks 
> is that the user IDs for which passwords are being guessed aren't 
> coming from a completely fixed list. Besides guessing at the 
> passwords for root, toor, news, admin, test, guest, webmaster, 
> sshd, and mysql, the bots are also trying to get into our mail 
> exchangers via user IDs which are the actual names of users for 
> whom the machines receive mail. In one case, we saw an attempt to 
> use the name of a user who hadn't been on for years but whose 
> address was published ONCE (according to Google and AltaVista) on 
> the Net. Since the attackers are not guessing at hundreds of 
> invalid user names, the only conclusion we can draw is that when 
> one of the bots attacks a mail server, it quickly tries to harvest 
> e-mail addresses from the server's domain from the Net and then 
> tries them, in the hope that those users (a) are enabled for SSH 
> and (b) have weak passwords.

> SSH is enabled by default in most BSD-ish operating systems, and 
> this makes us a bigger target for these bots than users of OSes 
> that don't come with SSH (not that they're not more vulnerable in 
> other ways!). Therefore, it's strongly recommended that, where 
> practical, everyone limit SSH logins to the minimum possible number 
> of users via the "AllowUsers" directive.

very nice is to use AllowUsers in form of user at host.

> We also have a log monitor
> that watches the logs (/var/log/auth.log in particular) and 
> blackholes hosts that seem to be trying to break in via SSH.

I wrote a similar script. it's also in ports under
security/bruteforceblocker

> --Brett Glass

-- 
Sincerely,
  Daniel Gerzo

More information about the freebsd-security mailing list