Sla.ckers.org
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 
ssh
Posted by: trix
Date: August 28, 2006 01:33PM

hey id, I know you're the networking god. What would you do if you saw something like this in your ssh logs? I scan back and I always find some rooted box with like 20 ports open.

Aug 28 11:45:38 mybox sshd[6443]: Invalid user staff from 210.196.204.251
Aug 28 11:45:40 mybox sshd[6445]: Invalid user sales from 210.196.204.251
Aug 28 11:45:42 mybox sshd[6447]: Invalid user recruit from 210.196.204.251
Aug 28 11:45:45 mybox sshd[6449]: Invalid user alias from 210.196.204.251
Aug 28 11:45:48 mybox sshd[6451]: Invalid user office from 210.196.204.251
Aug 28 11:45:50 mybox sshd[6453]: Invalid user samba from 210.196.204.251
Aug 28 11:45:53 mybox sshd[6455]: Invalid user tomcat from 210.196.204.251
Aug 28 11:45:55 mybox sshd[6457]: Invalid user webadmin from 210.196.204.251
Aug 28 11:45:57 mybox sshd[6459]: Invalid user spam from 210.196.204.251
Aug 28 11:46:00 mybox sshd[6461]: Invalid user virus from 210.196.204.251
Aug 28 11:46:02 mybox sshd[6463]: Invalid user cyrus from 210.196.204.251
Aug 28 11:46:05 mybox sshd[6465]: Invalid user oracle from 210.196.204.251
Aug 28 11:46:11 mybox sshd[6467]: Invalid user michael from 210.196.204.251
Aug 28 11:46:13 mybox sshd[6469]: Invalid user ftp from 210.196.204.251
Aug 28 11:46:15 mybox sshd[6471]: Invalid user test from 210.196.204.251
Aug 28 11:46:18 mybox sshd[6473]: Invalid user webmaster from 210.196.204.251
Aug 28 11:46:20 mybox sshd[6475]: Invalid user postmaster from 210.196.204.251
Aug 28 11:46:23 mybox sshd[6477]: Invalid user postfix from 210.196.204.251
Aug 28 11:46:25 mybox sshd[6479]: Invalid user postgres from 210.196.204.251
Aug 28 11:46:27 mybox sshd[6481]: Invalid user paul from 210.196.204.251
Aug 28 11:46:32 mybox sshd[6485]: Invalid user guest from 210.196.204.251
Aug 28 11:46:35 mybox sshd[6487]: Invalid user admin from 210.196.204.251
Aug 28 11:46:37 mybox sshd[6489]: Invalid user linux from 210.196.204.251
Aug 28 11:46:39 mybox sshd[6491]: Invalid user user from 210.196.204.251
Aug 28 11:46:42 mybox sshd[6493]: Invalid user david from 210.196.204.251
Aug 28 11:46:44 mybox sshd[6495]: Invalid user web from 210.196.204.251
Aug 28 11:46:46 mybox sshd[6497]: Invalid user apache from 210.196.204.251
Aug 28 11:46:49 mybox sshd[6499]: Invalid user pgsql from 210.196.204.251
Aug 28 11:46:51 mybox sshd[6501]: Invalid user mysql from 210.196.204.251
Aug 28 11:46:53 mybox sshd[6503]: Invalid user info from 210.196.204.251
Aug 28 11:46:56 mybox sshd[6505]: Invalid user tony from 210.196.204.251
Aug 28 11:46:58 mybox sshd[6507]: Invalid user core from 210.196.204.251
Aug 28 11:47:00 mybox sshd[6509]: Invalid user newsletter from 210.196.204.251
Aug 28 11:47:03 mybox sshd[6511]: Invalid user named from 210.196.204.251
Aug 28 11:47:05 mybox sshd[6513]: Invalid user visitor from 210.196.204.251
Aug 28 11:47:07 mybox sshd[6515]: Invalid user ftpuser from 210.196.204.251
Aug 28 11:47:10 mybox sshd[6517]: Invalid user username from 210.196.204.251
Aug 28 11:47:12 mybox sshd[6519]: Invalid user administrator from 210.196.204.251
Aug 28 11:47:15 mybox sshd[6521]: Invalid user library from 210.196.204.251
Aug 28 11:47:17 mybox sshd[6523]: Invalid user test from 210.196.204.251
Aug 28 11:47:24 mybox sshd[6529]: Invalid user admin from 210.196.204.251
Aug 28 11:47:26 mybox sshd[6531]: Invalid user guest from 210.196.204.251
Aug 28 11:47:29 mybox sshd[6533]: Invalid user master from 210.196.204.251
Aug 28 11:47:42 mybox sshd[6545]: Invalid user admin from 210.196.204.251
Aug 28 11:47:45 mybox sshd[6547]: Invalid user admin from 210.196.204.251
Aug 28 11:47:47 mybox sshd[6549]: Invalid user admin from 210.196.204.251
Aug 28 11:47:49 mybox sshd[6551]: Invalid user admin from 210.196.204.251
Aug 28 11:47:57 mybox sshd[6557]: Invalid user test from 210.196.204.251
Aug 28 11:47:59 mybox sshd[6559]: Invalid user test from 210.196.204.251
Aug 28 11:48:02 mybox sshd[6561]: Invalid user webmaster from 210.196.204.251
Aug 28 11:48:04 mybox sshd[6563]: Invalid user username from 210.196.204.251
Aug 28 11:48:06 mybox sshd[6565]: Invalid user user from 210.196.204.251
Aug 28 11:48:11 mybox sshd[6569]: Invalid user admin from 210.196.204.251
Aug 28 11:48:13 mybox sshd[6571]: Invalid user test from 210.196.204.251
Aug 28 11:48:23 mybox sshd[6579]: Invalid user danny from 210.196.204.251
Aug 28 11:48:25 mybox sshd[6581]: Invalid user alex from 210.196.204.251
Aug 28 11:48:28 mybox sshd[6583]: Invalid user brett from 210.196.204.251
Aug 28 11:48:30 mybox sshd[6585]: Invalid user mike from 210.196.204.251
Aug 28 11:48:33 mybox sshd[6587]: Invalid user alan from 210.196.204.251
Aug 28 11:48:35 mybox sshd[6589]: Invalid user data from 210.196.204.251
Aug 28 11:48:38 mybox sshd[6591]: Invalid user www-data from 210.196.204.251
Aug 28 11:48:40 mybox sshd[6593]: Invalid user http from 210.196.204.251
Aug 28 11:48:42 mybox sshd[6595]: Invalid user httpd from 210.196.204.251
Aug 28 11:48:52 mybox sshd[6603]: Invalid user backup from 210.196.204.251
Aug 28 11:48:55 mybox sshd[6605]: Invalid user info from 210.196.204.251
Aug 28 11:48:57 mybox sshd[6607]: Invalid user shop from 210.196.204.251
Aug 28 11:48:59 mybox sshd[6609]: Invalid user sales from 210.196.204.251
Aug 28 11:49:02 mybox sshd[6611]: Invalid user web from 210.196.204.251
Aug 28 11:49:07 mybox sshd[6615]: Invalid user wwwrun from 210.196.204.251
Aug 28 11:49:09 mybox sshd[6617]: Invalid user adam from 210.196.204.251
Aug 28 11:49:11 mybox sshd[6619]: Invalid user stephen from 210.196.204.251
Aug 28 11:49:14 mybox sshd[6621]: Invalid user richard from 210.196.204.251
Aug 28 11:49:16 mybox sshd[6623]: Invalid user george from 210.196.204.251
Aug 28 11:49:19 mybox sshd[6625]: Invalid user john from 210.196.204.251
Aug 28 11:49:24 mybox sshd[6629]: Invalid user angel from 210.196.204.251
Aug 28 11:49:28 mybox sshd[6633]: Invalid user pgsql from 210.196.204.251
Aug 28 11:49:31 mybox sshd[6635]: Invalid user mail from 210.196.204.251
Aug 28 11:49:33 mybox sshd[6637]: Invalid user adm from 210.196.204.251
Aug 28 11:49:38 mybox sshd[6639]: Invalid user ident from 210.196.204.251
Aug 28 11:49:41 mybox sshd[6641]: Invalid user webpop from 210.196.204.251
Aug 28 11:49:43 mybox sshd[6643]: Invalid user susan from 210.196.204.251
Aug 28 11:49:45 mybox sshd[6645]: Invalid user sunny from 210.196.204.251
Aug 28 11:49:47 mybox sshd[6647]: Invalid user steven from 210.196.204.251
Aug 28 11:49:50 mybox sshd[6649]: Invalid user ssh from 210.196.204.251
Aug 28 11:49:52 mybox sshd[6651]: Invalid user search from 210.196.204.251
Aug 28 11:49:54 mybox sshd[6653]: Invalid user sara from 210.196.204.251
Aug 28 11:49:57 mybox sshd[6655]: Invalid user robert from 210.196.204.251
Aug 28 11:49:59 mybox sshd[6657]: Invalid user richard from 210.196.204.251
Aug 28 11:50:02 mybox sshd[6662]: Invalid user party from 210.196.204.251
Aug 28 11:50:04 mybox sshd[6664]: Invalid user amanda from 210.196.204.251
Aug 28 11:50:06 mybox sshd[6666]: Invalid user rpm from 210.196.204.251
Aug 28 11:50:11 mybox sshd[6670]: Invalid user sgi from 210.196.204.251
Aug 28 11:50:16 mybox sshd[6674]: Invalid user users from 210.196.204.251
Aug 28 11:50:19 mybox sshd[6676]: Invalid user admins from 210.196.204.251
Aug 28 11:50:21 mybox sshd[6678]: Invalid user admins from 210.196.204.251
Aug 28 11:50:28 mybox sshd[6684]: Invalid user lp from 210.196.204.251
Aug 28 11:50:31 mybox sshd[6686]: Invalid user sync from 210.196.204.251
Aug 28 11:50:33 mybox sshd[6688]: Invalid user shutdown from 210.196.204.251
Aug 28 11:50:36 mybox sshd[6690]: Invalid user halt from 210.196.204.251
Aug 28 11:50:43 mybox sshd[6696]: Invalid user dean from 210.196.204.251
Aug 28 11:50:45 mybox sshd[6698]: Invalid user unknown from 210.196.204.251
Aug 28 11:50:47 mybox sshd[6700]: Invalid user securityagent from 210.196.204.251
Aug 28 11:50:50 mybox sshd[6702]: Invalid user tokend from 210.196.204.251
Aug 28 11:50:52 mybox sshd[6704]: Invalid user windowserver from 210.196.204.251
Aug 28 11:50:55 mybox sshd[6706]: Invalid user appowner from 210.196.204.251
Aug 28 11:50:57 mybox sshd[6708]: Invalid user xgridagent from 210.196.204.251
Aug 28 11:50:59 mybox sshd[6710]: Invalid user agent from 210.196.204.251
Aug 28 11:51:01 mybox sshd[6712]: Invalid user xgridcontroller from 210.196.204.251
Aug 28 11:51:04 mybox sshd[6714]: Invalid user jabber from 210.196.204.251
Aug 28 11:51:06 mybox sshd[6716]: Invalid user amavisd from 210.196.204.251
Aug 28 11:51:08 mybox sshd[6718]: Invalid user clamav from 210.196.204.251
Aug 28 11:51:11 mybox sshd[6720]: Invalid user appserver from 210.196.204.251
Aug 28 11:51:13 mybox sshd[6722]: Invalid user mailman from 210.196.204.251
Aug 28 11:51:15 mybox sshd[6724]: Invalid user cyrusimap from 210.196.204.251
Aug 28 11:51:18 mybox sshd[6726]: Invalid user qtss from 210.196.204.251
Aug 28 11:51:20 mybox sshd[6728]: Invalid user eppc from 210.196.204.251
Aug 28 11:51:22 mybox sshd[6730]: Invalid user telnetd from 210.196.204.251
Aug 28 11:51:25 mybox sshd[6732]: Invalid user identd from 210.196.204.251
Aug 28 11:51:27 mybox sshd[6734]: Invalid user gnats from 210.196.204.251
Aug 28 11:51:29 mybox sshd[6736]: Invalid user jeff from 210.196.204.251
Aug 28 11:51:32 mybox sshd[6738]: Invalid user irc from 210.196.204.251
Aug 28 11:51:34 mybox sshd[6740]: Invalid user list from 210.196.204.251
Aug 28 11:51:37 mybox sshd[6742]: Invalid user eleve from 210.196.204.251
Aug 28 11:51:41 mybox sshd[6746]: Invalid user sys from 210.196.204.251
Aug 28 11:51:43 mybox sshd[6748]: Invalid user zzz from 210.196.204.251
Aug 28 11:51:46 mybox sshd[6750]: Invalid user frank from 210.196.204.251
Aug 28 11:51:48 mybox sshd[6752]: Invalid user dan from 210.196.204.251
Aug 28 11:51:50 mybox sshd[6754]: Invalid user james from 210.196.204.251
Aug 28 11:51:53 mybox sshd[6756]: Invalid user snort from 210.196.204.251
Aug 28 11:51:55 mybox sshd[6758]: Invalid user radiomail from 210.196.204.251
Aug 28 11:51:57 mybox sshd[6760]: Invalid user harrypotter from 210.196.204.251
Aug 28 11:52:00 mybox sshd[6762]: Invalid user divine from 210.196.204.251
Aug 28 11:52:02 mybox sshd[6764]: Invalid user popa3d from 210.196.204.251
Aug 28 11:52:04 mybox sshd[6766]: Invalid user aptproxy from 210.196.204.251
Aug 28 11:52:07 mybox sshd[6768]: Invalid user desktop from 210.196.204.251
Aug 28 11:52:09 mybox sshd[6770]: Invalid user workshop from 210.196.204.251
Aug 28 11:52:14 mybox sshd[6774]: Invalid user nfsnobody from 210.196.204.251
Aug 28 11:52:16 mybox sshd[6776]: Invalid user rpcuser from 210.196.204.251
Aug 28 11:52:18 mybox sshd[6778]: Invalid user rpc from 210.196.204.251
Aug 28 11:52:21 mybox sshd[6780]: Invalid user gopher from 210.196.204.251

trix

Re: ssh
Posted by: id
Date: August 28, 2006 02:07PM

DON'T USE THIS, KEEP READING THE REST OF THE THREAD!

--
I would be my lazy self and write this script and run it out of cron every 3-5 min.

-----start script-----

#!/bin/sh
# Count "Invalid user" attempts per source address (field 10 of the log line)
# and add any source with more than 5 attempts to the pf <attackers> table.
# The membership test reads the table itself: "pfctl -s rules" only lists
# rules and never shows the addresses inside a table, so it could never
# detect an address that was already added.

grep sshd /var/log/authlog | grep "Invalid" | awk '{print $10}' | sort | uniq -c | \
(while read num ips; do
    if [ "$num" -gt 5 ]; then
        if ! pfctl -t attackers -T show | grep -qwF "$ips" ; then
            pfctl -t attackers -T add "$ips"
        fi
    fi
  done
)

# Same again for "Failed password" lines, where the address is the 4th field
# counted from the end of the line ("... from A.B.C.D port N ssh2").
grep sshd /var/log/authlog | grep "Failed" | rev | cut -d' ' -f 4 | rev | sort | uniq -c | \
(while read num ips; do
    if [ "$num" -gt 5 ]; then
        if ! pfctl -t attackers -T show | grep -qwF "$ips" ; then
            pfctl -t attackers -T add "$ips"
        fi
    fi
  done
)
----end script-------------

Then I would add the following to my pf.conf

table <attackers> persist file "/etc/fuckers" #add any ip you want to block to this file

block log quick on $ext_if from { <attackers> } to any

If you're using iptables I dunno, it sucks.

You will still get connects and they are mildly annoying, but after a few min they are blocked for good.

This of course assumes you need general access to ssh from anywhere... if you only come from set addresses you should block all ssh connections from non-trusted sources.

-id



Edited 1 time(s). Last edit at 07/13/2008 02:18PM by id.

Re: ssh
Posted by: trix
Date: August 28, 2006 03:47PM

Well, now I'm using pf because I'm eager to see your tutorial if you write one, but I'm looking up tutorials right now so maybe I'll have some pf up and running soon.

trix

Re: ssh
Posted by: id
Date: August 28, 2006 04:02PM

That script could probably be improved, and yeah, I need to write up a tutorial, or at least an explanation of how we are utilizing pf...

-id

Re: ssh
Posted by: ntp
Date: October 11, 2006 06:05PM

I would use fwknop (single packet authorization), which is an advanced form of portknocking. Portknocking can be as simple as a script that sits in front of your sshd.

I had some recursive thinking the other day that led me to envision a future where even http was restricted behind a portknocker (because of the current day proliferation of web application attacks). For example, it would be similar to how the CVV2 (3 digit number on the back of MC/Discover/VISAs, or the similar 4 digit CID number on the front of AMEXes) on your credit card is a 3DES cipher of your card number, and your bank gives you that in the mail.

Why couldn't banks just give out online banking cards that contain your private key to a portknocking system... every user could be on his/her own IP/port or even something like a hidden Tor node. Imagine taking the chroot/jail/grsecurity concept to the network level...

Re: ssh
Posted by: bsoric
Date: May 07, 2007 07:57AM

I have a few accounts on my SSH server set up with a password of "password", running a fake bash shell which logs any commands and returns an error message. Very few people actually attempt to do anything once they find an open account, so I wouldn't worry about it too much (unless your password is "password", the name of the user, or "test".)

Re: ssh
Posted by: BrianWGray
Date: August 27, 2007 04:31PM

Changing sshd to an off port usually helps unless the attack is actually targeted at you.

I like id's suggestion too. Sucks if you lock yourself out though. Just takes one mistyped password in an sftp client.

- QnJpYW5XR3JheUBnbWFpbC5jb20=

Re: ssh
Posted by: id
Date: August 27, 2007 05:18PM

Takes 5 mistyped ones with my script, but it really isn't the best way to do things in the long run; if someone exploited that script you might have even bigger problems. A clever attacker could change his username to exploit the un-sanitized input from the authlog.

That was just an example, the real fix is for sshd to be changed to rate limit incoming connections and maybe work with pf to perma block obnoxious attackers.

-id

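As an added example (not id's script or any code from this thread), here is the same "count failures per source, block above a threshold" logic with the address taken from the end of the log line, where sshd appends it, and validated before anything would be handed to pfctl; the log lines are constructed in the thread's format, one of them with a username crafted to look like "bob from 10.0.0.1", and the pfctl commands are returned as a dry run rather than executed.

```python
"""Count sshd failures per source address without trusting field positions.

Added example, not id's script: same threshold logic as the cron job, but the
peer address is read from the end of the line and checked to be an IP address
before it would ever reach pfctl. All log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# sshd appends the peer address last (optionally followed by "port N ssh2"),
# so anchor on the end of the line instead of counting whitespace-separated
# fields from the left, which is what awk '{print $10}' does.
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?:Invalid user .* from |Failed password for .* from )"
    r"(?P<ip>\S+)(?: port \d+ ssh2)?$"
)

# Constructed sample in the thread's log format. Line 8 has a username chosen
# so that field 10 is an address of the attacker's choosing, not the peer.
SAMPLE_LOG = """\
Aug 28 11:45:38 mybox sshd[6443]: Invalid user staff from 210.196.204.251
Aug 28 11:45:40 mybox sshd[6445]: Invalid user sales from 210.196.204.251
Aug 28 11:45:42 mybox sshd[6447]: Invalid user recruit from 210.196.204.251
Aug 28 11:45:45 mybox sshd[6449]: Invalid user alias from 210.196.204.251
Aug 28 11:45:48 mybox sshd[6451]: Invalid user office from 210.196.204.251
Aug 28 11:45:50 mybox sshd[6453]: Invalid user samba from 210.196.204.251
Aug 28 11:46:00 mybox sshd[6461]: Failed password for root from 198.51.100.7 port 40112 ssh2
Aug 28 11:46:02 mybox sshd[6463]: Invalid user bob from 10.0.0.1 from 198.51.100.7
Aug 28 11:46:05 mybox sshd[6465]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Aug 28 11:46:07 mybox sshd[6467]: Invalid user x from not-an-address
"""
INJECTED_LINE = SAMPLE_LOG.splitlines()[7]


def naive_field10(line: str) -> str:
    """What the original script's awk '{print $10}' would hand to pfctl."""
    return line.split()[9]


def parse_source_ip(line: str) -> Optional[str]:
    """Return the validated peer address of a failed-login line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # not an "Invalid user" / "Failed password" line
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None  # right shape, but the last field is not an address


def offenders(lines: Iterable[str], threshold: int = 5) -> Dict[str, int]:
    """Sources with more than `threshold` failures (id's script used -gt 5)."""
    counts = Counter(ip for ip in map(parse_source_ip, lines) if ip is not None)
    return {ip: n for ip, n in counts.items() if n > threshold}


def block_commands(lines: Iterable[str], threshold: int = 5) -> List[List[str]]:
    """pfctl argv vectors for each offender; returned, not executed (dry run)."""
    return [["pfctl", "-t", "attackers", "-T", "add", ip]
            for ip in sorted(offenders(lines, threshold))]


if __name__ == "__main__":
    print("naive field 10 on injected line:", naive_field10(INJECTED_LINE))
    print("anchored parse on injected line:", parse_source_ip(INJECTED_LINE))
    for argv in block_commands(SAMPLE_LOG.splitlines()):
        print(" ".join(argv))
```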
Re: ssh
Posted by: KonTroL
Date: November 25, 2007 09:48PM

Check this out:

http://www.fail2ban.org/wiki/index.php/Main_Page

=======================
http://www.hackosis.com

Re: ssh
Posted by: id
Date: November 26, 2007 06:23PM

I'd downloaded it in the past and checked it out, but it was pretty obvious it was vulnerable in the same way the little script above is.

http://www.ossec.net/en/attacking-loganalysis.html

It looks like they fixed it, but I wouldn't trust fail2ban until I audited it myself.

-id

Re: ssh
Posted by: id
Date: January 03, 2008 08:26PM

Just a quick update in case someone hits this thread, I think this is the most correct solution I have seen so far.

http://johan.fredin.info/openbsd/block_ssh_bruteforce.html

-id

Re: ssh
Posted by: Malkav
Date: January 08, 2008 04:08PM

The solution of limiting the connection rate is inherently flawed: it only limits the rate of 'acceptable' bruteforce, which will have a higher false positive effect (an overcaffeinated, sleepless admin is a good example of somebody who can look like a bruteforce :) when lowering the max-src-conn-rate.

Actually the only fun AND heavyweight option I have found is to deceive & divert to either a blackhole route (for the quick and dirty), a low interaction honeypot (LaBrea is an excellent tarpit for TCP) or, for the really bored, a high interaction one (linux disk image, regenerated every hour, with a unidirectional full logging system).

The problem is:

detecting the bruteforce attempt (or flood, or portscan or whatever)

transparently NATing on the fly to your random countermeasure

monitoring and reporting your countermeasure's condition.

Here's a quick example:


[     INTERNET      ]<=======>[ NIDS/FIREWALL ]<=========>[ RANDOM LEGIT SUBNET ]
[ THERE BE DRAGONS  ]                |
                                     |
                                     |
                              [   HONEYPOT    ]


Ok, I must admit, my ascii art gets worse and worse. But whatever.

So here is the scenario:

A small number of services (let's say just ssh and http/https) are open in the legit subnet.

The logical behavior should be to forcefully deny any other service at the firewall level. But we're not really logical.

We just NAT *everything else* to the honeypot *and* we insert each IP being NATed to the honeypot in a list (when I first implemented this it was for an iptables configuration, so it was in fact handing the IPs to a perl script taking care of maintaining a file list, and checking against it. Slow if not in a RAM tmpfs).

Now back to the ssh bruteforce.

What's the NIDS doing in the meantime? Its work: monitoring packets, magically dissecting them, and plenty of other memory hungry stuff. But hey, what's this IP trying to connect with *12* different users on the ssh server?
Now the offender IP gets in the magic list, and all its bruteforce attempts (which we can stop. or not.) will get NATed to our countermeasure host. If you are using LaBrea it will *really* slow it down. If you are using a blackhole route, well, it will be... blackholed (thanks captain obvious! have this rock), and a high interaction one opens many fun possibilities (if it was a botnet, you now have a live agent to play with; if it was a 0-day (assuming *of course* it didn't target the real services, which statistically would be a slight chance), you have a new 0-day to play with, etc...)

Hope it helps.

Malkav

Re: ssh
Posted by: id
Date: January 08, 2008 05:40PM

You're way over thinking this, the goal was to reduce log files, so limiting the rate of brute force is a fine solution.

_If_ the problem was users on the system that potentially had weak passwords, then there might be other considerations, but use keys or complex passwords and don't worry about it.

-id

Re: ssh
Posted by: Malkav
Date: January 09, 2008 03:11PM

Of course this is like using a full tank company to crush one student, but it has the advantage of taking care of network level attacks and plaintext application-level attacks at an early stage. And you could take care of the encrypted payloads by putting a box before the NIDS and forwarding the plaintext to the server (varnish is quite a killer for reverse proxying).

I realize that it is clearly a heavyweight setup, but I think it is an interesting setup to deploy, and should prevent the majority of network based attacks. Of course the standard security measures like patching, password strength checking and the like are still necessary. One question I am still on is that those stupid ssh bruteforce bots are *very* active, but for 4 years it's still the same users, and the same dictionary passwords. wtf?

Could it be the same worm from the start? That would be quite strange, the samples I have acquired having *no* payload at all...

Re: ssh
Posted by: MAdhaTTer-240
Date: July 09, 2008 01:30PM

I agree, I think this is a very simple solution and everyone is thinking way too hard.. nice little script though, id.

This is what you get for running SSH on the default port on a public IP, and not firewalling SSH off to a subnet or two...

I will not help you more than I just did. Shame on you.

That's like having OpenVPN running and not firewalled off...
/me whistles...

Re: ssh
Posted by: id
Date: July 09, 2008 03:23PM

Changing the default port is not a solution to anything, and some services *have* to be generally available or they offer no value, such as OpenVPN and ssh. The goal is to secure the services you *have* to have out there.

No company of any size can lock down access services to just a subnet or two; it doesn't work that way.

-id

Re: ssh
Posted by: MAdhaTTer-240
Date: July 13, 2008 12:44PM

How is it that Asia needs to be able to reach his sshd? How about Russia, or Ukraine (no offense anyone)? Is he going there? Is he a multinational company?

Even if he was a multinational company, it would have static IPs, the kind that can be safely added to remote firewalls that may, say, filter access to OpenVPN or SSHd..


SSH, VPN, RDP do not *have* to be generally available.

The goal is to secure everything; at least mine is.

I mean, do whatever you want...

but you will not catch me running any remote control services...

FYI----
Do a whois on the IP in his logs, what a surprise...
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
(no offense)

Re: ssh
Posted by: MAdhaTTer-240
Date: July 13, 2008 12:55PM

Ok, fact of the matter is, people who are going to scan for SSHds to brute force are not going to scan 65535 ports on a host before moving on to the next one. They are just going to hit tcp/22. That's it. Either you tell the world you are running an sshd and the version of it, and likely the OS as well, or you don't.

I do not want to seem confrontational, I am just engaging a discussion of different opinions.

But your comment on "No company of any size can lock down access services to just a subnet or two, doesn't work that way."

Any company that can not control the presence of their infrastructure is doomed. Administration should not even happen remotely unless via VPN. When there is a will there is a way.

Re: ssh
Posted by: id
Date: July 13, 2008 01:46PM

MAdhaTTer-240 Wrote:
-------------------------------------------------------
> Ok, fact of the matter is people who are going to
> scan for SSHds to brute force are not going to
> scan 65535 ports on a host before moving on the
> the next one. They are just going to hit tcp/22.
> thats it. either you tell the world you are
> running an sshd and the version of it, and likely
> the OS as well or you don't.

If you're worried about being caught with an exploitable version of ssh by a bot, or just don't want to worry about your logs filling up, sure, go ahead and change the port and train your entire staff to modify every ssh client that they might use to get into your network with. But those are the *only* reasons to do it; security is not a reason to do it.

Any directed attack you're going to worry about is going to hit more than just a single port; changing ports is not a security enhancement.

> but your comment on " No company of any size can
> lock down access services to just a subnet or two,
> doesn't work that way."
>
> Any company that can not control the presence of
> their infrastructure is doomed. Administration
> should not even happen remotely unless via VPN.
> When there is a will there is a way.

If your company needs remote access, and the source addresses of those connections are not known beforehand, the company will open up access from *any* source. That's how it works. You could try and blacklist the Ukraine, but in the end we all know blacklisting isn't security, it's convenience.

My company is only 5 people, but in any given month we'll ssh/vpn from Asia, Europe, and all over North America, there is no way to know what source network we will be coming from, so I have to have *some* service available from *anywhere*. Sure I could either use just VPN or just SSH, but both can be secured well enough with proper controls. Though using two methods of access leads to a slight theoretical decrease in security, in practice the value to our company in having the flexibility far outweighs that slight risk.

Security isn't shutting off services, it's managing the balance between risks and value.

-id

Re: ssh
Posted by: MAdhaTTer-240
Date: July 14, 2008 02:32PM

I respect your opinion. I will of course stick to doing it my way... but that is neither here.
