Incidents
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 09:07PM
Gary Baribault (gary baribault net)
Yeah, but I'm a masochist, I run these servers for the fun of it and to
see what's happening on the net. I see all of the background static and
every now and again I see something fun like this!

Gary Baribault
Courriel: gary (at) baribault (dot) net
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013

Darren Bolding wrote:
> And, not to pretend that it adds any great additional security to any
> sort of attack, but running sshd on a non-standard port reduces the
> number of scans/attacks I see dramatically- to the point that I
> actually rarely see any connection attempts from anyone other than
> authorized users. It's simple, fast and doesn't require any packages
> installed or anything.
>
> But that may not be an option for all user communities.
>
> --D
>
> On Wed, May 7, 2008 at 10:53 AM, Erin Carroll <amoeba (at) amoebazone (dot) com> wrote:
>
> Gary,
>
> I am seeing the exact same traffic pattern & attempts as of ~10:20pm PST:
> Single attempts to remote root ssh from disparate IPs with few (if any)
> repeated source locations. So now we have a sample size of 2 :)
>
> When I saw this hitting my servers last night I thought it an odd attack
> pattern but surmised it was either a targeted slow attack with spoofed IPs
> or a "slow roll" botnet using throttled connects to try flying under the
> radar for alerting. I was leaning toward the latter and even more so now
> that I see my organization isn't the only one.
>
> Just block root ssh and apply a source IP whitelist for valid non-root
> allows if you require remote ssh for day to day. I consider it bad security
> practice to allow remote root ssh anyway. People should use user accounts
> and a sane sudoers config instead.
>
>
>
> --
> Erin Carroll
> Moderator, SecurityFocus pen-test mailing list
> amoeba (at) amoebazone (dot) com
> "Do Not Taunt Happy-Fun Ball"
>
>
>
> -----Original Message-----
> From: Gary Baribault [mailto:gary (at) baribault (dot) net]
> Sent: Wednesday, May 07, 2008 5:27 AM
> To: incidents (at) securityfocus (dot) com
> Subject: Weird SSH attack last night and this morning (still ongoing)
>
> I don't know what is going on last night and this morning ... I have
> three Linux servers facing the Internet, two on cable modems and another
> on a static IP/commercial connection, and this last one is a gateway to a
> Web/FTP/SMTP/Pop3/NTP Linux based system.
>
> I have DenyHosts installed on all three and have blocked about 75
> attempts .. from known compromised addresses .. The log shows
> (obviously) that there were even more attempts from addresses that are
> unknown to DenyHosts but there was only one login attempt per address and
> it was with the Root account .. which is obviously blocked in my sshd
> config ..
>
> Of the three machines, one of them only had about 10 attempts, but the
> other two had about 200 attempts .. all of them with only 1 try with the
> user Root ..
>
> Is anyone else seeing this? Or am I being targeted? This is still going
> on now .. and it started around 10:00 last night GMT+4
>
> --
> Gary Baribault
> Courriel: gary (at) baribault (dot) net
> GPG Key: 0x4346F013
> GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
>
>
>
>
> --
> -- Darren Bolding --
> -- darren (at) bolding (dot) org --
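
The pattern Gary and Erin describe (many unrelated sources, one root attempt each, at a rate low enough that a per-address blocker such as DenyHosts never trips on any single source) can be pulled out of an auth log with a small amount of aggregation. The script below is an added example, not code from the thread, from DenyHosts or from any of the posters. The log lines are constructed to mimic the described traffic plus one ordinary noisy scanner for contrast, and the thresholds (3 attempts per source for the per-IP blocker, 5 distinct single-shot sources inside a 6-hour window for the campaign detector) are assumptions chosen for illustration.

```python
"""Spot a distributed, one-attempt-per-source root SSH brute force in sshd logs.

Added example, not from the thread. Assumes syslog-style OpenSSH
"Failed password" lines; all thresholds are illustrative assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, not a real capture: six single root attempts from
# unrelated addresses spread over hours (the "slow roll" pattern), plus one
# noisy scanner hammering non-root accounts from a single address.
SAMPLE_AUTH_LOG = """\
May  7 22:03:11 gw sshd[4120]: Failed password for root from 203.0.113.10 port 41022 ssh2
May  7 22:41:52 gw sshd[4188]: Failed password for root from 198.51.100.23 port 50211 ssh2
May  7 23:10:05 gw sshd[4301]: Failed password for invalid user admin from 192.0.2.77 port 3312 ssh2
May  7 23:10:07 gw sshd[4303]: Failed password for invalid user admin from 192.0.2.77 port 3313 ssh2
May  7 23:10:09 gw sshd[4305]: Failed password for invalid user test from 192.0.2.77 port 3314 ssh2
May  7 23:10:11 gw sshd[4307]: Failed password for invalid user oracle from 192.0.2.77 port 3315 ssh2
May  7 23:37:40 gw sshd[4410]: Failed password for root from 203.0.113.199 port 38809 ssh2
May  8 00:12:18 gw sshd[4522]: Failed password for root from 198.51.100.140 port 44201 ssh2
May  8 00:58:33 gw sshd[4611]: Failed password for root from 192.0.2.15 port 51633 ssh2
May  8 01:20:02 gw sshd[4680]: Accepted publickey for gary from 203.0.113.5 port 52000 ssh2
May  8 01:44:27 gw sshd[4702]: Failed password for root from 203.0.113.88 port 47710 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2008):
    """Return (timestamp, user, source_ip) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed 2008 here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects etc. are not failures
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def per_source_offenders(events, threshold=3):
    """Per-IP counting, the way a DenyHosts/fail2ban-style blocker decides.

    A source that never reaches `threshold` is never blocked, which is
    exactly what a one-attempt-per-address campaign exploits.
    """
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_root_campaign(events, window=timedelta(hours=6),
                              min_sources=5, max_per_source=1):
    """Flag many distinct sources each making at most `max_per_source` root
    attempts inside `window`: the aggregate signature of a throttled botnet
    that stays under every per-IP threshold. Returns a summary dict or None.
    """
    root = sorted(e for e in events if e[1] == "root")
    best = None
    for i, (start, _, _) in enumerate(root):
        in_window = [e for e in root[i:] if e[0] - start <= window]
        per_ip = Counter(ip for _, _, ip in in_window)
        quiet = sorted(ip for ip, n in per_ip.items() if n <= max_per_source)
        if len(quiet) >= min_sources and (best is None or len(quiet) > best["sources"]):
            best = {"start": start, "end": in_window[-1][0], "sources": len(quiet),
                    "attempts": len(in_window), "ips": quiet}
    return best


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("per-IP blocker would ban:", per_source_offenders(ev))
    print("distributed root campaign:", distributed_root_campaign(ev))
```

Run against the constructed sample, the per-source counter bans only the loud scanner at 192.0.2.77 and never sees the six root probes, while the windowed aggregate reports six distinct single-shot sources in under four hours. The same aggregation is what makes Erin's advice actionable: with PermitRootLogin disabled and a source whitelist, each of those probes is already a dead end, and the aggregate count becomes a campaign indicator rather than an alarm.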

Copyright 2010, SecurityFocus