[SUMMARY: distributed ssh attacks]

From: Chris Hoogendyk <hoogendyk_at_bio.umass.edu>
Date: Fri Oct 09 2009 - 11:45:34 EDT
Original message at bottom.

23 replies. Multiple suggestions, most repeated by multiple people. 
Nothing that I had just totally overlooked, so that's the good news. 
Thanks to all. Here is a summary of suggestions, what I ended up doing, 
and why.

It being a long list of suggestions, I'll do a quick summary by saying 
that I gave a list of upwards of 1000 IPs to the sysadmin who manages 
our firewalls and filtering bridges. It was put into a table 
<block-total>, and I haven't seen a hit since. Protects all ports on all 
our servers from those IPs.

Detailed summary of suggestions:

1. add a fake route to 127.0.0.1. I decided this was a bad idea for 
several reasons. A bunch of services use localhost for connections, and 
it bothers me to be sending replies to outside traffic down that path. 
As I checked into it, I also saw some comments that 0.0.0.0 was more 
appropriate. But neither really works for me, because many of those 
addresses don't look up in DNS. If I had paranoid on, they'd get 
dropped; but, then, things like Verizon would periodically get dropped 
as well, and my faculty would complain that they couldn't get in from home.

2. http://denyhost.sourceforge.net. I really liked this one and its 
approach. It scans authlog, shares information with others, and puts 
entries into hosts.deny, so that tcp_wrappers ends up dropping them. The 
only thing I didn't like was that it is in python. I don't really want 
to install python and its host of pieces on my intentionally minimized 
server. Had it been in perl, I would have grabbed it in a minute.

3. change the sshd listening port from 22 to something else. I'm sure 
that would drop a lot of poking at my server, but it would also cause 
havoc among faculty and grad students who want to focus on their data 
and research and would get tangled up and messed up trying to remember 
what port I put ssh on and how to make their software connect to that 
port. Serving an academic department, I really have to weigh ease of use 
and service more heavily than some sysadmins might in other environments.

4. Block wide ranges of the internet (say, everything but the U.S., 
specific countries, or even totally outside my own building). Can't do 
this. I have faculty who travel to meetings and do research in places 
like Japan, China, Russia, Brazil, and many more. They have to remain 
connected.

5. Disable password authentication and require RSA keys, at least 2048 
bits. Again, I would create havoc among faculty and grad students. Not 
only that, but sometimes, at meetings they are using borrowed equipment. 
I certainly don't want RSA keys floating around on borrowed equipment.

6. Use Linux for public facing servers? I thought this was the Sun 
Managers list. I got a couple of these.

7. Ignore them. Especially if they are banging on root and that is not 
allowed. Of course, if they start hitting regular user names, that's 
another story. Run John the Ripper against your passwd file and have a 
talk with any users who are easily vulnerable.

8. Rate limit ssh connections using something like fail2ban -- 
http://en.wikipedia.org/wiki/Fail2ban.

9. Home grown perl script that is similar to denyhosts. Ric Anderson 
sent me his script when I asked for it. I may adapt it to my own use 
when I have more time.

10. Block them in your firewall. Turns out this is what I ended up 
doing. We have a number of OpenBSD systems that serve functions like 
filtering bridges and such. I used basic unix tools to grep the console 
output, edit it down to a list of IPs, and passed it along to the 
network admin who controls those boxes. They were put in a table named 
<block-total> and disappeared from view. This ends up protecting not 
just ssh on my one server, but all ports on all our servers. There ended 
up being on the order of just under 1000 IP addresses.

Note: One respondent said this was most unlikely to be a distributed 
attack, as such. hmm. Upwards of 1000 IP addresses taking turns hitting 
root on my server. Not a distributed attack. hmm.

11. Use JASS -- http://www.sun.com/software/security/jass/. I've chosen 
not to use this in the past, because I like to be in manual control of 
how my systems are tightened down. There are also some things that are 
recommended for security that I can't do in my environment.

I think I caught all the suggestions.

-- 
---------------
Chris Hoogendyk
-
  O__  ---- Systems Administrator
 c/ /'_ --- Biology & Geology Departments
(*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst
<hoogendyk@bio.umass.edu>
---------------
Erdvs 4

-------- Original Message --------
Subject: 	distributed ssh attacks
Date: 	Tue, 06 Oct 2009 13:40:35 -0400
From: 	Chris Hoogendyk <hoogendyk@bio.umass.edu>
To: 	Sun Managers List <sunmanagers@sunmanagers.org>

So, I have a server. Just brought some of its services up live and 
official, replacing the older server's corresponding services. For the 
last few days, it has been experiencing a distributed ssh attack. In 
some sense I suppose it is no big deal, but it sure gets your hackles 
and paranoia up. I wanted to check with the list and see what other 
people are doing about this sort of thing.

My server is a T5220. I have Solaris 10 5/09 with fairly recent patches. 
I started with the minimal network install and added only those things I 
needed. No GUI or GUI components of any sort. Even my CAM is a command 
line only install. I followed the Center for Internet Security Solaris 
10 Benchmark for locking it down, and just reviewed the ssh section of 
that to make sure.

I don't allow root logins aside from the console, require protocol 2, . 
. . well, actually, here are the non-comment lines in my sshd_config:

Protocol 2
Port 22
ListenAddress 0.0.0.0
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
Banner /etc/issue
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries    3
MaxAuthTriesLog 2
PermitEmptyPasswords no
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes
PermitRootLogin no
Subsystem       sftp    /usr/lib/ssh/sftp-server
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes

My question to the list is, "What are you doing (or what would you do) 
about these kinds of attacks?"

(a bit of the console log is copied at the end)


-- 
---------------

Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst 

<hoogendyk@bio.umass.edu>

--------------- 

Erdvs 4
Oct  6 11:48:32 shalmaneser sshd[23947]: Failed keyboard-interactive for root from 80.51.31.84 port 39308 ssh2
Oct  6 11:49:49 shalmaneser sshd[23953]: Failed keyboard-interactive for root from 190.146.68.247 port 55358 ssh2
Oct  6 11:51:34 shalmaneser sshd[23959]: Failed keyboard-interactive for root from 202.111.157.52 port 48200 ssh2
Oct  6 11:53:20 shalmaneser sshd[23966]: Failed keyboard-interactive for root from 220.165.9.233 port 59977 ssh2
Oct  6 11:54:54 shalmaneser sshd[23975]: Failed keyboard-interactive for root from 202.78.239.203 port 9519 ssh2
Oct  6 11:56:37 shalmaneser sshd[23982]: Failed keyboard-interactive for root from 200.146.104.143 port 51734 ssh2
Oct  6 11:58:21 shalmaneser sshd[23990]: Failed keyboard-interactive for root from 212.92.194.5 port 37041 ssh2
Oct  6 12:00:04 shalmaneser sshd[23996]: Failed keyboard-interactive for root from 211.154.254.120 port 51190 ssh2
Oct  6 12:01:38 shalmaneser sshd[24003]: Failed keyboard-interactive for root from 85.127.196.141 port 59232 ssh2
Oct  6 12:03:26 shalmaneser sshd[24009]: Failed keyboard-interactive for root from 58.60.106.119 port 40260 ssh2
Oct  6 12:05:23 shalmaneser sshd[24019]: Failed keyboard-interactive for root from 83.18.167.138 port 59038 ssh2
Oct  6 12:06:54 shalmaneser sshd[24029]: Failed keyboard-interactive for root from 201.26.144.186 port 36483 ssh2
Oct  6 12:08:32 shalmaneser sshd[24036]: Failed keyboard-interactive for root from 213.135.245.254 port 38602 ssh2
Oct  6 12:10:12 shalmaneser sshd[24044]: Failed keyboard-interactive for root from 84.55.112.13 port 60105 ssh2
Oct  6 12:11:58 shalmaneser sshd[24052]: Failed keyboard-interactive for root from 61.131.208.44 port 56031 ssh2
Oct  6 12:13:38 shalmaneser sshd[24067]: Failed keyboard-interactive for root from 190.12.86.132 port 25219 ssh2
Oct  6 12:15:09 shalmaneser sshd[24073]: Failed keyboard-interactive for root from 211.227.67.205 port 35465 ssh2
Oct  6 12:16:51 shalmaneser sshd[24079]: Failed keyboard-interactive for root from 212.92.194.5 port 51899 ssh2
Oct  6 12:18:44 shalmaneser sshd[24120]: Failed keyboard-interactive for root from 61.131.208.44 port 43921 ssh2
Oct  6 12:20:18 shalmaneser sshd[24129]: Failed keyboard-interactive for root from 88.54.58.190 port 26623 ssh2
Oct  6 12:21:53 shalmaneser sshd[24135]: Failed keyboard-interactive for root from 74.218.172.158 port 51741 ssh2
Oct  6 12:23:46 shalmaneser sshd[24148]: Failed keyboard-interactive for root from 200.111.188.178 port 63561 ssh2
Oct  6 12:27:00 shalmaneser sshd[24156]: Failed keyboard-interactive for root from 213.135.245.254 port 49127 ssh2
Oct  6 12:28:55 shalmaneser sshd[24165]: Failed keyboard-interactive for root from 83.18.167.138 port 43927 ssh2
Oct  6 12:30:25 shalmaneser sshd[24179]: Failed keyboard-interactive for root from 61.107.16.33 port 36762 ssh2
Oct  6 12:32:09 shalmaneser sshd[24187]: Failed keyboard-interactive for root from 80.34.55.88 port 44541 ssh2
Oct  6 12:33:54 shalmaneser sshd[24203]: Failed keyboard-interactive for root from 87.96.210.119 port 55627 ssh2
Oct  6 12:35:29 shalmaneser sshd[24209]: Failed keyboard-interactive for root from 190.146.69.104 port 60883 ssh2
Oct  6 12:37:24 shalmaneser sshd[24223]: Failed keyboard-interactive for root from 200.102.77.173 port 3815 ssh2
Oct  6 12:38:51 shalmaneser sshd[24233]: Failed keyboard-interactive for root from 122.224.128.197 port 55027 ssh2
Oct  6 12:40:35 shalmaneser sshd[24239]: Failed keyboard-interactive for root from 82.76.170.45 port 45967 ssh2
Oct  6 12:42:20 shalmaneser sshd[24247]: Failed keyboard-interactive for root from 77.195.191.238 port 14133 ssh2
Oct  6 12:45:37 shalmaneser sshd[24258]: Failed keyboard-interactive for root from 218.30.57.219 port 54349 ssh2
Oct  6 12:47:22 shalmaneser sshd[24272]: Failed keyboard-interactive for root from 194.224.118.61 port 52079 ssh2
Oct  6 12:49:06 shalmaneser sshd[24280]: Failed keyboard-interactive for root from 82.98.78.31 port 37577 ssh2
Oct  6 12:50:39 shalmaneser sshd[24286]: Failed keyboard-interactive for root from 70.43.86.34 port 36889 ssh2
Oct  6 12:52:26 shalmaneser sshd[24302]: Failed keyboard-interactive for root from 218.30.57.219 port 50397 ssh2
Oct  6 12:54:12 shalmaneser sshd[24325]: Failed keyboard-interactive for root from 203.197.128.205 port 43751 ssh2
Oct  6 12:56:40 shalmaneser sshd[24341]: Failed keyboard-interactive for root from 83.18.104.202 port 47240 ssh2
Oct  6 12:57:27 shalmaneser sshd[24357]: Failed keyboard-interactive for root from 121.157.1.238 port 33361 ssh2
Oct  6 12:59:19 shalmaneser sshd[24366]: Failed keyboard-interactive for root from 87.96.210.119 port 45700 ssh2
Oct  6 13:00:57 shalmaneser sshd[24373]: Failed keyboard-interactive for root from 200.21.104.66 port 17791 ssh2
Oct  6 13:02:34 shalmaneser sshd[24390]: Failed keyboard-interactive for root from 82.207.102.225 port 46400 ssh2
Oct  6 13:04:26 shalmaneser sshd[24399]: Failed keyboard-interactive for root from 79.190.62.178 port 35111 ssh2
Oct  6 13:06:21 shalmaneser sshd[24410]: Failed keyboard-interactive for root from 80.24.81.242 port 52693 ssh2
Oct  6 13:07:47 shalmaneser sshd[24417]: Failed keyboard-interactive for root from 61.107.16.33 port 48868 ssh2
Oct  6 13:09:23 shalmaneser sshd[24429]: Failed keyboard-interactive for root from 116.10.195.5 port 51902 ssh2
Oct  6 13:11:11 shalmaneser sshd[24443]: Failed keyboard-interactive for root from 61.172.200.198 port 40218 ssh2
Oct  6 13:12:47 shalmaneser sshd[24457]: Failed keyboard-interactive for root from 82.98.78.31 port 56351 ssh2
Oct  6 13:14:25 shalmaneser sshd[24472]: Failed keyboard-interactive for root from 203.169.195.31 port 55947 ssh2
Oct  6 13:16:06 shalmaneser sshd[24481]: Failed keyboard-interactive for root from 217.147.21.166 port 16015 ssh2
Oct  6 13:17:52 shalmaneser sshd[24487]: Failed keyboard-interactive for root from 202.111.157.52 port 49067 ssh2
Oct  6 13:19:38 shalmaneser sshd[24516]: Failed keyboard-interactive for root from 222.210.17.151 port 47198 ssh2
Oct  6 13:21:19 shalmaneser sshd[24533]: Failed keyboard-interactive for root from 80.34.55.88 port 56931 ssh2
Oct  6 13:22:59 shalmaneser sshd[24551]: Failed keyboard-interactive for root from 211.227.67.205 port 39655 ssh2
Oct  6 13:24:46 shalmaneser sshd[24569]: Failed keyboard-interactive for root from 148.244.228.152 port 35310 ssh2
Oct  6 13:26:24 shalmaneser sshd[24577]: Failed keyboard-interactive for root from 212.92.194.5 port 37391 ssh2
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
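An added example, not part of the post or the list archive: a POSIX sh/awk pipeline that does what item 10 of the summary describes doing by hand with "basic unix tools", counting "Failed" lines per source address from sshd log lines in the format shown above and turning them into a list ready for a firewall block table. The sample lines are constructed (RFC 5737 documentation addresses); the table name block-total is the one the post mentions, and the threshold argument is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Reads sshd syslog lines on
# stdin, e.g.  failed_by_ip < /var/adm/messages  on the Solaris box.
# Sample input is constructed with RFC 5737 documentation addresses.
SAMPLE_LOG='Oct  6 11:48:32 shalmaneser sshd[23947]: Failed keyboard-interactive for root from 192.0.2.10 port 39308 ssh2
Oct  6 11:49:49 shalmaneser sshd[23953]: Failed keyboard-interactive for root from 198.51.100.7 port 55358 ssh2
Oct  6 11:51:34 shalmaneser sshd[23959]: Failed keyboard-interactive for root from 192.0.2.10 port 48200 ssh2
Oct  6 11:53:20 shalmaneser sshd[23966]: Accepted publickey for alice from 203.0.113.5 port 59977 ssh2
Oct  6 11:54:54 shalmaneser sshd[23975]: Failed keyboard-interactive for root from 203.0.113.99 port 9519 ssh2
Oct  6 11:56:37 shalmaneser sshd[23982]: Failed password for invalid user test from 192.0.2.10 port 51734 ssh2'

# failed_by_ip: print "count ip" for every source that produced a
# "Failed ..." line (keyboard-interactive, password, publickey alike),
# most active source first. Successful logins are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed / {
            # the source address is always the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# block_list: addresses with at least $1 failures (default 1), one per
# line, sorted; suitable as input for a pf table such as <block-total>
# (pfctl -t block-total -T add ...). The threshold is this example's own.
block_list() {
    min=${1:-1}
    failed_by_ip | awk -v min="$min" '$1 >= min { print $2 }' | sort
}

# distinct_sources: number of different failing addresses. Many sources
# each trying only once or twice is the "taking turns" pattern the post
# describes; a single source with hundreds of failures is a plain brute force.
distinct_sources() {
    failed_by_ip | wc -l | tr -d ' '
}

# Demo on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```

Run against a real log, pipe the console or auth log into the functions instead of the sample; the threshold lets a one-off typo from a legitimate user stay off the block list.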
Received on Fri Oct 9 11:46:45 2009

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:15 EST