[ale] SSH attempts

Jim Kinney jim.kinney at gmail.com
Mon Sep 12 18:48:11 EDT 2011


I prefer to watch for repeated connection attempts for ssh, then auto-gen a
redirect rule that points back to themselves. Give that a few minutes, then
redirect to NSA or Chinese army.
On Sep 12, 2011 5:44 PM, "Bob Toxen" <transam at verysecurelinux.com> wrote:
> Usually the hackers will try up to 1000 passwords on common accounts. I
> know someone who had a root password of "password" and one who had
> "root1234" (without quotes) on Internet-connected *nix systems. I got
> one to change in time; the other got hacked.
>
> Unless you monitor for unsuccessful attacks you don't know how hard they
> are trying and how close they are getting.
>
> It's my experience that even many of the best System Administrators do
> not know what makes a hard-to-break password without education. I had
> the pleasure to provide that to ALE last month and it's in the book.
> Aaron should have that talk's video available some time this month for
> free viewing by ALE members.
>
>
> I highly recommend PortSentry for locking out port scanners.
>
> Moving ssh to a different port will NOT stop a hacker who knows what she
> is doing. Allowing log in only via a ssh public key or only from a
> short list of IPs with a very strong password will stop anyone (unless
> that private key or allowed IP's system is hacked).
>
> Disabling root ssh and requiring one first to ssh in through another
> account and su'ing or sudo'ing to root is not as effective as the above
> solutions and may diminish security, in my opinion.
>
> Bob Toxen
> bob at verysecurelinux.com [Please use for email to me]
> http://www.verysecurelinux.com [Network&Linux security consulting]
> http://www.realworldlinuxsecurity.com [My book: "Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> Quality spam and virus filters.
>
> "One disk to rule them all, One disk to find them. One disk to bring
> them all and in the darkness grind them. In the Land of Redmond where
> the shadows lie...and the Eye is everwatching"
> -- The Silicon Valley Tarot Henrique Holschuh with ... Bob
>
> On Mon, Sep 12, 2011 at 03:07:26PM -0400, Rich Faulkner wrote:
>> My experience with these was that attackers were looking for an easy
>> entry. I mean EASY. And some of the companies I was working on were
>> more than easy prey...and I'm not even sure they're still in business as
>> I told them over and over again to not follow these practices. But they
>> did anyway... and for all I know they're goners now.
>
>> One in particular (a former employer) has never changed their passwords.
>> None that I am aware of...and that's with the coming and going of many
>> an employee from engineering. This includes FTP sites for content, VPNs
>> and the main database servers. This is not a major issue and a glaring
>> hole in security? But then again, I don't work there anymore and will
>> not attempt to gain access to their systems just to see if they have
>> changed the passwords.
>
>> I DID just buy BOB TOXEN's book and got it in the mail over the weekend.
>> Yeah, you Bob! Will be looking for you at an ALE Meeting soon to sign
>> it for me! (Also need the CD - BTW...it was a used book and had the
>> disk missing). But more to the original point...I would rather HACK MY
>> OWN NETWORK than hack someone else's and that's exactly what I'm about
>> to start doing. Thanks to the inspiration of the last ALE Meeting and
>> topics like this thread....
>
>> Bowing to Linux greatness in my midst....
>
>
>> On Mon, 2011-09-12 at 13:38 -0400, Michael H. Warfield wrote:
>
>> > On Mon, 2011-09-12 at 13:19 -0400, Erik Mathis wrote:
>> > > I have to disagree with you on this, as you are only concerned about
>> > > ssh. Since the remote box is most likely owned, ssh brute force
>> > > attacks are likely only going to be the first wave of hate coming from
>> > > that IP. It's best to me to just take a scorched earth approach in
>> > > these situations. Every three months or so, you can remove the ACL
>> > > (however you end up blocking) and see if the hate comes back. Auto
>> > > add rules should take care of the rest. In other words, it's best to be
>> > > prudent and proactive now than later when your stuff is hacked and
>> > > you're only left with reactive options.
>> >
>> > Ok... You guys apparently don't know what Abacus Port Sentry does.
>> > That's what it does. If it detects a port scan above a certain
>> > threshold, it blocks it out. I knew the author. I haven't played with
>> > it in years but it is very effective and is the archetype for some
>> > similar modern projects. Unless he's talking about another "Port
>> > Sentry", he's already doing what he can and denyhost and fail2ban have
>> > nothing to offer over port sentry.
>> >
>> > Also, as the runner of a honeynet for well over a decade, I can tell you
>> > this - your argument just does not hold water. I have never seen a
>> > follow up attack from correlated IP addresses on other services
>> > following unsuccessful ssh attempts. If they can't connect to ssh, I
>> > never hear from them on anything else. I have capture data going back
>> > to 1998 on my darknet. No correlation. Even if they connect to one of
>> > my honeypots (another band of addresses) they still never come back and
>> > attack on another service. It's not happening. It's a nice argument
>> > but you're just scaring away ghosts in New York City (old OLD joke).
>> > The ssh scanning that's taking place is a joke. I seriously thought
>> > they would have at least TRIED the stupid Debian bad ssh keys and my
>> > honeypots were set up to deliberately trap and log on that if any ever
>> > showed up. Nada! All I get are stoopid attempts at passwords like:
>> >
>> > password
>> > passwd
>> > toor
>> > qwert
>> > trewq
>> > poiuy
>> > yuiop
>> > 12345
>> > 09876
>> >
>> > Seriously!
>> >
>> > And they've never come back a knocking. Even on very legitimate looking
>> > honeypot systems with open services and everything.
>> >
>> > > -Erik-
>> >
>> > Regards,
>> > Mike
>> >
>> > > On Mon, Sep 12, 2011 at 12:36 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
>> > > > On Mon, 2011-09-12 at 11:59 -0400, Erik Mathis wrote:
>> > > >> Use denyhosts. Simple and really easy to use.
>> > > >
>> > > >> On Mon, Sep 12, 2011 at 11:05 AM, David Hillman <hillmands at gmail.com> wrote:
>> > > >> > According to the PortSentry logs for my server, I have received thousands of
>> > > >> > connection attempts via SSH port 22. Of course, that is not the port the
>> > > >> > real SSH service is listening on. Logins were also disabled for root.
>> > > >> > What's interesting is the IP addresses all belong to Serverloft
>> > > >> > (www.serverloft.eu); most attempts came from 188.138.32.16
>> > > >> > (loft4385.serverloft.eu). I am guessing someone with a few VPS boxes has
>> > > >> > nothing better to do than use up network bandwidth to terrorize the rest of
>> > > >> > us. Or, maybe those boxes have been compromised.
>> > > >> > I have e-mailed the folks over at Serverloft, but I don't expect
>> > > >> > anything of it. Is there anything else I can do?
>> > > >
>> > > > Hold the phone here!
>> > > >
>> > > > You guys are trying to over engineer this. Read what the OP wrote.
>> > > >
>> > > > He's got ssh running on a different port already. fail2ban and
>> > > > denyhosts will do nothing that port sentry (and I'm assuming that's the
>> > > > old Abacus Port Sentry) and simple firewall rules won't do. All he's
>> > > > seeing is connection ATTEMPTS. There's nothing there to connect to so
>> > > > all he's seeing is Port Sentry logging noise. You've got it blocked
>> > > > already and the service isn't running there anyways. You don't want the
>> > > > noise, stop logging it. That's all. You can't stop the attempts. But
>> > > > the attempts don't result in any connections. Nothing more to do. Move
>> > > > on.
>> > > >
>> > > > Mike
>> > > > --
>> > > > Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
>> > > > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
>> > > > NIC whois: MHW9 | An optimist believes we live in the best of all
>> > > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
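The threshold-based blocking the thread keeps circling (PortSentry, denyhosts and fail2ban each do a version of it) reduced to its core, as an added example that is not code from any poster or from those tools: count failed sshd logins per source address inside a sliding time window and emit a DROP rule once a source crosses the threshold. It assumes the standard OpenSSH "Failed password" syslog line; the log lines, host name `gw`, the RFC 5737 test addresses, and the threshold and window values are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH syslog line for a rejected password (syslog timestamps carry no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log (not from the thread). 192.0.2.10 hammers quickly,
# 198.51.100.7 makes two attempts, 192.0.2.20 is a slow attacker spaced 30 min apart.
SAMPLE_LOG = """\
Sep 12 13:19:01 gw sshd[4101]: Failed password for root from 192.0.2.10 port 51122 ssh2
Sep 12 13:19:03 gw sshd[4101]: Failed password for root from 192.0.2.10 port 51122 ssh2
Sep 12 13:19:05 gw sshd[4101]: Failed password for root from 192.0.2.10 port 51122 ssh2
Sep 12 13:19:09 gw sshd[4103]: Failed password for invalid user admin from 192.0.2.10 port 51140 ssh2
Sep 12 13:19:12 gw sshd[4103]: Failed password for invalid user admin from 192.0.2.10 port 51140 ssh2
Sep 12 13:19:15 gw sshd[4103]: Failed password for invalid user admin from 192.0.2.10 port 51140 ssh2
Sep 12 13:20:44 gw sshd[4110]: Accepted publickey for jim from 203.0.113.5 port 50210 ssh2
Sep 12 13:21:00 gw sshd[4112]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Sep 12 13:25:30 gw sshd[4115]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Sep 12 14:00:00 gw sshd[4120]: Failed password for root from 192.0.2.20 port 33001 ssh2
Sep 12 14:30:00 gw sshd[4121]: Failed password for root from 192.0.2.20 port 33002 ssh2
Sep 12 15:00:00 gw sshd[4122]: Failed password for root from 192.0.2.20 port 33003 ssh2
Sep 12 15:30:00 gw sshd[4123]: Failed password for root from 192.0.2.20 port 33004 ssh2
Sep 12 16:00:00 gw sshd[4124]: Failed password for root from 192.0.2.20 port 33005 ssh2
"""


def find_offenders(lines, threshold=5, window_seconds=600, year=2011):
    """Return {ip: failures} for every source that reaches `threshold` failed
    logins within any `window_seconds` sliding window. The value is the largest
    number of failures seen inside one window. Non-matching lines (successful
    logins, other sshd chatter) are ignored. `year` is supplied because syslog
    timestamps omit it."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        # Drop failures that have aged out of the window, oldest first.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(q))
    return offenders


def block_rules(offenders, chain="INPUT"):
    """Render one iptables DROP rule per offending address, sorted for stable
    output. Dropping (rather than redirecting) is the conservative choice."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines())
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} failures inside the window")
    for rule in block_rules(hits):
        print(rule)
```

With the defaults only 192.0.2.10 is flagged; the slow source at 192.0.2.20 never has five failures inside ten minutes, which is the blind spot of any fixed window and why the tools also keep longer-term counters. Two caveats the thread itself raises: this only works where sshd actually listens and logs the failure (attempts against a closed port 22 never produce these lines, they are just firewall or PortSentry noise), and with password authentication disabled the count is an operational nuisance, not a security risk.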