For a very long time, SSH bruteforce attacks belonged to the normal noise for any system with internet connectivity - much like portscans and other protocol brute forcing. There are a couple of rather effective countermeasures, the most notable being
- DenyHosts - automatically greps syslog for SSH bruteforce activity above a configurable threshold and updates /etc/hosts.deny with those addresses. Has a timeout feature too
- Fail2Ban - pretty much the same, only feeds iptables.
Both are available in your package repository of choice (mine being apt).
However, the last few months have seen a steady decline in the success rate of these blacklist-based systems. Using a centralized blacklist provided by a third party didn’t help much either (and can be a serious security problem in itself). This is mainly due to a shift in bruteforce patterns deliberately implemented by the botnet herders who perform the brute force attacks.
A couple of months ago, each attacking IP address tried a number of user names or numerous passwords for the same username:
```
vsftpd:
  Unknown Entries:
    check pass; user unknown: 8183 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=210.41.224.178 : 2283 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=ftp ruser=abby rhost=64.235.56.178 : 6 Time(s) (This IP address tried numerous user names for a total of 6000 tries)
```
(Logwatch from April, 2008)
There was an almost unnoticeable shift, and by May or June each botnet slave only tried fewer than ten account/password combinations:
```
80.154.37.149 (kreta649.myserver.t-online.de): 8 times
   britney/keyboard-interactive/pam: 1 time
   bryson/keyboard-interactive/pam: 1 time
   gloria/keyboard-interactive/pam: 1 time
   lawes/keyboard-interactive/pam: 1 time
   layla/keyboard-interactive/pam: 1 time
   nagios/keyboard-interactive/pam: 1 time
   operator/keyboard-interactive/pam: 1 time
   patrick/keyboard-interactive/pam: 1 time
80.161.109.35 (0x50a16d23.arcnxx13.adsl-dhcp.tele.dk): 7 times
   adminadmin/keyboard-interactive/pam: 1 time
   caolan/keyboard-interactive/pam: 1 time
   carlton/keyboard-interactive/pam: 1 time
   dnscache/keyboard-interactive/pam: 1 time
   laurie/keyboard-interactive/pam: 1 time
   law/keyboard-interactive/pam: 1 time
   oracle/keyboard-interactive/pam: 1 time
80.166.213.254 (cpe.atm2-0-1271189.0x50a6d5fe.kd4nxx13.customer.tele.dk): 1 time
   niki/keyboard-interactive/pam: 1 time
80.183.147.42 (host42-147-static.183-80-b.business.telecomitalia.it): 3 times
   theodore/keyboard-interactive/pam: 1 time
   ulysses/keyboard-interactive/pam: 1 time
   uriah/keyboard-interactive/pam: 1 time
80.183.153.230 (host230-153-static.183-80-b.business.telecomitalia.it): 1 time
   brittany/keyboard-interactive/pam: 1 time
80.190.243.167 (ipx11670.ipxserver.de): 1 time
```
(Logwatch from May, 2008)
Still, some addresses attempt more than one user/password combination...
Now, my Logwatch looks like this:
```
Illegal users from:
   24.21.122.21 (c-24-21-122-21.hsd1.wa.comcast.net): 1 time
      admin/keyboard-interactive/pam: 1 time
   41.207.199.95 (Adsl-41-207-199-95.aviso.ci): 2 times
      log/keyboard-interactive/pam: 1 time
      nikita/keyboard-interactive/pam: 1 time
   58.77.117.97: 2 times
      frank/keyboard-interactive/pam: 1 time
      mary/keyboard-interactive/pam: 1 time
   58.137.145.100: 1 time
      admin/keyboard-interactive/pam: 1 time
   58.181.129.115: 1 time
      admin/keyboard-interactive/pam: 1 time
   58.196.4.2: 2 times
      kim/keyboard-interactive/pam: 1 time
      patrick/keyboard-interactive/pam: 1 time
   59.90.32.14: 1 time
      admin/keyboard-interactive/pam: 1 time
   61.135.234.7: 3 times
      jerry/keyboard-interactive/pam: 1 time
      joe/keyboard-interactive/pam: 1 time
      kelly/keyboard-interactive/pam: 1 time
   62.225.15.82: 1 time
      joe/keyboard-interactive/pam: 1 time
   64.183.133.194 (rrcs-64-183-133-194.west.biz.rr.com): 1 time
      helen/keyboard-interactive/pam: 1 time
   64.254.233.100 (devfw1.messagingarchitects.com): 2 times
      admin/keyboard-interactive/pam: 2 times
   65.113.227.26: 1 time
      jenny/keyboard-interactive/pam: 1 time
   66.189.40.144 (66-189-40-144.dhcp.oxfr.ma.charter.com): 1 time
      web/keyboard-interactive/pam: 1 time
   67.40.86.204: 1 time
      richard/keyboard-interactive/pam: 1 time
   69.217.30.214 (ppp-69-217-30-214.dsl.applwi.ameritech.net): 2 times
      lee/keyboard-interactive/pam: 1 time
      patricia/keyboard-interactive/pam: 1 time
```
(November, 2008)
Not one IP address made more than 2 attempts (my fail2ban threshold would have been 3, had it been turned on). Interesting shift. It seems that this has been seen by others too; see this entry in the Arbor blog.
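As an added example (not from the original post), the script below mimics the per-source threshold a Fail2Ban jail applies and contrasts it with an aggregate rule that counts distinct sources probing invalid accounts, which is what still fires when every source stays below the threshold. The sshd log lines are constructed for this example and use documentation IP ranges; the function and rule names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed auth.log excerpt (sample values, not real sources): every
# source tries at most two accounts, mirroring the Logwatch summary above.
SAMPLE_LOG = """\
Nov 12 03:14:01 host sshd[2101]: Invalid user admin from 198.51.100.21
Nov 12 03:14:07 host sshd[2104]: Invalid user log from 198.51.100.95
Nov 12 03:14:09 host sshd[2104]: Invalid user nikita from 198.51.100.95
Nov 12 03:15:30 host sshd[2110]: Invalid user frank from 203.0.113.97
Nov 12 03:15:31 host sshd[2110]: Invalid user mary from 203.0.113.97
Nov 12 03:16:02 host sshd[2115]: Invalid user admin from 203.0.113.100
Nov 12 03:16:40 host sshd[2119]: Invalid user admin from 203.0.113.115
Nov 12 03:17:12 host sshd[2122]: Invalid user kim from 192.0.2.2
Nov 12 03:17:13 host sshd[2122]: Invalid user patrick from 192.0.2.2
Nov 12 03:18:45 host sshd[2130]: Invalid user admin from 192.0.2.14
Nov 12 03:19:01 host sshd[2131]: Accepted publickey for alice from 192.0.2.50 port 5022 ssh2
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")

def parse_invalid_users(log_text):
    """Return (user, ip) pairs for every 'Invalid user' line sshd logged."""
    events = []
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            events.append(m.groups())
    return events

def per_source_bans(events, threshold=3):
    """Fail2Ban-style rule: a source is banned once it reaches the threshold."""
    hits = Counter(ip for _, ip in events)
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def distributed_alert(events, min_sources=5):
    """Aggregate rule: fire when many distinct sources probe invalid users,
    however few attempts each one makes. Returns (fired, source_count)."""
    sources = {ip for _, ip in events}
    return len(sources) >= min_sources, len(sources)

def users_by_source_count(events):
    """User names ranked by how many distinct sources tried them."""
    by_user = defaultdict(set)
    for user, ip in events:
        by_user[user].add(ip)
    return sorted(((u, len(s)) for u, s in by_user.items()), key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    ev = parse_invalid_users(SAMPLE_LOG)
    print("per-source bans:", per_source_bans(ev))    # [] - nobody reaches 3
    print("distributed rule:", distributed_alert(ev))  # (True, 7)
    print("most-probed users:", users_by_source_count(ev)[:3])
```

The aggregate rule is a detection signal, not a ban list: it tells you the distributed campaign is underway even though no single address ever crosses the per-IP threshold.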
The most efficient method is still a whitelist. However, if you are on a dynamic network at home (or work) and can’t predict your IP address, you are out of luck. We are shifting heavily towards VPN now - to mitigate exactly this problem.