Brute-force SSH Attacks on the Rise

Published: 2008-05-12
Last Updated: 2008-05-13 10:27:43 UTC
by Scott Fendley (Version: 3)
0 comment(s)

Greetings everyone.  Just a bit of a reminder that many colleges and universities are done for the spring semester, and the K12s are right around the corner.  As most of you already realize, this means that a number of very intelligent kids and young adults are soon to have far more free time on their hands (and less adult supervision during the normal working hours for their parents).  So I expect that there will be a bit of an increase of attacks and other general noise from outside of corporate or campus network as we have observed in prior years.

In that frame of mind, there has been a significant amount of brute force scanning reported by some of our readers and on other mailing lists.  And there does appear to be a bit of a spike reflected in the port 22/tcp sources in the past week in the Dshield data.

Jim Owens and Jeanna Matthews of Clarkson University released a paper which investigates current methods and dictionaries used by attackers of SSH in the past several months.  The paper shows some evaluations of common techniques used to defend against brute force attacks that are worth reading to some.

From the most recent reports I have seen, the attackers have been using either ‘low and slow’ style attacks to avoid locking out accounts and/or being detected by IDS/IPS systems.  Some attackers seem to be using botnets to do a distributed style attack which also is not likely to exceed thresholds common on the network.

So be warned that there does appear to be a bit more activity involving SSH and weak or otherwise guessable passwords.  This would be a great time to do some investigation on your local network to see what servers have SSH open to the world on the default port, and may need to have its security posture reassessed.  You might want to try using a few of the techniques discussed in the paper by Owens and Matthews such as

  • Using the host based security tools of DenyHosts, fail2ban, or BlockHosts in conjunction with TCP-Wrappers to block access to servers across your organization.
  • Disable direct access to the root account.
  • Avoid using easily guessed user names such as only a first name or a last name.  (Side Note: Academia will need to look into the age old policy of publishing an online directory of account holders before this one will have much of an effect.)
  • Enforce strong passwords or use public key authentication in place of passwords (multi-factor or public key is the preferred method especially for systems which contain sensitive data) .
  • Generally reduce the number of publicly accessible services through iptables or similar host based security measures in addition to network firewalls.  (think defense in depth.)

You might note that there is one defense technique that was not even mentioned in the paper, or was not recommended by me.  That technique is to lock accounts after X number of failed login attempts.  As I work in a similar environment as the authors, I can tell you that this technique has numerous issues when working with academia.  First and foremost, the potential for creating a denial of service issue must be weighed against the potential of attackers guessing the right password before IT Security notices.  The likelyhood of having a student take out their frustration for a non-IT related issue on a professor or an ex-boyfriend or girlfriend is actually very significant.  Additionally, having a single sign-on infrastructure used from Web Applications, Unix based apps and interface, and windows based services mean you have to do significant synchronization of information to make this technique effective against distributed and/or slow attacks.    Your mileage for using this  technique may vary and could be more valid in your environment.

Thanks to all of the readers who have already sent in their observations to us today.  :-)

Update 1:
One of our handlers, Jim, pointed me to the DenyHost stat site located at http://stats.denyhosts.net/stats.html.  As already mentioned, this does appear to be a significant new trend of which we all should be aware.

Another one of our readers sometimes gives advice/consults for an organization which today was having problems with a server denying access to anyone attempting to connect. The reason was that Sshd was denying all connections due to too many failed login attempts.  It was recommended that internal servers could use the default port, but external facing hosts which have a need for ssh should use a non-standard high port.  Yes, itt is a form of security by obscurity, but it does defeat brain-dead brute force attacks.

Keywords: bruteforce ssh
0 comment(s)

Adobe Releases Security Bulletin

Published: 2008-05-12
Last Updated: 2008-05-13 00:04:19 UTC
by Scott Fendley (Version: 2)
0 comment(s)

Last week, Adobe released a security bulletin concerning updates that should be deployed as a part of your normal patch procedures earlier this year.  The updates available at Adobe.com address vulnerabilities which could cause Adobe Reader or Acrobat applications to crash or even allow an attacker to take control of the affected system.   More details about this set of updates is available at http://www.adobe.com/support/security/bulletins/apsb08-13.html.

If you haven't already done so, I recommend that this update be added into the mix of testing and deployment along with the Windows Updates to be released on Tuesday.  MacOSX users should also update to either Acrobat 7.1.0 or version 8.1.2 at the earliest convenience as well.

Keywords: Adobe
0 comment(s)

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives