This is a discussion on ssd attacks; worm? and precautionary steps within the Linux Security forums, part of the System Security and Security Related category.
Hi,
Many people are now aware of the sshd attacks that one gets on his/her linux box connected to the internet and running an SSH server.

I am wondering, is this just a script? Or a worm? Does the program responsible for these attacks have a name yet? One could write a brute force script that implements such an attack, but I wonder if the actual rogue script is available. I intend to run a laptop with a live linux CD, connect it on my home LAN and see if I can use that script to hack into it -- and also to check security on my other machines.

So far, I have taken the following steps to prevent being compromised from these attacks:

1. In my ssh server, I do not allow root login remotely and allow only certain users to login via ssh.

2. I make sure that the users who are allowed ssh access have good passwords.

3. I have the following rules in my iptables script (where SSH_PORT=22, SSH_PORTS=1024:65535):

#-----------------------------------------------------------
if [ $SSH_SERVER -gt 0 ]; then
    #if any hosts are specified to be allowed access, give it here.
    for IPADDR in $SSH_ALLOW_CLIENTS; do
        echo "Allowing SSH access to host IP: $IPADDR"
        #allow only already established and related in
        $IPTABLES -A INPUT -i $EXTIF -p TCP \
            -s $IPADDR --sport $SSH_PORTS --dport $SSH_PORT \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
        #limit the rate at which new connects are allowed
        $IPTABLES -A INPUT -i $EXTIF -p TCP \
            -s $IPADDR --sport $SSH_PORTS --dport $SSH_PORT \
            -m state --state NEW -m limit --limit 1/m --limit-burst 5 \
            -j ACCEPT
        # drop the new connections that violate the rate limit above
        $IPTABLES -A INPUT -i $EXTIF -p TCP \
            -s $IPADDR --sport $SSH_PORTS --dport $SSH_PORT \
            -m state --state NEW -j DROP
    done
    #allow OUT going SSH requests.
    $IPTABLES -A OUTPUT -o $EXTIF -p TCP ! --syn \
        --sport $SSH_PORT --dport $SSH_PORTS -j ACCEPT
fi
#-----------------------------------------------------------

I used to see many attempts in /var/log/syslog (on Debian Testing, 2.6.11 kernel). After the iptables limit rule implementation (based on the other thread about "Dictionary sshd attacks" in comp.os.linux.security), I got this today in my syslog file:

#-----------------------------------------------------
Aug 21 12:44:20 localhost sshd[19143]: Did not receive identification string from ::ffff:211.22.160.242
Aug 21 12:56:15 localhost sshd[19161]: reverse mapping checking getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 21 12:56:15 localhost sshd[19161]: User root not allowed because not listed in AllowUsers
Aug 21 12:56:17 localhost sshd[19163]: Illegal user admin from ::ffff:211.22.160.242
Aug 21 12:56:17 localhost sshd[19163]: reverse mapping checking getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 21 12:56:20 localhost sshd[19165]: Illegal user test from ::ffff:211.22.160.242
Aug 21 12:56:20 localhost sshd[19165]: reverse mapping checking getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 21 12:56:22 localhost sshd[19167]: Illegal user guest from ::ffff:211.22.160.242
Aug 21 12:56:22 localhost sshd[19167]: reverse mapping checking getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 21 12:56:25 localhost sshd[19169]: Illegal user webmaster from ::ffff:211.22.160.242
Aug 21 12:56:25 localhost sshd[19169]: reverse mapping checking getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE BREAKIN ATTEMPT!
#-----------------------------------------------------

And after the last 5 attempts, the future packets were dropped:

# iptables -nvL | grep -B2 -A2 'limit'
    0     0 ACCEPT  tcp  --  ppp0  *  0.0.0.0/0  0.0.0.0/0  tcp spt:22 dpts:1024:65535 flags:!0x16/0x02
    0     0 ACCEPT  tcp  --  ppp0  *  0.0.0.0/0  0.0.0.0/0  tcp spts:1024:65535 dpt:22 state RELATED,ESTABLISHED
    6   360 ACCEPT  tcp  --  ppp0  *  0.0.0.0/0  0.0.0.0/0  tcp spts:1024:65535 dpt:22 state NEW limit: avg 1/min burst 5
    3   180 DROP    tcp  --  ppp0  *  0.0.0.0/0  0.0.0.0/0  tcp spts:1024:65535 dpt:22 state NEW
    0     0 ACCEPT  tcp  --  ppp0  *  0.0.0.0/0  0.0.0.0/0  tcp spt:21 dpts:1024:65535 flags:!0x16/0x02

These preventive steps make me feel better. The limit rule in iptables gives added security since no one can just go on trying various passwords now.

And my queries now are:
1. Does the rogue worm/script/program have a name? Where can I get it from?
2. I occasionally use my D-Link DI-604 router to connect to my ISP. Does anybody have any idea if that particular router is running an SSH server and is prone to such attacks (any default accounts with none or weak passwords)?

regards,
->HS
--
Please remove the underscores ( the '_' symbols) from my email address to obtain the correct one. Apologies, but the fudging is to remove spam.
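An added example (the editor's, not H.S.'s script and not netfilter code) modelling the `-m limit --limit 1/m --limit-burst 5` rule above, fed the six sshd child start times from the posted syslog plus three constructed attempts a few seconds later; it reproduces the 6 ACCEPT / 3 DROP counters. It also shows a caveat the rule set does not address: `-m limit` keeps one bucket for the whole rule, not one per source, so a second host is dropped while a scanner has drained it, which is what `-m hashlimit --hashlimit-mode srcip` (modelled here as PerSourceLimit) is for. The 192.0.2.10 address in the test and the token-bucket approximation of netfilter's credit accounting are the editor's assumptions.

```python
from datetime import datetime


class RuleLimit:
    """Model of netfilter `-m limit --limit R --limit-burst B` (approximating its
    credit accounting): ONE token bucket for the whole rule, refilled at rate R and
    capped at B tokens. Every packet that reaches the rule advances the clock,
    whether it matches or not; it matches only if a whole token is available."""

    def __init__(self, per_minute, burst):
        self.interval = 60.0 / per_minute      # seconds per refilled token
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def match(self, when, src=None):           # src is ignored: the bucket is shared
        if self.last is not None:
            elapsed = (when - self.last).total_seconds()
            self.tokens = min(self.burst, self.tokens + elapsed / self.interval)
        self.last = when
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimit:
    """Same policy with a separate bucket per source address, which is what
    `-m hashlimit --hashlimit-mode srcip` provides (bucket expiry not modelled)."""

    def __init__(self, per_minute, burst):
        self.args = (per_minute, burst)
        self.buckets = {}

    def match(self, when, src):
        return self.buckets.setdefault(src, RuleLimit(*self.args)).match(when)


def at(hhmmss):
    """Clock time on the day of the posted log (2005-08-21)."""
    return datetime.strptime('2005-08-21 ' + hhmmss, '%Y-%m-%d %H:%M:%S')


# The first six connection times are the sshd child start times from the posted
# syslog; the last three attempts are constructed (the posted counters show 3 drops).
ATTEMPTS = [(at(x), '211.22.160.242') for x in (
    '12:44:20', '12:56:15', '12:56:17', '12:56:20', '12:56:22', '12:56:25',
    '12:56:28', '12:56:31', '12:56:34')]


def verdicts(attempts, per_minute=1, burst=5, per_source=False):
    """ACCEPT/DROP for each (time, source) attempt, in order, under the chosen limiter."""
    limiter = (PerSourceLimit if per_source else RuleLimit)(per_minute, burst)
    return ['ACCEPT' if limiter.match(when, src) else 'DROP' for when, src in attempts]


if __name__ == '__main__':
    for (when, src), v in zip(ATTEMPTS, verdicts(ATTEMPTS)):
        print(when.time(), src, v)
```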
H.S. wrote:
> And my queries now are:
> 1. Does the rogue worm/script/program have a name? Where can I get it from?
> 2. I occasionally use my D-Link DI-604 router to connect to my ISP. Does
> anybody have any idea if that particular router is running an SSH server
> and is prone to such attacks (any default accounts with none or weak
> passwords)?
>
> regards,
> ->HS

You may want to move SSH to another port instead of the default 22. I did this and have seen no ssh attacks since. Another good practice is to only allow public/private key access instead of passwords (if possible). Sorry I can't answer your two questions however.
Apparently, _H.S._, on 21/08/05 13:38, typed:
> I am wondering, is this just a script? Or a worm? Does the program
> responsible for these attacks have a name yet? One could write a brute
> force script that implements such an attack, but I wonder if the actual
> rogue script is available. I intend to run a laptop with a live linux CD,
> connect it on my home LAN and see if I can use that script to hack into
> it -- and also to check security on my other machines.
> <SNIP><SNIP>
>
> And my queries now are:
> 1. Does the rogue worm/script/program have a name? Where can I get it from?

er ... no response regarding the identity of the worm or script, or so it appears. Looks like the ssh attacks are pretty common but no one has actually seen such a script? Either I am missing something quite obvious or this is very very odd.

->HS
"H.S." <g_reate_xcalibur@yahoo.com> wrote in message
news:AiqOe.78448$Ph4.2467539@ursa-nb00s0.nbnet.nb.ca...
> > And my queries now are:
> > 1. Does the rogue worm/script/program have a name? Where can I get it from?
>
> er ... no response regarding the identity of the worm or script, or so
> it appears. Looks like the ssh attacks are pretty common but no one has
> actually seen such a script? Either I am missing something quite obvious
> or this is very very odd.

Anybody with half a talent for scripting or programming can easily author such things. Nobody with half an intelligence would make such details public.
Apparently, _ynotssor_, on 22/08/05 16:14, typed:
> "H.S." <g_reate_xcalibur@yahoo.com> wrote in message
> news:AiqOe.78448$Ph4.2467539@ursa-nb00s0.nbnet.nb.ca...
>>> And my queries now are:
>>> 1. Does the rogue worm/script/program have a name? Where can I get it from?
>
>> er ... no response regarding the identity of the worm or script, or so
>> it appears. Looks like the ssh attacks are pretty common but no one has
>> actually seen such a script? Either I am missing something quite obvious
>> or this is very very odd.
>
> Anybody with half a talent for scripting or programming can easily author
> such things. Nobody with half an intelligence would make such details
> public.

Well, I knew it was not going to be that easy. But similar to how other rogue programs are got hold of and made public, I was thinking perhaps it is the case here too.

If I am not grossly wrong, the ssh/sshd attacks all originate from compromised Linux or Unix machines. So you are saying that no one, absolutely no one, has been able to discover the script in their compromised machines and reported it? The script comes with a database or list of usernames and passwords. Clearly if the script has been authored by someone with "half a talent for scripting", how come admins with greater talent haven't found it out (at least its name or some of its salient features)? And if no one knows about the script, how come we are assuming that it tries usernames and passwords and not something advanced that targets sshd or Linux kernel weaknesses?
H.S. wrote:
> If I am not grossly wrong, the ssh/sshd attacks all originate from
> compromised Linux or Unix machines. So you are saying that no one,
> absolutely no one, has been able to discover the script in their
> compromised machines and reported it? The script comes with a database
> or list of usernames and passwords. Clearly if the script has been
> authored by someone with "half a talent for scripting", how come admins
> with greater talent haven't found it out (at least its name or some of
> its salient features)? And if no one knows about the script, how come
> we are assuming that it tries usernames and passwords and not something
> advanced that targets sshd or Linux kernel weaknesses?

I had one of these ssh script-worms on one of my machines. The one I had was a worm. It didn't get very far as it only got into a user's account that had no other privilege. I found the pieces left in /tmp. There were about 10 files that had been downloaded, all scripts (bash and perl). The worm tried to see if it had root privileges and when it didn't it bailed. At the time I looked around and I think I found information about the exploit at one of the AV sites.

The worm got into my box via a user account "alan" that had a password of "alan". I changed my policy to assign users a password and not let them change it. I also restricted the users who could log into my machine and only allow public/private key authentication now. I had already restricted the use of ssh to a small group that "alan" was not a member of so the worm couldn't use ssh to try to find other targets. Since then I have also moved sshd to another port and that has stopped the probing altogether (so far, though a port scan that identifies sshd on other ports is surely possible).

The worm package had a file that was its dictionary and a file that had subnet ranges to explore. It was not a trivial script but it was not really very sophisticated either. It had obviously been patched together using several different exploit pieces to make one.
Apparently, _Barton L. Phillips_, on 22/08/05 17:29, typed:
> The worm package had a file that was its dictionary and a file that had
> subnet ranges to explore. It was not a trivial script but it was not
> really very sophisticated either. It had obviously been patched together
> using several different exploit pieces to make one.

Thanks for the info. A little more serious search coughed up the sshf binary that was reported on Full Disclosure and is also mentioned on the Gentoo website. That particular script, it appears, is not intelligent at all.

->HS
On Mon, 22 Aug 2005 20:33:31 GMT, "H.S." <g_reate_xcalibur@yahoo.com> wrote:
> or list of usernames and passwords. Clearly if the script has been
> authored by someone with "half a talent for scripting", how come admins
> with greater talent haven't found it out (at least its name or some of
> its salient features)? And if no one knows about the script, how come
> we are assuming that it tries usernames and passwords and not something
> advanced that targets sshd or Linux kernel weaknesses?

You miss the point entirely, unix is not windows, scripts do not have a particular name, and they're not viruses. One would need to ask why have port 22 open at all for public connections? If you're adminning a machine remotely you may choose a non-standard port and strong authentication. You may put firewall rules in to allow ssh only from known hosts (I do this as I have a unix account elsewhere). You may also limit connection rate to average something like 4/hour (per user, perhaps).

The point is, detection _after_ violation is too late, and there are easier ways to break a machine.

As far as lists go, a modern unix box is likely to have several dictionaries installed, plus wordlists a prudent admin will use to validate her users have reasonably strong passwords.

Cheers,
Grant.
Apparently, _Grant_, on 22/08/05 18:50, typed:
> You miss the point entirely, unix is not windows, scripts do not

I am well aware of the fact, thank you.

> have a particular name, and they're not viruses. One would need to

Perhaps they don't have particular names (btw, which is quite possible in the Windows world too). But advisories usually mention such scripts/worms/bots/virii or what have you by some noun or by description of their behaviour. That was the import of my question.

> ask why have port 22 open at all for public connections? If you

For the time being, I cannot move the ssh to another port. Moreover, from a Gentoo website, I have realized it is not difficult at all to test what other ports sshd is listening on. Obscuring the ssh port may decrease the hits or avoid them for a while, but it is not a very strong defence mechanism.

> adminning a machine remotely you may choose a non-standard port and
> strong authentication. You may put firewall rules in to allow
> ssh only from known hosts (I do this as I have a unix account
> elsewhere). You may also limit connection rate to average something
> like 4/hour (per user, perhaps).

Looks like you haven't read my first message in this thread.

> The point is, detection _after_ violation is too late, and there
> are easier ways to break a machine.
>
> As far as lists go, a modern unix box is likely to have several
> dictionaries installed, plus wordlists a prudent admin will use to
> validate her users have reasonably strong passwords.

Right.

> Cheers,
> Grant.

regards,
->HS
On 2005-08-22, H.S. wrote:
> Thanks for the info. A little more serious search coughed up the sshf binary
> that was reported on Full Disclosure and is also mentioned on the Gentoo
> website. That particular script, it appears, is not intelligent at all.

Be careful with those binaries, almost all that I've seen are infected with Linux viruses RST and OSF.

I've been following this for a while, since it started in great mass, a little before the site you refer to posted about it. The worst one I had was 12 minutes long, but I've always had really long complex passwords so they didn't get jack. (I did however report the bastard and got his account closed, his ISP confirmed it after I sent in the full 12 minutes worth of logged attempts).

I've posted here about it before, so I won't rehash what I already said too much, but basically what you're seeing are amateur script kiddies using one of several programs to bruteforce weak passwords. There are a few scripts that are semi-automated (making them worms, I guess you could say) like the other poster said, but these are pretty rare to find. Almost always it's a human hacker, attacking from the last machine they took over in the same way. A few start out from home (the real dumb ones) and those you can complain about and get shutdown. Once they do get into a site, they use that for their next attacks, usually installing rootkits along with it. Most of the ready-made binaries you find are virus-infected. I have both samples of these and also the C sources for the programs they use, but I don't think it's wise to post them here. Besides, they're not hard to find if you look.

I did the following and don't worry about ssh attacks anymore:
- public key auth. only. Protocol 2 only.
- moved sshd off port 22 (it's not got hit once, since then)
- dropped all traffic from places like Hinet.net, Kornet.net, all of Korea and all of China. These were by and large the biggest source of attackers, and worse, they didn't give a rat's ass if you reported to them that someone was attacking you. They just don't care about anyone else and that's the main reason that I permanently blocked them.
- used tcpwrappers to deny some places I know users will never be logging in from
- use AllowUsers and DenyUsers in sshd_config to limit who can ssh
- no root, ever
- left this rule for anyone still wanting to probe my (old) ssh port:
  iptables -A INPUT -i ppp0 -p tcp --dport 22 -j TARPIT

I don't know any distros that include the TARPIT extension, but you can get that (and a lot of other cool iptables add-ons) by building your own kernel patched with the patch-o-matic from http://www.netfilter.org/ or ftp://ftp.netfilter.org/ sites. The iprange match module comes in handy, in particular.

The good news is they are getting to be less and less, down from about a year's worth of attacks at a sickening rate. I made a reporting script that prints the attackers out each night, and that list is getting smaller and smaller, at least in my corner of the 'Net.

--
I still want to know what dim bulb thought that UPnP was a good idea. I mean, c'mon. A defined API so malware can send a "Pants Down!" command to the firewall? What were they *thinking*? -Valdis Kletniek
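The nightly reporting script mentioned above and the syslog excerpt in the first post suggest this added example (the editor's, not any poster's script): it parses the exact sshd message forms seen in this thread, groups them by sshd child pid so that a "User root not allowed" line, which carries no address, still lands on the right source via its reverse-mapped hostname, and lists the sources that exceed a connection threshold. The sample input is the first post's log, abridged, plus one constructed line from the documentation address 192.0.2.10.

```python
import re
from collections import OrderedDict

# sshd message forms copied from the lines posted in this thread.
LINE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ILLEGAL = re.compile(r'^Illegal user (?P<user>\S+) from (?P<ip>\S+)$')
NO_IDENT = re.compile(r'^Did not receive identification string from (?P<ip>\S+)$')
REVMAP = re.compile(r'^reverse mapping checking getaddrinfo for (?P<host>\S+) failed')
DENIED = re.compile(r'^User (?P<user>\S+) not allowed because not listed in AllowUsers$')

# Constructed sample: the first post's syslog excerpt (abridged) plus one made-up line
# from a second source so the per-source grouping is visible.
SAMPLE = """\
Aug 21 12:44:20 localhost sshd[19143]: Did not receive identification string from ::ffff:211.22.160.242
Aug 21 12:56:15 localhost sshd[19161]: reverse mapping checking getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 21 12:56:15 localhost sshd[19161]: User root not allowed because not listed in AllowUsers
Aug 21 12:56:17 localhost sshd[19163]: Illegal user admin from ::ffff:211.22.160.242
Aug 21 12:56:17 localhost sshd[19163]: reverse mapping checking getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 21 12:56:20 localhost sshd[19165]: Illegal user test from ::ffff:211.22.160.242
Aug 21 12:56:20 localhost sshd[19165]: reverse mapping checking getaddrinfo for 211-22-160-242.hinet-ip.hinet.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 21 12:56:22 localhost sshd[19167]: Illegal user guest from ::ffff:211.22.160.242
Aug 21 12:56:25 localhost sshd[19169]: Illegal user webmaster from ::ffff:211.22.160.242
Aug 21 13:02:01 localhost sshd[19201]: Illegal user oracle from ::ffff:192.0.2.10
"""


def normalize_ip(ip):
    """sshd on a dual-stack socket logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return ip[7:] if ip.startswith('::ffff:') else ip


def parse_sessions(lines):
    """Group messages by sshd child pid: each pid is one inbound connection."""
    sessions = OrderedDict()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m['pid'], {'ip': None, 'host': None, 'users': [],
                                           'first': m['ts'], 'last': m['ts']})
        s['last'] = m['ts']
        msg = m['msg']
        if x := ILLEGAL.match(msg):
            s['ip'] = normalize_ip(x['ip'])
            s['users'].append(x['user'])
        elif x := NO_IDENT.match(msg):
            s['ip'] = normalize_ip(x['ip'])
        elif x := REVMAP.match(msg):
            s['host'] = x['host']
        elif x := DENIED.match(msg):
            s['users'].append(x['user'])
    return sessions


def report(lines):
    """Per-source summary: connections seen, user names tried, reverse-DNS failure, time span."""
    sessions = parse_sessions(lines)
    # Sessions that logged only the reverse-mapped hostname (no address) are tied to an
    # address through sessions that logged both.
    host_to_ip = {s['host']: s['ip'] for s in sessions.values() if s['host'] and s['ip']}
    out = OrderedDict()
    for s in sessions.values():
        src = s['ip'] or host_to_ip.get(s['host']) or s['host'] or 'unknown'
        r = out.setdefault(src, {'connections': 0, 'users': [], 'revmap_failed': False,
                                 'first': s['first'], 'last': s['last']})
        r['connections'] += 1
        r['users'] += [u for u in s['users'] if u not in r['users']]
        r['revmap_failed'] = r['revmap_failed'] or s['host'] is not None
        r['last'] = s['last']
    return out


def suspicious(lines, min_connections=3):
    """Sources with at least min_connections connections: candidates for the nightly report."""
    return [src for src, r in report(lines).items() if r['connections'] >= min_connections]


if __name__ == '__main__':
    for src, r in report(SAMPLE.splitlines()).items():
        print(src, r['connections'], ','.join(r['users']), r['first'], '..', r['last'])
```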