View Diary: SoapBlox Press Release on Yesterday's Event (168 comments)

  •  Botnet SSH attacks on the rise (7+ / 0-)

    Everyone responsible for a server should take serious note of this. Within the last few months, the number of SSH "brute force" or "dictionary" attacks has skyrocketed.

    I don't know if this is necessarily the cause of the Soapblox outage, but I see it as a very high probability based on what has been reported. My apologies to the Soapblox folks if they were actually on top of this issue, but most of the otherwise reasonably locked-down machines I see aren't hardened against this vector.

    FYI, this attack basically takes the form of a foreign machine repeatedly trying to login as root through SSH, guessing a different password every time. Without additional measures in place, a single attacker can try multiple passwords per second indefinitely, and a dozen (or more) can cover a large part of the weak password space.

    I run several servers, and I am hit daily by about a dozen different attackers, per server, executing this attack plan. The sources of the attacks are different all the time, indicating a large network of attackers, i.e. a botnet of compromised hosts.

    I have an automated system that detects brute force attacks and dynamically blocks the attacker's IP address at my firewall. Initially, the block is temporary, but repeated offenses will create a permanent block. Before I did this, my logs would fill up with many thousands of individual attacks per hour; now only a few dozen per day get through.

    You might also want to disable SSH login for root, and instead use the 'sudo' program to obtain root access once logged in as an authorized regular user.

    If you are running a system that provides SSH access for root, and do not have such an intrusion detection system, this attack WILL EVENTUALLY SUCCEED against a weak password, and your server will get "PWND", i.e. will become part of the botnet. It is just a matter of time.

    So make sure you have a secure password, but that is only one line of defense. See http://www.wired.com/...

    •  Looking for info... (1+ / 0-)
      Recommended by:
      JRandomPoster

      You say you've got a dynamic blocker - is it low overhead?  Running Snort + SnortSam or Guardian is a bit hefty for these boxes, but I'd love to drop these scripts into network Limbo efficiently.  When I see them on my home system, I add an IPTables line to drop the third stage of the TCP handshake; it not only protects my system but it also locks up the ssh scanner...  I'd love to do that automatically.

      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves. - William Pitt

      by Phoenix Rising on Thu Jan 08, 2009 at 12:29:08 PM PST

      •  Try daemonshield as a starting point (2+ / 0-)
        Recommended by:
        Phoenix Rising, JRandomPoster

        I do some custom stuff, but this is a good start.

        http://daemonshield.sourceforge.net/

        It runs as a sysvinit style service. It scans logs for attack messages and manages an iptables block list.

        FYI, this is not the friendliest tool in the world to get working reliably, but it does the trick. It's very lightweight, but you need to know how to build source packages, and dig into the source, config, and debugging output to understand and work around / avoid situations that make it stop running, like mail notification failures, etc.
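An added illustration (not the commenter's own system and not daemonshield's code) of the detect-and-block logic the two comments above describe: failed sshd logins are counted per source IP, the first time an IP crosses the threshold it gets a temporary block, and a repeat offense gets a permanent one. The log lines are constructed sample data, the iptables rule text is an assumption about how the block would be applied, the commands are returned rather than executed, and the timer that expires a temporary block is left to the caller.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log excerpt (sample data, not taken from the thread).
SAMPLE_LOG = """\
Jan  8 12:29:01 web sshd[1001]: Failed password for root from 203.0.113.7 port 4021 ssh2
Jan  8 12:29:02 web sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Jan  8 12:29:03 web sshd[1003]: Failed password for root from 203.0.113.7 port 4023 ssh2
Jan  8 12:30:00 web sshd[1010]: Accepted publickey for deploy from 198.51.100.5 port 5000 ssh2
Jan  8 12:31:00 web sshd[1020]: Failed password for root from 192.0.2.9 port 6000 ssh2
Jan  8 12:45:01 web sshd[1101]: Failed password for root from 203.0.113.7 port 4101 ssh2
Jan  8 12:45:02 web sshd[1102]: Failed password for root from 203.0.113.7 port 4102 ssh2
Jan  8 12:45:03 web sshd[1103]: Failed password for root from 203.0.113.7 port 4103 ssh2
"""

# Matches OpenSSH "Failed password" lines, including the "invalid user" variant.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")

class BruteForceBlocker:
    """Per-IP failure counter: first threshold crossing -> temporary block, repeat -> permanent."""
    def __init__(self, threshold=3, temp_blocks_before_permanent=1):
        self.threshold = threshold
        self.limit = temp_blocks_before_permanent
        self.failures = defaultdict(int)   # failed logins since the IP was last blocked
        self.offenses = defaultdict(int)   # how many times the IP has been blocked
        self.permanent = set()

    def feed(self, line):
        """Return (kind, ip, iptables command) when a block triggers, else None."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip in self.permanent:
            return None                    # already dropped at the firewall
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold:
            return None
        self.failures[ip] = 0              # start a fresh count for the next round
        self.offenses[ip] += 1
        kind = "temporary" if self.offenses[ip] <= self.limit else "permanent"
        if kind == "permanent":
            self.permanent.add(ip)
        return kind, ip, f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

    def expire(self, ip):
        """Command that lifts a temporary block when its timer runs out; None if permanent."""
        return None if ip in self.permanent else f"iptables -D INPUT -s {ip} -p tcp --dport 22 -j DROP"
```

Feeding the sample log through `feed()` line by line yields a temporary block for 203.0.113.7 on its third failure and a permanent one on the next burst, while the single failure from 192.0.2.9 stays below the threshold.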

        •  Thanks (0+ / 0-)

          That's a good starting point, and a lot lighter-weight than a full-on IPS like Snort.  A lot less flexible, but just as effective at what it does.

          Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves. - William Pitt

          by Phoenix Rising on Thu Jan 08, 2009 at 02:12:32 PM PST

    •  Some more on the newer SSH botnet scans (1+ / 0-)
      Recommended by:
      JRandomPoster

      They're starting to get into much more complex passwords now.  The lists I've seen on the latest versions aren't limiting themselves to common and weak passwords.

      Some of the lists include very random passwords that I'm guessing are designed to resolve to different MD5 password hashes rather than matching the passwords themselves.  At this rate, passwords are going to have to be stored in multiple hash formats to keep them safe.

      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves. - William Pitt

      by Phoenix Rising on Thu Jan 08, 2009 at 12:33:13 PM PST