SSH login password guesses
Hi there,

We already had a small thread about this topic, but only for some log entries and not the problem itself ;)

As we probably all noticed, there are a bunch of SSH connects every day which try to log in as root, test, user, admin, guest and maybe others. Now I saw a scan with more than 5000 attempts to log in to several servers. I read a lot about this topic now, but no one really knows what's going on. So I'll try to sum up the information I got; maybe you know a little bit more than I do, or just have the same "problem" and want to know more about it ;)

First of all, it seems that there are multiple tools or scripts out there trying these logins. The simplest one only tries root:root and guest:guest as login. Later on a few more usernames were added: guest, test, user, admin (and maybe others). After that someone seems to have added some dictionary support to the tools. Now it tries many passwords for the root user (no password guesses for the other ones so far).

If some box has such a weak/guessable password, some of the "crackers" installed stuff like rootkits (e.g. suckit) or DDoS flood scripts/IRC bots and other "bad" stuff. Today we found such a server in our network. The password wasn't changed by the customer, so it was guessable. But unlike other reports, no rootkit etc. was installed. All we found was some "uname -r" that was done. Maybe because of a very recent kernel and some other stuff they didn't like this box very much.

A few analyses have been done already:
http://dev.gentoo.org/~krispykringle/sshnotes.txt
http://lists.netsys.com/pipermail/full-disclosure/2004-August/025330.html
http://isc.sans.org/diary.php?date=2004-07-28
and many other postings on the well-known lists like dev-shed, full-disclosure, bugtraq etc.

Most of the attackers seem not to be very skilled, as you'll see in some postings: they left bash_history files and did other stuff you'll notice if you take a closer look at your box.
For people who want to protect themselves against such attacks:
- disable root login (PermitRootLogin no in sshd_config)
- use secure passwords
- maybe just use SSH keys
- don't use guessable accounts
- put sshd on a different port than 22 (will only help against such "normal" scans, not if someone wants to break *your* box)
- use features like hosts.allow/deny or iptables to allow SSH just for a couple of hosts (maybe isn't usable for people with non-static IPs, but you still can limit SSH access to your ISP, or use a VPN ;)

Hope I didn't forget anything. If someone knows more about this topic, please let us know ;)

Regards,
Sven
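A defender-side way to spot the guessing pattern Sven describes in sshd's own auth log, as an added example that is not part of the original post or of any tool named in the thread. The log lines are constructed, the threshold is a chosen assumption, and matching both the "illegal user" and "invalid user" wordings is an assumption about how different OpenSSH versions phrase the message.

```python
import re
from collections import Counter, defaultdict

# OpenSSH "Failed password" records as written to auth.log / syslog.
# Older releases say "illegal user", newer ones "invalid user" (assumed).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user |illegal user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Account names the thread reports the scanning tools trying.
PROBED_USERS = {"root", "test", "user", "admin", "guest"}

# Constructed sample lines (not real logs): one scanning source, one normal user.
SAMPLE_LOG = """\
Aug 15 03:12:01 host sshd[2201]: Failed password for root from 192.0.2.10 port 41234 ssh2
Aug 15 03:12:03 host sshd[2203]: Failed password for root from 192.0.2.10 port 41235 ssh2
Aug 15 03:12:05 host sshd[2205]: Failed password for illegal user test from 192.0.2.10 port 41236 ssh2
Aug 15 03:12:07 host sshd[2207]: Failed password for illegal user guest from 192.0.2.10 port 41237 ssh2
Aug 15 03:12:09 host sshd[2209]: Failed password for invalid user admin from 192.0.2.10 port 41238 ssh2
Aug 15 03:12:11 host sshd[2211]: Failed password for root from 192.0.2.10 port 41239 ssh2
Aug 15 09:30:00 host sshd[3100]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Aug 15 09:30:20 host sshd[3102]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
"""

def summarize_failures(log_text):
    """Return {src_ip: (failed_attempts, Counter of usernames tried)}."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_src[m.group("src")][m.group("user")] += 1
    return {src: (sum(c.values()), c) for src, c in per_src.items()}

def flag_scanners(log_text, threshold=5):
    """Flag a source when it has >= threshold failures, or cycles through at
    least two of the well-known probed accounts (a typo on one account is not
    a scan). Returns [(src_ip, failures, sorted probed usernames)], worst first."""
    flagged = []
    for src, (total, users) in summarize_failures(log_text).items():
        probed = sorted(set(users) & PROBED_USERS)
        if total >= threshold or len(probed) >= 2:
            flagged.append((src, total, probed))
    return sorted(flagged, key=lambda t: -t[1])

if __name__ == "__main__":
    for src, total, probed in flag_scanners(SAMPLE_LOG):
        print(f"{src}: {total} failed logins, probed accounts: {', '.join(probed)}")
```

Pointing this at a real auth.log shows which sources are cycling through the root/test/user/admin/guest list, which is the traffic the mitigations above (PermitRootLogin no, keys, host restrictions) are meant to stop.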
I think there is a message for SuSE in these SSH attacks: personally I think it is a bad thing that the out-of-the-box sshd_config allows root logins. I believe a good principle to follow is:
(1) no network service should run unless the administrator has explicitly enabled it
(2) even when a network service is enabled, the default configuration should not allow root access

If I remember right, SuSE now follows the first rule with sshd but not the second. Nearly everyone on this list will be capable of getting this right for themselves, but we have to remember the vast majority of users are not so knowledgeable and need some protection.

Bob
==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691
Participants (2):
- Bob Vickers
- Sven 'Darkman' Michels