Sysadmins have begun noticing a coordinated attack on servers with open SSH ports that tries to stay under the radar by only attempting to guess a password three times from any compromised machine. Instead of mounting an attack from a single compromised host, hackers have worked out a means to relay a brute force attack between …
Nothing new, really
I've been observing my logs every morning since 2004, and I've seen this pattern occur as well, getting more common since last year: multiple usernames and daemons are knocked in the hope of an easy/non-existent password, and then the attacker moves on or drops the attempts.
Another trick has been "obvious" usernames (which doesn't work so well since I live in a place where English-based names do not rule the roost; however, I've seen attacks tailored for the area as well, so the script-kiddies are definitely getting smarter and more aware of other cultures around them).
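The pattern the article and this comment describe (a handful of guesses per source, then silence) is invisible to any per-address lockout, so the thing worth counting is how many distinct sources behave that way. The script below is an added example, not code from the article or from any commenter: it parses stock OpenSSH "Failed password" lines from a constructed auth.log sample (documentation-range addresses, not real traffic) and lists the sources that gave up at or below a threshold. The log format assumed is the one OpenSSH writes by default.

```shell
#!/bin/sh
# Added example for this thread, not code from the article or any commenter.
# Summarises failed SSH password logins per source address from OpenSSH
# auth.log-style lines and flags sources that stop after a few guesses.
# Assumes the stock OpenSSH log format ("Failed password for ... from <ip> port").

# Constructed sample log lines (not real traffic); addresses are taken from
# the RFC 5737 documentation ranges.
SAMPLE_LOG='Nov 12 03:14:01 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Nov 12 03:14:03 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Nov 12 03:14:05 host sshd[2002]: Failed password for root from 192.0.2.10 port 40113 ssh2
Nov 12 03:20:11 host sshd[2044]: Failed password for invalid user test from 198.51.100.7 port 51020 ssh2
Nov 12 03:20:12 host sshd[2045]: Failed password for invalid user oracle from 198.51.100.7 port 51021 ssh2
Nov 12 03:20:14 host sshd[2046]: Failed password for root from 198.51.100.7 port 51022 ssh2
Nov 12 04:01:00 host sshd[2100]: Failed password for root from 203.0.113.5 port 60000 ssh2
Nov 12 04:01:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 60001 ssh2
Nov 12 04:01:02 host sshd[2102]: Failed password for root from 203.0.113.5 port 60002 ssh2
Nov 12 04:01:03 host sshd[2103]: Failed password for root from 203.0.113.5 port 60003 ssh2
Nov 12 04:01:04 host sshd[2104]: Failed password for root from 203.0.113.5 port 60004 ssh2
Nov 12 04:05:00 host sshd[2130]: Accepted publickey for alice from 198.51.100.20 port 50000 ssh2'

# stdin: log lines; stdout: "<failed attempts> <source address>", busiest source first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# stdin: log lines; $1: attempt threshold (default 3).
# Lists sources that gave up at or below the threshold. Each one stays beneath
# a per-IP lockout such as DenyHosts, so the useful signal is how many distinct
# sources behave this way, not any single one of them.
low_and_slow_sources() {
    max=${1:-3}
    failed_by_source | awk -v max="$max" '$1 <= max { print $2 }' | sort
}

# stdin: any lines; stdout: the line count, without the padding some wc builds add.
count_lines() {
    awk 'END { print NR }'
}

# Usage on a real host: low_and_slow_sources 3 < /var/log/auth.log
# On the constructed sample: 203.0.113.5 is a plain single-host brute force,
# while 192.0.2.10 and 198.51.100.7 each stop at three guesses and would slip
# under a per-source threshold.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | low_and_slow_sources 3
```

Feed it `auth.log` (or `journalctl -u ssh` output, which uses the same message text) and watch the size of the low-and-slow list over time rather than any one address in it; a sudden jump in distinct three-try sources is the distributed campaign, even though no single source ever trips a ban.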
I've tried in a couple of cases to e-mail the owners of the attacking server (when it doesn't seem to originate from a non-dynamic address; solving who owns what dynamic address is a royal pain in the butt), but I've never gotten a reply back -- not even a nod of 'thanks for noticing'. Maybe the mail systems of the hijacked server are set to automatically filter and kill mails from the attacked systems? (If I were a blackhat, that's what I'd do...)
I regularly get attempts to hack into my SSH server. Usually from things like Asterisk boxes with default passwords. I did notice a bit of an increase recently, couldn't say when though.
Anyway, should the world consider using randomized default passwords? I'm sure it would all but end this kind of attack.
Any decent security admin would
use a firewall to block all SSH access except from designated, authorised IP addresses. Leaving it open might be convenient, but that is not really secure, is it?
See, if you used Microsoft, you wouldn't have an SSH server problem, would you?
This is impossible
"...a small bank of dedicated Linux servers he manages. After falling victim to a hacking attack a few months back..."
Urr, am I missing something here? Linux? Hacked? Surely that is a contradiction in terms.
After all, all those forum posts claiming 'It wouldn't have happened if you'd used Linux (snigger)' can't be wrong, can they?
...should be in /etc/ssh/sshd_config on any SSH server which has an internet connection.
"After all, all those forum posts claiming 'It wouldn't have happened if you'd used Linux (snigger)' can't be wrong, can they?"
Of course it is possible, guess a username/password and you can get in. Just as if you leave your front door key under the mat it does not matter how good a lock you have.
You misunderstand why Linux is more secure than M$ systems, but that does not mean that it is absolutely secure.
Strong evidence that complex passwords are a major security hole
The more complex a password, the more likely a user or admin is to leave it lying around.
Sure you may be some uber geek who can remember 120 complex 15 digit random passwords for breakfast but back in the real world :)
I realise you probably won't read this, as your comment means you basically can't have read any arguments as to why Linux is generally considered more secure, but occasionally these things are just annoying enough to answer.
Firstly, please point at the authoritative person/website who says that Linux is "unhackable". OK, good, no-one with any clue would ever actually say that. So it is possible to hack Linux, and your "point" is rendered null and void.
Secondly, take the time to look at how *easy* it is to hack Linux compared to Windows. Hint: it's generally a lot harder. This doesn't mean that attacks can't get through, it just means they have to be much more sophisticated, or brute force (case in point: the method used by the attack the article is describing).
Thirdly, have a look at how long it takes patches to come out for Linux vs Windows. Generally any Linux vulnerability is only there for a short amount of time, for systems which are fully patched.
If someone says "it wouldn't have happened if you'd used Linux", they may well be right, and right lots and lots of times (once for each of Windows' many, many monotarget and software combination vulnerabilities) but they are never saying that Linux is unhackable. Linux can be (and is) far and away more secure than Windows without being 100% secure. And that's possibly the biggest indictment of Windows' security of all.
Use keys not passwords and run SSH on non default port ..
.. in addition to not permitting root logins obviously 8-)
There is really no need for login passwords on SSH anymore, so turn off normal password authentication and only use RSA keys.
Why has it taken them so long to get this going? Is it a case of incremental evolution in malware, as in only bringing in what they need to at this particular time to get around security software? Or did it genuinely take them this long to spot this vulnerability? Or, worst-case scenario, has it been in use for a long, long time by one of those coders/hackers with a genuine flair for coding, and the intelligence to author their own rather than a skiddie buying someone else's code?
I don't like any of these scenarios myself...
It's like the coca trade: it used to be fun back in the day (mid to late 70's) before the amounts of money involved enticed the organised crime gangs into the business, and the good ol' US of A declared its "war on drugs", which did more to promote their use than anything the actual dealers could ever have thought of, let alone been able to implement.
Hacking used to be fun, and about the challenge and your own abilities. Now it's for money, and is rapidly becoming the tool of choice for gangs (particularly, it seems, from Eastern Europe and the Former Soviet Bloc, with China catching on at an exponential rate), simultaneously being utilised more and more by the (in)security forces of the world.
Re: Any decent security admin would
What are you talking about, you idiot?
Sorry customers, you can only log on from preregistered IP addresses. What do you mean you've got a dynamic IP? You use different clients depending where you're working? These aren't my problems, but please keep paying anyway.
Anyone with a basic knowledge of security knows not to rely on a single layer of protection. Handy as DenyHosts is, it won't protect you completely. For ssh on my internet-exposed Linux server I:
1) run on a non-standard port
2) run DenyHosts, with blacklist sharing
3) run PortSentry on the standard ssh port (and many others)
4) disable ssh login for all but one user that is completely unprivileged and with a non-standard user name.
That's in addition to security measures that don't relate directly to ssh protection.
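The "use keys not passwords" post, the "PermitRootLogin should be off" remark and the layered list above all come down to a few lines in `sshd_config`, and the usual way they fail is a hardening line added below an earlier line that sshd has already honoured. The audit below is an added example, not code from the article, from OpenSSH or from any commenter: it reads a config on stdin, resolves each keyword the way sshd does (first occurrence wins, keywords case-insensitive) and prints a finding for every setting that departs from the thread's advice. It assumes current OpenSSH defaults for absent keywords and a file with no `Match` blocks; the two configs are constructed samples.

```shell
#!/bin/sh
# Added example for this thread, not code from the article, OpenSSH or any
# commenter: an audit of the sshd_config settings the posts recommend (keys
# instead of passwords, no root login, a restricted user list, a non-default
# port). Reads the config on stdin and prints one line per setting that does
# not follow the advice; prints nothing when every check passes.
# Assumptions: sshd's first-occurrence-wins rule for repeated keywords, the
# current OpenSSH defaults noted inline, and no Match blocks in the file.

# stdin: sshd_config text; $1: keyword. Prints the effective value (empty if
# absent). Only the first occurrence counts, so a hardening line appended at
# the end of the file silently loses to an earlier default.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# stdin: sshd_config text. Prints findings; silent when all checks pass.
audit_sshd_config() {
    cfg=$(cat)
    eff() { printf '%s\n' "$cfg" | sshd_effective "$1" | tr 'A-Z' 'a-z'; }
    root=$(eff PermitRootLogin);       root=${root:-prohibit-password}   # OpenSSH default
    pw=$(eff PasswordAuthentication);  pw=${pw:-yes}                     # OpenSSH default
    pk=$(eff PubkeyAuthentication);    pk=${pk:-yes}                     # OpenSSH default
    kbd=$(eff KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(eff ChallengeResponseAuthentication)         # older spelling
    kbd=${kbd:-yes}                                                     # OpenSSH default
    port=$(eff Port);                  port=${port:-22}
    users=$(eff AllowUsers)

    [ "$root" = "no" ]  || echo "PermitRootLogin is '$root'; set it to no"
    [ "$pw" = "no" ]    || echo "PasswordAuthentication is '$pw'; set it to no and log in with keys"
    [ "$pk" = "yes" ]   || echo "PubkeyAuthentication is '$pk'; key logins would be refused"
    [ "$kbd" = "no" ]   || echo "KbdInteractiveAuthentication is '$kbd'; PAM can still prompt for a password"
    [ "$port" != "22" ] || echo "Port is 22; a non-default port cuts log noise but is not a control on its own"
    [ -n "$users" ]     || echo "AllowUsers is unset; limit logins to named, unprivileged accounts"
}

# Constructed sample: an internet-facing box left on distribution defaults,
# with a well-meant line appended at the bottom that sshd never applies.
WEAK_CONFIG='# constructed example, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# appended later in good faith; ignored because of the earlier line
PasswordAuthentication no'

# Constructed sample following the thread's advice.
HARDENED_CONFIG='# constructed example, not a real host
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers deploy'

# Usage on a real host: audit_sshd_config < /etc/ssh/sshd_config
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config
```

The keyboard-interactive check is the one people miss: with `UsePAM yes`, turning off `PasswordAuthentication` alone still lets PAM prompt for a password through the keyboard-interactive method, so a guessing attack keeps working. On a live system, `sshd -T` prints the effective values (including `Match` results) and is the authoritative check; this script is for reading a config before it is deployed.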
Re: Strong evidence that complex passwords are a major security hole
Bollocks. And utterly irrelevant bollocks at that. Since the attacks in question rely on remote attempts to guess obvious login/password tuples, they provide no evidence whatsoever regarding the risk analysis of complex password usage.
Using complex passwords and writing them down shifts the majority of risk from remote to local actors. How often do you lose your wallet, watch, mobile phone or other important physical object that you habitually carry around with you? Not all that often.
A complex password written down on a piece of paper in your wallet offers far higher security against remote actors than a simple one, and as for local actors, it's as safe from them as the other contents of your wallet*
Even if people do leave such passwords lying around, the threat remains local, and would be the same for any security token or any kind of password. In this case the problem is not the token, but the careless attitude of the user.
If you honestly believe that simple passwords which are not written down anywhere provide better security, then you have obviously never spent any time playing with an encrypted password file and a dictionary attack tool.
*And of course, you write them down twice and stash the backup copy in your lock box at home, the same as you keep a list of your credit card numbers in case your wallet is stolen so that you can cancel them as soon as you realise you are no longer in possession. And only keep (e.g.) your online banking ones at home in the lock box, so as not to compromise them if your wallet goes on holiday without you.
See, it's quite easy to manage the risk.
You appear to have missed the source of the attacks: "......a botnet network of compromised Linux boxes."
I just love some of the comments here on this. Funny that when a Windoze box is left configured with its knickers down and gets screwed it's M$s fault, but when a Linux box is left configured with its knickers down and gets screwed it's the admin's fault.
How Bill must wish his sheep could get away with that excuse.
Flames, because I'm expecting them.
Thank you for your kind replies
I have no interest in the security of any OS. Couldn't give a tuppence. I'm a blind and dumb user. So there. I merely get annoyed at self-righteousness, which is an ugly trait and should be beaten out of people. It is something many of the Linux posters on "Non-Linux bad security threads" seem to have in abundance.....
Re: Any decent security admin would
As I mentioned above, most of the attacks on my server come from things like Asterisk servers. Not every place that has an Asterisk server has a "decent security admin"; in fact, I'd say most don't even know what one is.
If Linux is going to go mainstream it needs to cater for this type of user or attacks like this will only increase.
What I don't understand
What sort of idiot looks after a server, ANY server for that matter, and has to worry about any kind of dictionary/brute force attempt?
Why are you not using strong passwords? Passwords for my servers are 30+ chars long; the chances of those being brute-forced by any botnet within the next 5 years are pretty slim.
Much better off...
You're much better off using key based authentication: it's seamless, easier to use, and much more secure.
PermitRootLogin should be off too.
Why leave the port open?
I never understood why people leave the ssh port open. Close it, and implement knock, or something stronger.
If you have NO ssh ports open, you will get NO brute force attacks.
I got tired of checking my logs for brute force attacks. Now they are zero. I can get in with a simple knock, and ssh into a non-standard port.