The Register® — Biting the hand that feeds IT


Server-based botnet floods net with brutish SSH attacks

A server-based botnet that preys on insecure websites is flooding the net with attacks that attempt to guess the login credentials for secure shells protecting Linux boxes, routers, and other network devices. According to multiple security blogs, the bot compromises websites running outdated versions of phpMyAdmin. By …

This topic is closed for new posts.

Silly H4x0rz

Oops, now I feel bad about attacking one of the servers that was trying to ssh into one of my servers. At least whoever owns the server isn't using a default password on their admin console anymore :) but unfortunately for them they just don't know what I changed it to! bwhahahah

Distributed...

OK so that's what helps. I have a older denyhosts-like script that doesn't use distributed blacklists, and that is now entirely ineffective -- instead of getting one attack after another from the same IP, I only get a few hits per IP, so I'm not sure it's triggering blocks at all. Luckily I don't have stupid passwords.

Passwords still a problem

Much easier to work with keys and certificates. Though I guess they do open a single point of failure if the passphrase is cracked.

Anonymous Coward

Unfortunately

Forgotten passphrases occur more often. You have to re-create keys and re-distribute them once you've shot the offender through the knee.

And then, there are those colleagues who store passphrases in their keyrings...


Re: Passwords still a problem

The passphrase is only to protect the private key. It has nothing to do with the communication with the host that has the public key. Think of it as a little key that lets you get to the big key (hence idiots or the uninformed can have passphraseless keys). They would need to have your private key for the passphrase to be any use to them.

These attacks have been going on for ages. Even though I only use keys and have password access disabled, I still use fail2ban on FreeBSD to block after 3 failed attempts cos I'm fed up with huge logs. I get about 2-3 unique attempts to each of my hosts every day. This figure hasn't really changed much recently.


Noticed this even on IIS boxes

Floods of requests for admin.php, setup.php etc. on our Windows web server undeterred by HTTP headers which include "Server: Microsoft-IIS/6.0"

Many are coming from Chinese or Korean IP addresses with a faked user agent of "Mozilla/5.0" or simply random strings.

Overall the worst thing about these vulnerability scanners is they are written so p*ss poorly they can turn into de facto DOS attacks unless measures are in place. Even big sites come unstuck on this.

But

You can run phpMyAdmin on Windows, no?

Well, that's the problem...

No one should be running phpMyAdmin, on anything at all, if you ask me. What's the point of trying to secure your website, if you clag on this other website that has root access to your database onto it, simply to administer it?

You don't need to be some commandline lover: just stunnel 3306 to 22.


Mitigation

I started seeing a massive spike in distributed SSH brute-force attacks about 6 weeks ago. I use Fail2Ban - similar to DenyHosts - to ban an IP using iptables after 3 failed login attempts. For several days I was banning one address every 3-4 minutes.

Eventually I took the very simple advice of moving my ssh service to an obscure port. I still get the odd ban, but more like 2 a week now.


If you're really paranoid...

... you can use knockd to secure the SSH service. OpenVPN is better though.


@Haven_it 20:43

+1 for fail2ban.

Anonymous Coward

I use key based authentication

but the attacks are annoying and fill up my logs :(

As Henry Wertz already said, blocking IP numbers after some failed attempts doesn't work with this type of attack.
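The pattern the two commenters describe (only a few hits per source IP, so a per-IP ban threshold never fires) can still be spotted by aggregating failures per target account rather than per source. This is an added example, not code from the thread; the auth.log lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth.log lines (not real hosts): every source IP
# fails only once or twice, but the same accounts are hit from many sources.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 host sshd[4011]: Failed password for root from 203.0.113.5 port 50122 ssh2
Jan 10 03:12:09 host sshd[4013]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Jan 10 03:13:44 host sshd[4020]: Failed password for root from 198.51.100.77 port 41002 ssh2
Jan 10 03:14:02 host sshd[4022]: Failed password for root from 192.0.2.18 port 33851 ssh2
Jan 10 03:15:31 host sshd[4027]: Failed password for invalid user admin from 192.0.2.19 port 33860 ssh2
Jan 10 03:16:10 host sshd[4030]: Failed password for root from 198.51.100.9 port 41100 ssh2
Jan 10 03:17:55 host sshd[4035]: Failed password for root from 203.0.113.200 port 50200 ssh2
Jan 10 03:18:03 host sshd[4036]: Accepted publickey for alice from 192.0.2.50 port 2200 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text):
    """Return a list of (user, ip) pairs, one per failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip")))
    return out


def per_ip_offenders(failures, threshold=3):
    """The classic fail2ban/DenyHosts view: IPs with >= threshold failures."""
    counts = defaultdict(int)
    for _, ip in failures:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_targets(failures, min_sources=3):
    """Accounts attacked from >= min_sources distinct IPs: the botnet pattern."""
    sources = defaultdict(set)
    for user, ip in failures:
        sources[user].add(ip)
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}
```

On the sample, the per-IP rule with a threshold of 3 bans nobody, while the per-account view shows "root" being hit from five different sources.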

Been getting this for a couple of weeks,

never the same IP address twice so no point in blocking them. User agent Mozilla/5.0 as mentioned. I don't have phpmyadmin installed, or any other software for server administration, so apache is returning a 404. I use Vi and edit config files directly. The less installed on a server the less the attack surface, the less the chance of compromise.

In fact my ssh login password is so complicated that I keep forgetting it. So complicated that I put it on my login banner, no more failed login attempts ;-)


in your banner

so whatzzzzz the name of your server :)

Ooo tricky,

I see what you are trying to do here. However, I don't use a dictionary word or real name for my login account and my password isn't really on my login banner. That was just a lame attempt at humour, but I guess you knew that.

Besides, ssh is not on the standard port, is not exposed beyond my LAN and is only accessible via one private IP address.

Yes I am paranoid, or very careful.


I Fought Back

I would get random IP spoof attacks trying to figure out where my phpmyadmin install was on my server. So I wrote a drupal plugin that intercepted the url request and forwarded the attack off to the FBI tips website. My guess is they thought they had hit the jackpot only to figure out they were being reported. I haven't seen an attack since then.

...


ssh keys?

The problem with ssh is that you can't require a key and password. You can password protect a key but that isn't the same as having the remote end verify a password too.

Anonymous Coward

VPN

Close SSH completely and require the use of OpenVPN to be able to connect to SSH.


Re "never the same IP address twice so no point in blocking them"

?? There's every point in blocking them - they're compromised machines.

Block them, add the IP to a distributed list so everyone else blocks it, then fire off an automated email to the abuse contact telling them to clean up their network.

If only we could justify blocking the entire Korean/Chinese/Russian netblocks to make life easier ;)


It's not just China

I see attacks from all over the world, China, Mexico, Amsterdam, France etc etc. Perhaps we should just ban bloody foreigners

Anonymous Coward

Yup

Let's boot all these bloody foreigners off of Our Net. I say we start with those bastards on the island, whatsitsname, Britain or somesuch.

Yeah you are right

Point taken


SSH AllowedAuthentications

"The problem with ssh is that you can't require a key and password."

uhhhh, really? From "man sshd2_config"

AllowedAuthentications

This keyword specifies the authentication methods that are allowed. Known authentication methods are: keyboard-interactive, password, publickey, pam-1@ssh.com, kerberos-ssh.com, kerberos-tgt-2@ssh.com, and securid-1@ssh.com. The default is "publickey,password".

(snip)

With RequiredAuthentications, the system administrator can force the users to complete several authentications before they are considered authenticated. See RequiredAuthentications.

(one, two, skip a few...)

RequiredAuthentications

Analogon to AllowedAuthentications, with one difference: the authentication methods listed here must all succeed before a user is considered authenticated. Leaving this list empty is equivalent to not using the option at all. If this option is set, AllowedAuthentications is ignored.

Paris, man woman. No manual entry for woman.


Re: SSH AllowedAuthentications

Too bad RequiredAuthentications hasn't found its way into Theo's camp yet.

erm

Why shouldn't it target IIS?

Anonymous Coward

Fair play

There are plenty of 'sploits for IIS. The perps might've wanted to give it a rest for a while and let the other side have a bit of fun too.


haven't noticed any change over last couple of months

I get an email every time Denyhosts on one of the 4 machines on different networks which I administrate using SSH locks out a password-guessing attacker. Seems to be about a dozen a day between these 5 machines, 3 of which are servers on 24x7, the other 2 are desktops only on when their users are online. Most of the hosts denied are from the distributed database shared with other Denyhosts users, but the rate of a dozen a day new attackers which my machines are identifying themselves doesn't seem to have varied very much.

As to keys and passwords, I use strong enough SSH passwords to handle the amount of guessing which occurs before a host gets locked out and the number of attacking hosts logged, assuming the attackers are coordinating password guesses. Keeping keys online would be less secure, and having keys kept offline e.g. on a USB stick, would be too much hassle, and I'd probably not have a copy in the very unlikely event of one of my servers going down and I get an SMS to that effect while away on holiday.

Anonymous Coward

Use a different port also

Since the SSH scans are AFAIK on port 22 it is a good idea to reconfigure your ssh server hosts to use a non-standard port. This is of course in addition to using public key based authentication. You must disable ssh password auth too. I've always done this on all my 'net facing ssh servers and I just don't get these probe attempts. Note: if you use an SSH key agent that forwards to an untrusted ssh server it means that other users on that untrusted host can potentially use your ssh key without your knowledge, so make sure you don't turn on ssh key forwarding to all hosts...


blacklist spammy parts of the world = doubleplusgood

@Jon Thompson 1 Here's an example of a list to knock down traffic from Asia, Russia, Africa and a few other places. http://www.wizcrafts.net/chinese-blocklist.html There are larger lists elsewhere, I just can't find the link at the moment. I deploy the list in my .htaccess file for my hosted website, since such hosts are targets. After deploying this list and some bot blockers, my site saw 25% less traffic, and my site became much more available and performant. The case flow looks like this: "if from China, sod off, if not from China are you a bot, if so, sod off". My forum spam dropped from 4 or 5 daily to 1 per week.

@IIStards You can install mysql, php and phpmyadmin in IIS. I have, and now I don't any more.


Defusing this and the drop in sources

Really, to stop these attacks being a nuisance in your logs and/or triggering any self-protection mechanisms it's the easiest thing in the world to change the port SSH is listening on, if you will have it externally visible. Go and do it now.

And the drop in sources; assuming this is the same lame bunch of skiddies who I went and taunted for a bit of sport on their command and control IRC server, they've removed any semblance of sleep (even when idle!) from the bot they're installing (OMG IT GOES FASTER THEN), so it sits there chewing 100% of a cpu core 24x7 which is pretty obvious - particularly when it's masquerading as a process you don't even run on your server.

Logs and blogs

For boring complicated reasons, my server doesn't do MySQL correctly. At least, for me. So I wrote all my own blog software from scratch using a flat file system. It is nowhere near as sexy as some of the pre-packaged stuff, but it is functional and it has - as far as I know - no gaping vulnerabilities. It rejects all input that is unrecognised, and given I have access to the server, there are no back doors or admin holes (what's the point when I can just as easily fire up WinSCP and edit stuff directly?).

You'd be disappointed at how much crap gets logged. I've put in fairly broad spectrum blocking to NOT log known spiders and search engines, and also to return slightly different content (this may be against the Ts&Cs of some engines, however there is a very good reason: if you enter WITHOUT giving a date, the most recent entry will be displayed, and I do not want this archived as it changes all the time! It provides a message to this effect, and all the dated links work as normal so it isn't really SEO nonsense [read the penultimate paragraph for why I don't care]). I routinely see attempts to access files that are not there, phpMyAdmin, and the like, as well as a number of attempts to poke .asp (that's IIS, right?) files.

My next challenge, I think, is to code up a small flat-file database and start denying access to any IP address that pulls more than ten articles in a minute. That's less than one every ten seconds, so most likely to be a badly behaved spider. Some, mentioning no names, attempt to pull ten in as many seconds. I'm inclined to start 404ing those...

...ahhhh, some days I think life would be easier if I simply periodically considered my site management to be complete once I've just erased the logfiles. ;-)
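The rate limit the commenter plans (deny any IP that pulls more than ten articles in a minute) is a sliding-window count per client IP over the access log. This is an added example, not the commenter's code; the Apache-style log lines are constructed inline, and the "/blog/" path prefix for article fetches is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_TS = "%d/%b/%Y:%H:%M:%S"
WINDOW = timedelta(seconds=60)
MAX_HITS = 10  # more than this many article fetches per window gets denied

# Apache combined-log prefix: client IP, ident, user, [timestamp +zone], request.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+) \+\d{4}\] "GET (?P<path>\S+)')


def make_sample_log():
    """Constructed log (documentation IPs): 192.0.2.10 is a badly behaved
    spider pulling 12 articles in 22 s; 198.51.100.4 reads 10 over 4.5 min."""
    base = datetime(2010, 1, 10, 3, 0, 0)
    events = []
    for i in range(12):
        events.append((base + timedelta(seconds=2 * i), "192.0.2.10", f"/blog/?date=2009{i:04d}"))
    for i in range(10):
        events.append((base + timedelta(seconds=30 * i), "198.51.100.4", f"/blog/?date=2008{i:04d}"))
    events.sort()  # the log is read in time order
    return [f'{ip} - - [{ts.strftime(LOG_TS)} +0000] "GET {path} HTTP/1.1" 200 5120'
            for ts, ip, path in events]


def offenders(lines, window=WINDOW, max_hits=MAX_HITS):
    """Return {ip: timestamp at which it first exceeded max_hits article
    fetches within a sliding window}. Only /blog/ requests are counted."""
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    denied = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith("/blog/"):
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), LOG_TS)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:  # drop hits older than the window
            q.popleft()
        if len(q) > max_hits and ip not in denied:
            denied[ip] = ts
    return denied
```

The spider crosses the limit on its 11th fetch, 20 seconds in, while the slow reader never has more than three hits inside any 60-second window.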
