Ssh brute force

Thread: Ssh brute force

  1. #1
    Outlaw (Advisor) | Join Date: May 2001 | Location: Clifton Park, NY | Posts: 630

    Ssh brute force

    Someone was trying to brute force accounts that do not exist on one of my machines.

    Code:
    Jul 26 00:58:09 host sshd[2745]: input_userauth_request: illegal user test
    Jul 26 00:58:09 host sshd[2745]: Could not reverse map address 131.104.78.48.
    Jul 26 00:58:09 host sshd[2745]: Failed password for illegal user test from 131.104.78.48 port 57578 ssh2
    Jul 26 00:58:09 host sshd[2745]: Received disconnect from 131.104.78.48: 11: Bye Bye
    Jul 26 00:58:10 host sshd[2746]: input_userauth_request: illegal user guest
    Jul 26 00:58:10 host sshd[2746]: Could not reverse map address 131.104.78.48.
    Jul 26 00:58:10 host sshd[2746]: Failed password for illegal user guest from 131.104.78.48 port 57641 ssh2
    Jul 26 00:58:10 host sshd[2746]: Received disconnect from 131.104.78.48: 11: Bye Bye
    Jul 26 00:58:11 host sshd[2747]: input_userauth_request: illegal user admin
    Jul 26 00:58:11 host sshd[2747]: Could not reverse map address 131.104.78.48.
    Jul 26 00:58:11 host sshd[2747]: Failed password for illegal user admin from 131.104.78.48 port 57714 ssh2
    Jul 26 00:58:12 host sshd[2747]: Received disconnect from 131.104.78.48: 11: Bye Bye
    Jul 26 00:58:13 host sshd[2748]: input_userauth_request: illegal user admin
    Jul 26 00:58:13 host sshd[2748]: Could not reverse map address 131.104.78.48.
    Jul 26 00:58:13 host sshd[2748]: Failed password for illegal user admin from 131.104.78.48 port 57777 ssh2
    Jul 26 00:58:13 host sshd[2748]: Received disconnect from 131.104.78.48: 11: Bye Bye
    Jul 26 00:58:14 host sshd[2749]: input_userauth_request: illegal user user
    Jul 26 00:58:14 host sshd[2749]: Could not reverse map address 131.104.78.48.
    Jul 26 00:58:14 host sshd[2749]: Failed password for illegal user user from 131.104.78.48 port 57841 ssh2
    Jul 26 00:58:14 host sshd[2749]: Received disconnect from 131.104.78.48: 11: Bye Bye
    Jul 26 00:58:15 host sshd[2750]: Could not reverse map address 131.104.78.48.
    Jul 26 00:58:15 host sshd[2750]: Failed password for root from 131.104.78.48 port 57893 ssh2
    Jul 26 00:58:16 host sshd[2750]: Received disconnect from 131.104.78.48: 11: Bye Bye

    Now, I have set up sshd to deny all attempts that do not use a private key, but I can't be sure that these attempts are somehow bypassing that. I see that the attempt is done with a password. I don't know how they can do that. Is there a tool out there? If I try it on a test box, I just get dropped since I don't have an agent and key and I am not prompted for a password (which is what I want). And instead of "failed password for illegal user...", my attempt shows up with "failed none for illegal user...".

    I was really hoping that any attempt without a key would just be dropped, but apparently not in this case.

    I can't deny all and allow some with wrappers due to users with dynamic IPs, so I have to add baddies ad hoc. This is partly why the public key auth.

    I really want to know what the tricks are so I can try myself and be prepared.

    sshd_config

    Code:
    #Port 22
    Protocol 2
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 3600
    #ServerKeyBits 768
    
    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO
    
    # Authentication:
    
    #LoginGraceTime 600
    PermitRootLogin no
    #StrictModes yes
    
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile      .ssh/authorized_keys
    
    # rhosts authentication should not be used
    #RhostsAuthentication no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no
    
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication no
    
    # Kerberos options
    # KerberosAuthentication automatically enabled if keyfile exists
    #KerberosAuthentication yes
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    
    # AFSTokenPassing automatically enabled if k_hasafs() is true
    #AFSTokenPassing yes
    
    # Kerberos TGT Passing only works with the AFS kaserver
    #KerberosTgtPassing no
    
    # Set this to 'yes' to enable PAM keyboard-interactive authentication
    # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
    PAMAuthenticationViaKbdInt no
    
    #X11Forwarding no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #KeepAlive yes
    #UseLogin no
    
    #MaxStartups 10
    # no default banner path
    Banner /etc/banners/sshd
    #VerifyReverseMapping no
    
    # override default of no subsystems
    Subsystem       sftp    /usr/libexec/openssh/sftp-server

    Any insights?

    Thx

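Added example (not code from the post above or from OpenSSH): an audit of which SSH-2 userauth methods an sshd_config actually leaves reachable. Worth keeping in mind when reading the log above: sshd logs the method name the client asked for, so a "Failed password" line is exactly what a scanner that sends the password method gets when the server rejects it; only an "Accepted ..." line means a login went through. The script applies sshd's own parsing rule (keywords are case-insensitive, lines beginning with "#" are comments, and the first value given for a keyword wins, later ones are ignored) and then fills unset keywords from defaults assumed for an OpenSSH 3.x-era server. HARDENED_CFG is the authentication-relevant subset of the posted config; WEAK_CFG and DUPLICATE_CFG are constructed for contrast; the DEFAULTS table is an assumption to check against `man sshd_config` for your build.

```python
"""Audit which SSH-2 userauth methods an sshd_config leaves reachable.

Added example for this thread, not code from the original post or from
OpenSSH. Parsing follows sshd's rules (case-insensitive keywords, '#'
comment lines, FIRST value wins); unset keywords fall back to the
DEFAULTS below, which are an assumption for an OpenSSH 3.x-era server.
"""
import re

# Assumed OpenSSH 3.x-era defaults for keywords left unset (assumption, not from the page).
DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "yes",
    "pamauthenticationviakbdint": "no",
    "hostbasedauthentication": "no",
}

# Authentication-relevant lines from the config posted in this thread.
HARDENED_CFG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
"""

# Constructed: everything commented out, so every keyword falls back to its default.
WEAK_CFG = """\
#PasswordAuthentication no
#PermitRootLogin no
#ChallengeResponseAuthentication no
"""

# Constructed: an admin appends the hardening line, but the earlier line still wins.
DUPLICATE_CFG = """\
PasswordAuthentication yes
PasswordAuthentication no
"""

KEYWORD_RE = re.compile(r"^(\w+)\s*[=\s]\s*(\S.*?)\s*$")


def parse_sshd_config(text):
    """Resolve keywords the way sshd does: first occurrence of a keyword wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2))
    return conf


def effective(conf):
    """Merge the parsed values over the assumed defaults (values lower-cased for comparison)."""
    eff = dict(DEFAULTS)
    eff.update((k, v.lower()) for k, v in conf.items() if k in eff)
    return eff


def reachable_methods(conf):
    """Userauth methods a remote client can actually complete, not merely request."""
    eff = effective(conf)
    methods = set()
    if eff["pubkeyauthentication"] == "yes":
        methods.add("publickey")
    if eff["passwordauthentication"] == "yes":
        methods.add("password")
    # keyboard-interactive carries s/key and PAM prompts; as the posted config's own
    # comment warns, enabling it reopens password guessing despite PasswordAuthentication no.
    if eff["challengeresponseauthentication"] == "yes" or eff["pamauthenticationviakbdint"] == "yes":
        methods.add("keyboard-interactive")
    if eff["hostbasedauthentication"] == "yes":
        methods.add("hostbased")
    return methods


def findings(conf):
    """What a username/password scanner could still exploit in this config."""
    eff, reach, out = effective(conf), reachable_methods(conf), []
    if "password" in reach:
        out.append("password guessing possible: PasswordAuthentication is effectively yes")
    if "keyboard-interactive" in reach:
        out.append("keyboard-interactive reachable via ChallengeResponseAuthentication/PAMAuthenticationViaKbdInt")
    if eff["permitrootlogin"] == "yes" and reach & {"password", "keyboard-interactive"}:
        out.append("root can be attacked directly: PermitRootLogin yes")
    if eff["permitemptypasswords"] == "yes":
        out.append("empty passwords accepted")
    if "1" in eff["protocol"].split(","):
        out.append("SSH protocol 1 still offered")
    return out


if __name__ == "__main__":
    for name, cfg in [("hardened", HARDENED_CFG), ("weak", WEAK_CFG), ("duplicate", DUPLICATE_CFG)]:
        c = parse_sshd_config(cfg)
        print(name, sorted(reachable_methods(c)), findings(c))
```

The DUPLICATE_CFG case is the one that bites in practice: a hardening line appended to the end of a distro-shipped file changes nothing if the same keyword already appears earlier, and the audit reports password as still reachable.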
  2. #2

    Re:Ssh brute force

    I get that too, except I know the person, they're a luser and kept trying to login as "admin"

  3. #3
    Outlaw (Advisor) | Join Date: May 2001 | Location: Clifton Park, NY | Posts: 630

    Re:Ssh brute force

    http://isc.sans.org/index.php?isc=7d...2b0b3213b77659

    SSH Brute force reporting update: Reports of SSH scans with simple username/password combinations continue to come in. We are currently looking for the tool/malicious code that is performing these scans.

    Kevin Liston, Handler on Duty, kliston AT greenman-consulting DOT com

  4. #4
    Junior Member | Join Date: Jun 2001 | Posts: 51

    Re:Ssh brute force

    Thanks for that, Radar.
    We are having these attacks too, on a server behind a firewall. A secure version of putty is extremely important!

  5. #5
    Outlaw (Advisor) | Join Date: May 2001 | Location: Clifton Park, NY | Posts: 630

    Re:Ssh brute force

    I just got a bunch more of these this am across all machines in one domain and not on one that's stuck on a soon to be defunct domain. The IPs in the logs never resolve to anything either.

  6. #6
    Outlaw (Advisor) | Join Date: May 2001 | Location: Clifton Park, NY | Posts: 630

    Re:Ssh brute force

    Sometime in July, reports of low intensity net-wide SSH scanning began to surface: The scanner attempts to login to accounts 'guest' and 'test' once each, using the account name as the password, then moves on. In a few cases where the login was successful (meaning an account such as 'test' with password 'test' was accepting remote login on the target machine (!)), the attacker was observed to have installed a rootkit and/or the scanner itself to probe yet more machines.
    http://sandbox.rulemaker.net/ngps/


  7. #7

    Re:Ssh brute force

    I have looked over my server logs and have seen this activity all the way back, starting July 14th, 2004. I think there is some kinda zombie trojan responsible, as they only attempt to login to SSH following a port scan that returns an SSH service running.

    I have had attempts for admin, test, guest and lately even root.

    I have seen most of this traffic come from China. I have only had a few attempts from the USA, starting a few days ago.

  8. #8
    Junior Member | Join Date: May 2001 | Posts: 82

    Re:Ssh brute force

    Timely.
    Thanks for the thread. I was going to post the same thing. I was wondering if it is a new tool, or a worm, that is programmed to try the couple of accounts. I believe it has to be automated, because I see the couple of attempts, then the disconnect in a matter of seconds. So I don't think it is someone typing.

    Just my observations.
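
Added example, serving both the log quoted in post #1 and the "it has to be automated" observation in this post; it is not a tool from the thread. It parses syslog-format sshd lines (the "illegal user" wording of the OpenSSH in post #1 and the "invalid user" wording of later releases), groups failures by source address, and flags a source as automated when a burst of failures against the usual account names lands within a short window, which is the pattern described above. The sample log is constructed: the 131.104.78.48 lines are those quoted in post #1; the 192.0.2.x lines, the "outlaw" account and the 2004 year are made up for the example.

```python
"""Triage sshd failed-login lines for automated username/password scanning.

Added example for this thread, not a tool from the original posts. The
131.104.78.48 lines are the ones quoted in post #1; the two 192.0.2.x
sources are constructed to show a single "Failed none" probe and a
legitimate key login for contrast.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jul 26 00:58:09 host sshd[2745]: input_userauth_request: illegal user test
Jul 26 00:58:09 host sshd[2745]: Could not reverse map address 131.104.78.48.
Jul 26 00:58:09 host sshd[2745]: Failed password for illegal user test from 131.104.78.48 port 57578 ssh2
Jul 26 00:58:09 host sshd[2745]: Received disconnect from 131.104.78.48: 11: Bye Bye
Jul 26 00:58:10 host sshd[2746]: Failed password for illegal user guest from 131.104.78.48 port 57641 ssh2
Jul 26 00:58:11 host sshd[2747]: Failed password for illegal user admin from 131.104.78.48 port 57714 ssh2
Jul 26 00:58:13 host sshd[2748]: Failed password for illegal user admin from 131.104.78.48 port 57777 ssh2
Jul 26 00:58:14 host sshd[2749]: Failed password for illegal user user from 131.104.78.48 port 57841 ssh2
Jul 26 00:58:15 host sshd[2750]: Failed password for root from 131.104.78.48 port 57893 ssh2
Jul 26 01:02:30 host sshd[2790]: Failed none for illegal user bogus from 192.0.2.10 port 40001 ssh2
Jul 26 01:05:02 host sshd[2801]: Accepted publickey for outlaw from 192.0.2.25 port 51022 ssh2
"""

# syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# "Failed <method> for [illegal|invalid user ]<user> from <ip> port <port> ..."
FAIL_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?P<illegal>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def _ts(stamp, year):
    # syslog stamps carry no year; the caller supplies it (2004 assumed for the sample).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_auth_log(text, year=2004):
    """Return (failures, accepts) as lists of dicts; other sshd chatter is ignored."""
    failures, accepts = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, msg = _ts(m.group("ts"), year), m.group("msg")
        f = FAIL_RE.match(msg)
        if f:
            failures.append({"time": when, "method": f.group("method"),
                             "user": f.group("user"), "ip": f.group("ip"),
                             "illegal": f.group("illegal") is not None})
            continue
        a = ACCEPT_RE.match(msg)
        if a:
            accepts.append({"time": when, "method": a.group("method"),
                            "user": a.group("user"), "ip": a.group("ip")})
    return failures, accepts


def profile_sources(failures, threshold=5, window_seconds=60):
    """Per-source summary; 'automated' when >= threshold failures land within window_seconds."""
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f["ip"]].append(f)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        span = (evs[-1]["time"] - evs[0]["time"]).total_seconds()
        report[ip] = {
            "count": len(evs),
            "illegal_user": sum(e["illegal"] for e in evs),
            "users": [e["user"] for e in evs],
            "distinct_users": len({e["user"] for e in evs}),
            # sshd logs the method the client asked for; with PasswordAuthentication no
            # a "Failed password" line is still a rejection, not a bypass.
            "methods": dict(Counter(e["method"] for e in evs)),
            "span_seconds": span,
            "automated": len(evs) >= threshold and span <= window_seconds,
        }
    return report


def suspicious_accepts(report, accepts):
    """Accepted logins from a source that was also failing: the only lines that mean compromise."""
    return [a for a in accepts if a["ip"] in report]


if __name__ == "__main__":
    fails, oks = parse_auth_log(SAMPLE_LOG)
    rep = profile_sources(fails)
    for ip, r in rep.items():
        print(ip, r)
    print("suspicious accepts:", suspicious_accepts(rep, oks))
```

On the sample, 131.104.78.48 shows six password failures against five account names in six seconds and is flagged as automated; the single "Failed none" from 192.0.2.10 is what a plain ssh client with no key produces and is not flagged; the key login from 192.0.2.25 has no failures behind it, so the compromise check comes back empty.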

  9. #9

    Re:Ssh brute force

    The kernel's grsecurity patch, if you enable it, will not allow brute force.. to be used on your system..

    I believe it should work on SSH as well but I'm not sure.. I know it doesn't let you brute force login into the system in getty-ps..

  10. #10
    Outlaw (Advisor) | Join Date: May 2001 | Location: Clifton Park, NY | Posts: 630

    Re:Ssh brute force

    It's this or something similar. Definitely not just typing. I kind of just accept that there will be attempts now and just stay aware.

    The grsecurity, is that also what allows you to run Laus? Or is that a separate set of hooks.
