Someone was trying to brute force accounts that do not exist on one of my machines.
Code:
Jul 26 00:58:09 host sshd[2745]: input_userauth_request: illegal user test
Jul 26 00:58:09 host sshd[2745]: Could not reverse map address 131.104.78.48.
Jul 26 00:58:09 host sshd[2745]: Failed password for illegal user test from 131.104.78.48 port 57578 ssh2
Jul 26 00:58:09 host sshd[2745]: Received disconnect from 131.104.78.48: 11: Bye Bye
Jul 26 00:58:10 host sshd[2746]: input_userauth_request: illegal user guest
Jul 26 00:58:10 host sshd[2746]: Could not reverse map address 131.104.78.48.
Jul 26 00:58:10 host sshd[2746]: Failed password for illegal user guest from 131.104.78.48 port 57641 ssh2
Jul 26 00:58:10 host sshd[2746]: Received disconnect from 131.104.78.48: 11: Bye Bye
Jul 26 00:58:11 host sshd[2747]: input_userauth_request: illegal user admin
Jul 26 00:58:11 host sshd[2747]: Could not reverse map address 131.104.78.48.
Jul 26 00:58:11 host sshd[2747]: Failed password for illegal user admin from 131.104.78.48 port 57714 ssh2
Jul 26 00:58:12 host sshd[2747]: Received disconnect from 131.104.78.48: 11: Bye Bye
Jul 26 00:58:13 host sshd[2748]: input_userauth_request: illegal user admin
Jul 26 00:58:13 host sshd[2748]: Could not reverse map address 131.104.78.48.
Jul 26 00:58:13 host sshd[2748]: Failed password for illegal user admin from 131.104.78.48 port 57777 ssh2
Jul 26 00:58:13 host sshd[2748]: Received disconnect from 131.104.78.48: 11: Bye Bye
Jul 26 00:58:14 host sshd[2749]: input_userauth_request: illegal user user
Jul 26 00:58:14 host sshd[2749]: Could not reverse map address 131.104.78.48.
Jul 26 00:58:14 host sshd[2749]: Failed password for illegal user user from 131.104.78.48 port 57841 ssh2
Jul 26 00:58:14 host sshd[2749]: Received disconnect from 131.104.78.48: 11: Bye Bye
Jul 26 00:58:15 host sshd[2750]: Could not reverse map address 131.104.78.48.
Jul 26 00:58:15 host sshd[2750]: Failed password for root from 131.104.78.48 port 57893 ssh2
Jul 26 00:58:16 host sshd[2750]: Received disconnect from 131.104.78.48: 11: Bye Bye
Now, I have set up sshd to deny all attempts that do not use a private key, but I can't be sure whether these attempts are somehow bypassing that. I see that the attempt is done with a password. I don't know how they can do that. Is there a tool out there? If I try it on a test box, I just get dropped since I don't have an agent and key, and I am not prompted for a password (which is what I want). And instead of "Failed password for illegal user ...", my attempt shows up as "Failed none for illegal user ...".
I was really hoping that any attempt without a key would just be dropped, but apparently not in this case.
I can't deny all and allow some with wrappers due to users with dynamic IPs, so I have to add baddies ad hoc. This is partly why I went with public key auth.
I really want to know what the tricks are so I can try myself and be prepared.
sshd_config
Code:
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 600
PermitRootLogin no
#StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#MaxStartups 10
# no default banner path
Banner /etc/banners/sshd
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
Any insights?
Thx
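As an added example (not from the original post): a small Python parser for sshd "Failed ..." lines like the ones quoted above, which groups failed attempts by source address, separates attempts against nonexistent accounts from attempts against real ones, and flags a source that exceeds a rate threshold. The six 131.104.78.48 lines are taken from the log above; the 192.0.2.10 line is constructed to show the "Failed none" form the poster saw from his own test.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches: "<ts> <host> sshd[<pid>]: Failed <method> for [illegal|invalid user] <name> from <ip> port <n>"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:(?P<illegal>illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = [  # first six lines from the post; the last one is constructed
    "Jul 26 00:58:09 host sshd[2745]: Failed password for illegal user test from 131.104.78.48 port 57578 ssh2",
    "Jul 26 00:58:10 host sshd[2746]: Failed password for illegal user guest from 131.104.78.48 port 57641 ssh2",
    "Jul 26 00:58:11 host sshd[2747]: Failed password for illegal user admin from 131.104.78.48 port 57714 ssh2",
    "Jul 26 00:58:13 host sshd[2748]: Failed password for illegal user admin from 131.104.78.48 port 57777 ssh2",
    "Jul 26 00:58:14 host sshd[2749]: Failed password for illegal user user from 131.104.78.48 port 57841 ssh2",
    "Jul 26 00:58:15 host sshd[2750]: Failed password for root from 131.104.78.48 port 57893 ssh2",
    "Jul 26 01:02:03 host sshd[2801]: Failed none for illegal user test from 192.0.2.10 port 40000 ssh2",
]

def parse_failures(lines, year=1970):
    """Yield (timestamp, method, user, ip, nonexistent_account) for each failed-auth line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # disconnects, reverse-map warnings etc. are not auth failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["method"], m["user"], m["ip"], m["illegal"] is not None

def exceeds_rate(timestamps, threshold, window_seconds):
    """True if any sliding window of window_seconds holds at least threshold events."""
    start = 0
    for end in range(len(timestamps)):
        while (timestamps[end] - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def summarize(lines, threshold=5, window_seconds=60):
    """Per source address: attempt count, methods, users tried, nonexistent-account count, flag."""
    by_ip = defaultdict(list)
    for ts, method, user, ip, illegal in parse_failures(lines):
        by_ip[ip].append((ts, method, user, illegal))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        report[ip] = {
            "attempts": len(events),
            "methods": sorted({e[1] for e in events}),
            "users": sorted({e[2] for e in events}),
            "nonexistent_accounts": sum(1 for e in events if e[3]),
            "flagged": exceeds_rate([e[0] for e in events], threshold, window_seconds),
        }
    return report
```

Feed it the output of `grep sshd /var/log/secure` and a flagged entry whose methods list contains only "password" tells you the client is asking for password auth that sshd is refusing, not that a password was ever checked.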