It seems in the past month brute force attacks are on the rise. They are targeting anyone listening on port 22 and go after root. If you do not have a hardened box, you will see thousands upon thousands of connections in your logs. Once logged in they will set your system up in their botnet.
Google: dt_ssh5. This little baby will get placed in /tmp and will be running. Looks to be an SSH gateway for the attackers for easy access/control.
- Make sure your root password is not a dictionary word.
- Add iptables rules to limit multiple connections on SSH to 4 within a minute.[1] Perhaps this needs to become a Fedora default.
- Update your system.
- Use SELinux.
Why am I sending this message? Is it SPAM? No. I've seen this hit a customer and cause an explosion in their network traffic. The backdoor was installed on Sept. 30th and was not detected until recently. Google results seem to indicate this past month with higher than normal brute force activity.
[1]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
On 10/28/2009 04:03 PM, Michael Cronenworth wrote:
> - Make sure your root password is not a dictionary word.
> - Add iptables rules to limit multiple connections on SSH to 4 within a minute.[1] Perhaps this needs to become a Fedora default.
> - Update your system.
> - Use SELinux.
Depending on situation, other measures to contain this problem:
* moving ssh to a different port (something > 1024): brute force scripts will usually check port 22 only; a different port will likely be checked only if the attack is targeted
* switching to public/private key authentication: even with a bad password, the private key is much more secure against a script kiddie. It helps against targeted attacks too, but can't rule them out.
Also, IIRC, in F10/11 SSHd is disabled by default. That could be because I usually use LiveCD install, though.
Around 11:03pm on Wednesday, October 28, 2009 (UK time), Michael Cronenworth scrawled:
> - Make sure your root password is not a dictionary word.
> - Add iptables rules to limit multiple connections on SSH to 4 within a minute.[1] Perhaps this needs to become a Fedora default.
> - Update your system.
> - Use SELinux.
I would also not allow ssh access to root. SSH to a user account and su to root if required.
Steve
On 10/28/2009 07:44 PM, Tom Horsley wrote:
> On Wed, 28 Oct 2009 18:03:29 -0500 Michael Cronenworth wrote:
>> - Make sure your root password is not a dictionary word.
> Better yet, make sure you only allow public key login from outside the trusted local network. I've been setting up my sshd that way for a long time now.
Can you show how to do this? I only know how to make the choice globally.
rh
On Thu, 29 Oct 2009 09:59:27 -0400 rgheck wrote:
> Can you show how to do this? I only know how to make the choice globally.
I globally disable various things in the main /etc/ssh/sshd_config file, then I use a "Match" directive at the bottom, which for me looks like:
Match Address 127.0.0.1,192.168.1.*
    Banner /etc/nohamster.txt
    GSSApiAuthentication yes
    KerberosAuthentication no
    PasswordAuthentication yes
    KbdInteractiveAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication no
That overrides the global settings for requests originating from the matched IP addrs.
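To see what a Match block like the one above actually does for a given client, here is a small evaluator, added for this edit and not part of Tom's configuration or of OpenSSH itself: it parses a constructed sshd_config fragment modelled on the thread, applies the first Match Address block that hits, and reports the effective value of a keyword for a client address. It assumes Match criteria of type Address only (CIDR or wildcard patterns) and that sshd keeps the first value assigned to a keyword.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment: the globals lock sshd down for the Internet side,
# the Match block (as in the thread) relaxes password login for loopback and the LAN.
CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

Match Address 127.0.0.1,192.168.1.*
    PasswordAuthentication yes
    KbdInteractiveAuthentication no
"""


def parse_match_criteria(spec):
    """'Address 127.0.0.1,192.168.1.* User bob' -> {'address': [...], 'user': [...]}"""
    toks = spec.split()
    return {toks[i].lower(): toks[i + 1].split(",") for i in range(0, len(toks) - 1, 2)}


def parse_sshd_config(text):
    """Return (global_settings, [(criteria, settings), ...]); keywords lower-cased.

    sshd keeps the first value given for a keyword, hence setdefault() everywhere.
    """
    glob, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = {}
            blocks.append((parse_match_criteria(val), current))
        elif current is not None:
            current.setdefault(key, val)
        else:
            glob.setdefault(key, val)
    return glob, blocks


def address_matches(pattern, ip):
    """One Match Address pattern: CIDR (192.168.1.0/24) or a wildcard (192.168.1.*)."""
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(ip, pattern)


def effective_setting(config_text, keyword, client_ip):
    """Value sshd would apply for `keyword` to a connection from client_ip.

    The first Match block whose Address list hits and which sets the keyword wins;
    otherwise the global value (or None if the keyword is not set at all).
    """
    glob, blocks = parse_sshd_config(config_text)
    key = keyword.lower()
    for crit, settings in blocks:
        if set(crit) != {"address"}:
            continue   # only Address criteria are modelled here (assumption)
        if key in settings and any(address_matches(p, client_ip) for p in crit["address"]):
            return settings[key]
    return glob.get(key)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.42", "203.0.113.9"):
        print(ip, "PasswordAuthentication ->", effective_setting(CONFIG, "PasswordAuthentication", ip),
              "| PermitRootLogin ->", effective_setting(CONFIG, "PermitRootLogin", ip))
```

A quick way to confirm the real daemon agrees is `sshd -T -C addr=192.168.1.42,user=someone,host=h` which prints the effective configuration for that connection.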
2009/10/29 Tom Horsley tom.horsley@att.net:
I just mentioned this privately to someone. There are more vectors than just SSH, and the principle is the same. Unless you have no way into your network from the outside (no VPN, no webservers, nothing), there's a potential for a brute-force attack.
Unfortunately, in our particular case, we can't restrict ssh to internal IP ranges, so we had to implement a different solution.
From: "Michael Cronenworth" mike@cchtml.com Sent: Wednesday, 2009/October/28 16:03
> - Make sure your root password is not a dictionary word.
> - Add iptables rules to limit multiple connections on SSH to 4 within a minute.[1] Perhaps this needs to become a Fedora default.
Once within 3 minutes is entirely practical and effective. In the last two days a pair of dolts kept trying 6621 times and 2185 times after the door slammed shut in their faces. Their ISPs have been notified.
I love those rules and have been spreading them around for quite some time now. I am glad to see somebody else has either adopted or discovered the rule trick. It is devastatingly effective. Guessing a password as simple as "mE3" would take decades of attempts. (Now I want to configure sshd so that it logs the attempted password along with the attempted user name.)
{^_-}
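Added example (not code from either post): a replay of the two recent-module rules from [1] over a constructed connection timeline, so the counting is explicit: the fourth NEW connection inside 60 seconds still gets through, the fifth is dropped, and because --update refreshes the entry on every dropped attempt, a source that keeps hammering stays blocked until it has been quiet for a full window. Calling the same function with seconds=180, hitcount=1 models the "once within 3 minutes" variant above; all addresses and timings are constructed.

```python
from collections import defaultdict

# Parameters from the rules quoted above: -m recent --update --seconds 60 --hitcount 4
SECONDS = 60
HITCOUNT = 4
IP_PKT_LIST_TOT = 20   # xt_recent keeps at most this many timestamps per source (module default)


def simulate_recent(events, seconds=SECONDS, hitcount=HITCOUNT):
    """Replay NEW-connection events (time_in_seconds, source_ip) through the two rules.

    Rule 1: -m recent --update --seconds S --hitcount H --name DEFAULT --rsource -j DROP
            matches (and refreshes the entry) when the source already has >= H
            timestamps inside the last S seconds.
    Rule 2: -m recent --set --name DEFAULT --rsource
            has no target: it records the source and the packet continues down the chain.
    Returns [(time, source_ip, "DROP" | "ACCEPT"), ...] in time order, where ACCEPT
    means "passed these two rules", not a final verdict for the whole chain.
    """
    table = defaultdict(list)   # the DEFAULT list, keyed by source address (--rsource)
    verdicts = []
    for t, src in sorted(events):
        stamps = table[src]
        hits = sum(1 for s in stamps if t - s <= seconds)   # window is inclusive
        verdict = "DROP" if hits >= hitcount else "ACCEPT"
        # A timestamp is recorded either way: by --update when rule 1 matched, by --set
        # when the packet fell through to rule 2. This is why a source that keeps
        # hammering stays blocked: every dropped attempt extends its own window.
        stamps.append(t)
        del stamps[:-IP_PKT_LIST_TOT]
        verdicts.append((t, src, verdict))
    return verdicts


def summarize(verdicts):
    """Per-source (accepted, dropped) counts, the view you would want from the logs."""
    counts = defaultdict(lambda: [0, 0])
    for _, src, verdict in verdicts:
        counts[src][0 if verdict == "ACCEPT" else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed timeline: one source opens a NEW connection every 5 s for a minute,
# comes back at t=100 and again at t=200; a second source connects twice, normally.
ATTACKER = "198.51.100.7"
USER = "203.0.113.5"
EVENTS = ([(t, ATTACKER) for t in range(0, 65, 5)]
          + [(100, ATTACKER), (200, ATTACKER), (3, USER), (30, USER)])


def demo():
    return summarize(simulate_recent(EVENTS))


if __name__ == "__main__":
    for t, src, v in simulate_recent(EVENTS):
        print(f"t={t:4d} {src:15s} {v}")
    print(demo())
```

Note what the 3-minute variant costs: with hitcount=1 a legitimate user's second connection inside 180 seconds is dropped too, so pair it with a whitelist or with the Match-style LAN exemption discussed earlier in the thread.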
On Thu, Oct 29, 2009 at 12:52 PM, jdow jdow@earthlink.net wrote:
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
You can install fail2ban:
# yum install fail2ban
Links: http://www.fail2ban.org/
2009/10/29 Athmane Madjoudj athmanem@gmail.com:
> You can install fail2ban:
> # yum install fail2ban
> Links: http://www.fail2ban.org/
We've implemented a similar strategy here at the Genomics Center using denyhosts.
When taking this to production, there are a few issues and problems that can arise; you could DOS your own servers if you're not careful. We came up with a solution that I've documented in a blog post recently, and so far it's been humming along nicely. I went away for a week on vacation, came back, and there were no hiccups.
http://loupgaroublond.blogspot.com/2009/10/doing-denyhosts-bit-better.html
If people are interested, we have a puppet policy you can use for your systems that implements this. The only trouble is the setup of the policy is a bit complicated and custom. Namely, it's dependent on some of our service accounts, and our firewall management tools.
-Yaakov
On 10/29/2009 08:17 AM, Athmane Madjoudj wrote:
> You can install fail2ban:
> # yum install fail2ban
> Links: http://www.fail2ban.org/
Don't install fail2ban; you will get twice the amount of "Gold Stars".
I had fail2ban on an x86_64 box and I was constantly getting SELinux Gold Stars.
I relabelled fail2ban a number of times to no avail.
I was told it was the way fail2ban was structured wrong; what that means, I have no idea. But I just uninstalled it.
2009/10/29 Jim mickeyboa@sbcglobal.net:
> Don't install fail2ban; you will get twice the amount of "Gold Stars".
> I had fail2ban on an x86_64 box and I was constantly getting SELinux Gold Stars.
> I relabelled fail2ban a number of times to no avail.
> I was told it was the way fail2ban was structured wrong; what that means, I have no idea. But I just uninstalled it.
Have you tried denyhosts yet? We haven't had any SELinux issues with it.
-Yaakov
On 10/29/2009 02:43 PM, Yaakov Nemoy wrote:
> Have you tried denyhosts yet? We haven't had any SELinux issues with it.
No, but I will check it out.
Thanks.
On Thursday 29 October 2009, Athmane Madjoudj wrote:
> You can install fail2ban:
> # yum install fail2ban
> Links: http://www.fail2ban.org/
That may be all well and good, but how does one go about installing that on an x86 based dd-wrt router?
I did install those two rules above though, as I used to watch it being banged on at subsecond intervals by some Id10t using a dictionary attack. They must have had a small dictionary as they usually went away after 300-3000 tries.
It seems to have silenced the logging.
Thanks & hi Joanne :)
2009/10/29 Gene Heskett gene.heskett@verizon.net:
> That may be all well and good, but how does one go about installing that on an x86 based dd-wrt router?
> I did install those two rules above though, as I used to watch it being banged on at subsecond intervals by some Id10t using a dictionary attack. They must have had a small dictionary as they usually went away after 300-3000 tries.
> It seems to have silenced the logging.
If you can't find a package for the router, you might want to find a way to copy the log files off the router, process them on some machine, and then pass the instructions back to the router.
-Yaakov