Heads up: Brute force attacks on the rise recently

jdow jdow at earthlink.net
Thu Oct 29 11:52:13 UTC 2009


From: "Michael Cronenworth" <mike at cchtml.com>
Sent: Wednesday, 2009/October/28 16:03


> It seems in the past month brute force attacks are on the rise. They are
> targeting anyone listening on port 22 and go after root. If you do not
> have a hardened box, you will see thousands upon thousands of
> connections in your logs. Once logged in they will set your system up in
> their botnet.
> 
> Google: dt_ssh5
> This little baby will get placed in /tmp and will be running. Looks to
> be a SSH gateway for the attackers for easy access/control.
> 
> -Make sure your root password is not a dictionary word.
> -Add iptables rules to limit multiple connections on SSH to 4 within a
> minute.[1] Perhaps this needs to become a Fedora default.

Once within 3 minutes is entirely practical and effective. In the last
two days a pair of dolts kept trying 6621 times and 2185 times after the
door slammed shut in their faces. Their ISPs have been notified.

> -Update your system.
> -Use SELinux.
> 
> Why am I sending this message? Is it SPAM? No. I've seen this hit a
> customer and cause an explosion in their network traffic. The backdoor
> was installed on Sept. 30th and was not detected until recently. Google
> results seem to indicate this past month with higher than normal brute
> force activity.
> 
> [1]
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent
> --set --name DEFAULT --rsource

I love those rules and have been spreading them around for quite some
time now. I am glad to see somebody else has either adopted or discovered
the rule trick. It is devastatingly effective. Guessing a password as
simple as "mE3" would take decades of attempts. (Now I want to configure
sshd so that it logs the attempted password along with the attempted user
name.)

{^_-}
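As an added illustration (not code from either poster), here is a small Python model of the xt_recent bookkeeping behind the two rules quoted above, run over a constructed set of connection timestamps so the 4-within-60-seconds setting can be compared with the once-in-3-minutes variant. Assumed: the `--set` rule is followed by a rule that accepts port 22, and xt_recent's default ring of 20 timestamps per source.

```python
# Added example, not from the original thread: models how the quoted
# iptables "recent" rules behave. Assumed xt_recent semantics:
#   --set records a hit for the source;
#   --update --seconds S --hitcount N matches (and refreshes the entry)
#   only when N hits are already recorded within the last S seconds.
from collections import deque

class RecentTable:
    """Per-source timestamp ring, like xt_recent's stamp list (20 by default)."""
    def __init__(self, ring_size=20):
        self.ring_size = ring_size
        self.entries = {}  # source -> deque of hit timestamps

    def set(self, src, now):
        self.entries.setdefault(src, deque(maxlen=self.ring_size)).append(now)

    def update(self, src, now, seconds, hitcount):
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            stamps.append(now)  # a matching --update refreshes the entry
            return True
        return False

def ssh_verdicts(connections, seconds, hitcount):
    """Apply the two-rule chain to (timestamp, source) NEW SSH connections.
    Rule 1: -m recent --update --seconds S --hitcount N -j DROP
    Rule 2: -m recent --set  (packet then reaches the assumed ACCEPT rule)."""
    table = RecentTable()
    verdicts = []
    for t, src in connections:
        if table.update(src, t, seconds, hitcount):
            verdicts.append("DROP")
        else:
            table.set(src, t)
            verdicts.append("ACCEPT")
    return verdicts

# Constructed sample: one source hammering once a second for 100 s, then
# returning after a two-minute pause; an admin connecting twice from elsewhere.
ATTACKER = [(t, "198.51.100.7") for t in range(100)] + [(200, "198.51.100.7")]
ADMIN = [(0, "192.0.2.10"), (30, "192.0.2.10")]
SAMPLE = sorted(ATTACKER + ADMIN)

def summarize(seconds, hitcount, sample=SAMPLE):
    """Count accepted and dropped attempts per source under one rule setting."""
    out = {}
    for (t, src), v in zip(sample, ssh_verdicts(sample, seconds, hitcount)):
        out.setdefault(src, {"ACCEPT": 0, "DROP": 0})[v] += 1
    return out

if __name__ == "__main__":
    print("4 within 60 s :", summarize(60, 4))
    print("1 within 180 s:", summarize(180, 1))
```

The hammering source stays blocked for as long as it keeps connecting, because each dropped attempt refreshes its entry, while the stricter 1-per-180-seconds setting also drops the admin's second login, the trade-off to weigh before tightening the rule.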
