Weekly Edition
Return to the Security page
| |||||||||||||
Brute-Force SSH Server Attacks Surge (InformationWeek)
InformationWeek reports
on an increase in attacks against SSH servers. "The paper
focuses on the vulnerability of Linux systems to brute-force SSH
attacks... 'Linux systems face a unique threat of compromise from
brute-force attacks against SSH servers that may be running without the
knowledge of system owners/operators. Many Linux distributions install the
SSH service by default, some without the benefit of an effective
firewall.'"
(Log in to post comments)
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 15:35 UTC (Wed) by kssingvo (guest, #38999) [Link] Use fail2ban, or any other similar tool which can be found on the net, to avoid such an abuse of services. Kindly regards,
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 15:51 UTC (Wed) by AJWM (guest, #15888) [Link] That's a good idea, although I wonder if perhaps determined attackers aren't already using botnets for this kind of thing to spread the attack-source IPs around. (Fail2ban blocks the IP of repeated failed-password attempts. The question is whether an attacker would run out of IPs before running out of passwords to try - yet another argument for strong passwords.)
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 16:20 UTC (Wed) by ssam (subscriber, #46587) [Link] 4 billion ip address, biggest botnets are of the order of 1 million machines. the default on denyhosts is something like 10 fails per IP address. there are 26^5 = 11 million, 5 character lowercase passwords there are 26^7 = 8 billion, 7 character lowercase passwords Ubuntu does not install an ssh server by default. which consumer distros do? Ubuntu also, by default does not have a root user, so if you want to brute force you have to guess a username as well. crazy idea: what if, once in 10 times, when an ssh login failed, the ssh server pretended that it has succeeded, and gave a pretend shell that did nothing. would that confuse the crackers?
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 16:37 UTC (Wed) by pr1268 (subscriber, #24648) [Link] what if, once in 10 times, when an ssh login failed, the ssh server pretended that it has succeeded, and gave a pretend shell that did nothing. would that confuse the crackers? What you describe sounds like a variation of a honeypot. Interesting concept, IMO, but I'm certain that whatever functionality incorporated in this "pretend" shell would necessarily be a small subset of what a real shell could contain. Taking your idea further, how about a completely "functional" pretend shell whose programs and commands are all faked as well.... Sounds like a lot of work just to snoop on the bad guys, but a peculiarly interesting idea nevertheless...
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 18:28 UTC (Wed) by smoogen (subscriber, #97) [Link] Yes they have been doing this for a while.. The latest set of attacks are using it more. I have seen attacks where machine A goes for account "foo, foo1, foo2" and then machine B does "foo3, foo4, foo5" and then machine C goes for "foo6, goo, goo1" and machine A tries again (well its a lot bigger than that but just logging in once and coming back an hour later is enough to get past most public ssh servers fail2ban systems.) Add onto that a lot of users think Q1w2e3r4 is a good password and are sure to get some account on a university or big ISP sometime.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 15:55 UTC (Wed) by JoeF (subscriber, #4486) [Link] Or write your own little script. I have a cron script that checks my log files and adds an an iptables drop entry for such attempts.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 16:11 UTC (Wed) by mikachu (guest, #5333) [Link] I checked my logs yesterday, and for that single day there were 424 attempts from 250 unique ips, so presumably blocking after an ip fails is not very effective.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 16:36 UTC (Wed) by pcampe (guest, #28223) [Link] See http://lwn.net/Articles/222201/, and accept only certificates for SSH.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 1:05 UTC (Thu) by csamuel (✭ supporter ✭, #2624) [Link] Except that, according to the Metasploit project, on Debian/Ubuntu boxes with broken OpenSSL: When creating a new OpenSSH key, there are only 32,767 possible outcomes for a given architecture, key size, and key type. The reason is that the only "random" data being used by the PRNG is the ID of the process. [...] Links to the pregenerated key sets for 1024-bit DSA and 2048-bit RSA keys (x86) are provided in the downloads section below. ...and if you've used such a system with a good DSA key then you can consider that compromised too.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 19:39 UTC (Thu) by pcampe (guest, #28223) [Link] >Except that, according to the Metasploit project, on Debian/Ubuntu boxes >with broken OpenSSL That is an implementation problem, limited to Debian and derivated systems. Certificates are the only way to be sure that your server is not password-guessed.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 17:23 UTC (Wed) by endecotp (guest, #36428) [Link] No, don't use fail2ban or denyhosts or any of the similar tools. They are in the "line of fire" and any bugs that they contain are security bugs. This isn't a theoretical problem: see http://lwn.net/Articles/216217/; denyhosts could be exploited by an attacker to add arbitrary addresses to its blocklist, including for example the IP addresses of its legitimate users. That's a serious bug and there could be more. We want less code in the line-of-fire, not more, and we want that code to be of the highest quality (as openssh is, except when it has been hacked around by an incompetent maintainer). Simple rule: use strong passwords, or disable password authentication, and don't worry about all of those failure messages in your auth log.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 17:39 UTC (Wed) by rfunk (subscriber, #4054) [Link] While I agree with your general point, I have two points of partial-contention. Most importantly, if you allow password authentication at all, you need to pay attention to failed logins, and take steps to prevent someone from eventually getting around to guessing your good password. (I watch my logs and manually block IP addresses that are trying to brute-force their way in, but I'm lucky enough not to be getting hit nearly as hard as others are.) Also, I've long disliked fail2ban and similar tools because it's too easy for legitimate users to get blocked. But some variant might be appropriate, such as one that notifies the sysadmin and asks for approval before blocking. (Though of course this adds more of the evil complexity that you rightly argue against.) I've toyed with the idea of a system that not just penalizes failed logins, but also gives positive points for successful logins, so that it's harder for legitimate users to get blocked. And of course, if blocking does happen, it should eventually expire.
fail2bban with knockd & whitelist Posted May 15, 2008 0:04 UTC (Thu) by AnswerGuy (guest, #1256) [Link] I use fail2ban with a whitelist on port 22 and port knocking on two additional ports (with a five port knock for each). Thus I can be assured that I can still get in even if someone has spoofed failures from some adress I'm using that's not on my whitelist. I could just turn off port 22 on that server since I only ever use one of the alternatives. The advantage of fail2ban or its ilk in this case is to prevent the bandwidth and CPU hit for repeated brute force ssh attempts. hiding the alternatives behind a knock sequence is even more effective since the casual port scanners can't even find the running service. If I see brutish failures on one of the alternative ports then I can be certain that someone sniffed my knock sequnce ... and change it.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 22:50 UTC (Wed) by nowster (subscriber, #67) [Link] This seems to work very well. It limits the number of connections to the SSH port to three in any three minutes. It's based on a post here a few months ago.
# SSH
# Accept trusted hosts
iptables -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport ssh -j ACCEPT
iptables -A INPUT -s 172.16.0.0/14 -p tcp -m tcp --dport ssh -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport ssh -j ACCEPT
# For outsiders, rate-limit
iptables -A INPUT -p tcp -m tcp --dport ssh \
-m state --state NEW \
-m recent --hitcount 3 --seconds 180 --update -j DROP
iptables -A INPUT -p tcp -m tcp --dport ssh \
-m state --state NEW \
-m recent --set -j ACCEPT
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 16, 2008 6:50 UTC (Fri) by muwlgr (guest, #35359) [Link] Ubuntu has broken fail2ban in Hardy and I feel they won't upload the update till probably v8.04.1. Bad luck for us Hardy users.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 16:05 UTC (Wed) by einstein (subscriber, #2052) [Link] All the distros I've used lately don't allow ssh connections by default, I have to explicitly enable sshd. I don't bother with the overhead of iptables rules, I simply define a restrictive set of IPs allowed to connect to sshd, via hosts.allow, and pare down the list of allowed ssh users, via sshd_config, to the one or two who actually have a need to do so. For more security, I disable password logins and require ssh keys to log in. Every morning the syslog is full of new entries chronicling unsuccessful ssh login attempts. Haha, suckers - knock yourself out!
New trends Posted May 14, 2008 16:13 UTC (Wed) by cyperpunks (subscriber, #39406) [Link] First some advice:- use denyhosts http://denyhosts.sourceforge.net/, it works very well. All distros have packages ready. - use the AllowUsers option /etc/ssh/sshd_config e.g: AllowUsers joeuser foouser- set MaxAuthTries to low number in /etc/ssh/sshd_config: MaxAuthTries 3- use good passphrases In the last couple of days it seems like more distributed attacks are going on, presumably to smart out software like denyhosts. However with 2/3 tries per IP a fairly large botnet is needed to crack a good password.
New trends Posted May 14, 2008 16:25 UTC (Wed) by nix (subscriber, #2304) [Link] If you're using passphrases rather than passwords (i.e. password-interactive authentication is disabled), then you're safe anyway. It's exactly as hard for a cracker to guess a private key with a passphrase as it is for him to guess one without a passphrase. What the passphrase keeps you safe from is some bastard nicking your key.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 17:14 UTC (Wed) by leoc (subscriber, #39773) [Link] I find changing the host port from the default to something else helps to reduce the incidence of attempts. If nothing else, it at least keeps the log files a little less jammed full of entries that need to be reviewed. You can add an entry to your personal ssh config file to have it automatically use the alternative port without needing to specify it on the command line.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 17:23 UTC (Wed) by ikm (subscriber, #493) [Link] I second that. Drops from thousands of attempts a day to zero. While it won't give too much security in case of a deliberately planned attack on you, most of the attacks are just automated scripts which check for root=root, lp=lp, etc, creating a mess in the logs.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 15:02 UTC (Thu) by jhardin (guest, #3297) [Link] In addition to changing the listen port on your system, put a TCP tarpit (e.g. LaBrea) on port 22.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 17:17 UTC (Wed) by a9db0 (subscriber, #2181) [Link] Another suggestion - If you can, run sshd on an alternate port. I know this can be inconvenient for some users, but it is effective in dissuading the bots. I know "security by obscurity" isn't an answer, but it's harder to break in a door if you have to search awhile before you find the door. Anyway, it has helped dramatically reduce the attacks on my boxes.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 17:45 UTC (Wed) by martinfick (subscriber, #4455) [Link] "security by obscurity" is just a term that is thrown around strangely anyway and provides nothing of value to a conversation, ignore it. When it comes down to it you always need a secret for these things. Requiring more secrets can only increase your security, the question is by how much and what is the tradeoff? The answer to "how much?" is determined by the size of the search space for each secret, are they random and are they changeable? The last one is the criteria that makes secret algorithms particularly bad, they are not changeable. With your extra secret, your search space is not very big so you may not be adding a lot of security for the determined cracker, but it certainly makes you more secure (if even only minorly) than the other guy, but at what cost? For example, is your machine now less accessible to you? Perhaps you may at some point be behind a firewall that does not allow you to access random ports, this could hurt you. A value decision that only you personally can make.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 17:31 UTC (Wed) by danielpf (subscriber, #4723) [Link] In addition to the already mentioned measures, a very simple one is to change the standard ssh port 22. Since I did it last year I had not a single attempt, instead of several tens per day.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 18:42 UTC (Wed) by smoogen (subscriber, #97) [Link] This works for small servers very well. For larger targets it only delays the attacks. Moving the ssh to port 9223 or some such on machine www.bigsite.com stopped the main robots but after a bit a new set of people showed up with bots after they had done a nmap. I am guessing they saw it and then told their bot-herd to go after the hi-port. However the small home machine I have, has never had a scan go high.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 18:49 UTC (Wed) by tialaramex (subscriber, #21167) [Link] Fedora installs SSH and opens a hole for it in the default firewall. So far as I know this is still true in Fedora 9. This is a frustrating type of vulnerability because it involves the user doing something stupid (using a really easy password for 'root' or having a really obvious username AND using a really easy password). The phrase "brute-force" in the write-up really over-states what they're trying, SSH isn't vulnerable to being brute-forced, each connection incurs a small but deliberate delay which, combined with the deliberately slow PAM authentication step means that attackers can't hope to try more than a thousand or so passwords in an hour. As a brute force technique that would be hopeless. Even with the ability to connect to say 100 machines at a time (much more and you run into problems with port re-use that screw you up) they couldn't make much headway. Instead they're relying on small dictionaries, of variable quality. Some might have 500 very common passwords and try them all against the 'root' account, others have username + password pairs, or try just a few usernames of old Unix daemons and other system accounts (the latter attack certainly won't work on any vaguely modern Linux distro since these accounts have no login privileges). Unfortunately, we can't actually rely on users not to pick 'password' as the root password of their machine. So we need to create a situation where ordinary users (since they're the only ones who'll benefit) can switch off remote password authentication and disable login to the root account. It seems like Ubuntu and similar distros have decided instead to throw their hands in the air and disable remote administation out of the box. In reality I'd guess that a large number of machines get the remote auth turned back on (with appropriate holes in the firewall) when the user realises how inconvenient this is. So it doesn't achieve our goal of making the user safer (though it does mean Ubuntu supporters can say Ubuntu isn't vulnerable to this problem, which gets them some cheerleading points) I'd suggest that we need User friendly SSH key sharing. People who can play Solitaire and write a document in OpenOffice.org also need to be able to create and use SSH keys to authenticate between their laptop and desktop computer, between the desktop computer and the Linux storage/ AV server under the stairs maintained by their spouse/ sibling/ neighbor and so on. This isn't so that they can get a bash prompt but so that they can use SFTP and similar user authenticated remote services. Documentation which concentrates on the "login as yourself, obtain root privileges only when necessary" model, maybe through sudo and the existing privilege escalation dialogs in GUI environments. We're 90% of the way there on this, and as a result should turn off root logins altogether by default. If you can't log in as root, then attackers can't either. But to some extent I think we have to "suck it up" on these unwanted log messages. Attackers are trying to break into your machine, and being reminded of that is no bad thing.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 20:21 UTC (Wed) by eru (subscriber, #2753) [Link] "throw their hands up" I disagree. For any distro that is likely to be installed by 'laymen' for desktop use, disabling sshd and other forms of remote login is the only responsible default. These users are unlikely to need it, and those that do are more sophisticated and know how to turn it on (or at least know how to find that out).
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 0:29 UTC (Thu) by tialaramex (subscriber, #21167) [Link] There's no reason it needs to be so dangerous that you'd want to disable it. If you don't have root logins, and you require a key for access (where the search time is controlled by a computer algorithm rather than by a human's ability to remember complicated strings of letters and digits) you can make SSH an uninteresting target. If the script kiddies had a dozen boxes chewing away for weeks at a time and didn't get a single hit they'd stop doing it. That they're currently still doing it suggests that it probably still works. Which means there are still machines where you can ssh in with username 'root' password 'sesame' and get a root bash prompt. I think we should fix /this/ part rather than just disabling SSH by default.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 4:34 UTC (Thu) by bronson (subscriber, #4806) [Link] > There's no reason it needs to be so dangerous that you'd want to disable it. Sure there is. A closed port is infinitely more safe than a listening port. Well, maybe not infinitely. But it's a huge number. The difference is so big that running listening servers that the user isn't actually using is downright irresponsible. > If you don't have root logins, and you require a key for access ... you can make SSH an uninteresting target. Not if you were running Debian or Ubuntu. :(
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 9:19 UTC (Thu) by ekj (guest, #1524) [Link] True, but you exxagerate somewhat. Not only the *relative* risk, but also the *absolute* risk is relevant. It may be true that a non-listening port is one million times safer from network-exploits than a listening-port. (number grasped out of thin air) But if the risk that a certain service causes problems is miniscule enough, then that reduction in risk is still ignorable. If, for example, there's a 1:100 chance that a certain setup will be compromised in a year, and a 1:1000000 chance that a given service will be compromised, then turning off that service while in principle good, in practice makes no detectable difference to the overall security of the host.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 15:33 UTC (Thu) by bronson (subscriber, #4806) [Link] Hm, are you saying that worrying about running services is silly because there are so many more reliable ways of rooting a box? If so, I have two replies: - Running services have always been most effective way of remoting a box. They are the 1:100 number you quoted. - Disregarding a 1:100000 chance event might make sense on some level. The problem is that Linux deployments are immense and the downside of having your box rooted is so enormous. If 36,000 Linux boxes will be compromised this year, and a particular running service is responsible for only 60 of those breakins, it sounds like you're saying that the service is statistically insignificant and can be ignored. That might keep the statisticians happy but I think it is clearly wrong. At least, I hope that the distros I use don't feel that way!
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 16, 2008 6:00 UTC (Fri) by ekj (guest, #1524) [Link] Nah. We don't really disagree. I'm just nitpicking. Specifically, I'm nitpicking the claim that a large relative reduction in risk by ITSELF is a reason to do something. Cutting a risk by 99% sounds great, my point was merely that if the risk is miniscule already, it may be that it's not worthwhile. Arguably, the safest default is to install no servers, unless the user specifically requests the install (default: not installed), but some services are probably still better left installed. Indeed, the safest default is to install NOTHING whatsoever, but this is hardly reasonable, despite improvements to security. Similarily, the safest default if the user DOES explicitly install a service is to not run it -- requiring the user to explicitly enable it if he wants it. But this is unreasonable; most people who install say "openssh-server" also wants to run it, so defaulting to off is unfriendly, even though sligthly more secure. Further, the safest default config would be something like disable-root-login disable-password-authenthication allow-login-only-from-whitelisted-hosts, but again, this would be unfriendly because it would mean extra work for most people. So this is probably not worth it -- despite being more secure.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 5:48 UTC (Thu) by MattPerry (guest, #46341) [Link] > There's no reason it needs to be so dangerous that you'd want to disable it. Then disable it because it's not needed. It's trivial to enable for those who need it. For others who don't, it's just using system resources unnecessarily.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 2:51 UTC (Thu) by gdt (subscriber, #6284) [Link] Fedora could improve, a lot. Firstly, it could ask on the installer screen if a ssh server for remote administration is needed. And if it is it could insist on a non-root user name and a reasonable password. It could offer the alternative for public-key only access. It should not be possible to SSH to a Fedora machine as root. Secondly, it could restrict ssh usage to just the users which need it. Create a group sshusers and require incoming ssh to be a member of that group. Thirdly, it could add GUI tools to make public keys simpler to use. Fourthly, it could issue a banner upon ssh connection. This will increase traffic bills for scanning machines, making their owners on ADSL billing plans pay attention. Fifthly, it could ask the user the address range of their local trusted network upon installation and set /etc/hosts.allow (which sshd obeys) accordingly. OpenSSH could also help. Stacking authentication (such as requiring public key and login password) would be very useful. I've found on the well-known servers which we run that moving the ssh port only works for a day at the most.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 5:36 UTC (Thu) by njs (guest, #40338) [Link] > We're 90% of the way there on this, and as a result should turn off root logins altogether by default. *cough* This is exactly what Ubuntu does.
PermitRootLogin without-password Posted May 15, 2008 10:02 UTC (Thu) by gvy (guest, #11981) [Link] Recent OpenSSH 4.x support restricting root to key-only auth; that's how it's set up by default in ALT Linux 4.0. Previous ALT releases used to "PermitRootLogin no" and recommend sudo/su -- preferably with separate user in wheel group since one of control(8)-ed settings for /bin/su and /usr/bin/sudo file permissions is "suid, executable by wheel group, no world perms at all". I think I've heard of 1 (one) case when unsuspecting ALT Linux user would get his root account bruteforced -- due to offline system with easy password and manually enabled remote root login being brought online. Still AllowUsers/AllowGroups is basically a must on multiuser systems where not literally everyone must have remote access; as mentioned, IP filtering and weird port are also worthy things to consider doing, depending on one's situation. Port knocking techniques sometimes come handy too.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 2:03 UTC (Thu) by jasonjgw (guest, #52080) [Link] On my home box I have disallowed password authentication, which as others have suggested is a good security measure. Also, the machine is behind a router (with firewall enabled), and subject to NAT. The only way to accomplish an ssh login is over IPv6; I can set up IPv6 tunnels to go6.net or another provider from my laptop, and access my home network via this route. Address scanning will require much more work of the attacker under IPv6, so they'll probably resort to probing the DNS for AAAA records once there are sufficiently many IPv6 hosts to make this worthwhile from a cracker's point of view. Disallowing zone transfers to unauthorized hosts should complicate this strategy however. To be clear,, I don't use IPv6 as a security tool; it's rather that I'm having fun with it, and I don't like NAT, but would prefer to give each of my systems static IPv6 addresses than to pay $$$ to obtain static IPv4 addresses.
|
|||||||||||||