ssh library attack
CL (dnoyeB) Gilbert
      07-25-2005, 07:37 PM
Every day someone has attempted to log into my ssh server 1000s of times
with a bunch of different names. There is nothing significant on my
Linux box to be concerned with. I am just sick of seeing all this in my
logs, and why should I let it continue?

There is no root login over ssh on my box, and you can't log in without a
key either; no password access.

Is there a way to combat this without hampering my daily access? I do
tend to access from a given IP address, but I don't want to guarantee
this. Perhaps I could just change to some obscure port number? Any
specific number? Can the sshd listen on multiple ports till I finalize
on a different port, if this is the way to go?


--
Respectfully,


CL Gilbert
Tauno Voipio
      07-25-2005, 07:57 PM
CL (dnoyeB) Gilbert wrote:
> Every day someone has attempted to log into my ssh server 1000s of times
> with a bunch of different names. There is nothing significant on my
> Linux box to be concerned with. I am just sick of seeing all this in my
> logs, and why should I let it continue?
>
> There is no root login over ssh on my box, and you can't log in without a
> key either; no password access.
>
> Is there a way to combat this without hampering my daily access? I do
> tend to access from a given IP address, but I don't want to guarantee
> this. Perhaps I could just change to some obscure port number? Any
> specific number? Can the sshd listen on multiple ports till I finalize
> on a different port, if this is the way to go?
>


There are a couple of SSH brute-force attack scripts in circulation.
They all seem to target port 22. If you can access SSH by some other
port, move the server away from port 22 to e.g. 60022. It quiets
the logged scrap considerably.

The ports above 49152 are destined for private use, and
OK for this use.

--

Tauno Voipio
tauno voipio (at) iki fi

YouCanToo
      07-26-2005, 02:37 AM
Tauno Voipio wrote:
>>
>> Is there a way to combat this without hampering my daily access? I do
>> tend to access from a given IP address, but I don't want to guarantee
>> this. Perhaps I could just change to some obscure port number? Any
>> specific number? Can the sshd listen on multiple ports till I
>> finalize on a different port, if this is the way to go?
>>

>
> There are a couple of SSH brute-force attack scripts in circulation.
> They all seem to target port 22. If you can access SSH by some other
> port, move the server away from port 22 to e.g. 60022. It quiets
> the logged scrap considerably.
>
> The ports above 49152 are destined for private use, and
> OK for this use.

As a last step measure you could always reconfigure the port that the
SSH daemon listens on. By changing the “Port” setting in your
“sshd_config” file, you can easily fool the attackers into thinking
you're not running SSH at all, but it's no guarantee that they won't
find you again by doing a simple port scan. Changing the port is
definitely no solution to strong passwords. Obscurity is small
protection by itself.


Change "/etc/ssh/sshd_config" so that "PasswordAuthentication" is "no".

You can always put their IP address in your hosts.deny file, as such:

/etc/hosts.deny
ALL: xxx.xxx.xxx.xxx : DENY
ALL: xxx.xxx.xxx. : DENY
ALL: xxx.xxx. : DENY
ALL: xxx. : DENY
whereas xxx.xxx.xxx.xxx is their IP number, or the 1st octet, 2nd octet and
3rd octet

For example, to block all IPs between 192.168.1.0 and 192.168.1.254 it
would look like
ALL: 192.168.1. : DENY

or by country such as

ALL: .hk : DENY
ALL: .jp : DENY
ALL: .kr : DENY


in your /var/log/auth.log you will find something like the following

Jul 25 14:41:42 findmoore xinetd[4123]: START: ssh pid=21466
from=202.143.156.82
Jul 25 14:41:42 findmoore xinetd[21466]: FAIL: ssh libwrap
from=202.143.156.82
Jul 25 14:41:42 findmoore xinetd[4123]: EXIT: ssh pid=21466 duration=0(sec)
Jul 25 14:41:45 findmoore xinetd[4123]: START: ssh pid=21475
from=202.143.156.82
Jul 25 14:41:45 findmoore xinetd[21475]: FAIL: ssh libwrap
from=202.143.156.82
Jul 25 14:41:45 findmoore xinetd[4123]: EXIT: ssh pid=21475 duration=0(sec)
Jul 25 14:41:45 findmoore xinetd[4123]: START: ssh pid=21476
from=202.143.156.82
Jul 25 14:41:45 findmoore xinetd[21476]: FAIL: ssh libwrap
from=202.143.156.82
Jul 25 14:41:45 findmoore xinetd[4123]: EXIT: ssh pid=21476 duration=0(sec)


The best way would be to DENY all and in the hosts.allow file allow the
IPs that you want to have access to your machine.

There are several good tutorials on the web that explain usage of the
hosts.deny and hosts.allow files:

http://www.redhat.com/docs/manuals/l...rs-access.html

Good for looking up IPs:
http://www.fr2.cyberabuse.org/whois/?page=whois_server

here is a list of IPs that have launched attacks during the last 4 weeks
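To automate the tally that the auth.log excerpt above invites, here is an added example (my own, not from the thread and not DenyHosts): a Python script that parses xinetd/libwrap FAIL lines in the format shown, counts refusals per source, collapses addresses to the trailing-dot prefix form hosts.deny accepts, and renders candidate hosts.deny entries. The log lines and addresses are constructed sample data; the refusal threshold of 3 and the ALL daemon list are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the xinetd/libwrap format quoted in the thread;
# the host name and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_AUTH_LOG = """\
Jul 25 14:41:42 findmoore xinetd[4123]: START: ssh pid=21466 from=203.0.113.9
Jul 25 14:41:42 findmoore xinetd[21466]: FAIL: ssh libwrap from=203.0.113.9
Jul 25 14:41:42 findmoore xinetd[4123]: EXIT: ssh pid=21466 duration=0(sec)
Jul 25 14:41:45 findmoore xinetd[21475]: FAIL: ssh libwrap from=203.0.113.9
Jul 25 14:41:45 findmoore xinetd[21476]: FAIL: ssh libwrap from=203.0.113.9
Jul 25 15:02:10 findmoore xinetd[21510]: FAIL: ssh libwrap from=198.51.100.7
Jul 25 15:10:00 findmoore xinetd[4123]: START: ssh pid=21522 from=192.0.2.44
Jul 25 15:10:00 findmoore xinetd[4123]: EXIT: ssh pid=21522 duration=3(sec)
"""

# Only the libwrap refusal lines are evidence of a blocked connection;
# START/EXIT lines also appear for legitimate sessions, so they are ignored.
FAIL_RE = re.compile(
    r"xinetd\[\d+\]: FAIL: ssh libwrap from=(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def count_refusals(log_text):
    """Tally tcp_wrappers refusals of ssh per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        match = FAIL_RE.search(line)
        if match:
            hits[match.group(1)] += 1
    return hits

def offenders(counts, threshold=3, allow=()):
    """Sources at or above the threshold, minus addresses you never block."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allow)

def network_prefix(ip, octets=3):
    """Trailing-dot prefix form tcp_wrappers uses for a whole /8, /16 or /24."""
    return ".".join(ip.split(".")[:octets]) + "."

def hosts_deny_lines(ips, daemon="ALL"):
    """Render entries in tcp_wrappers 'daemon_list : client_list : option' form."""
    return [f"{daemon}: {ip} : DENY" for ip in ips]

if __name__ == "__main__":
    counts = count_refusals(SAMPLE_AUTH_LOG)
    for ip, n in counts.most_common():
        print(f"{n:4d}  {ip}  (prefix {network_prefix(ip)})")
    print("\n".join(hosts_deny_lines(offenders(counts))))
```

Run it against the real file with `count_refusals(open("/var/log/auth.log").read())`; the allow set is where your own known addresses go so a typo in a key never locks you out.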
Henry Stilmack
      07-26-2005, 03:42 AM
On that fabled day of 25 Jul 2005, CL Gilbert blessed Usenet with hir
wisdom in <pO2dnbR0Yt_ConjfRVn-(E-Mail Removed)>:
> Every day someone has attempted to log into my ssh server 1000s of
> times with a bunch of different names. There is nothing significant
> on my Linux box to be concerned with. I am just sick of seeing all
> this in my logs, and why should I let it continue?
>
> There is no root login over ssh on my box, and you can't log in
> without a key either; no password access.
>
> Is there a way to combat this without hampering my daily access? I
> do tend to access from a given IP address, but I don't want to
> guarantee this. Perhaps I could just change to some obscure port
> number? Any specific number? Can the sshd listen on multiple ports
> till I finalize on a different port, if this is the way to go?


If you're disallowing root logins and password authentication, you're
probably safe. If it's just the log messages that are bugging you,
change the SyslogFacility and LogLevel in /etc/ssh/sshd_config to
something like SyslogFacility USER4 and LogLevel DEBUG, then put a
line like:

user4.* /dev/null
^^^^^^^^^^^^^^^^^TABs - not spaces!

into /etc/syslog.conf, then restart sshd and syslogd.

You can also look into DenyHosts (http://denyhosts.sourceforge.net) or
pam_abl (http://www.hexten.net/sw/pam_abl/index.mhtml) as automated
ways of blocking the attacking hosts.

--
Henry Stilmack, CISSP
Email to hps (at) shangri-la (dot) cx
Registered Linux User #324965
Lawrence D'Oliveiro
      07-26-2005, 05:30 AM
In article <9vbFe.307$(E-Mail Removed)>,
Tauno Voipio <(E-Mail Removed)> wrote:

>The ports above 49152 are destined for private use...


I thought they were meant for dynamic allocation by clients.
CL (dnoyeB) Gilbert
      07-26-2005, 02:36 PM
CL (dnoyeB) Gilbert wrote:
> Every day someone has attempted to log into my ssh server 1000s of times
> with a bunch of different names. There is nothing significant on my
> Linux box to be concerned with. I am just sick of seeing all this in my
> logs, and why should I let it continue?
>
> There is no root login over ssh on my box, and you can't log in without a
> key either; no password access.
>
> Is there a way to combat this without hampering my daily access? I do
> tend to access from a given IP address, but I don't want to guarantee
> this. Perhaps I could just change to some obscure port number? Any
> specific number? Can the sshd listen on multiple ports till I finalize
> on a different port, if this is the way to go?
>
>


Thanks for all the excellent replies. A little more info:

1. Password authentication and root access are indeed off.
2. There was a port scan a while ago before this started, and there does
seem to be port scans every so often.
3. The source IP for the attack changes daily.

It's really just an annoyance. I may do a hosts.allow. What would really
be nice is some form of port knocking, except that port knocking is
probably easy to DOS...

--
Respectfully,


CL Gilbert
franv
      07-26-2005, 03:17 PM
There are a few utilities out there that either put a delay after failed
login attempts or stop and restart the ssh server. Since quite a few of
these attacks are done using scripts, if after, let's say, 2 failed attempts
there is a delay of 2 to 5 minutes, the scripts are not effective anymore.

Have a look at pam_delay:
http://www-uxsup.csx.cam.ac.uk/~pjb1...ect/pam_delay/
or swatch which I use to stop and restart the ssh server.

Hope this helps

On Mon, 25 Jul 2005 15:37:01 -0400, CL (dnoyeB) Gilbert wrote:

> Every day someone has attempted to log into my ssh server 1000s of times
> with a bunch of different names. There is nothing significant on my
> Linux box to be concerned with. I am just sick of seeing all this in my
> logs, and why should I let it continue?
>
> There is no root login over ssh on my box, and you can't log in without a
> key either; no password access.
>
> Is there a way to combat this without hampering my daily access? I do
> tend to access from a given IP address, but I don't want to guarantee
> this. Perhaps I could just change to some obscure port number? Any
> specific number? Can the sshd listen on multiple ports till I finalize
> on a different port, if this is the way to go?


YouCanToo
      07-26-2005, 05:22 PM

> Thanks for all the excellent replies. A little more info:
>
> 1. Password authentication and root access are indeed off.
> 2. There was a port scan a while ago before this started, and there does
> seem to be port scans every so often.
> 3. The source IP for the attack changes daily.
>
> It's really just an annoyance. I may do a hosts.allow. What would really
> be nice is some form of port knocking, except that port knocking is
> probably easy to DOS...
>


Go here and download the file denyhosts.py:

http://denyhosts.sourceforge.net/index.html

Setup is easy and it works well.
jsuthan
      08-07-2005, 03:43 AM
CL (dnoyeB) Gilbert wrote:
> Every day someone has attempted to log into my ssh server 1000s of times
> with a bunch of different names. There is nothing significant on my
> Linux box to be concerned with. I am just sick of seeing all this in my
> logs, and why should I let it continue?
>
> There is no root login over ssh on my box, and you can't log in without a
> key either; no password access.
>
> Is there a way to combat this without hampering my daily access? I do
> tend to access from a given IP address, but I don't want to guarantee
> this. Perhaps I could just change to some obscure port number? Any
> specific number? Can the sshd listen on multiple ports till I finalize
> on a different port, if this is the way to go?
>
>


Hi,

To avoid future exploits, don't place SSH communication on the standard
port 22. The only problem is that for HTTP and SMTP these ports can't be
changed! Those ports need alternative enforcement. Back to SSH: try
changing the port to a different port, to give hackers more work to do.. then
comes the NMAP thing which discovers which port is open. It's still more work.
Choosing different ports will be secure and avoid random exploits.
Everyone knows port 22 is SSH!

--
jsuthan
Zues linux team
http://www.mypulau.com
YouCanToo
      08-07-2005, 03:06 PM
jsuthan wrote:
> CL (dnoyeB) Gilbert wrote:
>
>> Every day someone has attempted to log into my ssh server 1000s of
>> times with a bunch of different names. There is nothing significant
>> on my Linux box to be concerned with. I am just sick of seeing all
>> this in my logs, and why should I let it continue?
>>
>> There is no root login over ssh on my box, and you can't log in without
>> a key either; no password access.
>>
>> Is there a way to combat this without hampering my daily access? I do
>> tend to access from a given IP address, but I don't want to guarantee
>> this. Perhaps I could just change to some obscure port number? Any
>> specific number? Can the sshd listen on multiple ports till I
>> finalize on a different port, if this is the way to go?
>>
>>

>
> Hi,
>
> To avoid future exploits, don't place SSH communication on the standard
> port 22. The only problem is that for HTTP and SMTP these ports can't be
> changed! Those ports need alternative enforcement. Back to SSH: try
> changing the port to a different port, to give hackers more work to do.. then
> comes the NMAP thing which discovers which port is open. It's still more work.
> Choosing different ports will be secure and avoid random exploits.
> Everyone knows port 22 is SSH!
>

Security through obscurity is nuts. It will only take a bit longer to
figure out that he has moved ssh from one port to another. A better way is
to allow access from known IPs; if that will not work, you can always
get a program called denyhosts and run it via cron to automatically add
the offender's IP to the hosts.deny file.