WebProWorld
IT Discussion Forum Having IT issues? Got IT questions? Who doesn't? If you can't get your Apache to work with your MySQL or your php is choking on your ODBC... Let's see if we can help you come up with some ideas.

#1
08-23-2005, 04:48 PM
steve0 (WebProWorld Pro, Join Date: May 2004, Location: Austin, TX, Posts: 199)
Anyone else noticing an increase in SSH login attempts?

Hey all,

We keep our boxes pretty tightly wrapped.. but in the last week or two, we have been seeing an increase in attempted logins via ssh.

Anyone else seeing this?

Has some 'new' exploit been published.. or are old ones just making a new resurgence?

(hmm..school back in session.. computer labs are now open..)
__________________
Hardcore Programming Solutions and Coffee Drinker
#2
08-24-2005, 09:10 AM
timmathews.com (WebProWorld Veteran, Join Date: Jan 2004, Location: Fresh from Manhattan, Posts: 860)

I have not noticed anything... What types of sites are you noticing this on?
#3
08-24-2005, 12:54 PM
nottheusual1 (WebProWorld Pro, Join Date: Jun 2004, Location: The Barrens of NE Ohio, Posts: 236)

We've had an enormous increase in zombie attacks from compromised machines on large ISPs in EU countries. There are tons of them all over Europe and we just saw an increase in IPs originating in Japan (up over 50% this week). It comes and goes in waves.

We've already blocked about every IP block in China and Korea to reduce dictionary attacks on two of our mail servers - customer has one of those dreaded domains that seems to get targeted frequently. Thankfully, he only does business in North America, so this was a practical thing to do. There is a comprehensive list of those IP addresses available at:

http://www.okean.com/thegoods.html

which is updated daily. When used with APF or some other policy-based firewall it is almost 100% effective.

Funny, but the zombies seem pretty particular - we have 5 production boxes and only 3 get the major traffic from them. Two rarely get probed.

Our firewalls are now configured to let one login attempt from a non-whitelisted IP - if you blow it, you're out first try. This has helped, but we don't have a situation where there are any SSH users other than a small handful of admins, so the policy is effective.

I'm sure the traffic from college networks will increase over the next few weeks with all those new computers coming up at once.... Unpatched, underprotected and noobs.....
__________________
:not_the_usual1
[you decide]
________________
All in my opinion, which, when combined carefully with a $1 bill, gets you a cup of coffee at the corner store.
#4
08-25-2005, 10:02 AM
nottheusual1

Check out this link for an eye-opener:

http://www.fcw.com/article90262-08-22-05-Print

talks about attacks from overseas.
#5
08-31-2005, 11:56 AM
MuNKyonline (WebProWorld Veteran, Join Date: Jun 2004, Location: Suffolk, England, Posts: 777)

I have recently started getting e-mails through my form on my website that are just random characters in each e-mail, all of the same length. Is this the kind of thing that you mean?
#6
08-31-2005, 12:25 PM
nottheusual1

There are some known exploits for F*Page enabled Websites that can be triggered via a form's content and subsequent posting.

Problemo is that the trolls that are doing it aren't always checking to see if the site is F*Page enabled before trying the exploit. As an example, the exploits are useless on a *nix server running the current extensions for the simple reason the exploit is to try to gain control of an unpatched M$ O/S server. Many of the zombies out there aren't being controlled by a very bright crew.

These things seem to last for a week or two and then fade away - all we can figure is that the trolls lost their lease on the zombie machines they were using.....
#7
09-02-2005, 03:09 PM
Easywebdev (WebProWorld Veteran, Join Date: Apr 2004, Posts: 310)

I have an old server that I use as a gameserver (security on it has not been hardened) and lately it's been getting hammered with ssh bruteforce attacks. As has been said above, summer's over and the script kiddies are back at school.

The simplest way to avoid bruteforce ssh attacks is to move the ssh port somewhere high (above 12000), as most of the scripts in the wild target the default port of 22 and most hackers will run an nmap port scan up to 443 and maybe a single probe of 3306 for MySQL, so moving the ssh port somewhere high foxes a lot of the kiddies. I do this (along with disabling root logins) on all production boxes and have yet to see an ssh attack on any of these boxes.
__________________
"I have not failed. I have found 10,000 ways that don't work" - Thomas Edison.
"The secret to creativity is knowing how to hide your sources" - Albert Einstein.
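The post above recommends two sshd_config changes: a non-default port and no root logins. The script below is an added example, not from the thread or any poster; it audits a config file for those two settings plus password authentication, using two constructed sample configs written to temporary files. The helper names (sshd_value, audit_sshd_config), the sample port 12345 and the user names in AllowUsers are assumptions for illustration. One detail worth knowing when you edit the real file: sshd takes the first uncommented occurrence of a keyword, so a hardened line appended at the bottom does nothing if the weak setting appears higher up.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the post above discusses. Constructed sample configs are written to temp
# files so the script runs offline.

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: OpenSSH defaults of that era (commented lines are inactive)
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed sample: hardened along the lines of the post above
Port 12345
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin1 admin2
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Effective value of a keyword: the FIRST uncommented occurrence wins, as in
# sshd itself. Match blocks are ignored here (a simplification).
#   $1 keyword   $2 default when the keyword is absent   $3 config file
sshd_value() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    v=$(awk -v k="$kw" '
        /^[[:space:]]*#/ { next }            # comment line, not a setting
        tolower($1) == k { print $2; exit }  # keywords are case-insensitive
    ' "$3")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$2"; fi
}

# One finding per line; prints nothing when all three checks pass.
# Defaults assumed: Port 22, PermitRootLogin yes (OpenSSH of the time; newer
# releases default to prohibit-password), PasswordAuthentication yes.
audit_sshd_config() {
    port=$(sshd_value Port 22 "$1")
    if [ "$port" = "22" ]; then
        echo "Port: default 22; the scripts the thread describes only try port 22"
    fi
    root=$(sshd_value PermitRootLogin yes "$1")
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin: $root; set to no so root is never a valid login target"
    fi
    pw=$(sshd_value PasswordAuthentication yes "$1")
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication: $pw; with keys only, a guessed password cannot succeed"
    fi
}

echo "== weak config =="
audit_sshd_config "$WEAK_CFG"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG"
```

To check a live host, call `audit_sshd_config /etc/ssh/sshd_config` as root. Moving the port is only obscurity, so the root-login and password-authentication checks are the ones that actually remove the dictionary attack's chance of success; the port change just cuts the log noise.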
#8
09-02-2005, 08:12 PM
cyanide (WebProWorld 1,000+ Club, Join Date: Jul 2003, Location: Toronto, Canada, Posts: 1,782)

Yes, that's a good idea, Easywebdev

We've also moved ssh to another port on most of our boxes. Helps a lot.

Web Hosting | Webmaster Help
#9
09-02-2005, 08:24 PM
Steve W (WebProWorld Pro, Join Date: Jul 2005, Location: UK, Posts: 166)

How do you spot an SSH attack attempt?
Which log should I look at please?
I've recently got a dedicated *nix server and could use a pointer for this topic.
Thanks
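The question above asks which log to read. On a Fedora box sshd's authentication messages go to /var/log/secure (the syslog authpriv facility); Debian-derived systems write them to /var/log/auth.log, and journald-based systems show the same lines with `journalctl -u sshd`. The script below is an added example, not from the thread or any poster: it runs an awk counter over constructed sample log lines in OpenSSH's format (older releases logged "Illegal user", later ones "Invalid user", and a guess against an unknown account normally produces that line plus a "Failed password" line) and lists the source addresses with at least three failed passwords, which is the input a one-strike firewall rule like the one described in post #3 would act on. The function names, host name, PIDs and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): count failed sshd logins per source
# address from auth-log lines on stdin.
# Real use:  failed_logins_by_ip < /var/log/secure     (Fedora / Red Hat)
#            failed_logins_by_ip < /var/log/auth.log   (Debian / Ubuntu)

# Constructed sample of /var/log/secure lines (host, PIDs, addresses made up).
SAMPLE_LOG=$(cat <<'EOF'
Sep  2 20:11:03 web1 sshd[4101]: Failed password for root from 10.0.0.5 port 51234 ssh2
Sep  2 20:11:05 web1 sshd[4102]: Illegal user test from 10.0.0.5
Sep  2 20:11:05 web1 sshd[4102]: Failed password for illegal user test from 10.0.0.5 port 51240 ssh2
Sep  2 20:11:09 web1 sshd[4103]: Failed password for root from 10.0.0.5 port 51250 ssh2
Sep  2 20:12:01 web1 sshd[4110]: Accepted publickey for admin from 192.0.2.10 port 40000 ssh2
Sep  2 20:12:30 web1 sshd[4111]: Failed password for admin from 192.0.2.10 port 40010 ssh2
Sep  2 20:13:00 web1 sshd[4112]: Invalid user oracle from 198.51.100.7
Sep  2 20:13:00 web1 su: pam_unix(su:auth): authentication failure; logname=admin uid=500
EOF
)

# Output: "<ip> <failed passwords> <unknown user names tried>", busiest first.
# Only sshd lines are considered; "Accepted" lines and other daemons are ignored.
failed_logins_by_ip() {
    awk '
        !/sshd\[[0-9]+\]:/ { next }                  # not an sshd message
        /Failed password for/      { kind = "failed" }
        / (Illegal|Invalid) user / { kind = "unknown" }  # pre-auth: unknown account
        kind != "" {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            seen[ip] = 1
            if (kind == "failed") failed[ip]++; else unknown[ip]++
            kind = ""
        }
        END { for (ip in seen) printf "%s %d %d\n", ip, failed[ip] + 0, unknown[ip] + 0 }
    ' | sort -k2,2nr -k1,1
}

# Addresses with at least $1 failed passwords (default 3): the candidates a
# policy firewall such as the APF setup in post #3 would block.
brute_force_sources() {
    failed_logins_by_ip | awk -v t="${1:-3}" '$2 >= t { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
echo "--- candidates for a block rule (>= 3 failed passwords) ---"
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
```

Whitelist your own admin addresses before feeding the result to a firewall: one mistyped password from an admin's workstation is a single "Failed password" line, and the threshold is what keeps that from locking the admin out.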
#10
09-06-2005, 01:34 AM
nottheusual1

Steve - Do you have a firewall installed? What flavor of *nix is it? Is there any control panel (like Plesk or cPanel)?

I'll try to help you get it hardened from this type of stuff.
#11
09-06-2005, 07:39 AM
Steve W

Hi, thanks.

It's Fedora Core and Plesk.
#12
09-06-2005, 10:13 AM
nottheusual1

First - turn everything like PHPBB and Nuke off until you know they are patched correctly. They are really weak spots if not done right.

OK - start reading here:

http://members.lycos.co.uk/bubudiu/fc3-harden/

http://www.eth0.us/

The first link refers to hardening fedora in particular and is written by a RedHat staffer.

The second link takes on the whole system. Pay particular attention to the firewall section - they recommend using APF - which really is the best way to go. Also, when you get the latest version of APF, they've integrated a few new tools (like anti-DOS and a brute force detection system).

Let me know when you've plowed through this stuff and I'll help anywhere I can.
#13
09-06-2005, 12:00 PM
Steve W

Thanks, will get reading...