SSH hacking / brute forcing
On our servers we regularly see SSH being the target of brute force (and I assume/hope automated) password guessing - often for accounts like 'support', 'mike', 'remote', 'root', 'oracle' etc.
Every once in a while, I take the effort to report the scan to whoever is listed in the whois info for the IP address, or if the IP is hosting a website, then to a contact I can get from the website itself.
So, on Saturday when logcheck kindly informed me that someone had been trying to guess the 'root' password for a server, I put on my 'good deed' hat and spent 5-10 minutes finding out who to email, writing the email, and including some useful syslog entries (time/date etc).
Much to my surprise, the company I emailed phoned back; and needless to say the person I spoke to claimed there were no strange users logged into his system, and does not believe there is a problem. Unfortunately, I believe I have proof otherwise, but I wasn't in the mood to argue the point (and was slightly taken aback that someone phoned in response at all).
When reporting it, I noticed their server was running PHP, which made me think (after speaking to him) that perhaps there is a hole in whatever PHP application they use, and whatever is/was scanning our server was doing so as the Apache user (or some other system account).
While I don't believe PHP as a language is any more vulnerable to security exploits than applications written in other languages, I do believe that there are many poorly written PHP applications. Some are just written by people who don't know about security, while others are just old, and written in the days before some vulnerabilities were known and now languish in an unmaintained state.
I'll continue to rely upon fail2ban or my own log_sentry.pl, which seem to be sufficiently effective at blocking such probes; and where possible use either port knocking, changing the port sshd listens on, or just allowing a select list of IP addresses to connect to the server.
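As an added example (not part of the original post, and not the code of log_sentry.pl or fail2ban), here is a small Python log sentry that does what the post describes: it pulls the "Failed password" lines out of syslog-style sshd output, flags any source address with five or more failures inside a ten-minute window, and summarises the time, date and usernames tried in the form you would send to an abuse contact. The log lines, hostname, year and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (no year); not taken from the post.
SAMPLE_LOG = """\
Jun  3 02:14:01 web1 sshd[4120]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jun  3 02:14:03 web1 sshd[4122]: Failed password for invalid user support from 203.0.113.45 port 51240 ssh2
Jun  3 02:14:05 web1 sshd[4125]: Failed password for invalid user mike from 203.0.113.45 port 51251 ssh2
Jun  3 02:14:08 web1 sshd[4127]: Failed password for invalid user oracle from 203.0.113.45 port 51260 ssh2
Jun  3 02:14:10 web1 sshd[4130]: Failed password for root from 203.0.113.45 port 51266 ssh2
Jun  3 02:15:11 web1 sshd[4133]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Jun  3 02:20:30 web1 sshd[4140]: Accepted publickey for adam from 192.0.2.10 port 50022 ssh2
"""
# Matches both "Failed password for root ..." and "... for invalid user support ...".
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, ip) for every failed-password line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_brute_forcers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map IP -> summary for IPs with >= threshold failures inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    offenders = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = {"count": len(events),
                                 "users": sorted({u for _, u in events}),
                                 "first": events[0][0], "last": events[-1][0]}
                break
    return offenders

def abuse_report(host, offenders):
    """Summarise offenders as the time/date/username evidence an abuse contact needs."""
    return "\n".join(
        f"{ip}: {o['count']} failed SSH logins on {host} between {o['first']:%Y-%m-%d %H:%M:%S} "
        f"and {o['last']:%H:%M:%S}; usernames tried: {', '.join(o['users'])}"
        for ip, o in sorted(offenders.items()))
```

On a real host you would feed it the output of `grep sshd /var/log/auth.log` and hand the offending addresses to your firewall, which is the part fail2ban automates.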
They can be avoided
Well done for trying to do a good deed - it's a shame people are not more receptive to assistance.
For your own benefit though, move sshd to another port. It makes life much easier, and if you use aliases in your ~/.ssh/config you don't need to remember them for each server.
Good point
I have moved sshd to listen on different ports on some servers, but some are customer facing, and can't be moved.
I have worked for companies who block all outbound traffic apart from ports 22, 80 and 443 ... which makes it difficult to change the port number ....
Disable password logins
Turn off password logins and use key based passwordless logins. It won't stop the attempts but will mean that the brute forcers will never get in if they don't have your private key.
You want the following directives:
PubkeyAuthentication yes
PasswordAuthentication no
There are tutorials on how to set up the keys. I have to work out how to have more than one set of keys on a client or replicate the same key across multiple servers.
It can be a PITA for more than a few users, but worth investigating in more detail. Also worth keeping an SSH login open on the remote machine in case you make yourself unable to login while you're setting it up...
I already use public keys, but haven't turned off passwords yet.
Adam,
I do use public keys quite a lot, but have steered clear of using only public keys everywhere, as sometimes I'm away from the office, without anything technical (which the private key could be stored upon). At least in such cases, if I need to connect (e.g. from a public PC) I can. Although I really dislike using public [windows] PCs as I'm sure they're all riddled with key loggers - clearly I need to investigate OPIE as well...
There are three servers I could move over to being password-less, and this would probably be a good idea. (You have at least made me think about doing so a bit more, so thanks!).
lol are u fucken idiots lol
lol are u fucken idiots lol moving to another port wont help u most hackers have about 4 or 5 linux/unix/mac and 1 windows machine lol they use lots of port scanners to see whats on each port for one lol not only that they can watch traffic to and from ur network via shareware (free programs)(lol)off 32bit.com god u all think u know something lol idiots lol
lol lol!
In my opinion there is quite a difference between random scanning of a network and a targeted attack on an individual machine. Therefore, moving sshd to listen on a different port will almost certainly stop the random scanning attacks. Obviously running a port scanner against a machine would discover an sshd daemon, if there is no firewall filtering traffic from the source IP address.
Your post indicates you know less about networking than I! Congratulations.
Enjoy your shareware; I'll stick with Open Source :)
My 2 cents
To the child that thinks it is funny to use "lol" continually, you are actually wrong. By moving it to another port, especially one that is used by other encrypted traffic, i.e. 443, you do cut down on the number of brute force attacks. I know this as I set honeypots up to watch these things.
However, as long as you are not using weak passwords then the kind of people who just find port 23 and do a brute force attack are often not worth worrying about.
It's the people that find 443 being open and then doing something meaningful once they know that it's SSH on a different port you have to worry about.
I personally would never have an internet facing SSH machine with passwords enabled, as if someone really has got it in for you they can and will break in eventually.
Your best bet is to always use a stable Linux/Unix release, only have the services running that are needed, only the ports open on the firewall you truly need, and always use minimum 1024 bit public key encryption, strong passwords, and keep the patches up to date.
I maintain a Windows only network for a client and use RDP to manage the computers. I do not feel safe leaving this port open on the internet, so I use a very stable Linux distro to have a public key only SSH box as the only public facing port on the whole network. I then use port forwarding to use RDP to the internal machine; call me suspicious, but I don't trust Windows public facing. Oh, and of course I have it on a non standard port.
Unless someone is onto me and trying to sniff my private key over the insecure part of the network (Internet), no one will ever break into this. Unless complex passwords mixed with open source 1024 bit keys suddenly become script kiddy stuff.
My 2 Cents
Matt
A quick tip about not having the public key.
I am the "2 cents" poster from before, and one thing I do is forward my private key to a web mail account so that I can download it from anywhere. I believe this may be a bad thing if the CIA/FBI are after me, as they would easily get it, but 99.99% of attackers don't know me and just want to break my system, so I should be fairly safe.
Also, if you have an internet connection, PuTTY (Windows) doesn't require installing, so it should run from even internet cafes (untested), and most Linux distros have SSH installed, so boom, you have lift off.
Also, when I said I used port forwarding from Linux, to be more accurate, I actually use port forwarding to get to the SSH box and then tunnelling to get to RDP; I just didn't bother writing that :-)
All the best and remember to turn off password authentication ASAP :-)
Regards
Matt
keylogging...
If I did store my private key(s) on a remote server (whether a mail server or otherwise), I would still be vulnerable to keylogging software on dodgy Windows PCs.
Keyloggers
I suppose, but that will be the same for if you just use a normal username/password.
If you look before crossing the road, you might still get hit by a car, but that doesn't mean there's no point looking.
Like everything, it's best to take as many reasonable measures as possible, and apart from convenience there aren't many reasons for not using keys.
A strong password will keep out most dictionary and brute force attacks, but it's nice to know they can't even start them without a valid key.
If you really have ultra secure stuff, I guess using public or other peoples computers is a big no no anyway.
Regards
Matt