[Triumf-linux-managers] Distributed Linux SSH dictionary attack

Andrew Daviel advax at triumf.ca
Thu Apr 16 16:11:44 PDT 2009



FYI

We are seeing a distributed-source SSH dictionary attack on multiple machines. 
The sources appear to be running Linux according to P0F. This blows past our 
"15 strikes sitewide and you are out" filter.

At this point I am not sure what the risk is. Unlike the normal 
dictionary attacks, which target root, this is trying hundreds of names.
The attacking machines appear to be Linux. I am not sure if they have 
been compromised by this attack itself (guessing passwords), or by some 
other method.

The paranoid might wish to block SSH from offsite.

#!/bin/sh
# Always accept TCP from the site syslog host (inserted at the top of INPUT).
iptables -I INPUT -p tcp -s syslog.triumf.ca -j ACCEPT
# Allow SSH from the TRIUMF address range and from one trusted offsite host.
iptables -A INPUT -p tcp -s 142.9.0.0/16 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s your-trusted-host --dport 22 -j ACCEPT
# Reject SSH from everywhere else.
iptables -A INPUT -p tcp --dport 22  -j REJECT

seems to work.

Or set "PasswordAuthentication no" in /etc/ssh/sshd_config and restart 
sshd. Which would lock everyone out unless they use a key.


e.g. /var/log/secure

Apr 16 15:24:27 xxxx sshd[25699]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 67.159.44.179
Apr 16 15:26:05 xxxx sshd[25706]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 77.92.129.178
Apr 16 15:27:38 xxxx sshd[25716]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 85.17.201.76
Apr 16 15:29:04 xxxx sshd[25726]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 061239249180.ctinets.com
Apr 16 15:30:35 xxxx sshd[25752]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 220.232.240.148
Apr 16 15:32:19 xxxx sshd[25757]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 184.197.221.203-static.velocitynet.com.au
etc.


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
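The pattern Andrew describes (one username tried in turn from many different source hosts, each host contributing only one or two failures) is exactly what a per-source "15 strikes" filter cannot see. The script below is an added example, not part of the original post or of any TRIUMF tooling: it parses the `/var/log/secure` lines quoted above (plus one constructed `Invalid user` line with the documentation address 192.0.2.10, so the plain OpenSSH log format is covered too), groups failures by username rather than by source, and reports usernames probed from several distinct sources while no single source ever reached the per-source threshold. The threshold value 15 comes from the post; the `min_sources` cutoff is an assumption to tune for your site.

```python
import re
from collections import defaultdict

# Constructed sample: the six PAM lines quoted in the post, plus one
# constructed line in OpenSSH's own "Invalid user" format (192.0.2.10 is a
# documentation address, not a real attacker).
SAMPLE_LOG = """\
Apr 16 15:24:27 xxxx sshd[25699]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 67.159.44.179
Apr 16 15:26:05 xxxx sshd[25706]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 77.92.129.178
Apr 16 15:27:38 xxxx sshd[25716]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 85.17.201.76
Apr 16 15:29:04 xxxx sshd[25726]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 061239249180.ctinets.com
Apr 16 15:30:35 xxxx sshd[25752]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 220.232.240.148
Apr 16 15:32:19 xxxx sshd[25757]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 184.197.221.203-static.velocitynet.com.au
Apr 16 15:33:01 xxxx sshd[25761]: Invalid user blodwyn from 192.0.2.10
"""

# Matches both the PAM wording ("for illegal user X from Y") and the plain
# sshd wording ("Invalid user X from Y"); the source may be an IP or a name.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: .*?(?:illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(text):
    """Yield (username, source) pairs for every unknown-user failure."""
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            yield m.group("user"), m.group("src")


def summarize(text):
    """Return ({user: set(sources)}, {source: failure count})."""
    sources_by_user = defaultdict(set)
    hits_by_source = defaultdict(int)
    for user, src in parse_failures(text):
        sources_by_user[user].add(src)
        hits_by_source[src] += 1
    return sources_by_user, hits_by_source


def flag_distributed(text, per_source_threshold=15, min_sources=3):
    """Usernames probed from at least min_sources distinct hosts, and whether
    the activity stayed under the per-source ban threshold (i.e. would have
    slipped past a "15 strikes per source" filter)."""
    sources_by_user, hits_by_source = summarize(text)
    busiest_source = max(hits_by_source.values(), default=0)
    suspicious = sorted(
        user for user, srcs in sources_by_user.items() if len(srcs) >= min_sources
    )
    evades_per_source_filter = busiest_source < per_source_threshold
    return suspicious, evades_per_source_filter


if __name__ == "__main__":
    users, evades = flag_distributed(SAMPLE_LOG)
    sources_by_user, _ = summarize(SAMPLE_LOG)
    for user in users:
        print(f"{user}: {len(sources_by_user[user])} distinct sources")
    print("under per-source threshold:", evades)
```

Run it against a real `/var/log/secure` by reading the file into `flag_distributed` instead of `SAMPLE_LOG`; a username that turns up from many sources while every source stays under your ban threshold is the signal that a per-IP filter alone will miss, and is the case where switching to key-only authentication or restricting port 22 by source, as suggested above, pays off.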
