Re: OT: password crackers



There was actually an article about this in the last year.
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
This isn't actually "password cracking". These are automated scripts
that sniff around for machines running ssh then go through a
dictionary of usernames and passwords.

It's extremely common, and the threat level is fairly low. I
generally see a few thousand attempts per month. If you've got strong
passwords, i.e., 9+ characters, uppercase, lowercase, number, special
characters, it's not that much to worry about.

A couple of suggestions:
Are you behind a NAT router? If not, you should be, if this is a home network.
If you are behind a NAT, do you need to ssh in from outside your
network? If not, then don't forward the ssh port (22) internally.
If you do need to shell in from outside, then use an alternate
port. You can do this one of two ways. If your NAT supports port
redirection, then redirect an alternate port (say 2020) to port 22 of
your ssh server. Or you can configure your ssh server to listen on an
alternate port. See /etc/sshd_config. Then just connect using the -p
option to specify the port.

You could also configure your ssh server to not accept password
authentication and to only use ssh keys.

If you get your IP address from your ISP via DHCP, you could refresh
your lease every so often. Many ISPs give a different IP address each
time you connect. So power cycle the router or re-initiate your PPPoE
(if you're on DSL).

Just a few suggestions.

On 2/8/06, Toby Kelsey <toby_kelsey@xxxxxxxxxxxx> wrote:
(Off-topic as it's not Ubuntu-specific, but is relevant to Ubuntu users)
I've just realised there are current password cracking attempts against my home box (breezy).

On Feb 4th at 16:53 I installed openssh-server.
By 10:09 on the 5th I was receiving password-guessing attempts, which produce messages in auth.log like:

Feb 5 10:13:29 localhost sshd[23468]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250 user=root
Feb 5 10:13:30 localhost sshd[23468]: Failed password for root from 202.82.204.250 port 1566 ssh2
Feb 5 10:13:33 localhost sshd[23470]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250 user=root
Feb 5 10:13:35 localhost sshd[23470]: Failed password for root from 202.82.204.250 port 1656 ssh2
Feb 5 10:14:22 localhost sshd[23496]: Invalid user test from 202.82.204.250
Feb 5 10:14:32 localhost sshd[23500]: Invalid user admin from 202.82.204.250

Feb 8 06:01:55 localhost sshd[7280]: Failed password for root from 62.113.122.149 port 62900 ssh2
Feb 8 06:01:56 localhost sshd[7283]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.113.122.149 user=root

Some of the attempts are with alphabetically ordered usernames from a list,
others repeatedly try root.

The IPs and number of attempts up till now are:

I'm worried an attempt might succeed on an automatically generated username.
The users with valid shells in /etc/passwd are:
root daemon bin sys sync games man lp mail news uucp proxy www-data
backup list irc gnats nobody toby zac fetchmail guest backuppc

I have locked the passwords for guest, zac, backuppc and fetchmail.
The passwords I have set myself (toby, root) are good.

Are any of the other usernames likely to have default or guessable passwords?

Many of the usernames seem unnecessary and may be the result of previous trial
package installations. Which ones are needed, and can I track which packages
are responsible for which ones? When packages are uninstalled, is the password
for the relevant account locked?

Is this rate of attack fairly typical?

Is it worth trying to take action against the hosts involved?

Can I easily block specific hosts, or prevent repeated attempts from the same host?

I could just uninstall openssh-server, as I do not need it currently.

Toby

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users



--
If you reply to a message I posted to a mailing list,
and you want me to see your reply, be sure to put my
address in the 'To:', or I might not see the message.
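Two of the questions in the thread, how many attempts each source host made (the per-host tally Toby compiled by hand) and which local accounts a password guesser could actually reach, worked through as an added Python example that is not from either poster. The log lines are the ones quoted above plus one constructed "Failed password for invalid user" line in the same format; the /etc/passwd and /etc/shadow excerpts are constructed to resemble the account list in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the auth.log lines quoted in the post plus one follow-up
# "Failed password for invalid user" line in the same sshd format (not from the page).
AUTH_LOG = """\
Feb 5 10:13:29 localhost sshd[23468]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250 user=root
Feb 5 10:13:30 localhost sshd[23468]: Failed password for root from 202.82.204.250 port 1566 ssh2
Feb 5 10:13:35 localhost sshd[23470]: Failed password for root from 202.82.204.250 port 1656 ssh2
Feb 5 10:14:22 localhost sshd[23496]: Invalid user test from 202.82.204.250
Feb 5 10:14:24 localhost sshd[23496]: Failed password for invalid user test from 202.82.204.250 port 1700 ssh2
Feb 8 06:01:55 localhost sshd[7280]: Failed password for root from 62.113.122.149 port 62900 ssh2
"""
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID = re.compile(r"Invalid user (\S+) from (\S+)$")

def summarise_attempts(log_text):
    """Map each source host to its failure count and the usernames it tried.
    Only 'Failed password' lines are counted: the pam_unix and 'Invalid user'
    lines describe the same attempt and would double-count it."""
    failures, users = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line) or INVALID.search(line)
        if m:
            users[m.group(2)].add(m.group(1))
            if m.re is FAILED:
                failures[m.group(2)] += 1
    return failures, users

def hosts_over(failures, limit):
    """Sources with more than `limit` failures, i.e. candidates for a host block."""
    return sorted(h for h, n in failures.items() if n > limit)

# Constructed /etc/passwd and /etc/shadow excerpts modelled on the post's account list;
# a '!' or '*' in front of the shadow hash means the password is locked or unusable.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n" "www-data:x:33:33::/var/www:/bin/sh\n"
          "toby:x:1000:1000::/home/toby:/bin/bash\n" "guest:x:1002:1002::/home/guest:/bin/bash\n"
          "backuppc:x:1003:1003::/var/lib/backuppc:/bin/false\n")
SHADOW = ("root:$1$ab$h1:13000:0:99999:7:::\n" "www-data:*:13000:0:99999:7:::\n"
          "toby:$1$cd$h2:13000:0:99999:7:::\n" "guest:!$1$ef$h3:13000:0:99999:7:::\n"
          "backuppc:$1$gh$h4:13000:0:99999:7:::\n")

def password_reachable(passwd_text, shadow_text):
    """Accounts a password guesser could log into: unlocked hash AND a real login shell."""
    unlocked = set()
    for entry in shadow_text.splitlines():
        name, pw_hash = entry.split(":")[:2]
        if pw_hash and pw_hash[0] not in "!*":
            unlocked.add(name)
    no_login = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
    return sorted(f[0] for f in (e.split(":") for e in passwd_text.splitlines())
                  if f[0] in unlocked and f[6] not in no_login)
```

On a real system, feed `summarise_attempts` the contents of /var/log/auth.log and `password_reachable` the contents of /etc/passwd and /etc/shadow (the latter needs root to read); the second list is the set of accounts that actually need a strong password or a locked hash.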
