Slashdot Mirror
The Low-Intensity, Brute-Force Zombies Are Back
Peter N. M. Hansteen writes "In real life, zombies feed off both weak minds and the weak passwords they choose. When the distributed brute-force attempts stopped abruptly after a couple of months of futile pounding on ssh servers, most of us thought they had seen sense and given up. Now, it seems that they have not; they are back. 'This can only mean that there were enough successful attempts at guessing people's weak passwords in the last round that our unknown perpetrators found it worthwhile to start another round. For all I know they may have been at it all along, probing other parts of the Internet ...' The article has some analysis and links to fresh log data."
Anyone with passwords turned on is not secure IMHO
Been there, done that, paid for the T-shirt
and didn't get it
The odds of them getting into a system like this must be quite low, but I guess they're after the low-hanging fruit. Running your services on a high port rather than the default reduces this, as does disabling password login and using 2-factor authentication. Quite easy to do, and very, very secure.
Is "weakpassword" a weak password? I better change up my server double quick.
...unless they are only attacking from my existing list of blocked IP addresses.
http://michaelsmith.id.au
Sorry, should have posted this with the original. Instructions for Linux 2 factor authentication
...you mean zombie PROGRAMS. Damn.
[puts shotgun down]
Use SSH keys in addition to passwords. Disable ssh root logins. Use the AllowUsers command in sshd_config to restrict what accounts can log in with ssh. Edit /etc/hosts.deny and add IP ranges for where you are unlikely to login from. Use iptables rules to block people who are hammering your ssh server from the same address. Use tools like Fail2ban and DenyHosts to block other abusers and share abuser information with other victims.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Roll out SPA / Port knocking, their IP shouldn't be touching your sensitive ports without a rule, table, or chain specifically allowing access. FORGET THE PASSWORD!
Use a script like denyhosts, and I'm sure there are a ton of others out there that are just as good if not better. Unless your password is weak enough to be guessed in five attempts and the attacker isn't already in the denyhosts list, you shouldn't have to worry about too much. And, most importantly, just peruse your auth logs every now and then, it's not really that big of a chore.
For those already familiar with Peter Hansteen's website, I'll offer a Thumbs Up recommendation for his Book of PF.
There's already been several stories on Slashdot either submitted by or about him, and I don't recall any mention of his book. I'd say his efforts if not his humility deserve some kind of reward, and the reduced sale price of $19.77 is a bargain.
I've used a script to block servers that failed a certain number of attempts along with AllowUsers. That worked well for a couple of years, but was annoying in that you could see the attempts being made and knowing that if you made a config error you could be vulnerable. It seems to me that even after I got several hundred systems in my block list it wasn't making a difference since the pool of zombies was so large.
Now I just use key only access and AuthUsers and feel a lot more secure. I'm thinking I may add a white list of IP addresses as well. That would really lock things down pretty well.
... then there's no need to bruteforce it, and therefore blocking a botnet doing that is futile.
It's security theater.
There are good reason for allowing (private key only) root login, allong with autorized_keys command= directives.
Furthermore password+ssh keys is rather pointless.
This has been going on for years. Really. I've been seeing this crap in my logs since we started running an Internet-facing SSH host nearly ten years ago. It's always the same password based login attempts with the same dictionary/script used in the attacks. This is probably just some training exercise for Chinese hackers at some state-run school to see who can break into the running-dog Yankee Imperialist's computers the fastest.
Sig this!
I've now changed my password from Thomas to ThomasX, where X is a digit that I'm not telling.
Does having a witty signature really indicate normality?
Just checked my auth logs and I'm seeing hundreds of various IPs, some of which are connecting up to 20 times. Definitely a new twist. I'll have to do some poking around to see what kind of machines are doing the probing. ( Is it compromised windows boxes?)
SSH login attempts from hundreds of different IP addresses. Could not get my IT department to block the port at the firewall. It's an old Mac OSX server - thus, why the POS locked up within minutes of the attack starting. Come to think of it, I haven't used SSH for ages. I always ARD into it to administer. CLICK. No more SSH.
At least it made me review my server security. I was way too lax, knowing how little value the data, or even the server itself, has. But the attack itself still annoyed me, so I tightened that bitch up real good (well, as good as you can tighten up an old Mac server).
They were right - the revolution did not get televised. It was posted on YouTube instead. All in 120 characters. SLOOSH!
Be proactive on port 22 as well. At the advice of another comment I saw on /. a year or so ago I'm running a honeypot, with three static ports (one of them 22) and 4 roving ports. Establishing a TCP connection to any of them causes your IP to be instantly added to an iptables blacklist. It's worked pretty well; I've got about 2-3 unique addresses trying per day, and about 294 have been blocked since mid-December 2008. It takes care of both port scanners and bots deliberately connecting in order to try and get root on my server.
Of course, the only way to get root on the server anyway is through a Yubikey OTP or the 64-character randomly generated password I have on an encrypted partition somewhere in case my Yubikey is ever fried/stolen/lost.
Always these stories about zombies dossing this or bruteforcing that, but never a hint as to where these zombies came from, who they are, etc. You'd think that if you can see them in your logs that easily, it should be possible for their isps to see them as well, or else someone could inform them. Why aren't isps sending zombie customers a letter a la "please clean your machine, or we'll shut down your connection". Is it just that they can't reap profits from the customer anymore? In that case, why don't we just blacklist all isps who refuse to terminate zombies?
While it's true there are a variety of techniques that can increase security, I've found simply moving to a new high-numbered port eliminates all random login attempts. Yes, security through obscurity is all it's cracked up to be, but for now, I've eliminated the problem with a pretty quick fix.
I simply use the tarpit xtables module from http://xtables-addons.sourceforge.net/. It holds the connection open consuming resources per x connection initiated by the zombified machine.
In this particular attack after 'root' and 'admin' has been tried, the zombies try 'james' which is the most common first name in the united-states, then they run an alphabetical list of only first names. (as per the article)
Sample:
http://www.bsdly.net/~peter/slowbrutes.all.txt
These zombies are seeking out accounts that are the most likely to have high up privileges.
Since people tend to prefer usernames that reflect their own in some way, and are easy to remember, your first name is probably your most preferred.
And following that, the only chance you really get at using your first name is probably on one that you own.
If you own it, you're most likely to have privileges that exceed other users on your system.
There sure are a lot of people who didn't bother to read the article.
The point of these attacks are that it's a coordinated botnet attack. Meaning if you block any single IP, or even a large subnet, you've cost the attacker nothing. Fail2ban, denyhosts, all of these won't even slow these attacks down.
Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
last post!
Do you even lift?
These aren't the 'roids you're looking for.
Think of cutting the space into several (2) pieces. Round one we attact piece 1, round 2 we can skip piece 1 and attack piece 2 and round 3 we can skip 1 and 2 and attack only 3.
It is good to check what they are attacking before we urge everyone to choose a hard password.
An easy method to out-smart them that has been mentioned before is to simply change the SSH port.
Once again, we have a built in linux goody which helps us out;
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m recent --set --name sshattack --rsource
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m recent --rcheck --seconds 300 --hitcount 3 --name sshattack --rsource -j LOG --log-prefix "SSH Drop: "
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m recent --rcheck --seconds 300 --hitcount 3 --name sshattack --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
The above allows three connections in a 5 minute period to port 22. After that it rejects any further connection attempts until the 5 minute timer is up.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Likewise - I use fail2ban with iptables to drop any packets from someone who fails auth about 5 times in a few minutes. I've toyed with the idea of adding them to a global blacklist for all servers in all locations, but in reality this solution works just fine.
If you RTFA, they tell you that these attacks are coming from different machines, presumably so they don't trip such things as fail2ban et al.
Looking at the logs he supplied, this is a _very_ slow attack, the attempts are many seconds, or even minutes apart. You would have to have a very guessable username / password combination for it to work.
I would comment though that I'm not seeing anything like this attack in my logs. I personally use IPTables rules (using hashlimits) to limit 1 connection / IP per minute to my ssh ports. Typically, I see about 3-6 attempts per day (each only gets 1 or 2 tries before they get blocked). Doing an optical integration of my recent logs shows less than a dozen per day and they are not concentrating on any particular username (with the exception of root).
Prior to using hashlimits, I used to get hundreds or even thousands of attempts per day. My record was over 6,000 attempts from a single host. One guy at work has reported over 30,000 attempts in a single day.
I personally don't like the concept of fail2ban as it is permanently adding an IP address to your banned list. As most of these IPs are dynamic, keeping them in your banned list isn't really serving any useful purpose. I personally prefer a system that temporarily bans an IP.
Ever stop to think
And here I thought this would be about zombies trying to scratch through my door or eat my cats- you know, in a really laid back, maybe give up and come back later kinda way. what a let down.
I get about 5 of these a day, on a relatively small site. I wrote a small shell script out of sheer boredom that parses hosts.deny and gives me country and hostname info. Here's the output from the past week or so. It seems to confirm that most of these are from public isps overseas.
117.21.249.75 CN, China
121.166.163.142 KR, Korea, Republic of
122.128.36.3 KR, Korea, Republic of
189.19.245.182 BR, Brazil 189-19-245-182.dsl.telesp.net.br.
200.111.157.187 CL, Chile
201.6.124.155 BR, Brazil c9067c9b.static.spo.virtua.com.br.
202.229.120.74 JP, Japan
203.125.51.23 SG, Singapore
207.5.149.188 US, United States 149-188.suscom-maine.net.
211.87.224.190 CN, China
211.99.203.168 CN, China
216.164.162.155 US, United States 216-164-162-155.pa.subnet.cable.rcn.com.
217.219.67.86 IR, Iran, Islamic Republic of
218.241.177.241 CN, China
219.121.10.35 JP, Japan m010035.ppp.asahi-net.or.jp.
221.3.131.110 CN, China
61.184.136.164 CN, China
61.191.53.99 CN, China 99.53.191.61.broad.static.hf.ah.cndata.com.
77.79.88.247 TR, Turkey reverse-77-79-88-247.grid.com.tr.
80.179.149.122 IL, Israel 122.sharatim.co.il.
82.165.27.220 DE, Germany p15173261.pureserver.info.
83.19.20.66 PL, Poland byq66.internetdsl.tpnet.pl.
84.53.78.183 NL, Netherlands 84-53-78-183.wxdsl.nl.
87.197.110.47 SK, Slovakia static-dsl-47.87-197-110.telecom.sk.
99.53.191.61 --, N/A adsl-99-53-191-61.dsl.mtry01.sbcglobal.net.
200.219.194.74 BR, Brazil static.200.219.194.74.datacenter1.com.br.
202.190.177.144 MY, Malaysia
164.77.195.60 CL, Chile
89.119.5.106 IT, Italy 89-119-5-106-static.albacom.net.
221.154.206.233 KR, Korea, Republic of
218.208.91.111 MY, Malaysia
65.120.74.22 US, United States
210.185.64.195 AU, Australia 210-185-64-195.intrapower.net.au.
202.168.58.111 AU, Australia 111.58.168.202.static.comindico.com.au.
85.25.71.36 DE, Germany loft1551.serverloft.de.
193.136.39.26 PT, Portugal genid.dcc.fc.up.pt.
150.146.40.173 IT, Italy mspasiano.cedrc.cnr.it.
221.194.128.66 CN, China
82.135.192.72 LT, Lithuania 82-135-192-72.static.zebra.lt.
80.10.250.17 FR, France
207.28.220.1 US, United States voyager.iavalley.cc.ia.us.
164.77.208.198 CL, Chile
38.107.141.131 US, United States host-38-107-141-131.mtl.net.vexxhost.com.
222.218.156.41 CN, China
I had to re-install one of those low hanging fruit which was taken over via a dictionary attack about four years ago. /etc (system configuration files) and who knows where else so that any user on the system could change them (this guy loves "chmod 777" - lets anybody do anything to the file). Then a user changed their complicated initial password to "coffee", which required the same guy to help since the system rejected such simple passwords. To make things worse the username with that password is a very common girls name. The next step, which is where I failed, was the guy looking after the machine (who should have done nothing other than add new users and edit the very simple plain HTML web pages) asked for ssh access so he could work from home, but he didn't know what the IP address would be. I gave him a hole in the firewall to get to what used to be a fairly secure box, and a few days noticed the thing appeared to be scanning ports all over the place on a Friday afternoon, and it did a few other odd things (ps and grep had been obviously altered) which meant pulling the plug. From looking at the disk afterwards it looked like somebody got in via dictionary attack and once they were in the permissions were such that they could do just about anything they wanted and the thing was rooted. Maybe they built some lkm thing on there with the compiler or just ran a rootkit, it's hard to tell athough "/etc/init.d/functions" had weird stuff in there to start up all kinds of things. Obviously you never even let something like that even do a clean shutdown - you pull the plug and make sure nobody gets a chance to put the disk in another system without knowing what they are doing (read only, no exec). Luckily it didn't take that long to rebuild the thing (new disk, even different media since an upgrade had come out and this time I set up sudo for the guy using it) but I prefer to do other things on weekends, especially when a school reunion was on that weekend. On Monday the users had to all choose new passwords and the "chmod 777" guy was shown a lot of things starting with how easy it is tell ssh to only let in specific users and how to use "sudo" instead of changing permissions everywhere.
For some reason the guy that was looking after what should have been a simple mail server and incredibly basic web server decided to change things so that everyone with a mailbox had shell access. Then he put a compiler on there. Then, sick of having to "su" all the time he changed the permissions of everything in
To sum up - it only takes a few incredibly stupid actions to add up to low hanging fruit.
I know the way to do this to allow only those specific users that need ssh access (one or two in the above case - and never root on an external facing box), use keys instead of passwords, and only accept connections from the IP addresses that legitimate users will be on. None of those things are difficult. The above example shows what can happen with a far too relaxed approach.
I was having similar brute force attacks.
I've made some alterations to protect my server from brute force SSH attempts.
1) Moved SSH to another random port
2) Bound the SSHD to an IP address that is not used for Web/Mail/FTP, etc.. So the IP should generally see less traffic
3) Disable Password Authentication, Users who are given SSH access must use a password protected key file
4) Disabled Root SSH Login
5) Setup the system that 3 failed logins add the entire IP Subnet(X.X.X.0-X.X.X.255) for 15 minutes, 5 failed attempts 1 week, anything else is a never ending ban. (iptables and hosts.deny, just in case)
Im really impressed by pam_abl. It covers every pam enabled service so smart password guessers which may traverse between protocols will be covered as well. It's configurable as to how to handle guesses from hosts as well as users.
I'm using fail2ban and it configurably allows you to set how long you want to ban, and permanently isn't the default.
You must be thinking of some other tool
Will they be in town all week? Can we still get tickets?
Cthulhu for President! Why settle for the lesser evil?
.. what's your Zombie plan?
Fail2ban is actually configurable and temporary. Personally I've set it up to ban for an hour after 3 failed attempts. In the past this stopped most bots, who would go elsewhere if they were even temporarily banned. It looks like this new one is slow enough (<1 attempt/hr) that my current settings don't detect it. Of course, guessing username+password that way it'll take forever to get in, but it is kind of irksome.
There's no reason to assume this has any significant returns. I'd assume, rather, that the botnet herders occasionally find themselves with nothing better to do, so they just run this stuff in idle cycles. No real logic to it, they just have a botnet that isn't currently useful for anything else. And a .0001% chance of getting something is better than 0%, since it costs them very little if they've already written the requisite brute-force code.
Mine is:
1) No passwords for SSH. At all.
2) SSH keys that require passphrase authentication.
3) SSH on a high port.
That's it! No issues, that I'm aware of...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Is it possible to block/ban morpheusf*ck*ngscanner and the south american one, diavalo iirc, in iptables by examining the first log line for the names of the scanner (the same text that pops up in each log line every hit) or similar phrase, and writing a temporary or permanant logdrop rule for the specific ip so iptables is updated immediately after the first log line/port scanned instead of allowing a couple dozen or more attempts from these scanners/bots? I'd like to do this in iptables instead of denyhosts or fail2ban if possible
Also, when adding a rule to iptables that's already entered in a system that is live, what's the syntax so that the rule is added to the bottom of the ruleset? For example, if I have a long list of ip addresses that have single "logdrop" rules, and I want to add, ie: 10.0.0.8 (let's make believe it's a public ip) to the _bottom_ of the iptable ruleset, what's the syntax? Otherwise adding it to the text file, saving/exiting, then re-running the file as an executable that flushes the rules and then adds in the new ruleset takes time/isn't immediate, especially with large rulesets that take time to load completely on slower systems.
I forgot to install denyhosts when I 'up'graded to F11 on Friday!
Leela: "Is all the work done by children?" Alien: "No, not the whipping."
MOD UP, it's the only way to be sure.
Obviously ssh should be off by default. Many people use a different port for ssh, as long as you understand that that is security trough obscurity, that is fine. It is not a real option if your system is a multi user system. Imagine if each webserver on the internet ran on a random port. Not very nice.
So then you must ask yourself if everybody in the whole world is allowed to run ssh to you or just a few.
You can already use your hosts.allow to block many and allow other IP adresses.
Then you can ask yourself if each user is allowed to connect by ssh or not and use AllowGroups or DenyGroups to give access. (or AllowUsers and DenyUsers)
I can not put my ssh on a different port, as I am sometimes in places where only that port will work. I have ssh also running on port 80 and 443, as sometimes only those work. Next to that I use blockhosts which blocks IPs after 3 attempts and is very easy to use as described here.
So with all this, I have the following possible restrictions and they can be all used or none or in any combination.
1) Access on a different port.
2) Access only from certain IP adresses or ranges
3) Allow access only for certain users
4) Block the IP after a certain amount of failed attempts
2)
Don't fight for your country, if your country does not fight for you.
I personally don't like the concept of fail2ban as it is permanently adding an IP address to your banned list. As most of these IPs are dynamic, keeping them in your banned list isn't really serving any useful purpose. I personally prefer a system that temporarily bans an IP.
fail2ban temporarily bans IPs. It removes them after a configurable time limit.
BRAINS! MORE BRRRAINS! Shotguns, man. we need shotguns. Shoot those infected servers dead fast! They are after your goddamned brains!
it's compromised.
And having to type a password too often is not added security, because it only adds minimal, easily circumvented security in the rare case where you're already fucked, but it annoys the hell out of users *all* the time, causing them to have unsafe practices.
Good luck with that.
Any SSH attempt on my server generates an automatic abuse EMAIL to the offender's server and the upstream provider.
I generally get a 70% reply rate on my email from system admins saying that thanks to the notification they have found and patched the trojan responsible.
If enough of us would run this script then any such future attack would generate enough email notifications to all responsible admins then all ssh bots will be cleansed in a couple of attacks.
Read about and get my script from here: http://panthersoftware.com/articles/view/5
For all I know they may have been at it all along, probing other parts of the Internet
I don't think so, my firewall has many public adresses in distant subnets, and I've seen the exact same patterns as the OP.
So my (informed) guess is that's actually a second run.
Maybe that's redundant, but "james" has tried 7500 times in the last 5 days to login to a machine that neither allows password authentication, nor has a user named "james".
Something is broken on their end.
My ftp on my server got hit with over 45MB of logs of brute force attacks to my ftp server, none however got in, and the logs pointed to dedicated servers being hosted by OnRamp and Leaseweb, in Amsterdam and Ohio.
"IMHO if the passwords are strong enough there is nothing to worry about"
The problem is that most users are not capable of choosing a strong password. Even when you try to enforce policies about minimum password strength, users will manage to choose weak passwords; aside from the world's most common password (password1), there are plenty of people who use their own username as a password -- and requiring non-alphanumeric symbols won't stop them: jane123 will just becomes j@ne123. Minimum password lengths won't do it either, since the users will either write their password down (not an issue for botnets, but certainly an issue for high profile targets) or just come up with something that is easily guessed (abc123abc123).
Public key authentication is better but not by much. The real issue with it is that users do things like not having a passphrase for their private key (which is even more convenient than a weak password) and making copies of that key everywhere that they want to log in from (some might even carry the key around on a thumb drive). Public key authentication will solve the problem of distributed brute force attacks, but it does not really solve the problem of users having their accounts compromised by a determined adversary.
Assuming that your system is high profile enough to be worth the expense, you would really want to use a one-time password device. If the device is stolen, you have a problem, but beyond that there is not much an adversary can do. You can even mitigate the problem by requiring check-ins -- a user must login at a certain time, so if their device was stolen they will be forced to call helpdesk and report the problem.
Of course, it really depends on your security needs. None of the systems I administrate are high profile enough that I am worried about anything other than a distributed brute force attack, so public key authentication is good enough (an attacker who wanted to take over some Linux servers for his nefarious deeds could find an easier target with equal computing power, and the data on the disks is just academic research which will be published anyway).
Palm trees and 8
http://shimmer.sourceforge.net/
Adds another layer of security if you've got SSH running.
Not a member of the General Public
Some years ago, I worked for a partner of a then-enormous national ISP that shall remain unnamed, but its initials are AOL. At one point, I had access to a large list of usernames and passwords of their users. Out of curiosity, I performed a statistical analysis of the data and discovered, to my not very large surprise, that about 20% -- I forget the exact figure -- had passwords that were either "password", "secret", or their username. In other words, if you know one of their usernames, you have a roughly one-in-five chance of being able to compromise their account. (You'll have to take my word for this, since AOL users are a lot harder to come by now than they were five years ago.)
One would hope that people with actual ssh accounts would be smarter, but I frankly doubt it. This being the case, the wise administrator will require strong passwords. Even otherwise smart (i.e., non-AOL) users can be amazingly clueless about basic computer security.
Proud member of the Weirdo-American community.
And forcing users to go through hoops for a negligeable gain in security is worse than nothing.
One thing I don't understand well is the idea that admins must disable root's ability to login remotely via SSH. Could you explain your reasoning? (I'm not being sarcastic, I'm curious...and I don't know any linux admins other than myself with which to discuss the topic)
I can understand it via FTP, but SSH is different. You see, I would imagine that any proper admin has a wicked long password, where most users have a relatively short password, thus introducing a weak point. If a user has a relatively easy username and password combination, an attacker could gain access to a server. Once in, the attacker can spend all day attempting to su as root, bypassing any potential brute force blocking measures via IPTables.
Is it theorized that an attacker would be less likely to guess a proper username? Thus, making any user's password more secure by a few orders of magnitude? Or is it just the fact that you can let someone run literally forever attempting to crack root, but won't be able to?
Personally, I subscribe to the "put ssh on a different port" and have a long password school of thought. 99% of all regular users don't need ssh, so, they won't be inconvenienced by a non-default port, and if they do, it's easy to pre-program their ssh client to save the proper port. Furthermore, I'd say a 20 character password is enough to essentially take "forever" to crack...unless of course, there's some hash collision that will exist with a smaller set of characters...which is not likely, right?
I used to have thousands of FTP brute force attemps daily. I threw in some IPTables rules, cutting off an IP after 6 attempts (stupid IE connects 4 times per actual "human" login attempt! Yes, 3 to try "anonymous" then it prompts the user for u/p combo, and tries that!!!). My bandwidth usage went down, and my logs aren't hideous anymore.
These are my Favorite type zombies... much more fun to take down. the new breads are not nearly as fun.
:)
Too vicious, too fast, communicate with other zombies...
We need more dumb, slow, possibly confused zombies.
This is not so scary: we now have zombies that gnibble instead of naw... But, will they goo "huuh huhhh", or "RAHRRR"?
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
i used to see crackers requesting this kind of help all the time on irc... 'hack' groups go and 'root' servers its for ddos power, irc based filesharing, irc spaming, and email spam. most of the truly good ones can get superuser access from any local account.
my server has the same thing hitting it, but im the only one allowed to access said server so blocking it was easy. using logwatch i notice it start up 4 days after my server was placed online. easy way to counter this attack is to denyhost for 10 failed attempts in the past 11 days. since i have a insane password (random shit) i just started ssh-key'ing in and the slow way would still get blocked and sent to the sync servers
In real life, zombies feed off (...) weak minds... - Are you sure? I always thought they ate brains...