Slashdot Mirror


The "Hail Mary Cloud" Is Growing

badger.foo writes "The Australian rickrolling of jailbroken iPhones only goes to prove that bad passwords are bad for you, Peter Hansteen points out, as he reports on the further exploits of the password-guessing Hail Mary Cloud (which we've discussed in the past). The article contains log data that could indicate that the cloud of distributed, password-guessing hosts is growing. 'With 1767 hosts in the current sample it is likely that we have a cloud of at least several thousand, and most likely no single guessing host in the cloud ever gets around to contacting every host in the target list. The busier your SSH daemon is with normal traffic, the harder it will be to detect the footprint of Hail Mary activity, and likely a lot of this goes undetected.'"

5 of 102 comments

  1. Re:Put in denyhosts... by Anonymous Coward · Score: 5, Informative

    Denyhosts will *not* protect you from Hail Mary. Read the article... this particular botnet may send you only a single login from a single IP, but the cloud as a whole will send you hundreds of attempts.
    The correct solution is to disable password login, and use pubkey auth instead.
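
The comment above makes the point that a per-source counter cannot see a cloud whose members each send one guess. The script below is an added example (not code from the page, from Peter Hansteen's article, or from DenyHosts) that runs both checks side by side over a constructed sshd log sample: a DenyHosts-style per-IP threshold, and an aggregate check that counts distinct sources which stay under that threshold. The log lines, hostnames and addresses (documentation ranges) are constructed; the thresholds and the "usernames arrive in alphabetical order" heuristic are assumptions chosen for illustration, not figures from the article.

```python
"""Spotting distributed SSH password guessing in sshd logs.

A per-source counter (what DenyHosts does) catches one noisy guesser.
A cloud whose members each send a guess or two stays under any per-IP
threshold, so the second check aggregates across sources instead.
"""
import re
from collections import Counter

# Constructed sample in OpenSSH syslog format (documentation addresses,
# not observed traffic).  Lines are assumed to be in time order.
SAMPLE_LOG = """\
Nov 21 03:14:07 gw sshd[2101]: Failed password for invalid user aaron from 203.0.113.17 port 51234 ssh2
Nov 21 03:14:09 gw sshd[2104]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Nov 21 03:19:41 gw sshd[2130]: Failed password for invalid user abby from 203.0.113.58 port 4022 ssh2
Nov 21 03:22:03 gw sshd[2133]: Failed password for root from 198.51.100.77 port 40110 ssh2
Nov 21 03:22:05 gw sshd[2133]: Failed password for root from 198.51.100.77 port 40110 ssh2
Nov 21 03:22:08 gw sshd[2133]: Failed password for root from 198.51.100.77 port 40110 ssh2
Nov 21 03:22:11 gw sshd[2135]: Failed password for root from 198.51.100.77 port 40112 ssh2
Nov 21 03:22:14 gw sshd[2135]: Failed password for root from 198.51.100.77 port 40112 ssh2
Nov 21 03:22:17 gw sshd[2135]: Failed password for root from 198.51.100.77 port 40112 ssh2
Nov 21 03:25:12 gw sshd[2140]: Failed password for invalid user adam from 203.0.113.91 port 33012 ssh2
Nov 21 03:31:55 gw sshd[2152]: Failed password for invalid user adrian from 203.0.113.6 port 60233 ssh2
Nov 21 03:38:20 gw sshd[2161]: Failed password for invalid user alan from 203.0.113.130 port 2201 ssh2
Nov 21 03:44:09 gw sshd[2170]: Failed password for invalid user albert from 203.0.113.201 port 45120 ssh2
Nov 21 03:49:33 gw sshd[2177]: Failed password for invalid user alex from 203.0.113.44 port 38771 ssh2
Nov 21 03:55:02 gw sshd[2184]: Failed password for invalid user alfred from 203.0.113.163 port 51902 ssh2
Nov 21 04:01:47 gw sshd[2190]: Failed password for alice from 203.0.113.77 port 41555 ssh2
Nov 21 04:02:30 gw sshd[2192]: Accepted publickey for bob from 192.0.2.11 port 50031 ssh2
Nov 21 04:08:15 gw sshd[2199]: Failed password for invalid user allan from 203.0.113.212 port 29881 ssh2
Nov 21 04:14:58 gw sshd[2205]: Failed password for invalid user amanda from 203.0.113.99 port 55012 ssh2
Nov 21 04:21:36 gw sshd[2213]: Failed password for invalid user amy from 203.0.113.150 port 36640 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user NAME from ...".
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return (user, ip) for every failed password line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def per_ip_offenders(events, threshold=5):
    """DenyHosts-style check: sources with at least `threshold` failures."""
    counts = Counter(ip for _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_campaign(events, threshold=5, min_sources=10, max_per_source=2):
    """Aggregate check for a guessing cloud (thresholds are assumptions).

    Only sources that stay *below* the per-IP threshold are considered,
    because those are exactly the ones a per-IP blocker never sees.  The
    campaign is flagged when many such sources appear and none of them
    sends more than a couple of guesses.  The alphabetical fraction is
    a side signal: consecutive usernames arriving in sorted order hints
    that one shared wordlist is being walked across many hosts.
    """
    per_ip = Counter(ip for _, ip in events)
    quiet = [(u, ip) for u, ip in events if per_ip[ip] < threshold]
    sources = {ip for _, ip in quiet}
    busiest = max((per_ip[ip] for ip in sources), default=0)
    users = [u for u, _ in quiet]
    pairs = list(zip(users, users[1:]))
    ordered = sum(1 for a, b in pairs if a <= b) / len(pairs) if pairs else 0.0
    return {
        "attempts": len(quiet),
        "sources": len(sources),
        "max_per_source": busiest,
        "alphabetical_fraction": round(ordered, 2),
        "flagged": len(sources) >= min_sources and busiest <= max_per_source,
    }


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("per-IP offenders:", sorted(per_ip_offenders(evts)))
    print("distributed:", distributed_campaign(evts))
```

On the sample, the per-IP check reports only the single loud guesser at 198.51.100.77, while the twelve one-shot sources walking through aaron, abby, adam, ... are invisible to it and are caught only by the aggregate check. On a real host, feed it the sshd lines from the authentication log and tune `min_sources` to the normal volume of failed logins the server sees.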

  2. Re:Put in denyhosts... by MrMr · Score: 4, Informative

    Put the trusted host in hosts.allow, and it won't be locked out accidentally.
    Or fix your filesystem clients.

  3. Re:Put in denyhosts... by jimicus · Score: 5, Informative

    Very true, but it'll only keep out an absolute moron. Anyone with half a brain will use a distributed mechanism, which means DenyHosts will only see failed password attempts from a given host a few times.

    There's plenty more to do:

    - Don't allow root logins via SSH, or limit them to key-based logins (trivially easy in /etc/ssh/sshd.conf)
    - Disable shell accounts unless they're really needed. rssh is useful here - limit what a user with SSH login authority can do.
    - Lock down other services. What good does DenyHosts do you if SSH and a separate app which can't be locked with DenyHosts both use the same password mechanism?
    - Lock accounts which have more than N failed logins. (Though if you've centralised logins such as in the above example, it'd probably be better to do this from whatever system deals with the authentication, e.g. LDAP).
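
The first two items in the list above are sshd settings (OpenSSH reads them from /etc/ssh/sshd_config). The example below is added here and is not code from the page or from OpenSSH: it puts a weak configuration beside a hardened one and audits the global section the way sshd resolves it. Two details matter in practice and are checked: sshd keeps the first value it sees for a keyword, so a later "PasswordAuthentication no" does not override an earlier "yes", and unset keywords fall back to defaults that still permit password login. Both config texts are constructed; the default values listed are OpenSSH's for release 7.0 and later; ignoring Match blocks and treating MaxAuthTries above 3 as a finding are assumptions made for the example.

```python
"""Audit the global section of an sshd_config against the hardening list above.

sshd keeps the FIRST value it sees for a keyword, and unset keywords fall
back to defaults; both are modelled here so the audit reports what sshd
will actually do rather than what the last line of the file says.
"""
import re

# OpenSSH defaults for the keywords checked here (release 7.0 or later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Constructed configs, not copied from any real host.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# Too late: the first PasswordAuthentication line above already won.
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowGroups sshusers
"""


def effective_settings(config_text):
    """Keyword -> value as sshd resolves the global section.

    Keywords are case-insensitive; "Key value" and "Key=value" are both
    accepted; the first occurrence of a keyword wins.  Parsing stops at
    the first Match block (assumption: per-user overrides are out of scope).
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # first value wins, as in sshd
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    seen = effective_settings(config_text)
    s = {**DEFAULTS, **seen}
    # Older releases spell the keyboard-interactive switch differently;
    # honour it when the newer keyword is absent.
    if "kbdinteractiveauthentication" not in seen and "challengeresponseauthentication" in seen:
        s["kbdinteractiveauthentication"] = seen["challengeresponseauthentication"]
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is exposed to password guessing")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled: switch to public keys")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is enabled: keyboard-interactive (e.g. PAM) passwords are still accepted")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled: keys cannot replace passwords")
    if int(s["maxauthtries"]) > 3:
        findings.append("MaxAuthTries above 3: many guesses per connection")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account is a login target")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; to see the values sshd itself resolved, including Match blocks and compiled-in defaults, compare with the output of `sshd -T` as root.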

  4. Re:Put in denyhosts... by Predius · Score: 5, Informative

    The nice thing about denyhosts is you can participate in the global shared DB, so one failed login on your machine, one on mine, etc.: we all report the same IP, it gets flagged in the global DB, and we all block it. Machines that IP hasn't hit now won't allow login attempts from it.

  5. Re:Put in denyhosts... by jofer · Score: 4, Informative

    Denyhosts isn't security through obscurity in any way.

    It just monitors /var/log/messages (or wherever your sshd is configured to log to) and blocks ip addresses with multiple failed logins.

    I think you're thinking of port knocking, which is security through obscurity, though it's still damned useful.