Hi,

Is there a security problem with ssh that I've missed? I keep getting hordes of these:

    Failed password for root from 69.242.5.195 port 39239 ssh2

with all kinds of different source addresses. They have a shot or 15 and then they are off again, but a little later on they're back and keep clogging my logs. Is there an "easy" way of getting these IP numbers added to the blocking list of ipfw?

Thanx,
--WjW
I have the same problem, and they also try the users "test" and "admin", which don't even exist, and it's a lot every day.

Sorry Willem, just sent it to you earlier; not used to gmail that much :)

On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <wjw@withagen.nl> wrote:
> Hi,
>
> Is there a security problem with ssh that I've missed?
> I keep getting hordes of these:
> Failed password for root from 69.242.5.195 port 39239 ssh2
> with all kinds of different source addresses.
>
> They have a shot or 15 and then they are off again, but a little later on
> they're back and keep clogging my logs.
> Is there an "easy" way of getting these IP numbers added to the
> blocking list of ipfw?
>
> Thanx,
> --WjW
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
On 18 Sept. 2004, at 14:18, Willem Jan Withagen wrote:
> Hi,
>
> Is there a security problem with ssh that I've missed?
> I keep getting hordes of these: Failed password for root from
> 69.242.5.195 port 39239 ssh2
> with all kinds of different source addresses.
>
> They have a shot or 15 and then they are off again, but a little later
> on they're back and keep clogging my logs.
> Is there an "easy" way of getting these IP numbers added to the
> blocking list of ipfw?

Not an ssh-related problem; it's just a brute force attack. I'm experiencing this on every server I have, more than 10 times a day. I'm really thinking about releasing the list of attackers' IPs to the public. As far as I know, it's a pack of compromised machines.

patpro
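One way to get from the "Failed password" lines Willem quotes to the per-address counts patpro talks about, and to a reviewable list of ipfw rules, is a small awk pipeline over the auth log. This is an added example, not code from anyone in the thread: the log lines below are constructed in the syslog format the thread quotes, the threshold of 3 failures and rule number 500 are arbitrary choices, and the script only prints the `ipfw add` commands so an administrator can look them over before running them.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd "Failed password" lines
# per source address and emit ipfw deny rules for the worst offenders.
# Assumptions: syslog-style auth log lines as quoted in the thread; the
# threshold and the rule number 500 are arbitrary, not values from the thread.

# Constructed sample log (not a real capture). Includes both the "root" and the
# "illegal user" variants, one accepted login, and one failure from a real user.
SAMPLE_LOG=$(mktemp /tmp/authlog.XXXXXX)
cat >"$SAMPLE_LOG" <<'EOF'
Sep 18 14:18:32 gw sshd[1201]: Failed password for root from 69.242.5.195 port 39239 ssh2
Sep 18 14:18:35 gw sshd[1201]: Failed password for root from 69.242.5.195 port 39241 ssh2
Sep 18 14:18:38 gw sshd[1203]: Failed password for illegal user test from 69.242.5.195 port 39244 ssh2
Sep 18 14:18:41 gw sshd[1204]: Failed password for illegal user admin from 69.242.5.195 port 39246 ssh2
Sep 18 15:02:10 gw sshd[1310]: Failed password for root from 192.0.2.44 port 51002 ssh2
Sep 18 15:02:12 gw sshd[1311]: Accepted publickey for wjw from 198.51.100.7 port 60011 ssh2
Sep 18 15:02:14 gw sshd[1312]: Failed password for wjw from 198.51.100.7 port 60012 ssh2
EOF

# failed_counts LOGFILE
# Prints "<count> <ip>" for every source address with at least one failed
# password, highest count first. Only "Failed password" lines are counted,
# so accepted logins never contribute. The address is taken as the word
# after the first "from", which works for both root and "illegal user" lines.
failed_counts() {
    awk '/Failed password for/ {
             for (i = 1; i < NF; i++)
                 if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                     n[$(i+1)]++
                     break
                 }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# offenders LOGFILE THRESHOLD
# Prints the addresses whose failure count reaches THRESHOLD, one per line.
# A threshold above 1 keeps a single mistyped password from a legitimate
# user (198.51.100.7 above) off the list.
offenders() {
    failed_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# ipfw_rules LOGFILE THRESHOLD RULENUM
# Prints the ipfw commands for the offenders; nothing is executed here.
ipfw_rules() {
    offenders "$1" "$2" | while read -r ip; do
        echo "ipfw add $3 deny ip from $ip to any"
    done
}

# Stand-alone run: show the summary and the proposed rules for the sample.
failed_counts "$SAMPLE_LOG"
ipfw_rules "$SAMPLE_LOG" 3 500
```

Run from cron against the live log, this gives a reviewable list rather than an automatic block: addresses that are themselves compromised machines or dial-up pools change hands, so rules added this way need an expiry, and a rule set that grows by one line per attacker is the kind of thing the "fake tide of IP addresses" warning later in the thread is about.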
As I've read, this is an attack from some kiddie trying to build a floodnet. Records show that most of the compromised boxes are Linux machines which end up having the SucKIT rootkit and an EnergyMech installed on them. I don't know if the attacker has ever gotten into a FreeBSD machine, and what they'd do if they did.

On my machines I have a dummy shell which APPEARS to be a successful login but just returns weird errors (such as "Segmentation Fault") or bad data for all commands that are issued, while also logging their commands. I'm tempted to put this on the 'test' account and let them in on this shell to see what is attempted.

Just to clarify, if I did such a thing there's no way for them to break out of the shell, right? It's a simple Perl script, so if the Perl script ends, they're logged off? This is what I expect to happen; however, I don't want to risk it unless it's 100% safe... And just to clarify again, all commands that are issued from this fake shell never reach the REAL OS; even "uname" returns a Red Hat 7.2 string when the real machine is actually FreeBSD 5...

Thanks,
Craig

> On 18 Sept. 2004, at 14:18, Willem Jan Withagen wrote:
>
>> Hi,
>>
>> Is there a security problem with ssh that I've missed?
>> I keep getting hordes of these: Failed password for root from
>> 69.242.5.195 port 39239 ssh2
>> with all kinds of different source addresses.
>>
>> They have a shot or 15 and then they are off again, but a little later
>> on they're back and keep clogging my logs.
>> Is there an "easy" way of getting these IP numbers added to the
>> blocking list of ipfw?
>
> Not an ssh-related problem; it's just a brute force attack. I'm
> experiencing this on every server I have, more than 10 times a day.
> I'm really thinking about releasing the list of attackers' IPs to the
> public. As far as I know, it's a pack of compromised machines.
>
> patpro
> As I've read, this is an attack from some kiddie trying to build a floodnet.

One really doesn't want to expose root to the Internet either, via SSH. Please consider adding the user(s) that need root to a user account, open SSH for them, then consider su or sudo from there.

Michael
On Sat, 18 Sep 2004 14:18:32 +0200 Willem Jan Withagen <wjw@withagen.nl> wrote:
| Hi,
|
| Is there a security problem with ssh that I've missed?
| I keep getting hordes of these:
| Failed password for root from 69.242.5.195 port 39239 ssh2
| with all kinds of different source addresses.

FYI, in the past month there were a couple of (quite long) threads on this thing on bugtraq and incidents @securityfocus. It seems to be some worm that scans for weak passwords; someone on incidents published a webpage on this stuff here:

    http://www.jaenicke.org/sk/

with the binaries used and an IRC log chatting with one of the kiddies. The sources seem to be mainly cracked boxes with, aemh... blank root passwords. (Every time I read the previous 3 words together I shudder; apologies if they have the same effect on you :)

| they're back and keep clogging my logs.
| Is there an "easy" way of getting these IP numbers added to the
| blocking list of ipfw?

I've just moved the public port of the sshd to another port. Quite lame, but at least I'm not bothered by worms :)

HTH
Frankye

--
Frankye Fattarelli                |U| |P| |S|F|
frankye.DIESPAMMERSDIE@ipv5.net   |R| |S| |Y|I|
this email is RFC 3514 compliant  |G| |H| |N|N|
Eurgh.... blank root passwords... (shudder)

I stick with the standard of only one user being able to su to root, direct root logins being disabled, and deleting my toor account unless it is needed...

> The sources seem to be mainly cracked boxes with, aemh... blank root
> passwords.
> (Every time I read the previous 3 words together I shudder; apologies if
> they have the same effect on you :)
>
> | they're back and keep clogging my logs.
> | Is there an "easy" way of getting these IP numbers added to the
> | blocking list of ipfw?
On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <wjw@withagen.nl> wrote:
> Hi,
>
> Is there a security problem with ssh that I've missed?
> I keep getting hordes of these:
> Failed password for root from 69.242.5.195 port 39239 ssh2
> with all kinds of different source addresses.
>
> They have a shot or 15 and then they are off again, but a little later on
> they're back and keep clogging my logs.
> Is there an "easy" way of getting these IP numbers added to the
> blocking list of ipfw?
>
> Thanx,
> --WjW

Well, you want to see those. So long as you have

    PermitRootLogin no

in your /etc/ssh/sshd_config, they won't be able to get in, since ssh is then denied for root (except via a valid ssh key, which you can further lock down by adding

    from="ip.addr, forward.dns.record.of.host"

to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys).

A better solution to the verbosity level would probably be to change your kernel config to have something like

    options IPFIREWALL_VERBOSE_LIMIT=3

or to use the sysctl.conf OID

    net.inet.ip.fw.verbose_limit=3

Then you can still see the attempts (and thus log the IP information for contacting the abuse@ address of the responsible IP controller) while limiting your log sizes.

--
David D.W. Downey
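The two sshd settings David points at, `PermitRootLogin no` and a `from=` option on each key in `authorized_keys`, are easy to set once and then quietly lose to a later edit, so a small audit script is worth having. The one below is an added example, not David's or the project's code: the sshd_config and authorized_keys contents are constructed, the key material is a placeholder, and the function names are mine. It relies on two facts about OpenSSH that hold today as they did then: configuration keywords are case-insensitive, and for a repeated keyword the first uncommented occurrence wins.

```shell
#!/bin/sh
# Added example (not from the thread): audit PermitRootLogin in an sshd_config
# and per-key from="..." restrictions in an authorized_keys file. File contents
# are constructed; key blobs are placeholders, not real keys.

SSHD_CONFIG=$(mktemp /tmp/sshd_config.XXXXXX)
cat >"$SSHD_CONFIG" <<'EOF'
# constructed sshd_config fragment
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF

AUTH_KEYS=$(mktemp /tmp/authorized_keys.XXXXXX)
cat >"$AUTH_KEYS" <<'EOF'
# constructed authorized_keys: one source-restricted key, one unrestricted
from="192.0.2.10,admin.example.net" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER wjw@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@oldbox
EOF

# permit_root_login CONFIG
# Prints the effective PermitRootLogin value. sshd keywords are
# case-insensitive and the first uncommented occurrence wins, so we mirror
# that; "unset" means the compiled-in default applies.
permit_root_login() {
    awk '$1 !~ /^#/ && tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# unrestricted_keys AUTHORIZED_KEYS
# Prints the comment field of every key line that carries no from="..."
# option, i.e. keys that can be used from any source address. Options may
# precede the key type, so from= is accepted at the start or after a comma.
unrestricted_keys() {
    awk 'NF > 0 && $1 !~ /^#/ && !/(^|,)from="/ { print $NF }' "$1"
}

# audit CONFIG AUTHORIZED_KEYS
# Prints one FINDING line per problem. Returns 0 when root login is off and
# every key is source-restricted, 1 otherwise.
audit() {
    rc=0
    prl=$(permit_root_login "$1")
    if [ "$prl" != "no" ]; then
        echo "FINDING: PermitRootLogin is '$prl' (want 'no')"
        rc=1
    fi
    loose=$(unrestricted_keys "$2")
    if [ -n "$loose" ]; then
        echo "$loose" | while read -r c; do
            echo "FINDING: key '$c' has no from= restriction"
        done
        rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed files (reports the unrestricted key).
audit "$SSHD_CONFIG" "$AUTH_KEYS" || echo "audit: findings above need attention"
```

Pointing the functions at the real `/etc/ssh/sshd_config` and each user's `~/.ssh/authorized_keys` turns this into a nightly check; the `from=` test is deliberately strict, because a single unrestricted key on an account that can `su` undoes the benefit of refusing root logins.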
Dear all!

There is a possibility that someone makes a fake tide of IP addresses, just to hide his own. If the list is long enough, that IP might not even be logged. If the packets are SYN and the IPs you answer don't exist, you have a SYN flood and the death of the server.

However, only a total idiot would make such a kind of attack. Everybody knows he is trying something. Suspect a "script kid". A little joke with your server and you have a lot of work to do.

Just be aware not to open a new gate for another kind of attack. The human is the weakest part of the chain.

Best regards
ZK