Mailing List Archive


[tlug] attack via ssh? (don't panic :-P)



I just noticed a godzillion of these in the logs on a recently installed
but as yet unused box (took a while to find the ipf pages on NetBSD
;-):

sshd[15304]: Illegal user stephanie from 217.13.10.212
sshd[15304]: error: Could not get shadow information for NOUSER
sshd[15304]: Failed password for illegal user stephanie from 217.13.10.212 port 49443 ssh2
sshd[15306]: Failed password for root from 217.13.10.212 port 49547 ssh2

(about 700 lines worth for the most persistent mofo).  So I checked
the logs on my Linux boxen, and the same jerks are hammering on those
doors too (except there I send them an ICMP port-not-available by
return mail, so there's no attempt to log in permitted, I'm just
seeing logs of SYN packets).

Anybody know what's going on here?  I guess it's just a "transitive
trust" attack using passwords from cracked boxes?  What's worrisome is
that it's a different source address every time, and I'm getting hit
every day, sometimes four or five times; I gotta wonder if they're
actually successfully cracking that many boxes.

Ah ... BTW, if you're using iptables (kernels 2.4 and up), here's a
recipe to log and reject these suckers:

# Trusted network: log new connections only (--syn), then accept.
iptables -A INPUT -p tcp --syn --dport 22 -j LOG    -s x.y.z.w/#bits -d a.b.c.d
iptables -A INPUT -p tcp       --dport 22 -j ACCEPT -s x.y.z.w/#bits -d a.b.c.d
# Everybody else: log the connection attempt (--syn here too, so stray
# ACKs and RSTs aren't logged), then reject.
iptables -A INPUT -p tcp --syn --dport 22 -j LOG
iptables -A INPUT -p tcp       --dport 22 -j REJECT

where a.b.c.d is the address of the host you're protecting, x.y.z.w is
the address of a network you want to permit (eg, your ADSL ISP if
a.b.c.d is at work), and #bits is the number of high bits in the
network address that are significant (eg, a class C net would be /24,
such as 192.168.1.0/24).  N.B.  If you're currently logged in over the
net when you do this, make sure you wire the ACCEPT _before_ the
REJECT, or you'll get cut off.  Also, the --syn in the LOG rule
limits logs to attempts to establish a connection, so you won't get
every packet you SCP logged.  :-)  You can repeat the first two rules
with different networks if your ISP has a bunch.

Note that there's no guarantee somebody in your ISP's range(s) won't
get owned, but that's somewhat less likely than somebody somewhere on
the Internet getting owned!

On my box, the logged packets go to syslog; YMMV.

Also, it may be a good idea to disable password logins via ssh on
net-facing boxen.  In sshd2_config

	AllowedAuthentications		publickey

(ie, passwd is NOT in allowed authentications).

I would say that (unless you've got remarkably popular password for
one of the account names in the list) there's not much to worry about,
but ssh auth failures do fill up the logs in an annoying fashion....

-- 
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.
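
The following is an added example and is not part of the post above. It does two things the post talks about: it tallies the "Failed password" lines per source address so the persistent probers stand out, and it prints the log/accept, log/reject iptables recipe for a protected host and any number of trusted networks, in the ACCEPT-before-REJECT order the post warns about. The log lines, the host 203.0.113.5 and the trusted networks are constructed placeholders; the `--log-prefix` and the `-m limit` rate limit on the catch-all LOG rule are additions beyond the post's four lines (they stop a scanner from filling syslog). The rules are only printed, never applied.

```shell
#!/bin/sh
# Added example, not code from the original post. Addresses and log
# lines below are constructed; --log-prefix and -m limit are additions
# to the post's recipe.

# Constructed sample in the syslog format the post quotes.
SAMPLE_LOG='sshd[15304]: Illegal user stephanie from 217.13.10.212
sshd[15304]: error: Could not get shadow information for NOUSER
sshd[15304]: Failed password for illegal user stephanie from 217.13.10.212 port 49443 ssh2
sshd[15306]: Failed password for root from 217.13.10.212 port 49547 ssh2
sshd[15310]: Failed password for illegal user admin from 198.51.100.7 port 40022 ssh2
sshd[15312]: Accepted publickey for steve from 192.168.1.20 port 51000 ssh2'

# failed_by_source: read sshd log lines on stdin, print "count address"
# for every source that produced a "Failed password" line, most
# persistent source first. Only the failure lines are counted; the
# "Illegal user" and "Could not get shadow information" lines describe
# the same attempt and would double-count it.
failed_by_source() {
    awk '/Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
         }
         END { for (a in count) print count[a], a }' |
    sort -rn
}

# ssh_rules HOST NET [NET...]: print the iptables recipe from the post.
# For each trusted NET: log new connections (--syn) and accept port 22.
# Then: log remaining connection attempts, rate-limited so a scanner
# cannot fill the disk, and reject them (default ICMP port-unreachable).
# ACCEPT rules come out before the REJECT, so a session from a trusted
# network that is open while the rules load is not cut off.
ssh_rules() {
    host=$1
    shift
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --syn --dport 22 -s $net -d $host -j LOG --log-prefix 'ssh-ok: '"
        echo "iptables -A INPUT -p tcp --dport 22 -s $net -d $host -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --syn --dport 22 -d $host -m limit --limit 6/min -j LOG --log-prefix 'ssh-probe: '"
    echo "iptables -A INPUT -p tcp --dport 22 -d $host -j REJECT"
}

# Demonstration on the constructed sample and placeholder addresses.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
ssh_rules 203.0.113.5 192.168.1.0/24 198.51.100.0/24
```

On a real box run `failed_by_source` against the actual log (`grep sshd /var/log/auth.log | failed_by_source`, path varies by system) and feed `ssh_rules` output to `sh` as root only after reading it; the post's caveat still applies: anyone inside a trusted network who gets owned is inside the allow list too.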

