Lee Maguire graded snobberies, bawdiness, hypocrisy

Posted: 10 October 2004, 5pm

Category: Internet

Nasty brutessh and snort

In late July I started to get a lot of emails via logcheck informing me of failed single attempts to log into the (disabled) guest account, probably using a blank password, which was traditionally the access method on Unix servers offering anonymous, and usually restricted, shell logins.

Jul 26 02:31:40 foobar sshd[24171]: Failed password for guest from x.30.170.12 port 60910 ssh2

By August these started increasing in frequency, and included a couple of attempts at guessing the root password, which (even on the unlikely chance it was right) wouldn’t have worked while the ssh server was set to “PermitRootLogin no”.

Now, in the last few weeks the frequency and number of attempts have increased. It’s just getting stupid. More usernames are being checked – not just the standard accounts, but names that look like normal logins:

Oct  2 18:09:47 foobar sshd[15646]: Illegal user adam from x.23.51.222 
Oct  2 18:09:50 foobar sshd[15648]: Illegal user alan from x.23.51.222
Oct  2 18:09:53 foobar sshd[15650]: Illegal user frank from x.23.51.222
Oct  2 18:09:56 foobar sshd[15652]: Illegal user george from x.23.51.222
Oct  2 18:09:59 foobar sshd[15654]: Illegal user henry from x.23.51.222
[snip]

The cause seems to have been the release of a cracking tool, brutessh2. Normally I wouldn’t link to something like this – but if you run an ssh server you probably want to check the list of passwords it includes. If your password is there (for shame!) there’s a fairly good reason to believe you’ve been compromised. And if you’re running sshd and you aren’t aware of these password brute force attempts, you should probably investigate why that is.

Now, unlike port scanning (which is, in itself, just rude) brute force password guessing is a clear and obvious attempt at unauthorized access. And it’s not a very subtle one – one or two failed logins will usually get overlooked, but I’m seeing 60+ login attempts within the period of several minutes. If I’m getting frequent alerts and forwarding them on to the relevant abuse contact addresses, then surely some others are too?

DShield is listing over 300 distinct sources a day for ssh based attacks (it’s not clear if that includes brute force scanning). Based on the frequency I’m being scanned (and the time taken) versus the number of ssh servers out there, there may be many more out there (maybe it’s that North Korean hacker army). Sure, the number will seem like a drop in the ocean of trojaned and worm-infected Windows boxes out there, but these aren’t worms doing the scanning – these scans are coming directly from crackers using their own or (more likely) previously compromised systems. So if you spot these in your logs it’s in everybody’s interest to report the intrusion attempt to the whois-listed abuse contact.

If your network uses Snort then the following rule (via BleedingSnort) should highlight the ssh brute force attempts:

# Submitted by Matt Jonkman
alert tcp any any -> $HOME_NET 22 ( \
  msg:"BLEEDING-EDGE Potential SSH Brute Force Attack"; \
  flow:to_server,established; flags:S; \
  threshold:type threshold, track by_src, count 5, seconds 60; \
  classtype:attempted-dos; sid:2001219; rev:4; \
)
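The same "5 from one source within 60 seconds" threshold applied to the sshd log lines quoted above, for those without Snort on the wire. This is an added example, not part of the original post or the BleedingSnort rule; it assumes the two message formats shown ("Failed password for … from …" and "Illegal user … from …") and a syslog year of 2004, since syslog timestamps carry none. Each alert lists the usernames tried, which is the detail worth putting in an abuse report.

```python
import re
from datetime import datetime

# Matches the two sshd message shapes quoted in the post. Source is kept as a
# string, so the redacted "x." addresses from the post work as-is.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?P<u1>\S+)|Illegal user (?P<u2>\S+)) from (?P<src>\S+)"
)

def parse_line(line, year=2004):
    """Return (timestamp, source, username) or None for lines we don't track.
    The year is an assumption; syslog lines do not carry one."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["u1"] or m["u2"]

def flag_brute_force(lines, count=5, seconds=60, year=2004):
    """Mimic Snort's 'threshold:type threshold, track by_src': per source, count
    events from the first one seen, alert on every count-th event inside the
    window, and start a fresh window once `seconds` have elapsed."""
    state = {}    # src -> [window_start, events_in_window, users_in_window]
    alerts = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, src, user = parsed
        start, n, users = state.get(src, (ts, 0, []))
        if (ts - start).total_seconds() > seconds:   # window expired: reset
            start, n, users = ts, 0, []
        n += 1
        users.append(user)
        if n >= count:
            alerts.append({"src": src, "at": ts.isoformat(), "users": sorted(set(users))})
            n, users = 0, []                         # keep counting in this window
        state[src] = [start, n, users]
    return alerts

# Constructed sample: the post's own lines plus one unrelated successful login.
SAMPLE_LOG = [
    "Jul 26 02:31:40 foobar sshd[24171]: Failed password for guest from x.30.170.12 port 60910 ssh2",
    "Oct  2 18:09:47 foobar sshd[15646]: Illegal user adam from x.23.51.222",
    "Oct  2 18:09:50 foobar sshd[15648]: Illegal user alan from x.23.51.222",
    "Oct  2 18:09:53 foobar sshd[15650]: Illegal user frank from x.23.51.222",
    "Oct  2 18:09:56 foobar sshd[15652]: Illegal user george from x.23.51.222",
    "Oct  2 18:09:59 foobar sshd[15654]: Illegal user henry from x.23.51.222",
    "Oct  2 18:12:01 foobar sshd[15660]: Accepted publickey for lee from x.10.0.5 port 40001 ssh2",
]
```

Running `flag_brute_force(SAMPLE_LOG)` flags x.23.51.222 on the fifth illegal-user attempt at 18:09:59; the lone guest failure in July never reaches the threshold.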