Brian,

Once you start using scripts to automate writing firewall rules, you give the hackers control of your firewall. In the case of the ssh weak password exploit it's not quite as much of an issue, since it requires a three-way handshake before the username is sent. But consider the following:

Black hat fires off an NMAP scan using your default gateway as a decoy IP, portsentry shuts down your default gateway, and you have now DoS'ed yourself.

With your script, a carefully crafted two-pronged attack using a sniffing box and a "noise" box could do the same thing via a login attempt. (Think monkey-in-the-middle.)

Unlikely? Maybe, maybe not. I'm sure that's what everyone who gets hacked or DoS'ed thinks before it happens. (I know I did.) Clean a couple of machines off the server room floor and you start to think differently.

Personally, I would let that traffic continue to build up in the logs, and use it as ammo when trying to talk to management about the need for a better security budget.

Couldn't hurt.

Sjan Evardsson
Webmaster
Alaska Pacific University

BTW - If it is at all possible, block port 22 at your external firewall. Works great for us. If you need to connect from outside the firewall you can always VPN in first. A little more overhead, but worth it for the added layer of security.

-----Original Message-----
From: Brian G. Peterson [mailto:brian@×××××××××.com]
Sent: Sunday, November 07, 2004 4:10 AM
To: gentoo-security@l.g.o
Subject: help blocking automated ssh scanning attack script

I've noticed over the last few months that ssh attack scanning scripts have been proliferating. The scripts attack using a common set of usernames with weak password combinations, and result in a long line of log entries like:

Nov 6 17:44:18 ethos sshd[3808]: Illegal user test from 211.185.202.3
Nov 6 23:06:27 ethos sshd[8521]: Illegal user rolo from 222.47.83.41

The common usernames are admin root webmaster data rolo guest test patrick iceuser www horde wwwrun cyrus courier www-data irc jane pamela cosmin cip51 cip52 sybase oracle mysql master account server henry frank adam george (included here for easier googling on the problem).

I use the excellent portsentry to detect and shut down IPs that do traditional nmap-style portscans of my machines. This attack script isn't a port scan, so it just shows up in my security log summaries every morning.

Can anyone help me out with a simple log scanning script that could detect the 'Illegal user xxx' strings in /var/log/secure and issue the "/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut these addresses down?

The scan volume is up to about two a day on each of my servers, and I'd like to get this crap out of my logs.

Any assistance appreciated: I and many other people would thank anyone who would whip up a script to block this stuff.

Regards,

- Brian

--
gentoo-security@g.o mailing list
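The following is an added example, not code from either message in this thread: a POSIX shell script of the kind Brian asks for, written with the safeguards Sjan's reply argues for. It parses sshd "Illegal user ... from <ip>" lines, counts attempts per source address, and only emits an iptables DROP for addresses that cross a threshold and are not on a never-block list (your default gateway, loopback, your own admin host), so that a spoofed or relayed login attempt cannot trick the script into cutting you off from your own box. It defaults to dry-run and only prints the commands. The log path, threshold, allowlist addresses and the sample log file are assumptions; the sample lines reuse the two addresses and the hostname from Brian's message and are otherwise constructed.

```shell
#!/bin/sh
# Added example (not from the gentoo-security thread). Scans sshd log lines for
# "Illegal user <name> from <ip>", counts attempts per address, and emits
# "/sbin/iptables -I INPUT -s <ip> -j DROP" for repeat offenders that are NOT
# on a never-block list. Dry-run by default. All paths/addresses are assumed.

LOGFILE="${LOGFILE:-/var/log/secure}"          # assumed log location
THRESHOLD="${THRESHOLD:-3}"                     # attempts before blocking
ALLOWLIST="${ALLOWLIST:-127.0.0.1 192.168.1.1}" # assumed: loopback + gateway
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands only

# Print the source address of every "Illegal user ... from <ip>" line in $1.
extract_ips() {
    sed -n 's/.*Illegal user [^ ]* from \([0-9.]*\).*/\1/p' "$1"
}

# Return 0 if address $1 must never be blocked (gateway, loopback, admin box).
is_allowed() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Print "<count> <ip>" for addresses at or above THRESHOLD, minus allowlisted.
offenders() {
    extract_ips "$1" | sort | uniq -c | while read -r count ip; do
        [ "$count" -ge "$THRESHOLD" ] || continue
        is_allowed "$ip" && continue
        echo "$count $ip"
    done
}

# Issue (or, in dry-run, print) one DROP rule per offending address in $1.
block() {
    offenders "$1" | while read -r count ip; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "/sbin/iptables -I INPUT -s $ip -j DROP   # $count attempts"
        else
            /sbin/iptables -I INPUT -s "$ip" -j DROP
        fi
    done
}

# Constructed sample log for offline testing: one address with three attempts,
# one with a single attempt, the (assumed) gateway with three attempts, and
# one unrelated successful login that must be ignored.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Nov  6 17:44:18 ethos sshd[3808]: Illegal user test from 211.185.202.3
Nov  6 17:44:20 ethos sshd[3809]: Illegal user admin from 211.185.202.3
Nov  6 17:44:22 ethos sshd[3810]: Illegal user guest from 211.185.202.3
Nov  6 23:06:27 ethos sshd[8521]: Illegal user rolo from 222.47.83.41
Nov  6 23:07:01 ethos sshd[8530]: Illegal user oracle from 192.168.1.1
Nov  6 23:07:02 ethos sshd[8531]: Illegal user oracle from 192.168.1.1
Nov  6 23:07:03 ethos sshd[8532]: Illegal user oracle from 192.168.1.1
Nov  6 23:10:00 ethos sshd[8540]: Accepted password for brian from 10.0.0.5 port 2222 ssh2
EOF
    echo "$f"
}

# Usage: sh blockssh.sh /var/log/secure      (dry-run; set DRY_RUN=0 to apply)
if [ "$#" -gt 0 ]; then
    block "$1"
fi
```

Run it from cron against the real log with DRY_RUN=1 for a while and compare its output with what you would have blocked by hand before switching it on; the allowlist is the part Sjan's decoy scenario hinges on, so put every address you cannot afford to lose (gateway, VPN endpoint, monitoring host) on it before the first live run.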