Gentoo Archives: gentoo-security

From: Sjan Evardsson <sjan_e@×××××××××××××.edu>
To: "Brian G. Peterson" <brian@×××××××××.com>, gentoo-security@l.g.o
Subject: [gentoo-security] RE: help blocking automated ssh scanning attack script
Date: Mon, 08 Nov 2004 16:49:23
1 Brian,
3 Once you start using scripts to write to automate firewall rules you give the hackers control of your firewall. In the case of the ssh weak password exploit it's not quite as much of an issue since it requires a three-way handshake before the username is sent. But consider the following:
5 Black hat fires off an NMAP scan using your default gateway as a decoy ip, portsentry shuts down your default gateway and you have now DoS'ed yourself.
7 With your script, a carefully crafted two-pronged attack using a sniffing box and a "noise" box could do the same thing via a login attempt. (Think monkey-in-the-middle).
9 Unlikely? Maybe, maybe not. I'm sure that's what everyone who gets hacked or DoS'ed thinks before it happens. (I know I did.) Clean a couple machines off the server room floor and you start to think differently.
11 Personally, I would let that traffic continue to build up in the logs, and use it as ammo when trying to talk to management about the need for a better security budget.
13 Couldn't hurt.
15 Sjan Evardsson
16 Webmaster
17 Alaska Pacific University
19 BTW - If it is at all possible, block port 22 at your external firewall. Works great for us. If you need to connect from outside the firewall you can always VPN in first. A little more overhead, but worth it for the added layer of security.
23 -----Original Message-----
24 From: Brian G. Peterson [mailto:brian@×××××××××.com]
25 Sent: Sunday, November 07, 2004 4:10 AM
26 To: gentoo-security@l.g.o
27 Subject: help blocking automated ssh scanning attack script
29 I've noticed over the last few months that ssh attack scanning scripts have been proliferating. The scripts attack using a common set of usernames with weak password combinations, and result in a long line of log entries like:
31 Nov  6 17:44:18 ethos sshd[3808]: Illegal user test from Nov  6 23:06:27 ethos sshd[8521]: Illegal user rolo from
33 The common usernames are admin root webmaster data rolo guest test patrick iceuser www horde wwwrun cyrus courier www-data irc jane pamela cosmin cip51
34 cip52 sybase oracle mysql master account server henry frank adam george (included here for easier googling on the problem)
36 I use the excellent portsentry to detect and shut down IP's that do traditional nmap-style portscans of my machines. This attack script isn't a port scan, so it just shows up in my security log summaries every morning.
38 Can anyone help me out with a simple log scanning script that could detect the 'illegal user xxx' strings in /var/log/secure and issue the "/sbin/iptables -I INPUT -s -j DROP" command to shut these addresses down.
40 The scan volume is up to about two a day on each of my servers, and I'd like to get this crap out of my logs
42 Any assistance appreciated: I and many other people would thank anyone who would whip up a script to block this stuff.
44 Regards,
46 - Brian
48 --
49 gentoo-security@g.o mailing list


Subject Author
Re: [gentoo-security] RE: help blocking automated ssh scanning attack script William Yang <wyang@××××.net>