Ethical Hacker Community Forums
Topic: Recent changes in SSH attacks (Read 1617 times)
RoleReversal (Hero Member, Posts: 507)
« on: December 08, 2008, 06:34:37 AM »

Multiple sources (for example: Arbor Networks blog and El Reg) are reporting changes in SSH brute-force methodology to a distributed platform. I've seen this in my logs and monitoring since October as described by most of the sources, but I don't believe this is an entirely new concept as I saw similar events as far back as 2007.

Most sources are claiming that so far no-one has been able to obtain a copy of the attacking code for analysis. As this is banging on my front door fairly hard despite the protections in place (which are so far holding up well), if anyone gets their hands on a sample I'd appreciate a copy if possible. 'Know your enemy' etc.

My main thought, though, is: given the increase in DDoS and botnets, why hasn't someone implemented this sooner? And why do people seem surprised by the development?

A little bit of sanity:
http://www.infosanity.co.uk
jimbob (Sr. Member, Posts: 332)
« Reply #1 on: December 08, 2008, 01:55:42 PM »

I think one of the key reasons for the lack of drive behind SSH brute forcing is the ease of cracking and value of the targets. SSH runs on a large number of platforms, making automated pwnage and subsequent use harder. Own a Windows box and you can run your DDoS/botnet tool without any fuss.

I imagine there are worm-like tools out there that exploit SSH, infect and continue scanning. I too would like to get my hands on the code; I find *nix malware a whole lot more interesting than Windows nasties.

Jimbob
pseud0 (Full Member, Posts: 154)
« Reply #2 on: December 08, 2008, 05:10:29 PM »

I read through all of these articles as they've been showing up over the last few months, and as a response I started using knockd. Check it out if you haven't seen it. Basically you can set up a "secret knock" for your system before it will open the port in a listening mode. It adds an extra layer of complexity on any brute-force attack.

CISSP, CISM
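As an added illustration of the mechanism pseud0 describes (this is example code, not knockd's own): the per-source sequence matching that a knockd rule such as `sequence = 7000,8000,9000` with `seq_timeout = 5` asks the daemon to perform. The ports, the timeout and the addresses are assumed.

```python
# Added example, not knockd's own code: the per-source matching that a rule such as
# "sequence = 7000,8000,9000 / seq_timeout = 5" asks knockd to perform.
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed ports; any otherwise unused ports will do
SEQ_TIMEOUT = 5.0                     # assumed: seconds allowed for the whole sequence


class KnockTracker:
    """Tracks how far each source address has got through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = sequence
        self.timeout = timeout
        self.progress = {}  # src_ip -> (index of next expected port, time of first knock)
        self.opened = []    # (src_ip, time) for every completed sequence

    def on_syn(self, src_ip, dst_port, now):
        """Feed one SYN to a closed port; True when src_ip completes the sequence."""
        idx, started = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.timeout:
            idx, started = 0, now  # too slow: partial progress is thrown away
        if dst_port != self.sequence[idx]:
            # A wrong port resets the source, so a sequential port sweep never
            # completes the knock. Hitting the first port again is treated here
            # as a fresh start (an assumption about knockd's exact behaviour).
            idx, started = 0, now
            if dst_port != self.sequence[0]:
                self.progress.pop(src_ip, None)
                return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.opened.append((src_ip, now))  # here knockd would run its open command
            return True
        self.progress[src_ip] = (idx, started)
        return False


def demo():
    """A legitimate knock, then a port sweep (6999-9000) that opens nothing."""
    t = KnockTracker()
    knock = [t.on_syn("198.51.100.7", p, i) for i, p in enumerate(KNOCK_SEQUENCE)]
    sweep = [t.on_syn("203.0.113.9", p, 10 + i) for i, p in enumerate(range(6999, 9001))]
    return knock, any(sweep), [ip for ip, _ in t.opened]
```

The sweep fails even though it touches all three knock ports in order, because every intervening port resets the source's progress; the timeout separately defeats a slow sweep.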
RoleReversal (Hero Member, Posts: 507)
« Reply #3 on: December 09, 2008, 03:14:48 AM »

Pseud0,

Hadn't seen knockd before, although I've come across the general idea; might have to give it a look.

I run breakinguard, which is a simple automatic blacklisting utility. Worth a look for some general protection, and the reporting (email sent on blocked IP) is how we were alerted to the event originally.
Cr@sh (Newbie, Posts: 5)
« Reply #4 on: December 10, 2008, 08:43:23 AM »

Would this help at all?

http://www.csc.liv.ac.uk/~greg/sshdfilter/

Edit: I realize that this is for Mac OS X, I didn't know if you guys were referring to Mac or PC
« Last Edit: December 10, 2008, 08:45:07 AM by Cr@sh »
RoleReversal (Hero Member, Posts: 507)
« Reply #5 on: December 10, 2008, 09:42:14 AM »

Cr@sh,

Thanks for the link, I'll take a look and run some tests. Looking at sshdfilter, it uses the same timed lockout mechanisms present in the breakinguard solution. The problem is that the new attack pattern is designed to work around these protections by coming from a large number of distributed hosts; even if you block some of the attempts, another source takes over the slack.

Looking at the source of sshdfilter, it *should* compile on a Linux OS as well as OS X (Suse is listed in the README file); however, there is a precompiled OS X binary available for download to ease installation.
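The gap RoleReversal points out, shown as an added example (this is not code from breakinguard or sshdfilter): a per-source lockout run over constructed sshd log lines never fires on twelve sources making two guesses each, while counting distinct sources per target account does. The thresholds, window and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (RFC 5737 documentation addresses, not real sources):
# twelve hosts making two guesses each at root, plus one old-style single source.
def _line(sec, user, ip):
    return (f"Dec 08 06:{sec // 60:02d}:{sec % 60:02d} gw sshd[2231]: Failed password "
            f"for {user} from {ip} port {40000 + sec} ssh2")

DISTRIBUTED = [_line(10 * i + k, "root", f"203.0.113.{i + 1}")
               for i in range(12) for k in (0, 3)]
SINGLE_SOURCE = [_line(200 + 2 * k, "root", "198.51.100.9") for k in range(8)]
SAMPLE_LOG = sorted(DISTRIBUTED + SINGLE_SOURCE)  # zero-padded timestamps sort by time

LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?(\S+) from (\S+) port \d+ ssh2$")


def parse(lines):
    """Yield (timestamp, target user, source ip) for each failed-password line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)


def per_ip_blocklist(lines, threshold=5, window=600):
    """sshdfilter/breakinguard style: block a source after `threshold` failures in
    `window` seconds. Each distributed source stays under the bar and is never blocked."""
    recent, blocked = defaultdict(list), set()
    for ts, _user, ip in parse(lines):
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window] + [ts]
        if len(recent[ip]) >= threshold:
            blocked.add(ip)
    return blocked


def distributed_alerts(lines, min_sources=8, window=600):
    """Aggregate view: alert when one account is hit from many distinct sources within
    the window, however few attempts each makes. Returns target user -> source count."""
    by_user, alerts = defaultdict(list), {}
    for ts, user, ip in parse(lines):
        by_user[user] = [(t, s) for t, s in by_user[user]
                         if (ts - t).total_seconds() <= window] + [(ts, ip)]
        sources = {s for _t, s in by_user[user]}
        if len(sources) >= min_sources:
            alerts[user] = len(sources)
    return alerts
```

On the sample, the per-source rule blocks only the lone noisy host, while the per-account view reports root under attack from 13 sources; the two checks are complementary rather than alternatives.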