EH-Net Forum » Malware
Topic: Recent changes in SSH attacks (Read 5456 times)
Andrew Waite (Hero Member, Posts: 857)
« on: December 08, 2008, 06:34:37 AM »

Multiple sources (for example: Arbor Networks blog and El Reg) are reporting changes in SSH brute-force methodology to a distributed platform. I've seen this in my logs and monitoring since October as described by most of the sources, but I don't believe this is an entirely new concept, as I saw similar events as far back as 2007.

Most sources are claiming that so far no-one has been able to obtain a copy of the attacking code for analysis. As this is banging on my front door fairly hard despite the protections in place (which are so far holding up well), if anyone gets their hands on a sample I'd appreciate a copy if possible. 'Know your enemy' etc.

My main thought though is; given the increase in DDoS and botnets, why hasn't someone implemented this sooner? And why do people seem surprised by the development?

jimbob (Guest)
« Reply #1 on: December 08, 2008, 01:55:42 PM »

I think one of the key reasons for the lack of drive behind SSH brute forcing is the ease of cracking and the value of the targets. SSH runs on a large number of platforms, making automated pwnage and subsequent use harder. Own a Windows box and you can run your DDoS/botnet tool without any fuss.

I imagine there are worm-like tools out there that exploit SSH, infect and continue scanning. I too would like to get my hands on the code, I find *nix malware a whole lot more interesting than Windows nasties.

Jimbob

pseud0 (Recruiters, Full Member, Posts: 204)
« Reply #2 on: December 08, 2008, 05:10:29 PM »

I read through all of these articles as they've been showing up over the last few months, and as a response I started using knockd. Check it out if you haven't seen it. Basically you can set up a "secret knock" for your system before it will open the port in a listening mode. It adds an extra layer of complexity on any brute-force attack.

CISSP, CISM, CISA, GCIH, CEH, HMFIC, KTHXBIROFLCOPTER
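To make the "secret knock" concrete, here is a small simulation of the sequence matching that pseud0 describes knockd doing. This is an added example for this thread, not knockd's own code or anything posted by pseud0. The knock sequence, timeout and IP addresses are made up, and two behaviours are assumptions about knockd rather than facts from the page: that ports outside any configured sequence never reach the matcher, and that a knock on a sequence port in the wrong order resets that source. The example also shows the caveat a practitioner wants: a monotonically ascending sequence can be satisfied by an ordinary ascending port sweep if the sweep is fast enough, while a non-monotonic sequence is not.

```python
"""Port-knock sequence matching, modelled on what the thread describes knockd doing.

Added example for this discussion; a simulation, not knockd's code. The
reset-on-wrong-port and ignore-unrelated-ports behaviour is an assumption
about knockd, made to keep the model small. IPs are documentation ranges."""


class KnockDaemon:
    def __init__(self, sequence, seq_timeout=5.0):
        self.sequence = list(sequence)   # knockd.conf: sequence = 7000,8000,9000
        self.seq_timeout = seq_timeout   # knockd.conf: seq_timeout = 5 (seconds)
        self.ports = set(self.sequence)
        self.progress = {}               # ip -> (index of next expected port, time of first knock)
        self.opened = set()              # stand-in for running `command` with %IP% substituted

    def syn(self, ip, port, t):
        """Feed one TCP SYN (knockd with tcpflags = syn). Returns True when the knock completes."""
        if port not in self.ports:       # assumption: ports outside any sequence never reach the matcher
            return False
        idx, t0 = self.progress.get(ip, (0, t))
        if idx and t - t0 > self.seq_timeout:
            idx, t0 = 0, t               # too slow: the whole sequence must fit inside seq_timeout
        if port != self.sequence[idx]:
            self.progress.pop(ip, None)  # assumption: an out-of-order knock resets this source
            return False
        idx += 1
        if idx == len(self.sequence):
            self.opened.add(ip)          # real knockd would now run `command` (e.g. an iptables ACCEPT)
            self.progress.pop(ip, None)
            return True
        self.progress[ip] = (idx, t0)
        return False


def knock(daemon, ip, ports, gap):
    """A client sending the knock with `gap` seconds between packets."""
    return any(daemon.syn(ip, p, i * gap) for i, p in enumerate(ports))


def sequential_sweep(daemon, ip, ports_per_second):
    """An ascending full-range port scan at a fixed rate.
    Returns True if the sweep happened to satisfy the knock on its own."""
    return any(daemon.syn(ip, port, i / ports_per_second)
               for i, port in enumerate(range(1, 65536)))


if __name__ == "__main__":
    d = KnockDaemon([7000, 8000, 9000])
    print("client, 1s apart:", knock(d, "192.0.2.10", [7000, 8000, 9000], 1.0))    # True
    print("client, 3s apart:", knock(d, "192.0.2.11", [7000, 8000, 9000], 3.0))    # False: seq_timeout
    print("1000 pps ascending sweep vs 7000,8000,9000:",
          sequential_sweep(KnockDaemon([7000, 8000, 9000]), "198.51.100.9", 1000))  # True
    print("100 pps ascending sweep vs 7000,8000,9000:",
          sequential_sweep(KnockDaemon([7000, 8000, 9000]), "198.51.100.9", 100))   # False
    print("1000 pps ascending sweep vs 9000,7000,8000:",
          sequential_sweep(KnockDaemon([9000, 7000, 8000]), "198.51.100.9", 1000))  # False
```

In a real knockd.conf the three parameters modelled here are `sequence`, `seq_timeout` and `tcpflags = syn` in the door section, with `command` (typically an iptables rule using `%IP%`) doing what `opened` stands in for. Two things the simulation makes visible: pick a sequence whose ports are not in ascending order, and keep `seq_timeout` short, otherwise a quick sequential scan opens the door without knowing the secret. The knock itself travels in the clear, so anyone who can watch the wire can replay it; it raises the cost of a brute force, as pseud0 says, but it is not authentication.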
Andrew Waite (Hero Member, Posts: 857)
« Reply #3 on: December 09, 2008, 03:14:48 AM »

Pseud0,

I hadn't seen knockd before, although I've come across the general idea; I might have to give it a look.

I run breakinguard, which is a simple automatic blacklisting utility. Worth a look for some general protection, and the reporting (email sent on blocked IP) is how we were alerted to the event originally.

Cr@sh (Newbie, Posts: 5)
« Reply #4 on: December 10, 2008, 08:43:23 AM »

Would this help at all?

http://www.csc.liv.ac.uk/~greg/sshdfilter/

Edit: I realize that this is for Mac OS X; I didn't know if you guys were referring to Mac or PC.
« Last Edit: December 10, 2008, 08:45:07 AM by Cr@sh »
Andrew Waite (Hero Member, Posts: 857)
« Reply #5 on: December 10, 2008, 09:42:14 AM »

Cr@sh,

thanks for the link; I'll take a look and run some tests. Looking at sshdfilter, it uses the same timed lockout mechanisms present in the breakinguard solution. The problem is that the new attack pattern is designed to work around these protections by coming from a large number of distributed hosts: even if you block some of the attempts, another source takes up the slack.

Looking at the source of sshdfilter, it *should* compile on Linux as well as OS X (SUSE is listed in the README file); however, there is a precompiled OS X binary available for download to ease installation.
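The point Andrew makes in Reply #3 and Reply #5 (a per-IP timed lockout such as breakinguard or sshdfilter never fires when each attacking host stays under the threshold) is easy to see on sample data. The following is an added example written for this thread, not code from breakinguard, sshdfilter or any poster. It parses constructed sshd "Failed password" lines (documentation-range IPs, made-up usernames) and runs two detectors over them: the per-source lockout as the thread describes it, and a host-wide view that counts distinct failing sources inside a window, which is the kind of aggregate check that does catch the distributed pattern. The thresholds and window are assumptions chosen for the demonstration.

```python
"""Per-IP lockout versus a distributed, low-and-slow SSH brute force.

Added example for this thread, not code from breakinguard, sshdfilter or
any poster. The log lines are constructed; IPs are RFC 5737 documentation
ranges and the usernames are invented."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd excerpt: one chatty single-source attacker at 06:10, then
# a distributed wave at 06:30 in which each host tries exactly once.
SAMPLE_AUTH_LOG = """\
Dec  8 06:10:01 gw sshd[4101]: Failed password for root from 203.0.113.5 port 40210 ssh2
Dec  8 06:10:09 gw sshd[4103]: Failed password for root from 203.0.113.5 port 40211 ssh2
Dec  8 06:10:18 gw sshd[4105]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Dec  8 06:10:40 gw sshd[4107]: Failed password for invalid user test from 203.0.113.5 port 40213 ssh2
Dec  8 06:30:00 gw sshd[4201]: Failed password for root from 198.51.100.1 port 51001 ssh2
Dec  8 06:31:00 gw sshd[4203]: Failed password for root from 198.51.100.2 port 51002 ssh2
Dec  8 06:32:00 gw sshd[4205]: Failed password for invalid user admin from 198.51.100.3 port 51003 ssh2
Dec  8 06:33:00 gw sshd[4207]: Failed password for root from 198.51.100.4 port 51004 ssh2
Dec  8 06:34:00 gw sshd[4209]: Failed password for invalid user oracle from 198.51.100.5 port 51005 ssh2
Dec  8 06:35:00 gw sshd[4211]: Failed password for root from 198.51.100.6 port 51006 ssh2
Dec  8 06:36:00 gw sshd[4213]: Failed password for invalid user admin from 198.51.100.7 port 51007 ssh2
Dec  8 06:37:00 gw sshd[4215]: Failed password for root from 198.51.100.8 port 51008 ssh2
Dec  8 06:38:00 gw sshd[4217]: Accepted publickey for andrew from 192.0.2.10 port 55000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(log_text, year=2008):
    """Return (timestamp, username, source_ip) for every failed-password line.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def per_ip_blocks(events, threshold=3, window=timedelta(minutes=10)):
    """Timed lockout as the thread describes breakinguard/sshdfilter doing it:
    a source is blocked once it has `threshold` failures inside `window`.
    Only that source's own history counts, which is what a distributed
    attacker exploits by keeping every host below the threshold."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, _user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return blocked


def distributed_alerts(events, min_sources=5, window=timedelta(minutes=10)):
    """Host-wide view: alert when the failures inside `window` come from at
    least `min_sources` distinct IPs, however few attempts each one makes.
    Returns (timestamp, distinct_source_count) each time the condition
    becomes true; further hits while it stays true do not re-alert."""
    recent = deque()
    alerts = []
    firing = False
    for ts, _user, ip in sorted(events):
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        sources = {src for _, src in recent}
        if len(sources) >= min_sources:
            if not firing:
                alerts.append((ts, len(sources)))
                firing = True
        else:
            firing = False
    return alerts


def analyse(log_text):
    """Run both detectors over a log excerpt and return plain values."""
    events = parse_failures(log_text)
    return {
        "failures": len(events),
        "blocked_ips": sorted(per_ip_blocks(events)),
        "distributed_alerts": [(ts.isoformat(), n) for ts, n in distributed_alerts(events)],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On this data the per-IP lockout blocks only 203.0.113.5, the noisy single source; the eight hosts of the distributed wave each fail once and are never blocked, while the host-wide detector raises an alert as soon as the fifth distinct source appears. A distinct-source count needs a baseline before it is used for blocking (a busy shell server sees many legitimate typos from many addresses), so in practice it is an alerting signal to combine with the usernames being tried, which here are generic accounts the host does not have.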

© 2012 The Ethical Hacker Network