
Recent changes in SSH attacks


RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Dec 08, 2008 7:34 am

Recent changes in SSH attacks

Multiple sources (for example: Arbor Networks blog and El Reg) are reporting changes in SSH brute-force methodology to a distributed platform. I've seen this in my logs and monitoring since October as described by most of the sources, but I don't believe this is an entirely new concept, as I saw similar events as far back as 2007.

Most sources are claiming that so far no-one has been able to obtain a copy of the attacking code for analysis. As this is banging on my front door fairly hard despite the protections in place (which are so far holding up well), if anyone gets their hands on a sample I'd appreciate a copy if possible. 'Know your enemy' etc.

My main thought though is: given the increase in DDoS and botnets, why hasn't someone implemented this sooner? And why do people seem surprised by the development?

jimbob

Post Mon Dec 08, 2008 2:55 pm

Re: Recent changes in SSH attacks

I think one of the key reasons for the lack of drive behind SSH brute forcing is the ease of cracking and value of the targets. SSH runs on a large number of platforms, making automated pwnage and subsequent use harder. Own a Windows box and you can run your DDoS/botnet tool without any fuss.

I imagine there are worm-like tools out there that exploit SSH, infect and continue scanning. I too would like to get my hands on the code; I find *nix malware a whole lot more interesting than Windows nasties.

Jimbob

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Mon Dec 08, 2008 6:10 pm

Re: Recent changes in SSH attacks

I read through all of these articles as they've been showing up over the last few months, and as a response I started using knockd. Check it out if you haven't seen it. Basically you can set up a "secret knock" for your system before it will open the port in a listening mode. It adds an extra layer of complexity on any brute-force attack.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Dec 09, 2008 4:14 am

Re: Recent changes in SSH attacks

Pseud0,

hadn't seen knockd before, although I've come across the general idea before; might have to give it a look.

I run breakinguard, which is a simple automatic blacklisting utility. Worth a look for some general protection, and the reporting (email sent on blocked IP) is how we were alerted to the event originally.

Cr@sh

Newbie

Posts: 5

Joined: Thu Dec 04, 2008 2:04 pm

Post Wed Dec 10, 2008 9:43 am

Re: Recent changes in SSH attacks

Would this help at all?

http://www.csc.liv.ac.uk/~greg/sshdfilter/

Edit: I realize that this is for Mac OS X; I didn't know if you guys were referring to Mac or PC.
Last edited by Cr@sh on Wed Dec 10, 2008 9:45 am, edited 1 time in total.

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Dec 10, 2008 10:42 am

Re: Recent changes in SSH attacks

Cr@sh,

thanks for the link, I'll take a look and run some tests. Looking at sshdfilter, it uses the same timed lockout mechanisms present in the breakinguard solution. The problem is that the new attack pattern is designed to work around these protections by coming from a large number of distributed hosts: even if you block some of the attempts, another source takes over the slack.

Looking at the source of sshdfilter, it *should* compile on a Linux OS as well as OS X (SUSE is listed in the README file); however, there is a precompiled OS X binary available for download to ease installation.
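RoleReversal's point above (a per-source lockout never fires when each attacking host stays under the threshold) as an added example, not code from this thread or from breakinguard/sshdfilter: a per-IP counter beside a per-target correlation that counts distinct source IPs hitting one account, run over constructed auth.log lines. The log lines, thresholds and function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth.log (not from the thread): no source IP reaches a
# per-IP lockout threshold, yet five hosts together hammer one account in minutes.
SAMPLE_LOG = """\
Dec 10 10:01:02 host sshd[4011]: Failed password for root from 10.0.0.11 port 50111 ssh2
Dec 10 10:01:09 host sshd[4012]: Failed password for root from 10.0.0.12 port 50112 ssh2
Dec 10 10:02:15 host sshd[4013]: Failed password for root from 10.0.0.13 port 50113 ssh2
Dec 10 10:02:40 host sshd[4014]: Failed password for invalid user admin from 10.0.0.14 port 50114 ssh2
Dec 10 10:03:01 host sshd[4015]: Failed password for root from 10.0.0.11 port 50115 ssh2
Dec 10 10:04:22 host sshd[4016]: Failed password for root from 10.0.0.15 port 50116 ssh2
Dec 10 10:04:55 host sshd[4017]: Failed password for root from 10.0.0.16 port 50117 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(log_text, year=2008):
    """Return sorted (timestamp, user, ip) tuples, one per failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return sorted(out)

def per_source_blocks(failures, threshold=3):
    """Per-IP lockout (breakinguard/sshdfilter style): IPs with >= threshold failures."""
    counts = Counter(ip for _, _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_alerts(failures, window_s=600, min_sources=5):
    """Correlate per target account: most distinct source IPs in any window_s-second window."""
    by_user = defaultdict(list)
    for ts, user, ip in failures:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, events in by_user.items():
        best = 0
        for i, (end, _) in enumerate(events):  # events are time-sorted
            ips = {ip for ts, ip in events[: i + 1] if (end - ts).total_seconds() <= window_s}
            best = max(best, len(ips))
        if best >= min_sources:
            alerts[user] = best
    return alerts
```

On the sample, `per_source_blocks` returns an empty set while `distributed_alerts` flags `root` with five sources, which is the gap a per-IP blacklist leaves open.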
