Dictionary attacks on port 22 - Security


  1. Dictionary attacks on port 22

    Are there more than the usual amount of dictionary attacks on port 22
    going on lately?

    Or should I be more than usually worried. I've gotten hit with 13,000
    tries in the last 3 days.


  2. Re: Dictionary attacks on port 22

    begin

    > Are there more than the usual amount of dictionary attacks on port 22
    > going on lately?
    >
    > Or should I be more than usually worried. I've gotten hit with 13,000
    > tries in the last 3 days.


    Change the port of your ssh-Server and never mind again about such things.
    --
    lg niko
    icq:# 129022192
    ________________________________
    Nature distributes her gifts fairly: those with the weak mind
    get the loudest voice (Art van Rheyn)


  3. Re: Dictionary attacks on port 22

    Nikolai Försterling sez:
    > begin
    >
    >> Are there more than the usual amount of dictionary attacks on port 22
    >> going on lately?
    >>
    >> Or should I be more than usually worried. I've gotten hit with 13,000
    >> tries in the last 3 days.

    >
    > Change the port of your ssh-Server and never mind again about such things.


    Read about "recent" match extension to iptables and add the rule
    for port 22. Works like a charm, no need to fsck up the standard.

    Dima
    --
    Surely there is a polite way to say FOAD. -- Shmuel Metz
    "Go forth and multiply". -- Paul Martin

  4. Re: Dictionary attacks on port 22

    On Wed, 22 Feb 2006 10:00:08 -0600, Harry Putnam said:

    > Are there more than the usual amount of dictionary attacks on port
    > 22 going on lately?


    > Or should I be more than usually worried. I've gotten hit with
    > 13,000 tries in the last 3 days.


    Remember that sshd uses TCPwrappers - if you only ever log in from a
    few trusted IP addresses, put those in hosts.allow, and sshd: ALL in
    hosts.deny

    If you might need to log in from an unknown IP address, use

    http://denyhosts.sourceforge.net/

    Still keep your trusted addresses in hosts.allow, though.

    --
    Alan J. Wylie http://www.wylie.me.uk/
    "Perfection [in design] is achieved not when there is nothing left to add,
    but rather when there is nothing left to take away."
    -- Antoine de Saint-Exupery

  5. Re: Dictionary attacks on port 22

    Harry Putnam (06-02-22 10:00:08):

    > Are there more than the usual amount of dictionary attacks on port 22
    > going on lately?
    >
    > Or should I be more than usually worried. I've gotten hit with 13,000
    > tries in the last 3 days.


    A few workarounds have been given here already. But I don't like the
    concept of security by obscurity. If your passwords are secure, then
    you don't have to worry. A much better approach would be to use
    key-based authentication and disable passwords completely. Compromising
    a 1024 bit key is practically impossible, but you have the option to use
    even larger keys. Personally I use 4096 bits.

    On the other hand, you may be interested in protecting your SSHd from
    denial of service. You'll want to use the MaxStartups option in your
    sshd_config. See sshd_config(5) for an explanation.


    Regards.
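
    The settings this post recommends can be checked mechanically. The shell function below is an added example, not code from the thread or from OpenSSH: it reads an sshd_config on standard input and lists what still leaves password guessing open. It follows sshd's own rule that the first occurrence of a keyword wins, stops at the first Match block (those directives are conditional), and assumes the OpenSSH defaults for anything unset (PasswordAuthentication yes, KbdInteractiveAuthentication yes, PermitRootLogin prohibit-password, PubkeyAuthentication yes, MaxStartups 10:30:100). The two configs it runs against are constructed samples; Include directives and the Key=value spelling are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for settings that
# still permit password guessing. Reads the config on stdin, prints one
# finding per line, prints nothing when the global section is clean.
sshd_config_findings() {
  awk '
    { sub(/#.*/, "") }                          # drop comments
    NF == 0 { next }
    { key = tolower($1) }
    key == "match" { exit }                     # global section ends at the first Match block
    key == "challengeresponseauthentication" { key = "kbdinteractiveauthentication" }  # old alias
    key in seen { next }                        # sshd honours the FIRST occurrence of a keyword
    { seen[key] = tolower($2) }
    END {
      # OpenSSH defaults, assumed for anything the file leaves unset
      pw = "yes"; kbd = "yes"; root = "prohibit-password"; pub = "yes"
      if ("passwordauthentication" in seen)       pw   = seen["passwordauthentication"]
      if ("kbdinteractiveauthentication" in seen) kbd  = seen["kbdinteractiveauthentication"]
      if ("permitrootlogin" in seen)              root = seen["permitrootlogin"]
      if ("pubkeyauthentication" in seen)         pub  = seen["pubkeyauthentication"]
      if (pw != "no")    print "PasswordAuthentication is " pw ": password guessing still possible"
      if (kbd != "no")   print "KbdInteractiveAuthentication is " kbd ": PAM can still prompt for a password"
      if (root == "yes") print "PermitRootLogin yes: root is a directly guessable account"
      if (pub != "yes")  print "PubkeyAuthentication is " pub ": key-only login is not possible"
      if (!("maxstartups" in seen)) print "MaxStartups not set: the default 10:30:100 applies"
    }'
}

# Constructed sample: a stock-looking file with one trap in it. The second
# PasswordAuthentication line is ignored by sshd because the first one wins.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication no'

# Constructed sample: what the post above recommends, keys only, no passwords.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
MaxStartups 10:30:60
AllowUsers harry'

echo "== weak =="
printf '%s\n' "$WEAK_CONFIG" | sshd_config_findings
echo "== hardened =="
printf '%s\n' "$HARDENED_CONFIG" | sshd_config_findings
```

    On a running host `sshd -T` prints the effective configuration after Include and Match processing and is the authoritative check; this function is for auditing config files offline, before they are deployed. The second PasswordAuthentication line in the weak sample is the trap worth knowing: appending `PasswordAuthentication no` to a file that already says `yes` higher up changes nothing.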

  6. Re: Dictionary attacks on port 22

    Harry Putnam writes:

    > Are there more than the usual amount of dictionary attacks on port 22
    > going on lately?
    >
    > Or should I be more than usually worried. I've gotten hit with 13,000
    > tries in the last 3 days.


    Thanks for the tips posters. But out of 3 responses none were about
    my query. Is there an unusual amount of dictionary attacks on port 22
    going on lately?

    The reason I ask is because I recently rebuilt my OS from scratch.
    Completely unrelated to any security concerns.

    However, that would have effectively burned any rootkits or unwanted
    guests. When I came back online, any preexisting backdoors or the like
    would have been scotched.

    Seems like that might provoke some frantic efforts to reacquire
    access. Maybe too far fetched since I have no reason to believe I'd
    been rooted, so just asking here if this is pretty normal to see.

    I haven't seen it before, and have been online for several years. But
    I'm not the most vigilant admin either.

  7. Re: Dictionary attacks on port 22

    Harry Putnam (06-02-22 19:02:21):

    > Thanks for the tips posters. But out of 3 responses none were about
    > my query. Is there an unusual amount of dictionary attacks on port 22
    > going on lately?


    To answer your actual question, there are always people bruteforcing
    random hosts, possibly with automated scripts. Don't worry about that
    too much. If your system keeps being the target of a bruteforce
    (probably from the same source), you might have been rooted before the
    re-installation of your system.


    Regards.

  8. Re: Dictionary attacks on port 22

    On Wed, 22 Feb 2006 19:02:21 -0600, Harry Putnam wrote:

    >Thanks for the tips posters. But out of 3 responses none were about
    >my query. Is there an unusual amount of dictionary attacks on port 22
    >going on lately?


    I don't see them 'cos the port is closed, just a few attempts per
    day, rarely repeated from same source IP. When I open ssh, it
    accepts traffic from only known IPs -- an easy solution if you
    have an account elsewhere -> cracker needs to crack other account
    before home box.

    In any case rate limiting with iptables is a practical way to calm
    the traffic -- my efforts in this direction are towards calming web
    traffic on a very thin Internet connection with iptables --recent.

    >Seems like that might provoke some frantic efforts to reacquire
    >access. Maybe too far fetched since I have no reason to believe I'd
    >been rooted, so just asking here if this is pretty normal to see.


    13k queries in 3 days to _any_ port I'd be alarmed at

    >I haven't seen it before, and have been online for several years. But
    >I'm not the most vigilant admin either,


    If you want to maintain port 22 access, look at iptables --recent
    option, properly implemented it can lockout access by source IP
    after say 3 tries without DoSing legitimate users.

    Have you analysed from how many IPs those 13k attempts came from?

    Grant.
    --
    .... The computer scientist, who had listened to all of this said,
    "Yes, but where do you think the chaos came from?"

  9. Re: Dictionary attacks on port 22

    Harry Putnam wrote:
    > Harry Putnam writes:
    >
    >
    >>Are there more than the usual amount of dictionary attacks on port 22
    >>going on lately?
    >>
    >>Or should I be more than usually worried. I've gotten hit with 13,000
    >>tries in the last 3 days.

    >
    >
    > Thanks for the tips posters. But out of 3 responses none were about
    > my query. Is there an unusual amount of dictionary attacks on port 22
    > going on lately?


    Define "unusual"? :-)

    Like other sorts of attacks, it's increasing and will probably continue
    to do so.

    If you're seeing them, you need to revisit your firewall / wrappers
    rules.

  10. Re: Dictionary attacks on port 22

    * Harry Putnam
    | [sshd] Or should I be more than usually worried. I've gotten hit
    | with 13,000 tries in the last 3 days.

    Is that 13000 connections from different sources, or 13000 attempts to
    guess a password? The former would be unusual here, the latter not so
    unusual, since every single try consists of a few hundred
    username/password guesses.

    Individual attempts to connect to port 22 on our site:
    Feb 10: 1
    Feb 11: 1
    Feb 12: 4
    Feb 13: 6
    Feb 14: 1
    Feb 15: 2
    Feb 16: 4
    Feb 17: 2
    Feb 18: 8
    Feb 19: 2
    Feb 20: 4
    Feb 21: 2
    Feb 22: 6
    Feb 23: 1

    A single attempt included ~400 guesses in about 4 minutes last time
    when they weren't blocked, so nothing near 13000 here, but then, we're
    on dynamic IP.

    R'

  11. Re: Dictionary attacks on port 22

    Grant writes:

    > On Wed, 22 Feb 2006 19:02:21 -0600, Harry Putnam wrote:
    >
    >>Thanks for the tips posters. But out of 3 responses none were about
    >>my query. Is there an unusual amount of dictionary attacks on port 22
    >>going on lately?

    >
    > I don't see them 'cos the port is closed, just a few attempts per
    > day, rarely repeated from same source IP. When I open ssh, it
    > accepts traffic from only known IPs -- an easy solution if you
    > have an account elsewhere -> cracker needs to crack other account
    > before home box.


    My usage is really only necessary when on the road so that I can
    access home machines. I usually close/open port 22 by means of a
    NETGEAR firewall router. And had grown lazy and left it open when I
    really didn't need it.

    > In any case rate limiting with iptables is a practical way to calm
    > the traffic -- my efforts in this direction are towards calming web
    > traffic on a very thin Internet connection with iptables --recent.


    Something to look at. So far I hadn't bothered with iptables at all
    since I'm behind a firewall already, that NATs in/out traffic and
    shows no open ports on the INTERNET side except 22 when I have it
    open.

    I think your suggestion about limiting to a few ip addresses may be a
    good solution and allow me to quit turning it off/on and just leave
    it on. I do have accounts on other machines that are 24/7 so could
    always ssh to one of them first.

    >>Seems like that might provoke some frantic efforts to reacquire
    >>access. Maybe too far fetched since I have no reason to believe I'd
    >>been rooted, so just asking here if this is pretty normal to see.


    > 13k queries in 3 days to _any_ port I'd be alarmed at


    Yeah it got my attention by making the activity light flicker. At
    first I took it to be one of those things that happens coming from
    Windows boxes on the network.... I've never really investigated the
    cause but occasionally I see heavy gauge flickering from one or another
    Win box and just reboot it.

    I'm kind of curious how these dictionary attacks work. How they
    attempt so many login names so fast.

    >>I haven't seen it before, and have been online for several years. But
    >>I'm not the most vigilant admin either,

    >
    > If you want to maintain port 22 access, look at iptables --recent
    > option, properly implemented it can lockout access by source IP
    > after say 3 tries without DoSing legitimate users.


    I'll look at that.

    >
    > Have you analysed from how many IPs those 13k attempts came from?


    Seeing this question made me get on with that... so far I'd only
    scanned enough to see a number of IPs involved but each making
    numerous attempts. I only sorted on IP and on attempted name so far
    but meant to do better research... I'll post some homeboy research
    here in a bit after scripting something simple:

    Turns out to be spread over about 6 days rather than the three I
    stated in my first post.

    The fields on either side of "<>" are first and last dates of
    attempted logons by each IP.... there were 15

    (Sorted by number of hits rather than date)

    scn.pl ../all-SSH-hits

    First              Last               IP                hits

    Feb 18 08:30:47 <> Feb 18 09:50:39    200.88.113.25     5283
    Feb 22 08:11:51 <> Feb 22 08:49:29    217.71.210.152    2372
    Feb 17 19:42:11 <> Feb 21 18:15:19    220.119.33.251    1365
    Feb 18 01:49:01 <> Feb 18 02:42:19    194.146.224.92    1270
    Feb 20 22:58:07 <> Feb 20 23:22:34    220.158.24.21      876
    Feb 22 05:01:32 <> Feb 22 05:43:41    220.232.149.165    570
    Feb 21 04:17:56 <> Feb 21 04:22:38    211.233.58.219     128
    Feb 21 17:03:58 <> Feb 21 17:06:38    69.37.62.163       123
    Feb 22 02:12:55 <> Feb 22 02:13:45    38.99.4.36         106
    Feb 20 05:41:26 <> Feb 20 05:48:12    61.230.11.64        96
    Feb 17 06:45:11 <> Feb 17 06:47:35    200.21.246.146      69
    Feb 17 06:54:14 <> Feb 17 06:54:22    69.60.109.243       23
    Feb 19 21:08:37 <> Feb 19 21:08:53    218.189.216.84       6
    Feb 21 05:39:38 <> Feb 21 05:40:08    210.73.84.132        5
    Feb 21 16:21:12 <> Feb 21 16:21:28    60.248.79.101        3
    A total of <12295>

    > Define "unusual"? :-)


    For me, unusual would have started with more than one or two attempts
    in a day.

    Ralf Fassel writes:


    > Individual attempts to connect to port 22 on our site:
    > Feb 10: 1


    [...]

    > A single attempt included ~400 guesses in about 4 minutes last time
    > when they weren't blocked, so nothing near 13000 here, but then, we're
    > on dynamic IP.


    Those I posted sort of came in two main waves a few days apart.

    17-18 around 7-8000 and 21-22 around 4-5000.

    Something about this just looks suspicious, like more than just random
    script kiddie activity.

    I still have a nasty itch telling me something more is at work here.

  12. Re: Dictionary attacks on port 22

    On Fri, 24 Feb 2006 01:15:58 -0600, Harry Putnam wrote:

    >Grant writes:
    >
    >> Have you analysed from how many IPs those 13k attempts came from?


    A dozen or so sources, that's easy to lockout, read man iptables:
    --recent filter and its --rcheck, --hitcount and --seconds options.

    I'd suggest to simply DROP excess incoming requests rather than the
    technically correct REJECT --reject-with tcp-reset.

    Script-kiddies will try someone else once your machine goes quiet on
    them.

    >Something about this just looks suspicious, like more than just random
    >script kiddie activity.


    Dunno, I'm not game to open port 22 to the world out of curiosity
    >
    >I still have a nasty itch telling me something more is at work here.


    Depends where you are, but some paranoia helps with computer security.

    Grant.
    --
    .... The computer scientist, who had listened to all of this said,
    "Yes, but where do you think the chaos came from?"

  13. Re: Dictionary attacks on port 22

    On Fri, 24 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <8764n5tefl.fsf@newsguy.com>, Harry Putnam wrote:

    >My usage is really only necessary when on the road so that I can
    >access home machines. I usually close/open port 22 by means of a
    >NETGEAR firewall router. And had grown lazy and left it open when I
    >really didn't need it.


    Can't help with the Netgear, but one solution might be to move your SSH
    server to some other port. Zombies and skript-kiddiez look for specific
    ports, and if they don't find what they are looking for they tend to
    move on. Most "scanner" tools (example - nmap) default to only scanning
    ports 1-1024, so if you moved your SSH to A RANDOM NUMBER like

    [compton ~]$ head -1 /dev/urandom | mimencode | sed 's/[^0-9]//g' | head -1
    36551
    [compton ~]$

    yeah, that's a good number.

    >I think your suggestion about limiting to a few ip addresses may be a
    >good solution and allow me to quit turning it off/on and just leave
    >it on. I do have accounts on other machines that are 24/7 so could
    >always ssh to one of them first.


    Do a google search for 'port+knocking SSH iptables' - someone posted
    a cute trick where you attempt to connect to some (closed) port, and
    iptables then unblocks a different port for access by the address you
    came from for a limited period.

    >I'm kind of curious how these dictionary attacks work. How they
    >attempt so many login names so fast.


    It's a script running from a list of possible usernames/passwords.

    >The fields on either side of "<>" are first and last dates of
    >attempted logons by each IP.... there were 15


    Just looking at the first six, they smell strongly of zombie - perhaps
    a windoze box someone found that the owner left wide open.

    >For me, unusual would have started with more than one or two attempts
    >in a day.


    Must be nice to live in a quiet part of the Internet. ;-)

    >Something about this just looks suspicious, like more than just random
    >script kiddie activity.


    Generally, these are just scripts - and random doesn't mean a nice flat
    distribution. It can be quite lumpy. The first six addresses you list
    don't raise a flag here.

    Old guy
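
    The iptables "recent" approach from posts 3, 8 and 12 and the port knock from post 13, written out as an added example (not code from any poster): two shell functions that build the rule set, printed as a dry run unless APPLY=1 is set. Addresses, ports and timers are placeholders (192.0.2.0/24 is documentation space, 36551 is the number from the post above); it assumes a plain iptables host whose INPUT chain already accepts ESTABLISHED,RELATED traffic.

```shell
#!/bin/sh
# Added example, not from the thread: rate limiting and port knocking for sshd
# with the iptables "recent" match. Without APPLY=1 the rules are only printed.
# Assumptions: the values below are placeholders, and the INPUT chain already
# has an ESTABLISHED,RELATED accept rule so replies and open sessions pass.
if [ "${APPLY:-0}" = 1 ]; then IPT="${IPT:-iptables}"; else IPT=echo; fi
SSH_PORT="${SSH_PORT:-22}"
TRUSTED_NETS="${TRUSTED_NETS:-192.0.2.0/24}"   # hosts.allow-style allowlist (documentation range)
KNOCK_PORT="${KNOCK_PORT:-36551}"              # nothing listens here; it is only the knock

# Rate limit NEW SSH connections per source address. --set records every new
# connection; --update then drops the 4th and later within 60 s (3 tries
# allowed, as Grant suggests) and refreshes the entry, so a source stays locked
# out for as long as it keeps making 4 or more attempts a minute. DROP rather
# than REJECT: the scanner gets no answer and moves on. Trusted networks bypass
# the limit. The chain ends with RETURN, so it only filters; whatever accepts
# SSH (a plain ACCEPT or the knock chain) comes after it in INPUT.
ssh_ratelimit_rules() {
  "$IPT" -N SSH_GUARD 2>/dev/null || "$IPT" -F SSH_GUARD
  for net in $TRUSTED_NETS; do
    "$IPT" -A SSH_GUARD -s "$net" -j ACCEPT
  done
  "$IPT" -A SSH_GUARD -m recent --name sshbf --set
  "$IPT" -A SSH_GUARD -m recent --name sshbf --update --seconds 60 --hitcount 4 -j DROP
  "$IPT" -A SSH_GUARD -j RETURN
  "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_GUARD
}

# Port knocking: a SYN to KNOCK_PORT records the sender in the "knock" list and
# is dropped; for the next 30 s that sender may open SSH_PORT, everyone else is
# dropped. This hides sshd from scanners but is not authentication: a single
# knock is replayable by anyone who saw it, so it goes in front of key-only
# login, not instead of it.
ssh_knock_rules() {
  "$IPT" -N SSH_KNOCK 2>/dev/null || "$IPT" -F SSH_KNOCK
  "$IPT" -A SSH_KNOCK -m recent --name knock --rcheck --seconds 30 -j ACCEPT
  "$IPT" -A SSH_KNOCK -j DROP
  "$IPT" -A INPUT -p tcp --dport "$KNOCK_PORT" -m conntrack --ctstate NEW \
    -m recent --name knock --set -j DROP
  "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_KNOCK
}

# Client side from the road (assumes nc is available): knock, then connect.
#   nc -z -w 1 gateway.example 36551; ssh harry@gateway.example

ssh_ratelimit_rules
if [ "${USE_KNOCK:-1}" = 1 ]; then
  ssh_knock_rules
else
  "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
fi
```

    The rate-limit chain only filters and returns, so it can sit in front of either the knock chain or a plain ACCEPT. A single knock port is easy to replay and can be opened by accident during a full port scan that happens to hit it before port 22; a sequence of ports with several `recent` lists is stronger, and neither replaces key-only authentication.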

  14. Re: Dictionary attacks on port 22

    On Fri, 24 Feb 2006 14:03:45 -0600, ibuprofin@painkiller.example.tld (Moe Trin) wrote:

    >Generally, these are just scripts - and random doesn't mean a nice flat
    >distribution. It can be quite lumpy.


    Still remember lunchroom arguments 30 years ago about evenly distributing
    numbers for the lotto syndicate -- 'quite lumpy', I like that.

    Grant.
    --
    .... The computer scientist, who had listened to all of this said,
    "Yes, but where do you think the chaos came from?"

  15. Re: Dictionary attacks on port 22

    On Sat, 25 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <81vuv1ltu396jd4ocrrcnq82l5c7jv0bhu@4ax.com>, Grant wrote:
    >ibuprofin@painkiller.example.tld (Moe Trin) wrote:
    >
    >>Generally, these are just scripts - and random doesn't mean a nice flat
    >>distribution. It can be quite lumpy.

    >
    >Still remember lunchroom arguments 30 years ago about evenly distributing
    >numbers for the lotto syndicate -- 'quite lumpy', I like that.


    See David Kahn's classic book "The Codebreakers" (first published in 1967,
    LoCUS 63-16109 - I have an eighth printing from 1976) on how it was noted
    that the "one time pads" used to encipher Soviet spy messages in the 1950s
    were obviously created by typists striking "random" letters with the left
    and right hand alternating. They also noted the relative scarcity of
    repeating characters - below the statistical average for randomness.

    Old guy

  16. Re: Dictionary attacks on port 22

    ibuprofin@painkiller.example.tld (Moe Trin) writes:

    >>The fields on either side of "<>" are first and last dates of
    >>attempted logons by each IP.... there were 15


    First Last IP hits
    Feb 18 08:30:47 <> Feb 18 09:50:39 200.88.113.25 5283
    Feb 22 08:11:51 <> Feb 22 08:49:29 217.71.210.152 2372
    Feb 17 19:42:11 <> Feb 21 18:15:19 220.119.33.251 1365
    Feb 18 01:49:01 <> Feb 18 02:42:19 194.146.224.92 1270
    Feb 20 22:58:07 <> Feb 20 23:22:34 220.158.24.21 876
    Feb 22 05:01:32 <> Feb 22 05:43:41 220.232.149.165 570

    > Just looking at the first six, they smell strongly of zombie - perhaps
    > a windoze box someone found that the owner left wide open.


    Can you explain that? Are you basing it on number of hits? IP? ... what?
    Sounded like you think those six are coming from a single machine?

    >>For me, unusual would have started with more than one or two attempts
    >>in a day.

    >
    > Must be nice to live in a quiet part of the Internet. ;-)


    How many dictionary attack type hits do you see in a day?

  17. Re: Dictionary attacks on port 22

    On Sat, 25 Feb 2006 20:01:46 -0600, Harry Putnam wrote:

    >ibuprofin@painkiller.example.tld (Moe Trin) writes:
    >
    >>>The fields on either side of "<>" are first and last dates of
    >>>attempted logons by each IP.... there were 15

    >
    > First Last IP hits
    > Feb 18 08:30:47 <> Feb 18 09:50:39 200.88.113.25 5283
    > Feb 22 08:11:51 <> Feb 22 08:49:29 217.71.210.152 2372
    > Feb 17 19:42:11 <> Feb 21 18:15:19 220.119.33.251 1365
    > Feb 18 01:49:01 <> Feb 18 02:42:19 194.146.224.92 1270
    > Feb 20 22:58:07 <> Feb 20 23:22:34 220.158.24.21 876
    > Feb 22 05:01:32 <> Feb 22 05:43:41 220.232.149.165 570
    >
    >> Just looking at the first six, they smell strongly of zombie - perhaps
    >> a windoze box someone found that the owner left wide open.

    >
    >Can you explain that? Are you basing it on number of hits? IP? ... what?
    >Sounded like you think those six are coming from a single machine?


    My 2 cents:

    Simple metric, hit rate per source IP, and the first has a hit rate that
    is too fast to make sense, 66/min? (5k in 80 mins), that implies your
    system is doing nothing to calm the source, rather, your system is
    instantly telling the source to have another try! Silly of it, no?

    Fastest hit rate I allow is 12/min + 12 burst into the web server (I'm
    on a small connection), source IPs breaching the rules are switched to
    lockout for some period. Web traffic calming only locks out src-ip
    for 90 seconds. Web crawlers are on 2/min + 1 burst, keeps them from
    saturating my Internet link.

    In the case of bad traffic, the first hit breaking a rule gets a
    denied response then that offending IP is locked out for an hour,
    sidestepping the need for hard to maintain deny lists.

    My summary (last six hours):

    Classify junk:
    48 MSFT exploit ports
    30 repeated MSFT exploit ports
    22 dropped for web traffic calming
    7 entered web traffic calming
    5 random ports
    4 probe from privileged port
    2 repeated probe from privileged port
    1 repeated random ports
    -- http://bugsplatter.mine.nu/junk/

    Cheers,
    Grant.
    --
    .... The computer scientist, who had listened to all of this said,
    "Yes, but where do you think the chaos came from?"
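
    The per-address table Harry produced with scn.pl (post 11) and the hit rate Grant reads off it above can be derived from a stock auth.log. The shell function below is an added example, not Harry's script: it takes syslog-format sshd lines on standard input and prints first/last time, address, hits and hits per minute per source, sorted by hits, with the total last. The log lines embedded in it are constructed samples on documentation addresses; the timestamp arithmetic assumes all lines come from the same year and ignores leap days and DST, which is enough for ordering and rates within one log.

```shell
#!/bin/sh
# Added example, not the scn.pl from the thread: summarise sshd password
# failures per source address from syslog-format auth.log lines on stdin.
# Output: first <> last IP hits rate, sorted by hits, then the total.
ssh_hit_summary() {
  awk '
    # seconds since the start of the year; same year assumed, no leap/DST handling
    function ts_seconds(mon, day, hms,   m, t, cum) {
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
      split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
      split(hms, t, ":")
      return ((cum[m] + day) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
    }
    /sshd\[[0-9]+\]: Failed password for/ {
      ip = ""
      for (i = 5; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      ts = $1 " " $2 " " $3
      now = ts_seconds($1, $2, $3)
      if (!(ip in hits)) { first[ip] = ts; first_s[ip] = now }
      last[ip] = ts; last_s[ip] = now
      hits[ip]++
    }
    END {
      for (ip in hits) {
        mins = (last_s[ip] - first_s[ip]) / 60
        if (mins < 1) mins = 1        # a burst shorter than a minute counts as one minute
        printf "%s <> %s %-15s %5d %7.1f/min\n", first[ip], last[ip], ip, hits[ip], hits[ip] / mins
      }
    }' | sort -k9,9nr | awk '{ print; total += $9 } END { printf "A total of <%d>\n", total }'
}

# Constructed sample lines (documentation addresses). The "Invalid user" and
# "Accepted publickey" lines are there to show they are not counted.
SAMPLE_LOG='Feb 18 01:49:01 gw sshd[1990]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Feb 18 08:30:00 gw sshd[2101]: Invalid user admin from 192.0.2.10 port 40001
Feb 18 08:30:00 gw sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Feb 18 08:30:30 gw sshd[2102]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Feb 18 08:31:00 gw sshd[2103]: Failed password for root from 192.0.2.10 port 40003 ssh2
Feb 18 08:31:30 gw sshd[2104]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Feb 18 08:32:00 gw sshd[2105]: Failed password for invalid user guest from 192.0.2.10 port 40005 ssh2
Feb 18 09:10:12 gw sshd[2200]: Accepted publickey for harry from 203.0.113.5 port 50123 ssh2
Feb 20 02:00:00 gw sshd[3300]: Failed password for root from 198.51.100.7 port 52000 ssh2
Feb 20 02:00:05 gw sshd[3301]: Failed password for invalid user pi from 203.0.113.5 port 53000 ssh2'

printf '%s\n' "$SAMPLE_LOG" | ssh_hit_summary
```

    A rate like the 66/min Grant computes from one address is the figure to watch: sshd's own `MaxAuthTries` and `LoginGraceTime` cap guesses per connection, not connections per minute, which is why the firewall-side limit from the other replies is needed as well.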

  18. Re: Dictionary attacks on port 22

    On Sat, 25 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <87r75qubcl.fsf@newsguy.com>, Harry Putnam wrote:

    >ibuprofin@painkiller.example.tld (Moe Trin) writes:



    > First Last IP hits
    > Feb 18 08:30:47 <> Feb 18 09:50:39 200.88.113.25 5283
    > Feb 22 08:11:51 <> Feb 22 08:49:29 217.71.210.152 2372
    > Feb 17 19:42:11 <> Feb 21 18:15:19 220.119.33.251 1365
    > Feb 18 01:49:01 <> Feb 18 02:42:19 194.146.224.92 1270
    > Feb 20 22:58:07 <> Feb 20 23:22:34 220.158.24.21 876
    > Feb 22 05:01:32 <> Feb 22 05:43:41 220.232.149.165 570
    >
    >> Just looking at the first six, they smell strongly of zombie - perhaps
    >> a windoze box someone found that the owner left wide open.

    >
    >Can you explain that? Are you basing it on number of hits? IP? ... what?


    IP. Your first, 200.88.113.25, is 25sosua113.codetel.net.do in the
    Dominican Republic. Codetel has a fairly poor reputation for abuse
    problems. The address implies a home system though at the moment I can't
    reach it. Host number two is valerian-152.210.71.217.zonepro-serveurs.net
    in France. This appears to be a hosting service. Host 3 doesn't resolve, but
    is in a block allocated to Korea Telecom, suballocated to another hosting
    service though I can't read the Hangul. Kortel seems to feel that there
    is no need to configure PTR records (it's only a "SHOULD" on the APNIC
    policy document as recommended in RFC2050). A lot of people feel this is
    reason to block such IP space. Host 4 is sd204.sivit.org - yet another
    hosting service in France. Interestingly, when I connect to this site, I
    get forwarded on to the www.google.com login page. Host 5 is a dynamic
    address in Japan s21.ItokyoFL116.vectant.ne.jp running an incompletely
    configured version of Apache on Linux, while host 6 is at our dear friends
    (NOT!) at pacific.net.hk whose users seem to delight in running zombies.
    The latter block (like the 217.116.0.0/14 and 217.120.0.0/13 blocks from
    Kortel) is in fact blackholed here for that very reason so I can't comment
    on the individual host. Using another ISP, I find (as usual) the klowns at
    pacific.net.hk haven't figured how to set up DNS either.

    >Sounded like you think those six are coming from a single machine?


    No, not on three continents. The possibility that they are controlled by
    the same individual is low, though not impossible. The fact that they all
    seem to have decided to attempt to dictionary attack you might be related,
    but that's pushing the indications pretty hard.

    >> Must be nice to live in a quiet part of the Internet. ;-)

    >
    >How many dictionary attack type hits do you see in a day?


    None. My ssh server doesn't run on a low port, and the chance of anyone
    even finding it is quite poor, never mind seeing repeat attempts. Also,
    I only accept connections to that server from a VERY limited list of IP
    addresses. On the other hand, I see quite a large number of connection
    _attempts_ to port 22 on my public address - typically about a thousand
    a day. That's why I no longer have a server there, and don't bother even
    logging the attempts.

    Old guy

  19. Re: Dictionary attacks on port 22

    Harry Putnam wrote:

    > Thanks for the tips posters. But out of 3 responses none were about
    > my query. Is there an unusual amount of dictionary attacks on port 22
    > going on lately?


    I think it has increased, but I still don't get anywhere near 13k
    in 3 days.

    I got 1510 attempts on Feb 25, 1032 attempts yesterday, and 490
    attempts so far today (that's for a web server, with an actual
    domain name registered, which I assume would increase the likelihood
    of attacks, even if only slightly)

    Try to see if there are patterns in the IPs -- I mean, if 12.5 of
    those 13 come from one IP, then maybe you're being targeted, as
    opposed to randomly chosen as a potential victim.

    Carlos
    --
