security of ssh on Solaris - Solaris



Thread: security of ssh on Solaris

  1. security of ssh on Solaris

    Hi

    It looks like someone managed to log into my box:

    > last | head -3


    name1 sshd hhk-downloadcent Thu Jun 19 06:46 - 06:46 (00:00)
    name2 sshd hhk-downloadcent Thu Jun 19 06:39 - 06:40 (00:00)
    name3 sshd hhk-downloadcent Thu Jun 19 06:37 - 06:38 (00:00)


    I have edited the names, but what was name1, name2, name3 were valid
    user names with the obvious password (that has been rectified). They
    were not my username nor root. Question is how would someone be able to
    find out about their existence without my having given them away to the
    general public?

    I didn't see any evidence of tampering (so far), but:

    > cat /var/adm/messages


    Jun 19 10:28:21 hostname sshd[6909]: [ID 800047 auth.crit] fatal: Read
    from socket failed: Connection reset by peer

    After this point my computer had no network connectivity, even though
    ifconfig said my NIC was up and running. I could not get a ping response
    from my computer until I rebooted. So next question is what sort of
    mischief could this intruder have been up to?

    Thanks


  2. Re: security of ssh on Solaris

    James writes:
    >I have edited the names, but what was name1, name2, name3 were valid
    >user names with the obvious password (that has been rectified). They
    >were not my username nor root. Question is how would someone be able to
    >find out about their existence without my having given them away to the
    >general public?


    They guessed. Look in your logfiles and you'll find dozens of lines
    where the same site was connecting to your SSH daemon and trying lots
    of different usernames. Maybe more sites than just that one.

    Some of the usernames you'll see in the logs are well-known Unix account
    names (like "root"), but most of them are common account names like
    "john", "mary", "bob" and so on. As you noticed with your three accounts,
    the attackers try the obvious password (same as the username).

    This doesn't require the attacker to have special knowledge about your
    server. They just try to connect to the ssh port on your server (and
    are successful) and try many common usernames with the same password.

    There are several ways you can try to prevent this. First and foremost,
    don't allow accounts on your servers to have passwords that are the same
    as the usernames. If your users are likely to change their passwords to
    something insecure, you'll have to run tests to notice when that happens
    and take corrective action. Second, try to limit which places around the
    world can connect to ssh on your servers. Third, you may be able to use
    software that notices when someone is trying to log into different accounts
    and set the server's packet filters to block them for a while.

    I don't have suggestions for software that could provide the third option
    above. Solaris 10 uses the pf packet filtering system, so the community
    of pf users might know what is available.

    -Greg
    --
    ::::::::::::: Greg Andrews ::::: gerg@panix.com :::::::::::::
    I have a map of the United States that's actual size.
    -- Steven Wright
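    The check Greg describes (look for one site trying many usernames, then decide what to block and which accounts it got into) as a worked example. This is an added illustration, not code from either poster. The log lines are constructed: they copy the `[ID nnnnnn auth.info]` tag format visible in the original post and OpenSSH's standard "Failed password for ..." / "Accepted password for ..." wording, with made-up hostnames, usernames and documentation-range addresses. The thresholds (4 failures or 3 distinct usernames) and the interface name `bge0` in the generated rules are assumptions; the rules use IP Filter (ipf.conf) syntax, which is the packet filter Solaris 10 ships, so check them against whatever filter you actually run.

```python
import re
from collections import defaultdict

# Constructed sample of /var/adm/messages lines (NOT taken from the poster's box).
# The "[ID nnnnnn auth.info]" tag is how Solaris syslog decorates messages; the
# message bodies use OpenSSH's usual wording. 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = """\
Jun 19 06:30:01 hostname sshd[6801]: [ID 800047 auth.info] Failed password for invalid user mary from 203.0.113.7 port 40111 ssh2
Jun 19 06:30:04 hostname sshd[6802]: [ID 800047 auth.info] Failed password for invalid user bob from 203.0.113.7 port 40112 ssh2
Jun 19 06:30:07 hostname sshd[6803]: [ID 800047 auth.info] Failed password for root from 203.0.113.7 port 40113 ssh2
Jun 19 06:30:10 hostname sshd[6804]: [ID 800047 auth.info] Failed password for invalid user john from 203.0.113.7 port 40114 ssh2
Jun 19 06:30:13 hostname sshd[6805]: [ID 800047 auth.info] Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
Jun 19 06:37:20 hostname sshd[6850]: [ID 800047 auth.info] Accepted password for name3 from 203.0.113.7 port 40180 ssh2
Jun 19 06:39:02 hostname sshd[6870]: [ID 800047 auth.info] Accepted password for name2 from 203.0.113.7 port 40201 ssh2
Jun 19 07:10:00 hostname sshd[6900]: [ID 800047 auth.info] Failed password for james from 198.51.100.23 port 51000 ssh2
Jun 19 07:10:09 hostname sshd[6901]: [ID 800047 auth.info] Accepted publickey for james from 198.51.100.23 port 51001 ssh2
Jun 19 10:28:21 hostname sshd[6909]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"(?:\[ID \d+ \S+\]\s+)?"                      # optional Solaris syslog message tag
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+"
    r"(?P<invalid>invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)\s+port\s+(?P<port>\d+)"
)


def parse(log_text):
    """Turn raw syslog text into auth events; lines that are not sshd auth results are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = ev["invalid"] is not None   # sshd says the account does not exist
            events.append(ev)
    return events


def summarize(events):
    """Per source address: failures, distinct usernames tried, and accepted (user, method) pairs."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "invalid_users": set(), "accepted": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        if ev["result"] == "Failed":
            s["failed"] += 1
            if ev["invalid"]:
                s["invalid_users"].add(ev["user"])
        else:
            s["accepted"].add((ev["user"], ev["method"]))
    return per_ip


def suspicious_sources(events, max_failures=4, max_users=3):
    """Addresses that look like a guessing run: many failures, or many different usernames.
    Thresholds are assumptions; tune them to your own traffic."""
    return sorted(ip for ip, s in summarize(events).items()
                  if s["failed"] >= max_failures or len(s["users"]) >= max_users)


def accounts_to_review(events, **thresholds):
    """Accounts a suspicious source actually got into WITH A PASSWORD: treat as compromised."""
    bad = set(suspicious_sources(events, **thresholds))
    return sorted({user for ip, s in summarize(events).items() if ip in bad
                   for user, method in s["accepted"] if method == "password"})


def ipf_block_rules(ips, interface="bge0", port=22):
    """Rule lines in IP Filter (ipf.conf) syntax; the interface name is a placeholder."""
    return [f"block in quick on {interface} proto tcp from {ip}/32 to any port = {port}" for ip in ips]


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for ip, s in summarize(events).items():
        print(f"{ip}: {s['failed']} failures, {len(s['users'])} usernames, "
              f"{len(s['invalid_users'])} nonexistent, logged in as {sorted(s['accepted'])}")
    bad = suspicious_sources(events)
    print("block:", bad)
    print("reset passwords / check for tampering:", accounts_to_review(events))
    print("\n".join(ipf_block_rules(bad)))
```

The "invalid user" marker is worth tracking separately: a source that hits many nonexistent names is guessing from a wordlist, while a source that only ever hits real names may have obtained a user list some other way. Any account that a guessing source logged into with a password (here `name2` and `name3`) should be treated as compromised, not merely reset.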

  3. Re: security of ssh on Solaris

    On 2008-06-20 16:41:20 +0100, gerg@panix.com (Greg Andrews) said:

    > There are several ways you can try to prevent this. First and foremost,
    > don't allow accounts on your servers to have passwords that are the same
    > as the usernames. If your users are likely to change their passwords to
    > something insecure, you'll have to run tests to notice when that happens
    > and take corrective action. Second, try to limit which places around the
    > world can connect to ssh on your servers. Third, you may be able to use
    > software that notices when someone is trying to log into different accounts
    > and set the server's packet filters to block them for a while.


    You can also try forcing the use of ssh keys and disallowing passwords
    altogether.

    Cheers,

    Chris
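    Chris's suggestion, keys only and no passwords, has two traps that a quick `sshd_config` edit can miss: sshd uses the first value it sees for a keyword, so a `PasswordAuthentication no` appended below an existing `yes` does nothing, and `ChallengeResponseAuthentication` (keyboard-interactive via PAM) also has to be off or the password prompt just comes back by another method. The following is an added example, not code from Chris or from any SSH project: a small auditor that parses constructed `sshd_config` fragments with OpenSSH's first-value-wins rule and reports whether a password could still get in. The three config fragments and the default values assumed for absent keywords are constructed for the example; the bundled SunSSH on Solaris 10 names some of these options differently, so check its `sshd_config` documentation before copying keywords.

```python
import re

# Three constructed sshd_config fragments (OpenSSH keyword names). None of these is
# from the original thread.
WEAK_CONFIG = """\
# Out-of-the-box style: any account with a guessable password is reachable
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

BOTCHED_CONFIG = """\
# Admin appended 'no' at the end; sshd uses the FIRST value of a keyword, so this is still open
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# Keys only: both the password method and keyboard-interactive (PAM prompt) are off
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers james
"""


def parse_sshd_config(text):
    """Return (effective, ignored). The first value seen for each keyword wins, as sshd
    does; later duplicates are collected so the reader can see why an edit had no effect.
    Parsing stops at the first Match block, whose settings apply only conditionally."""
    effective, ignored = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()                     # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in effective:
            ignored.append((lineno, key, value))
        else:
            effective[key] = value
    return effective, ignored


def audit(text):
    """Findings about password exposure; an empty list means keys-only is actually in force.
    Defaults assumed for absent keywords ('yes' throughout) are an assumption of this example."""
    effective, ignored = parse_sshd_config(text)

    def val(key, default):
        return effective.get(key, default).lower()

    findings = []
    if val("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is effectively yes")
    if val("challengeresponseauthentication", "yes") != "no":
        findings.append("ChallengeResponseAuthentication is effectively yes: "
                        "PAM keyboard-interactive can still prompt for a password")
    if val("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off: with passwords disabled nobody could log in")
    if val("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no'")
    for lineno, key, value in ignored:
        findings.append(f"line {lineno}: '{key} {value}' is ignored, "
                        f"the earlier '{key} {effective[key]}' wins")
    return findings


def password_logins_possible(text):
    """True if sshd would still accept a password by either the password or the
    keyboard-interactive method."""
    effective, _ = parse_sshd_config(text)
    return (effective.get("passwordauthentication", "yes").lower() != "no"
            or effective.get("challengeresponseauthentication", "yes").lower() != "no")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("botched", BOTCHED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: passwords possible = {password_logins_possible(cfg)}")
        for finding in audit(cfg):
            print("   ", finding)
```

After editing the real file, confirm the result from the daemon's point of view rather than by reading the file: log in from a second session with a key first, keep that session open, then try a password login from elsewhere and make sure it is refused before the original session is closed.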

