# Hackers trying different tricks?

## chas_e_erath

I see lots of noise in my sshd log from various IPs.  Fail2ban worked wonders on the last method, but these are different in that they spoof the IP after every attempt, and that the log records "Bye Bye" after each failure.  Adjusting my hosts.allow and hosts.deny files seems to have made things quiet again (at least for the last 30 minutes or so).

```
root@loco root# grep Bye /var/log/sshd/current | nl | tail
  2243  log-2008-05-07-00:05:49:May  6 16:37:50 [sshd] Received disconnect from 217.133.215.194: 11: Bye Bye
  2244  log-2008-05-07-00:05:49:May  6 16:39:49 [sshd] Received disconnect from 68.213.208.164: 11: Bye Bye
  2245  log-2008-05-07-00:05:49:May  6 16:43:06 [sshd] Received disconnect from 196.211.38.218: 11: Bye Bye
  2246  log-2008-05-07-00:05:49:May  6 16:44:34 [sshd] Received disconnect from 87.241.8.203: 11: Bye Bye
  2247  log-2008-05-07-00:05:49:May  6 16:46:59 [sshd] Received disconnect from 66.159.198.155: 11: Bye Bye
  2248  log-2008-05-07-00:05:49:May  6 16:49:09 [sshd] Received disconnect from 62.167.18.154: 11: Bye Bye
  2249  log-2008-05-07-00:05:49:May  6 16:51:44 [sshd] Received disconnect from 201.134.245.78: 11: Bye Bye
  2250  log-2008-05-07-00:05:49:May  6 16:53:52 [sshd] Received disconnect from 217.70.119.198: 11: Bye Bye
  2251  log-2008-05-07-00:05:49:May  6 16:56:45 [sshd] Received disconnect from 196.2.12.200: 11: Bye Bye
  2252  log-2008-05-07-00:05:49:May  6 16:59:06 [sshd] Received disconnect from 211.22.140.146: 11: Bye Bye
root@loco root#
```

Each of those entries is preceded by a failed attempt to log in as root (which isn't allowed on this machine).

I hate them.

----------

## bunder

i've been getting continuous root attempts from random hosts since yesterday...  must be a new botnet out there...

*Quote:*

> ```
> # grep "May  6" /var/log/auth.log | grep root | grep rhost | wc -l
> 117
> ...
> ```

first one started at 5:40pm EDT and hasn't stopped since... one connect, one root attempt.  i don't think they are spoofing as you can connect back to ssh on these hosts...

cheers

----------

## Hu

Spoofing the source IP address for a fully established TCP connection is hard if you are not in the path to receive the responses.  It is more likely that the attacker controls enough systems that each zombie attacks once, then moves on.  This is likely an attempt to minimize the effectiveness of fail2ban (and similar defenses), since the frequent rotation guarantees that the next attacker will be one you have not yet banned.

----------

## Carnildo

Which is what makes Denyhosts still effective: since it uses a centralized database, if a zombie tries to break into one system, all the other systems using the database will block it.

----------

## eccerr0r

*bunder wrote:*

> first one started at 5:40pm EDT and hasn't stopped since... one connect, one root attempt.  i don't think they are spoofing as you can connect back to ssh on these hosts...

I've been getting these as well, and it hasn't stopped, but at least I'm starting to get some duplicates and the repeats get added to deny.  What I didn't try is connecting back... Did you make a note of what kind of machine and what version of sshd the attacker machines run?

----------

## octanez

I am seeing one attempt per host, but obviously going through a list, as the names are in alphabetical order!!!

```
May 12 01:34:26 [sshd] Invalid user alexavier from 200.183.40.66
May 12 01:35:02 [sshd] Invalid user alexavier from 213.33.201.30
May 12 01:35:30 [sshd] Invalid user alexia from 89.186.79.250
May 12 01:36:45 [sshd] Invalid user alexis from 62.72.101.154
May 12 01:37:16 [sshd] Invalid user alexis from 62.2.99.174
May 12 01:37:53 [sshd] Invalid user alfonso from 213.41.176.229
May 12 01:38:19 [sshd] Invalid user alfonso from 88.87.195.14
May 12 01:39:01 [sshd] Invalid user alfred from 200.207.85.162
May 12 01:39:27 [sshd] Invalid user alfred from 200.250.24.130
May 12 01:40:05 [sshd] Invalid user algernon from 194.94.121.234
May 12 01:40:47 [sshd] Invalid user algernon from 88.196.54.98
May 12 01:41:13 [sshd] Invalid user ali from 213.133.164.90
May 12 01:42:05 [sshd] Invalid user ali from 213.150.184.70
May 12 01:42:31 [sshd] Invalid user alia from 89.119.21.35
May 12 01:42:58 [sshd] Invalid user alia from 200.69.115.174
May 12 01:43:23 [sshd] Invalid user alice from 64.83.58.161
May 12 01:44:05 [sshd] Invalid user alice from 62.80.229.104
May 12 01:44:32 [sshd] Invalid user alicia from 83.12.90.62
May 12 01:45:13 [sshd] Invalid user alicia from 145.253.179.228
May 12 01:46:18 [sshd] Invalid user alick from 200.93.164.53
```
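
The pattern the posts above describe (one attempt per source IP, usernames walked in alphabetical order) is something a log watcher can score directly. The following is an added example, not code from any poster or from fail2ban; the log sample is constructed in the shape of the lines quoted in this thread, and the thresholds in `is_distributed_bruteforce` are assumptions to tune per host.

```python
import re
from collections import Counter

# Constructed sample in the shape of the sshd lines quoted in this thread
# (metalog-style "[sshd]" prefix); addresses and names are made up.
SAMPLE_LOG = """\
May 12 01:34:26 [sshd] Invalid user alexavier from 192.0.2.10
May 12 01:35:02 [sshd] Invalid user alexavier from 192.0.2.11
May 12 01:35:30 [sshd] Invalid user alexia from 192.0.2.12
May 12 01:36:45 [sshd] Invalid user alexis from 192.0.2.13
May 12 01:37:16 [sshd] Invalid user alfonso from 192.0.2.14
May 12 01:37:53 [sshd] Received disconnect from 192.0.2.14: 11: Bye Bye
May 12 01:38:19 [sshd] Failed password for root from 192.0.2.15 port 4022 ssh2
May 12 01:39:01 [sshd] Accepted publickey for admin from 198.51.100.7 port 5100 ssh2
"""

# Two shapes of failed login: an unknown username, or a wrong password for a
# real account (root here). "Bye Bye" disconnects carry no username and are
# not counted as attempts.
ATTEMPT_RE = re.compile(
    r"(?:Invalid user|Failed password for) (\S+) from (\d+\.\d+\.\d+\.\d+)")

def parse_attempts(text):
    """Return failed attempts as (username, source_ip) pairs in log order."""
    return [m.groups() for m in ATTEMPT_RE.finditer(text)]

def profile(attempts):
    """Summarise how attempts are spread across sources and usernames."""
    if not attempts:
        return {"attempts": 0, "sources": 0, "single_shot": 0.0, "ordered": 0.0}
    per_ip = Counter(ip for _, ip in attempts)
    users = [u for u, _ in attempts]
    # Share of source IPs that tried exactly once: a rotating botnet where
    # each zombie attacks once and moves on pushes this towards 1.0.
    single_shot = sum(1 for n in per_ip.values() if n == 1) / len(per_ip)
    # Share of consecutive username pairs in non-decreasing order: a shared
    # wordlist walked alphabetically pushes this towards 1.0.
    pairs = list(zip(users, users[1:]))
    ordered = sum(1 for a, b in pairs if a <= b) / len(pairs) if pairs else 1.0
    return {"attempts": len(attempts), "sources": len(per_ip),
            "single_shot": single_shot, "ordered": ordered}

def is_distributed_bruteforce(attempts, min_sources=5, single_shot=0.8,
                              ordered=0.9):
    """True when many sources each try about once, walking a wordlist in order."""
    p = profile(attempts)
    return (p["sources"] >= min_sources and p["single_shot"] >= single_shot
            and p["ordered"] >= ordered)
```

Run `profile(parse_attempts(open("/var/log/sshd/current").read()))` against a real log to see the two ratios; a single noisy host scores near 0 on `single_shot`, while the campaign in this thread scores near 1 on both.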

----------

## eccerr0r

I have a suspicion they are keeping track of a list of "hit hosts"...  I think they know which ones are routers and avoid them, specifically going after Linux/Unix boxes.  They started with A's on my machine as well, oddly enough.  They are systematically going through some list, very suspicious...

My WRT54G has _much_ fewer attempts at it.  This could be a good or bad sign...

What services are being run on your boxes?  I have httpd running amongst other things, and I suspect this is "valuable" to hackers.

----------

## Cyker

Is there a way to add a random/sliding delay to the connection process?

Something like:

e.g. 1st connection is normal.

If a second connection occurs while the first is active, there is a 20-25s delay before reply.

If a second connection occurs immediately after the first, there is a 20-25s delay before reply. This delay is reduced by 5s for every 1s after the 1st connection handshake has ended (either with a successful auth or failed auth) until it is 0 again.

Even if I can't stop 'em trying this crap I'd like to inconvenience them as much as possible.

----------

## eccerr0r

Can't do that with random hosts attacking your machine unless you whitelist all machines you're connecting from; otherwise their doing this crap will basically DDoS your machine (for remote users) due to your 'exponential backoff' (like ethernet collisions).

I don't know why I'm really pissed at all these people, from the botmaster to each individual negligent computer owner... GRR.

Another piece of data I found: I had one of my Gentoo boxes turned off (and thus isolated) - turning it on for a few hours revealed few connection attempts...  I still suspect a hitlist theory versus randomly trying to find machines to exploit (though tracers have been fired...)

----------

## octanez

*eccerr0r wrote:*

> What services are being run on your boxes?  I have httpd running amongst other things, and I suspect this is "valuable" to hackers.

I too am running httpd on all the boxes I thought to check today, I'll look on a couple other boxes tomorrow that don't have httpd running.

----------

## octanez

I checked a couple more boxes, those only running sshd, and I am still seeing alphabetical order ssh attempts from thousands of IPs. Though it looks like they stopped around 0900 GMT. I am also, just for completeness, at an educational/.edu location.

----------

## zoni

Same here, my server is getting hammered by bots a lot more than has been usual recently.

There's mention of it on the SANS ISC too.

----------

## Inodoro_Pereyra

That is why it is always good security advice to keep ssh access closed and open it only when you need it, even remotely. Hope it helps someone out there.

Regards.

----------

## eccerr0r

Only problem is, where I'm sshing from, only port 22 is open (and the usual 80) due to firewall.  Finding a way to knock using these sole ports open is a challenge...

On a positive note, the barrage has quieted down a bit since 2AM last night... doesn't mean they'll just start right back up.  Last attempt was for 'carrington' from 200.21.231.45.

----------

## Inodoro_Pereyra

*eccerr0r wrote:*

> Only problem is, where I'm sshing from, only port 22 is open (and the usual 80) due to firewall.  Finding a way to knock using these sole ports open is a challenge...
>
> On a positive note, the barrage has quieted down a bit since 2AM last night... doesn't mean they'll just start right back up.  Last attempt was for 'carrington' from 200.21.231.45.

So, your firewall runs on a different host? Set up port knocking in your firewall then.

Regards.

----------

## eccerr0r

It's not my firewall.

```
(home machine)---internet----(work-firewall)-(me, remotely)
```

work-firewall blocks all but port 22, 80.

I run sshd and httpd on my home machine.

Now solve it?

[Edit] Ugh the beatings continue... looks like they reset the list to begin with 'a' again...

Time to rename all my accounts to something like zzzeccerr0r...

----------

## c4

From my logs I guess that the traffic is controlled by a bot-master, using compromised boxes to launch a cooperative attack against ssh on different hosts. It might not just be a coincidence that there was a problem with openssl on Debian based boxes recently, where the package openssl-0.9.8c1 did not generate proper certificates.

I have noticed two things with these new attacks. At first someone tried checking usernames from a long list (old common tactic), checking each name once from a specific host and then using another bot to check the next name etc. Secondly, after several hundred unsuccessful attempts (all usernames started with the letter "B"), the attacker changed tactics and tried, and is still trying, to use "root" as the login name.

This would be the first time that I have seen a botnet-attack like this, but all in all, the methods for trying to brute force sshd remain the same.

So far I changed the settings for fail2ban ( /etc/fail2ban/jail.conf ) to use a larger "findtime", and a suitable "maxretry" value, thus reducing the effectiveness of varying the bots used in the attack. So far fail2ban is stacking up the bots, currently over 200 bans today and counting. 

If the problem continues and the attacks increase, one easy alternative is to change the port sshd listens on. Other boxes that use a different port are not being targeted at all for the moment, though that might change if a persistent attacker scans the server first. Port knocking, as mentioned, is a good way to cloak the services running.
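
To see why the larger `findtime` in c4's post changes the outcome, here is an added model (not c4's configuration and not fail2ban's own code) of fail2ban's per-IP counting rule, replayed against a constructed rotating botnet where each zombie tries once and only returns after the whole pool has cycled. The 100-zombie pool, the 30 s spacing and the 203.0.113.x addresses are assumptions chosen to mirror the one-attempt-per-host rhythm seen in the logs above.

```python
from collections import defaultdict, deque

def simulate_bans(events, findtime, maxretry, bantime):
    """Replay (timestamp, ip) login failures through a fail2ban-style counter.

    An IP is banned once it has `maxretry` failures inside a sliding window
    of `findtime` seconds; a ban lapses after `bantime` seconds. Returns the
    bans as (timestamp, ip) pairs. This models fail2ban's counting rule
    (assumption); it is not fail2ban's own code.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    banned_until = {}             # ip -> time its ban lapses
    bans = []
    for t, ip in sorted(events):
        if banned_until.get(ip, -1) > t:
            continue              # traffic from a banned IP never reaches sshd
        window = recent[ip]
        window.append(t)
        while t - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans.append((t, ip))
            banned_until[ip] = t + bantime
            window.clear()
    return bans

def rotating_botnet(bots, interval, rounds):
    """Constructed attack stream: `bots` zombies (203.0.113.x, made up) each
    make one attempt per round, `interval` seconds apart, so a given zombie
    only comes back after the whole pool has cycled, as in the one-attempt-
    per-host pattern described in this thread."""
    return [(r * bots * interval + b * interval, f"203.0.113.{b}")
            for r in range(rounds) for b in range(bots)]

def bans_for(findtime, maxretry, bantime=600, bots=100, interval=30, rounds=3):
    """Number of zombies banned under a given jail setting."""
    return len(simulate_bans(rotating_botnet(bots, interval, rounds),
                             findtime, maxretry, bantime))
```

With 100 zombies 30 s apart, each zombie's failures are 3000 s apart, so `bans_for(600, 3)` (a 10-minute window) bans nobody, while `bans_for(7200, 3)` catches all 100 on their third pass; a single host hammering once per second is still banned on its third failure either way.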

----------

## octanez

 *c4 wrote:*   

> I have noticed two things with these new attacks. At first someone tried checking usernames from a long list (old common tactic), checking each name once from a specific host and then using another bot to check the next name etc. Secondly, after several hundred unsuccessful attempts (all usernames started with the letter "B"), the attacker changed tactics and tried, and is still trying, to use "root" as the login name.

 

I am seeing this switch to "root" only attacks on my boxes as well, although the attack seems to have slowed to an average of one attempt every 6-7 minutes.

----------

## eccerr0r

I keep hearing of people suggesting port knocking and port relocation as a "solution" but sometimes it's not feasible.  I'm behind a SOCKS firewall at work which I don't control, and it only allows ssh, ftp, and web access to my home machine, disallowing access to other ports (forcibly denied if I try to proxy a telnetd port, for instance).  Am I just SOL on this?

I got another hiatus in the beatings, no attacks in the past two hours.  Been hosts.denying as it seems that they're using a specific set of hosts to pound my poor machine.

----------

## c4

 *eccerr0r wrote:*   

> I keep hearing of people suggesting port knocking and port relocation as a "solution" but sometimes it's not feasible.  I'm behind a SOCKS firewall at work which I don't control, and it only allows ssh, ftp, and web access to my home machine, disallowing access to other ports (forcibly denied if I try to proxy a telnetd port, for instance).  Am I just SOL on this?
> 
> I got another hiatus in the beatings, no attacks in the past two hours.  Been hosts.denying as it seems that they're using a specific set of hosts to pound my poor machine.

 

I agree that using a different set of ports is only possible if you are the admin of the firewall and can change the listening ports. It does sound like by using deny.hosts you have taken action to prevent intruders from banging away at your box. However, if that seems to fail then I am not aware of any other methods of "damage control". Strong passwords of course, or perhaps the use of certificates, and do not allow password logins at all. For my setup I have stated which usernames are allowed ssh login, so all others get caught by fail2ban.

On a side note, it seems the bot-net attackers have stopped the attacks against my server for the time being. Either that or the large number of prolonged bans are starting to help shield off the bots.

----------

## bunder

 *c4 wrote:*   

> On a side note, it seems the bot-net attackers have stopped the attacks against my server for the time being. Either that or the large number of prolonged bans are starting to help shield off the bots.

 

the one probing my box comes and goes...  it's not as continuous as it was last wednesday.

note: i'm not using fail2ban, or blocking them in any fashion.

----------

