OT: password crackers

email.listen at googlemail.com
Wed Feb 8 12:11:23 UTC 2006


On Wed, 8 February 2006 07:41, Toby Kelsey wrote:
> (Off-topic as it's not Ubuntu-specific, but is relevant to Ubuntu users)
> I've just realised there are current password cracking attempts against my
> home box (breezy).
>
> On Feb 4th at 16:53 I installed openssh-server.
> By 10:09 on the 5th I was receiving password-guessing attempts, which
> produce messages in auth.log like:
>
> Feb  5 10:13:29 localhost sshd[23468]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250  user=root
> Feb  5 10:13:30 localhost sshd[23468]: Failed password for root from 202.82.204.250 port 1566 ssh2
> Feb  5 10:13:33 localhost sshd[23470]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250  user=root
> Feb  5 10:13:35 localhost sshd[23470]: Failed password for root from 202.82.204.250 port 1656 ssh2
> Feb  5 10:14:22 localhost sshd[23496]: Invalid user test from 202.82.204.250
> Feb  5 10:14:32 localhost sshd[23500]: Invalid user admin from 202.82.204.250
>
> Feb  8 06:01:55 localhost sshd[7280]: Failed password for root from 62.113.122.149 port 62900 ssh2
> Feb  8 06:01:56 localhost sshd[7283]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.113.122.149  user=root
>
> Some of the attempts are with alphabetically ordered usernames from a list,
> others repeatedly try root.
>
> The IPs and number of attempts up till now are:
>
> 200.222.105.27: 138
> 202.82.204.250: 1999
> 210.240.94.2: 59
> 211.115.81.91: 179
> 213.145.140.14: 5
> 218.24.139.109: 16
> 218.90.165.178: 60
> 222.235.28.7: 1052
> 62.113.122.149: 4570 (ongoing)
> 79.108.100-84.rev.gaoland.net: 41
> 84.100.108.79: 75
> mail.gkps.hlc.edu.tw: 31
> wap.ml.kg: 5
>
> I'm worried an attempt might succeed on an automatically generated
> username. The users with valid shells in /etc/passwd are:
> root daemon bin sys sync games man lp mail news uucp proxy www-data
> backup list irc gnats nobody toby zac fetchmail guest backuppc
>
> I have locked passwords for guest, zac, backuppc, fetchmail
> The passwords I have set myself (toby, root) are good.
>
> Are any of the other usernames likely to have default or guessable
> passwords?
>
> Many of the usernames seem unnecessary and may be the result of previous
> trial packages installations.  Which ones are needed and can I track which
> packages are responsible for which ones?  When packages are uninstalled is
> the password for the relevant account locked?
>
> Is this rate of attack fairly typical?
>
> Is it worth trying to take action against the hosts involved?
>
> Can I easily block specific hosts, or prevent repeated attempts from the
> same host?
>
> I could just uninstall openssh-server, as I do not need it currently.

There were some postings which mention some useful restrictions via
iptables.

Another good idea might be to install portsentry and use its capability to
block IP addresses.

For this you need to enable this line in portsentry.conf:
---8<--- /etc/portsentry/portsentry.conf ---8<---
[...]
#
# iptables support for Linux with limit and LOG support. Logs only
# a limited number of packets to avoid a denial of service attack.
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"
[...]
---8<--- /etc/portsentry/portsentry.conf ---8<---

And the allowed hosts you should also add to portsentry.ignore:

---8<--- /etc/portsentry/portsentry.ignore.static ---8<---
# /etc/portsentry/portsentry.ignore.static
#
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
# Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e. virtual host, multi-home).
#
# Upon start of portsentry(8) via /etc/init.d/portsentry this file
# will be merged into portsentry.ignore.
#
# PortSentry can support full netmasks for networks as well. Format is:
#
# <IP Address>/<Netmask>
#
# Example:
#
# 192.168.2.0/24
# 192.168.0.0/16
# 192.168.2.1/32
# Etc.
#
# If you don't supply a netmask it is assumed to be 32 bits.
#
#
127.0.0.1/32
0.0.0.0
# this might be one of your ip(range)s
192.168.10.0/24
---8<--- /etc/portsentry/portsentry.ignore.static ---8<---

Using portsentry has one small advantage: if a cracker tries _any_ port
portsentry is listening on, he will get blocked immediately. So, even if he
first probes a port which isn't used as a service (doesn't offer a service), he
will be blocked.

regards,
Thomas
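As an added example (not part of Thomas's reply or of the portsentry package), the following Python script does by hand what the thread describes: it parses sshd failure lines in the auth.log format Toby quoted, tallies attempts per remote host as in his per-IP table, skips hosts covered by a portsentry.ignore.static-style list, and renders the two iptables commands from the KILL_ROUTE line for each host over a threshold. The log excerpt and ignore list are constructed for the example (the attacking addresses are the ones quoted above; the 192.168.10.5 lines are made up to show the ignore list working), and the script only returns the iptables commands as strings rather than running them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log excerpt, modelled on the lines quoted in the post.
SAMPLE_AUTH_LOG = """\
Feb  5 10:13:29 localhost sshd[23468]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250  user=root
Feb  5 10:13:30 localhost sshd[23468]: Failed password for root from 202.82.204.250 port 1566 ssh2
Feb  5 10:13:33 localhost sshd[23470]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250  user=root
Feb  5 10:13:35 localhost sshd[23470]: Failed password for root from 202.82.204.250 port 1656 ssh2
Feb  5 10:14:22 localhost sshd[23496]: Invalid user test from 202.82.204.250
Feb  5 10:14:32 localhost sshd[23500]: Invalid user admin from 202.82.204.250
Feb  8 06:01:55 localhost sshd[7280]: Failed password for root from 62.113.122.149 port 62900 ssh2
Feb  8 06:01:56 localhost sshd[7283]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.113.122.149  user=root
Feb  8 06:02:10 localhost sshd[7290]: Failed password for toby from 192.168.10.5 port 40122 ssh2
Feb  8 06:02:12 localhost sshd[7290]: Failed password for toby from 192.168.10.5 port 40122 ssh2
Feb  8 06:02:20 localhost sshd[7295]: Accepted password for toby from 192.168.10.5 port 40130 ssh2
"""

# Constructed ignore list in portsentry.ignore.static syntax (a bare IP means /32).
IGNORE_STATIC = """\
# hosts that must never be blocked
127.0.0.1/32
0.0.0.0
192.168.10.0/24
"""

# Every failed attempt appears as one "Failed password" or "Invalid user" line.
# The "(pam_unix) authentication failure" line is the same event reported by PAM
# for the same sshd pid, so it is deliberately not counted a second time.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def parse_failures(log_text):
    """Return (host, user, kind) for each failed or invalid-user attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group(2), m.group(1), "failed"))
            continue
        m = INVALID_RE.search(line)
        if m:
            events.append((m.group(2), m.group(1), "invalid"))
    return events


def count_by_host(events):
    """Attempts per remote host, like the per-IP table in the post."""
    return Counter(host for host, _user, _kind in events)


def parse_ignore_list(text):
    """Parse portsentry.ignore.static lines into ip_network objects."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if "/" not in entry:
            entry += "/32"  # no netmask given: assumed 32 bits, as the file says
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_ignored(host, nets):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an IP cannot match a network entry
    return any(addr in net for net in nets)


def hosts_to_block(counts, threshold, ignore_nets):
    """Hosts with at least `threshold` failures, worst first, minus ignored networks."""
    candidates = [(h, n) for h, n in counts.items()
                  if n >= threshold and not is_ignored(h, ignore_nets)]
    candidates.sort(key=lambda hn: (-hn[1], hn[0]))
    return [h for h, _n in candidates]


def kill_route_rules(host):
    """The two commands from KILL_ROUTE with $TARGET$ filled in, returned as strings.

    Both use -I (insert at top), so the LOG rule, added second, ends up above the
    DROP rule: a packet from the host is logged (rate-limited) and then dropped.
    """
    return [
        f"/sbin/iptables -I INPUT -s {host} -j DROP",
        f"/sbin/iptables -I INPUT -s {host} -m limit --limit 3/minute --limit-burst 5 "
        f"-j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '",
    ]


if __name__ == "__main__":
    counts = count_by_host(parse_failures(SAMPLE_AUTH_LOG))
    for host in hosts_to_block(counts, 2, parse_ignore_list(IGNORE_STATIC)):
        print(f"{host}: {counts[host]} attempts")
        for rule in kill_route_rules(host):
            print("  " + rule)
```

With the sample above and a threshold of 2, only 202.82.204.250 is reported; 62.113.122.149 has a single counted attempt and 192.168.10.5 is excluded by the 192.168.10.0/24 ignore entry even though it has two. The threshold is a policy choice: the post's own numbers (thousands of attempts from one host) show real attackers sit far above any sensible value, while a low one risks locking out a legitimate user who mistypes a password, which is exactly what the ignore list is for.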

More information about the ubuntu-users mailing list