Saturday, July 16, 2005

Recent SSH Brute-Force Attacks

Introduction

In an SSH brute-force attack, also known as a dictionary attack because it uses a list of known passwords, a program connects to a remote SSH server and attempts to log in using common user name/password combinations. Recently server administrators have noticed a surge of these attempts. This paper will briefly discuss these attacks: how they work, where they come from and, most importantly, possible ways to stop them. This article is targeted towards novice and intermediate administrators.
When the attacks were first noticed, and how they are noticed
It was around May of 2005 that these attacks were first brought to light on the “intrusions” mailing list at SANS. System administrators were noticing failed SSH login attempts in their log files, some days up to 200 to 300 attempts per day. I have also noticed these dictionary attacks, even on my puny DSL-connected box running FreeBSD 4.11. So it would seem that not only networks with high-speed connections are at risk.

It is also possible that these attacks have been going on longer than just the past few months, as it was noted on the SANS mailing list that at least one individual had seen attempts using a “guest/guest” login/password combination about a year before these new ones. It is quite obvious that this is the work of an automated program, as the user names are attempted in alphabetical order. The time-stamps are also a dead giveaway, with connections only a few seconds apart.
Here is an example from my /var/log/auth.log:
Jul 14 02:12:19 rage sshd[47297]: Illegal user admin from 203.197.118.71
Jul 14 02:12:25 rage sshd[47299]: Illegal user test from 203.197.118.71
Jul 14 02:12:30 rage sshd[47301]: Illegal user guest from 203.197.118.71
Jul 14 02:12:37 rage sshd[47303]: Illegal user webmaster from 203.197.118.71
Jul 14 02:12:41 rage sshd[47305]: Illegal user mysql from 203.197.118.71
Jul 14 02:12:45 rage sshd[47307]: Illegal user oracle from 203.197.118.71
Jul 14 02:12:50 rage sshd[47309]: Illegal user library from 203.197.118.71
Jul 14 02:12:54 rage sshd[47311]: Illegal user info from 203.197.118.71
Jul 14 02:12:59 rage sshd[47313]: Illegal user shell from 203.197.118.71
Jul 14 02:13:03 rage sshd[47315]: Illegal user linux from 203.197.118.71
Jul 14 02:13:07 rage sshd[47317]: Illegal user unix from 203.197.118.71
Jul 14 02:13:12 rage sshd[47319]: Illegal user webadmin from 203.197.118.71
Jul 14 02:13:16 rage sshd[47321]: Illegal user ftp from 203.197.118.71
Jul 14 02:13:23 rage sshd[47323]: Illegal user test from 203.197.118.71
As you can see in the above example, login attempts were only a few seconds apart, indicating the use of a script. It is also obvious that they are using well-known account names which could quite possibly be used in a corporate environment, where the web development team might have been set up with the user name “webadmin”. It was also speculated on the SANS mailing list that password lists were circulating with 3,400 to 22,000 passwords listed. It is very easy to come across these types of lists on the web, all the more reason for administrators to practice safe password use.
A dangerous addition to these attacks is the attempt to break into “root” accounts. I will discuss later on how you can prevent the root account from being compromised over SSH, but it is worth noting that, even though you can disable the root account, the attackers still try. More proof that we're dealing with an automated “script kiddie” type of program.
Here is another example from /var/log/auth.log:
Jul 14 02:13:51 rage sshd[47335]: Failed password for root from 203.197.118.71 port 33396 ssh2
Jul 14 02:13:55 rage sshd[47337]: Failed password for root from 203.197.118.71 port 33443 ssh2
Jul 14 02:13:59 rage sshd[47339]: Failed password for root from 203.197.118.71 port 33490 ssh2
Jul 14 02:14:06 rage sshd[47341]: Failed password for root from 203.197.118.71 port 33541 ssh2
Jul 14 02:14:11 rage sshd[47343]: Failed password for root from 203.197.118.71 port 33632 ssh2
Jul 14 02:14:16 rage sshd[47345]: Failed password for root from 203.197.118.71 port 33686 ssh2
Jul 14 02:14:22 rage sshd[47347]: Failed password for root from 203.197.118.71 port 33739 ssh2
Another thing to notice is the “Failed password” message; in the previous example the message was “Illegal user”. The difference is that for “Failed password”, the account actually exists on your system and can be compromised. If that particular user had a weak password, it wouldn't take long for a dictionary attack to find it. Whether or not the user name actually exists isn't shown to the attacker.
How to know if you're being attacked, and possible locations of the attackers
Finding where these attackers are coming from might be a daunting task: getting the IP address of the connecting computers is easy, but whether that is where the attacker actually is might be a different story. Recently I started running p0f on my system. This gave me an indication of what types of systems the attackers use, how many hops away they are, and their connection type. Since p0f is passive, the attackers had no knowledge they were being monitored.
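As an added example (not part of the original article), here is a small Python script that applies the two observations above to sshd log lines: it groups attempts by source address, separates “Illegal user” names (the account does not exist) from “Failed password” names (the account exists and is at risk), and flags sources whose attempts arrive only seconds apart. The sample lines are constructed from the article's own log excerpt plus one ordinary failed login; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a few of the article's sshd lines plus one unrelated
# failed login, so the "scripted burst" heuristic also has a negative case.
SAMPLE_LOG = """\
Jul 14 02:12:19 rage sshd[47297]: Illegal user admin from 203.197.118.71
Jul 14 02:12:25 rage sshd[47299]: Illegal user test from 203.197.118.71
Jul 14 02:12:30 rage sshd[47301]: Illegal user guest from 203.197.118.71
Jul 14 02:13:51 rage sshd[47335]: Failed password for root from 203.197.118.71 port 33396 ssh2
Jul 14 02:13:55 rage sshd[47337]: Failed password for root from 203.197.118.71 port 33443 ssh2
Jul 14 09:41:02 rage sshd[48102]: Failed password for alice from 192.0.2.10 port 51022 ssh2
"""

# The two sshd messages the article discusses: "Illegal user" means the
# account does not exist, "Failed password" means it does.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<bad_user>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?P<user>\S+) from (?P<ip2>\S+))"
)


def analyze(log_text, year=2005, burst_gap=10, min_burst=3):
    """Summarise sshd login failures per source IP.  The year is assumed
    (syslog omits it); a run of min_burst attempts, each within burst_gap
    seconds of the previous one, is taken as evidence of a script."""
    events = defaultdict(list)  # ip -> [(timestamp, user, account_exists)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["bad_user"]:
            events[m["ip1"]].append((ts, m["bad_user"], False))
        else:
            events[m["ip2"]].append((ts, m["user"], True))

    report = {}
    for ip, evs in events.items():
        evs.sort()
        longest = run = 1  # longest chain of attempts only seconds apart
        for prev, cur in zip(evs, evs[1:]):
            run = run + 1 if (cur[0] - prev[0]).total_seconds() <= burst_gap else 1
            longest = max(longest, run)
        report[ip] = {
            "attempts": len(evs),
            "unknown_users": sorted({u for _, u, ok in evs if not ok}),
            "existing_accounts": sorted({u for _, u, ok in evs if ok}),
            "longest_burst": longest,
            "scripted": longest >= min_burst,
        }
    return report
```

On a real host, feed it the contents of /var/log/auth.log; any source with a non-empty "existing_accounts" list is the one to audit first.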
Sample output from p0f:
219.232.36.194:54618 - Linux 2.5 (sometimes 2.4) (4) (up: 471 hrs)
-> X.X.X.X:22 (distance 17, link: ethernet/modem)
66.212.215.48:34609 - Linux 2.4/2.6 <= 2.6.7 (up: 2333 hrs)
-> X.X.X.X:22 (distance 21, link: ethernet/modem)
66.212.215.48:34609 - Linux 2.4/2.6 <= 2.6.7 (up: 2333 hrs)
-> X.X.X.X:22 (distance 21, link: ethernet/modem)
66.212.215.48:59905 - Linux 2.4/2.6 <= 2.6.7 (up: 2333 hrs)
-> X.X.X.X:22 (distance 21, link: ethernet/modem)
As with this sample, the rest of my logs show that it's mostly Linux-based systems that are compromised. P0f works perfectly in this situation since you know that the attackers are going to connect; it just sits and waits. It also gives us one very important piece of information: the IP address of the attacker.
With the address of the attacker it is possible to find out who owns it and to report the abuse. It was part of several discussions on the SANS mailing list that administrators have the right to report these abuses.
With ARIN, which most administrators know about, you can look up the information on a single IP address. It reports back with information on the owner including (most times) contact information to report abuse. For example, I did a lookup on “67.110.118.138” which, ARIN gladly tells us, is registered to XO Communications in Reston, VA, USA. We can see that they own the “67.104.0.0” to “67.111.255.255” network block. The most important thing that they provide is an email address and a phone number for reporting abuse.
If you are working in a corporate environment and you are experiencing unknown attackers attempting to break into your system, it should be your duty to report these attacks to their respective net block owners. If enough people reported them, eventually they would stop.
Solutions
Although this type of attack isn't aggressive, it is one of those attacks that, if you don't have strong passwords or change them frequently, will eventually work. Password security is a must, but it is up to the administrators to enforce it.
There are, of course, a few things you can do, the most important being disabling root logins over SSH. Adding “PermitRootLogin no” to your sshd_config file will stop the root account from being logged into remotely. If you need to be able to work as root on the same system, the best solution is to log into a normal user account and then from there use “sudo” or even “su - root”.
As well as the logging from traffic capture programs such as p0f, your system also logs automatically. Under FreeBSD, and most likely Linux, SSH logs invalid and failed logins to “/var/log/auth.log” or “/var/log/messages”. Watching this file closely allows the administrator to see exactly which user names are being tried by the attackers. If you happen to see a known user name, you know it's time to do an audit.
Another interesting program you can use is called Tattle, which was created by C.J. Steele following discussions on the SANS mailing list. Tattle is a Perl script that looks through your log files and automatically notifies domain authorities of systems performing SSH dictionary attacks. This is exceptionally handy if you administer a few different systems that offer SSH.
Marcus J. Ranum also has an interesting tool called “Never Before Seen” that is an “anomaly detection driver”. It could easily be used to watch log files and report on SSH attempts from hosts that are not normally supposed to be connecting.
As a last-resort measure you could always reconfigure the port that the SSH daemon listens on. By changing the “Port” setting in your “sshd_config” file, you can easily fool the attackers into thinking you're not running SSH at all, but there is no guarantee that they won't find you again with a simple port scan. Changing the port is definitely no substitute for strong passwords.
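As an added example (not part of the original article), the following Python script reads the global section of an sshd_config the way sshd does (case-insensitive keywords, the first occurrence of a keyword wins, anything after a Match line is conditional) and reports whether the two settings discussed above, PermitRootLogin and Port, have been applied. The two config excerpts are constructed; the “first value wins” rule is the reason a “PermitRootLogin no” appended below an earlier “PermitRootLogin yes” has no effect.

```python
import re

# Constructed sshd_config excerpts (not from any real host).  The first
# leaves root login enabled on the default port; the second applies the
# two changes discussed above.
WEAK_CONFIG = """\
# Port 22 is the compiled-in default while the line stays commented out
#Port 22
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    Keywords are case-insensitive, '#' starts a comment, 'Key value' and
    'Key=value' are both legal, and for a repeated keyword sshd keeps the
    FIRST value.  Lines after the first 'Match' apply only to matching
    connections and are not read here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip())
    return settings


def audit(text):
    """Return (keyword, finding) pairs for the settings the article recommends
    changing.  Assumption: an absent PermitRootLogin is reported as not
    disabled, because its built-in default differs between OpenSSH versions."""
    cfg = parse_sshd_config(text)
    findings = []
    root = cfg.get("permitrootlogin", "<unset>")
    if root != "no":
        findings.append(("PermitRootLogin",
                         f"is {root}; set 'PermitRootLogin no' and use su/sudo"))
    if cfg.get("port", "22") == "22":
        findings.append(("Port",
                         "default 22; moving it only reduces noise, not risk"))
    return findings
```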
Conclusion
It would seem that these dictionary-style attacks are by no means new, but they are a slight annoyance with the potential to cause harm. They have become as commonplace as seeing Code Red worm attempts in your web server logs. Your best weapon against these attacks is to monitor, be diligent in your reporting to the proper authorities and always enforce a strong password policy.
References
SANS Mailing Lists - http://lists.sans.org/
ARIN - http://www.arin.net/
Tattle - http://sodaphish.com/files/tattle
Never Before Seen - http://www.ranum.com/security/computer_security/code/
p0f - http://lcamtuf.coredump.cx/p0f.shtml

source: http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/


Battlefield Band-Aids

HemCon bandage
The chitosan bandage.

While soldiers have more high-tech equipment at their disposal than ever before, the number one cause of death on the battlefield is still a very human one: bleeding.

But, as this ScienCentral News video reports, that may change with the arrival of a new, high-tech bandage.

Shrimp Cocktail May Save Lives

Army medics dress bullet wounds with the same gauze bandage you have in your medicine cabinet at home, the same gauze that’s been used for centuries. But all gauze can do is soak up blood. It does not actually stop bleeding, and is useless for staving off the types of injuries that can cause someone to bleed to death in a few minutes.

But now, scientists have created a bandage that is actually able to clot a bullet wound in less than a minute. The bandages are laced with a mixture of ground shrimp shells and vinegar, a concoction that has been found to clot blood instantly. The key ingredient in the shrimp shells is called chitosan.

“Chitosan is a ubiquitous substance,” says Dr. Kenton Gregory, a cardiologist from Providence St. Vincent Medical Center in Portland, OR. “It’s the second most abundant substance on the planet.” Chitosan is found in the shells of other crustaceans besides shrimp, and also in insect shells.

The bandages were developed by HemCon, Inc., which develops and markets technologies to control severe bleeding for traumatic skin and organ injuries. Gregory, who co-founded HemCon, says chitosan interacts with our blood cells because its molecules carry a positive charge. “The outer membrane of a red blood cell has a negative charge," he explains, "and opposite charges attract. The red cell is attracted to the positively-charged chitosan, and when it touches, it fuses and forms a blood clot.” When a clot forms, the bleeding stops. And unlike a regular bandage, which slips off when wet, the HemCon bandage becomes adhesive and sticks to the wet wound site, sealing and stabilizing it.

“Bleeding is the single largest cause of death on the battlefield,” says Jim Hensel, President and CEO of HemCon. “The technology that exists today prior to the HemCon bandage is a compression bandage and a tourniquet, which is the same thing used in the Civil War, the Revolutionary War, and frankly, the Trojan War.”

Not Just for Soldiers

While the bandages are currently being produced exclusively for the military, Hensel is aiming for the civilian market. “We’d like to hope that everyone will put one of these in their glove box, and in their tackle box, and have several in their home.”

He also sees many other ways to use them, including in the operating room. “This bandage is made out of bio-compatible materials, which means that we can make an implantable device. In two or three years, after we do more testing and clinical trials, we believe that this product will be used as the mechanical closure for soft tissue injuries—injuries such as liver, spleen, and lung—all of which are difficult to repair.”

Besides its blood-clotting ability, chitosan may have another practical use. Dr. Gregory’s research shows that chitosan also binds bacteria and may kill them. His team poured bacteria onto the bandages, and when they checked under the microscope, the bacteria were all dead. “Although we are not formally claiming that these bandages kill bacteria,” says Dr. Gregory, “the research is there to support it.”

For now, 400 HemCon bandages have already shipped to the U.S. Army, and five were sent directly to the White House. And there’s a supply of 26,500 bandages that will go to the U.S. government over the next several months.

“We’ve developed these bandages so you could treat yourself,” explains Dr. Gregory. “If you got shot in the arm or the leg, you could literally open one of these packages with your teeth and one hand, and just put it on, put pressure on the wound, and it should stop the bleeding.”

Army doctors believe a bandage like this could have saved up to 6,000 lives during the Vietnam War.

The research was supported by the U.S. Army and private funding. Results of experiments on the bandages were published in the Journal of Trauma in January, 2003.

source: http://www.sciencentral.com/articles/view.php3?article_id=218391915&cat=2_4


NASA Reveals Dust Devil Data from Mars

"NASA reports that Martian dust devils could be much more destructive than previously considered. You may remember this past April when it was revealed that whirlwinds actually helped the current rovers by cleaning accumulated dust from their solar cells which increased their energy collection efficiency. But after studying the mini-storms more, they realize that the dust and sand particles could cause static electricity discharges, also known as lightning. The high speed grains of sand blowing around at about 30 meters/second (70 miles per hour) are nothing to blink at either, since they can damage astronauts or equipment on the Martian surface. The height of a Martian dust devil can reach 10km (6 miles), which means it's more like the size of a terran tornado."

source: http://science.slashdot.org/article.pl?sid=05/07/16/1327210&tid=160&tid=14

N.M. Site Marks Anniversary of Bomb Test

Scientists and workmen rig the world's first atomic bomb to raise it up into a 100-foot tower at the Trinity Test Site in the desert near Alamogordo, N.M., in July 1945. The first atomic bomb test, known as the Manhattan Project, took place July 16, 1945. The Trinity Site generally is open to the public only twice a year, the first Saturday in April and October. This year, the site will be open for tours for the 60th anniversary, Saturday, July 16. (AP Photo/File)

ALBUQUERQUE, N.M. - Herb Lehr hasn't been to Trinity Site since the day a mushroom cloud filled the early morning sky in the New Mexico desert.

Standing 12 miles from the blast, he looked toward the Oscura Mountains and watched as scientists detonated the first atomic bomb 60 years ago Saturday, ushering in the nuclear age.

"All of a sudden this very bright light came out and where I was, it was intense enough that the whole mountain range itself was completely whited out," he said. "I could see the ball and fire rising up. It was sort of awe-inspiring."

This Saturday, Lehr will guide a tour bus from the National Atomic Museum in Albuquerque to the Trinity Site, on what is now the Army's restricted White Sands Missile Range.

More than 5,000 people visited the site for the 50th anniversary, and officials said they are prepared for an increase for the 60th. But just like the 50th anniversary, no special events or speeches are planned.

For more than a year, Lehr was part of the top-secret Manhattan Project in Los Alamos that developed two atomic bombs that essentially stunned Japan into surrender and ended World War II. Tens of thousands of people died when the bombs were dropped on Hiroshima and Nagasaki in August 1945.

Lehr said he never fully understood the impact the bombs would have. Nevertheless, he said he would do it again.

"In a lot of respects I felt as if I had done something worthwhile," said Lehr, 83. "I am in no way ashamed of what I had done in any way, shape, matter or form. I did what I was told to do. I did it to the best of my ability."

At Trinity Site, visitors can walk on Ground Zero, where the bomb was detonated from a 100-foot steel tower that was vaporized by the blast.

Ground Zero, now a gentle depression in the desert, is marked by a lava obelisk with a simple inscription: "Trinity Site, Where the World's First Nuclear Device Was Exploded on July 16, 1945."

Along the fence line hangs a pictorial history of what happened there.

Not everyone is happy with that history.

Anti-war groups planned to protest the anniversary at the National Atomic Museum on Friday. Bob Anderson of Stop the War Machine said celebrating the development of weapons sheds blood on the nation's morality.

"It glosses over all the political and human tragedies that occurred as a result of the Trinity blast and the use of weapons on Japan," Anderson said. "We just think that's probably a more important message than trying to glorify the weapons."

Lehr said it is unfortunate the bombs were used for war. But the development of a nuclear bomb was a race among scientists around the world that couldn't be stopped, he said.

"I'm just interested in going and seeing it and maybe getting some memories back," said Lehr, who now lives in Mesa, Ariz. "Los Alamos was a whole interesting experience. It was something unique. I worked very hard down there."

source: http://news.yahoo.com/s/ap/20050715/ap_on_re_us/atomic_anniversary


