Koozali.org: home of the SME Server

SSH Attack?

Offline allun

SSH Attack?
« on: August 11, 2004, 06:14:37 AM »
OK, so i started noticing this in my messages log a few minutes ago:

----------------------------------------------------
Aug 11 14:48:21 mancosports01 sshd[20241]: Failed password for test from 202.134.124.212 port 53677 ssh2
Aug 11 14:48:27 mancosports01 sshd[20245]: Illegal user guest from 202.134.124.212
Aug 11 14:48:27 mancosports01 sshd[20245]: Failed password for illegal user guest from 202.134.124.212 port 53739 ssh2
Aug 11 14:48:32 mancosports01 sshd[20247]: Failed password for admin from 202.134.124.212 port 53810 ssh2
Aug 11 14:48:36 mancosports01 sshd[20252]: Failed password for admin from 202.134.124.212 port 53853 ssh2
Aug 11 14:48:40 mancosports01 sshd[20254]: Illegal user user from 202.134.124.212
Aug 11 14:48:40 mancosports01 sshd[20254]: Failed password for illegal user user from 202.134.124.212 port 53899 ssh2
Aug 11 14:48:43 mancosports01 sshd[20256]: Failed password for root from 202.134.124.212 port 53924 ssh2
Aug 11 14:48:47 mancosports01 sshd[20260]: Failed password for root from 202.134.124.212 port 53943 ssh2
Aug 11 14:48:50 mancosports01 sshd[20262]: Failed password for root from 202.134.124.212 port 53967 ssh2
Aug 11 14:48:55 mancosports01 sshd[20264]: Failed password for test from 202.134.124.212 port 53980 ssh2

------------------------------------------------------

Looking at the timing, it seems to be an automated attack... probably trying common user/pass combinations.

I immediately panicked and closed SSH off from the internet... but now I'm wondering if this is of any real concern, or is it like the IIS attacks I see in my webserver logs every day?

Is SSH a security risk (I mean in a practical sense; I am aware that running ANY service on the internet is a risk)?

Do many people out there feel comfortable leaving SSH open all the time?

This kinda relates to the port-knocking implementation I have been trying to get working on my SME box, because getting that up and running would effectively allow me to leave any port I wanted "open" whilst leaving it closed. :-) See www.portknocking.org for a better explanation... has anyone else tried this on SME?
...
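The pattern allun is looking at (several accounts tried from one address within seconds) can be picked out of /var/log/messages mechanically. This is an added example, not code from the thread or from SME Server: it parses the sshd "Failed password" lines quoted above (embedded here as a constructed sample, with one unrelated failure from a second address added), groups them by source address and flags any source with a burst of failures. The year is assumed to be 2004 because syslog timestamps carry none; the thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the sshd lines from the post above plus one unrelated failure.
SAMPLE_LOG = """\
Aug 11 14:48:21 mancosports01 sshd[20241]: Failed password for test from 202.134.124.212 port 53677 ssh2
Aug 11 14:48:27 mancosports01 sshd[20245]: Illegal user guest from 202.134.124.212
Aug 11 14:48:27 mancosports01 sshd[20245]: Failed password for illegal user guest from 202.134.124.212 port 53739 ssh2
Aug 11 14:48:32 mancosports01 sshd[20247]: Failed password for admin from 202.134.124.212 port 53810 ssh2
Aug 11 14:48:36 mancosports01 sshd[20252]: Failed password for admin from 202.134.124.212 port 53853 ssh2
Aug 11 14:48:40 mancosports01 sshd[20254]: Illegal user user from 202.134.124.212
Aug 11 14:48:40 mancosports01 sshd[20254]: Failed password for illegal user user from 202.134.124.212 port 53899 ssh2
Aug 11 14:48:43 mancosports01 sshd[20256]: Failed password for root from 202.134.124.212 port 53924 ssh2
Aug 11 14:48:47 mancosports01 sshd[20260]: Failed password for root from 202.134.124.212 port 53943 ssh2
Aug 11 14:48:50 mancosports01 sshd[20262]: Failed password for root from 202.134.124.212 port 53967 ssh2
Aug 11 14:48:55 mancosports01 sshd[20264]: Failed password for test from 202.134.124.212 port 53980 ssh2
Aug 11 15:02:10 mancosports01 sshd[20301]: Failed password for allun from 10.0.0.5 port 40001 ssh2
"""

# Matches "Failed password for [illegal user] NAME from IP port N"; the separate
# "Illegal user" lines are informational and are not counted as a second failure.
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:illegal user )?(\S+) from (\S+) port \d+")

def parse_failures(log, year=2004):
    """Yield (timestamp, username, source_ip) for every failed-password line.
    The year is an assumption: syslog timestamps do not carry one."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_bruteforce(log, min_failures=5, window_seconds=120):
    """Return {ip: summary} for sources with min_failures failures inside one window.
    Many accounts, seconds apart, from one address is a scripted dictionary run."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events) - min_failures + 1):
            if (events[i + min_failures - 1][0] - events[i][0]).total_seconds() <= window_seconds:
                hits[ip] = {"failures": len(events),
                            "users": sorted({u for _, u in events}),
                            "seconds": (events[-1][0] - events[0][0]).total_seconds()}
                break  # one qualifying window is enough to flag the source
    return hits
```

Run against the sample it flags only 202.134.124.212: nine failures against five accounts in 34 seconds, while the single failure from 10.0.0.5 is left alone.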

Offline byte

SSH Attack?
« Reply #1 on: August 11, 2004, 09:08:12 AM »
Hi,

This should really be posted to security@contribs.org; otherwise you might have let others know about the risk and get hacked!

Btw, what version of Contribs are you running? I know there have been updates for openssh for the 6.0.1 "takeoff".

I myself would never leave ssh open to the internet unless I REALLY have to... I like to limit the ports I have open :lol:

REMEMBER ALWAYS POST SECURITY FLAWS TO CONTRIBS!!
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

ricrjhl

Re: SSH Attack?
« Reply #2 on: August 11, 2004, 03:05:38 PM »
Quote from: "allun"
OK, so i started noticing this in my messages log a few minutes ago:

----------------------------------------------------
Aug 11 14:48:21 mancosports01 sshd[20241]: Failed password for test from 202.134.124.212 port 53677 ssh2
Aug 11 14:48:27 mancosports01 sshd[20245]: Illegal user guest from 202.134.124.212
Aug 11 14:48:27 mancosports01 sshd[20245]: Failed password for illegal user guest from 202.134.124.212 port 53739 ssh2
Aug 11 14:48:32 mancosports01 sshd[20247]: Failed password for admin from 202.134.124.212 port 53810 ssh2
Aug 11 14:48:36 mancosports01 sshd[20252]: Failed password for admin from 202.134.124.212 port 53853 ssh2
Aug 11 14:48:40 mancosports01 sshd[20254]: Illegal user user from 202.134.124.212
Aug 11 14:48:40 mancosports01 sshd[20254]: Failed password for illegal user user from 202.134.124.212 port 53899 ssh2
Aug 11 14:48:43 mancosports01 sshd[20256]: Failed password for root from 202.134.124.212 port 53924 ssh2
Aug 11 14:48:47 mancosports01 sshd[20260]: Failed password for root from 202.134.124.212 port 53943 ssh2
Aug 11 14:48:50 mancosports01 sshd[20262]: Failed password for root from 202.134.124.212 port 53967 ssh2
Aug 11 14:48:55 mancosports01 sshd[20264]: Failed password for test from 202.134.124.212 port 53980 ssh2

------------------------------------------------------

Looking at the timing, it seems to be an automated attack... probably trying common user/pass combinations.

I immediately panicked and closed SSH off from the internet... but now I'm wondering if this is of any real concern, or is it like the IIS attacks I see in my webserver logs every day?

Is SSH a security risk (I mean in a practical sense; I am aware that running ANY service on the internet is a risk)?

Do many people out there feel comfortable leaving SSH open all the time?


Because of your message I checked my log and found the same type of entries there. Did a search with Google and found, amongst others, the following: http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999

Seems we are not the only ones having this problem. Seems the script kiddies have got a new tool to look for SSH vulnerabilities.

I recently already upgraded OpenSSH to the latest version (3.8.1.pl1) and have now also switched to only use public key authentication for login through SSH. I think (knock on wood) that I am safe now :-).

ricrjhl.
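The switch ricrjhl describes (keys only, no passwords) is a handful of sshd_config directives. This is an added illustration, not configuration from the thread or from SME Server: the left-hand settings are the permissive ones a dictionary run like the one logged above relies on, the right-hand ones are the hardened equivalents. Note that SME Server generates many files from templates, so check how your version manages sshd_config before editing it by hand, and keep a working key login open before turning passwords off.

```text
# Permissive (what the guessing tool needs)   # Hardened (what ricrjhl moved to)
Protocol 2,1                                  Protocol 2
PermitRootLogin yes                           PermitRootLogin no
PasswordAuthentication yes                    PasswordAuthentication no
PubkeyAuthentication yes                      PubkeyAuthentication yes
ChallengeResponseAuthentication yes           ChallengeResponseAuthentication no
# (any account may try)                       AllowUsers admin     # assumed account name
```

With PasswordAuthentication off, the "Failed password for root" lines stop appearing because sshd never offers a password prompt; what remains in the log is the occasional "Illegal user" probe, which is harmless noise.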

paulmancan2

SSH Attack?
« Reply #3 on: August 11, 2004, 07:23:41 PM »
I noticed lots of these in my logs also. I think I will switch to keyed authentication:

http://www.wellsi.com/sme/ssh/ssh.html


Now can anyone tell me about upgrading OpenSSH 3.7.1 to the current 3.8.1... I installed these on SME 5.6 and they seem to work fine:

openssh-3.8p1-1.norlug
openssh-server-3.8p1-1.norlug
openssh-clients-3.8p1-1.norlug

But I am wondering about the existing e-smith-openssh-1.8.1-02... is that the panel, I guess? Nothing needs to change here?

Thanks!

GetRighT

same here
« Reply #4 on: August 30, 2004, 11:08:35 AM »
I have not been able to Google my way to a 100% answer, but it seems there is an ssh worm crawling around.

It tries to log in with guest, admin, root and test, with the same password as the user. If it gets in, it will install a rootkit and use that server to spread itself further. :evil:

I would be glad to hear from someone who actually knows what this is.  :idea:

Offline rexgaylord

SSH Attack?
« Reply #5 on: September 10, 2004, 03:24:46 AM »
I don't know what it is either, but it takes my server all the way down; I have to power off to get it back. I'm going to deny access to ssh internal and external and see if that makes a difference. I have had this take me down up to 3 times in one day now.

Offline rexgaylord

SSH Attack?
« Reply #6 on: September 10, 2004, 04:26:50 AM »
Turning ssh off didn't stop the attacks, any ideas?

RavenIV

SSH Attack?
« Reply #7 on: September 10, 2004, 04:35:32 AM »
Quote from: "byte"
Hi,
This should really be posted to security@contribs.org otherwise you might have let others know about the risk and get hacked!

I don't think that it is an SME problem or a security problem.
Someone or something is trying to get into our servers and do something bad.

Everyone should disable external ssh if it is not needed.

So hopefully the kiddies get bored and stop this.

cheers
klaus

Offline funkusmunkus

SSH Attack?
« Reply #8 on: September 10, 2004, 09:27:34 AM »
Hi guys,

I posted this in the general forum area. I also spotted those logon attempts, and found one machine that, after being scanned with the standard admin, root, test and guest users, was faced with 2 1/2 hours of logon attempts at 3 per 10 seconds as root. They couldn't actually do anything since I'm not running sme 4 or something, and ssh is v2; the only thing they could do is try and guess the password, and unless you have an easy password I wouldn't really worry about it.
The scan, I think, was a prelude to the bigger attempt.
And Ray suggested I disable remote ssh and VPN in, then ssh locally.
Now my logs are clean.
If you're running an old version of e-smith, update it and make sure you have a nice complex password and you should be fine.

Well, that's my 2 c.
Hope that helps :-)
Cheers

onsy

SSH scanning
« Reply #9 on: September 10, 2004, 09:31:14 AM »
Hello,

As almost everyone concluded, these attempts are:
  1. automatic
  2. simple, in the sense that they just try to connect with trivial passwds on common logins (root, test, user, ...).

So, I think it isn't worth panicking and closing ssh and so on. Just applying the most basic security measure, i.e. choosing strong passwords for these logins, will protect SME from those attacks.
Another conclusion: those attacks won't stop any time soon, as they are initiated from a prog for script kiddies that apparently is widely spread.

So, to keep it short: reinforce your passwords and keep cool, guys!