Here we go again... Distributed SSH attack

April 7th, 2009 by Lars-Georg Paulsen

I guess the bad people are not taking an Easter holiday.
They've started a distributed brute-force attack against SSH again...

[image: sshattack]

Mostly it's random IP addresses that are trying. But when the IP addresses actually resolve, a lot of them are MX or mail hosts that have been compromised and are being used in this attack. Another thought: if they have managed to compromise an email host, they might be in a position to check all mail that is transferred through that host. Kind of scary...

** Update **
After 2 weeks of up to 2000 hits per day, they have moved on.

Some fun facts!
770 unique IPs trying 1 to 2 times a day.
64 mail servers, 20 DNS hosts, but mostly unresolved IPs (over 400).
Home users with ADSL/cable connections are at the top, probably not even knowing that their machines are being used in a botnet...

Celebrating 2009 with a new webserver.

January 14th, 2009 by Lars-Georg Paulsen

Christmas is over, the New Year has been celebrated... It's time to get started on 2009!
Celebrating Christmas at my parents' place back in Arendal, I also had the chance to expand the Æsir-Network. The server park is growing, and I now have a dedicated webserver. In good old spirit I've kept naming them after Norse gods, so I hereby welcome BRAGE to the Æsir-Network!

BRAGE is a cute little 1U server running a minimal FreeBSD config, which currently hosts this domain (dev/n0ll.com) and Ikkesant.com, and serves as a mirror server for PLEX. It might, in the future, also host some other domains.

In other news:
They have given up! After almost two months of distributed brute-force attacks against SSH on ODIN, they gave up around New Year (check ssh-stats). When they were going at it hardest, ODIN had about 1000 hits per day. (PS: if you look at the graph, something went wrong around New Year, as it peaks at 1600 hits over a long period. This was due to a scripting error...)

So that's it for now... Stay tuned for more fun news...

Distributed bruteforce attack towards SSH

December 18th, 2008 by Lars-Georg Paulsen

[image: hacker]

I guess everyone has heard about brute-force attacks on different services. This can be anything from SSH, Telnet and FTP to web admin interfaces. Basically it is just a mathematical approach to trying a large number of usernames and passwords. There are two approaches to doing this. The first is to try every combination: you start with 0 as username and 0 as password, and then you just keep going. This will take a LONG time, but this way you will find a way in. That is the theory... The process becomes a lot easier if you know the username; then you only need to try different passwords. But even this method will take a long, long time (if the password is subject to some security policy, e.g. a certain length, and must contain letters, numbers and symbols).

The other method is a dictionary attack. There are plenty of dictionaries out there that you can use. These attacks are very common. The attacker uses some predefined usernames, e.g. root, admin, operator etc., and a dictionary of common passwords, and then tries every combination. A lot of the time, they get lucky.

The disadvantage, from a cracker's perspective, is that the two methods above use only one source IP. This is easily detected and can be prevented by e.g. using SSHGuard or any other program/script that logs invalid/failed logins and bans that IP using iptables/pf firewall rules or simply the hosts.allow file. This is where distributed brute force comes into the picture.

A distributed brute-force attack spreads the attack. This means that there are many IPs that will fill your log with invalid/failed logins, and because of this it is much harder to discover. Especially if they use a slow distributed brute-force principle, meaning they only try about 1-2 attempts a day from each IP, or even fewer.

I'm currently under such an attack. For a secure server with only trusted users and strong passwords, it is only considered background noise. To identify these attacks I've restricted SSH access to only some IP ranges. This way, all other attempts are logged as refused entries.

Yesterday I finally got around to parsing only the last 24 hours from my log files, and I can now create a nice graph of the current SSH traffic towards my host.

[image: graph_52_5]

As you can see, I've refused 195 attempts in the last 24 hours. It also looks like the attempts are dropping a bit. I have no idea why, but I'll keep tracking it and check how it progresses. Maybe they are giving up... After all, they have been going at it for over a month now...
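The post describes the detection idea (restrict SSH to trusted ranges, then count the refused entries from the last 24 hours per source IP) and the later "fun facts" post counts the same sources by what their reverse DNS names look like (mail servers, DNS hosts, home connections, unresolved). The script below is an added example, not the author's own stats script: it parses a small constructed sample of FreeBSD-style sshd log lines (the TCP-wrappers "refused connect from host (ip)" message and sshd's own "Failed password" message), keeps only the 24-hour window before a fixed reference time, and reports totals, per-IP counts, an hourly breakdown and a heuristic source classification. The `classify` name patterns, the thresholds in `is_slow_distributed` and the sample data are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). "refused connect" is the
# TCP-wrappers (hosts.allow) message sshd logs on FreeBSD when the source is outside
# the allowed ranges; "Failed password" is sshd's own message for a source that was
# allowed to connect but failed to authenticate. Addresses come from the documentation
# ranges 192.0.2.0/24 and 203.0.113.0/24. The last line is older than 24 hours.
SAMPLE_LOG = """\
Dec 17 09:12:41 odin sshd[2011]: refused connect from mx1.example.net (192.0.2.10)
Dec 17 09:40:03 odin sshd[2019]: refused connect from 203.0.113.7 (203.0.113.7)
Dec 17 11:02:55 odin sshd[2050]: refused connect from ns2.example.org (192.0.2.53)
Dec 17 14:30:12 odin sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Dec 17 18:05:47 odin sshd[2144]: refused connect from mx1.example.net (192.0.2.10)
Dec 17 22:17:30 odin sshd[2190]: refused connect from cpe-203-0-113-44.adsl.example.net (203.0.113.44)
Dec 18 03:44:09 odin sshd[2230]: refused connect from 203.0.113.7 (203.0.113.7)
Dec 18 07:58:21 odin sshd[2301]: refused connect from 203.0.113.77 (203.0.113.77)
Dec 16 08:00:00 odin sshd[1900]: refused connect from 203.0.113.200 (203.0.113.200)
"""
SAMPLE_NOW = datetime(2008, 12, 18, 9, 0, 0)  # reference "now" for the sample (assumed)

# Syslog timestamp, host, sshd[pid], then either the wrappers message or sshd's own.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:refused connect from (?P<rhost>\S+) \((?P<rip>[\d.]+)\)"
    r"|Failed password for (?:invalid user )?\S+ from (?P<fip>[\d.]+) port \d+)"
)


def classify(host: str) -> str:
    """Heuristic bucket for a reverse-DNS name (assumed patterns, not a standard)."""
    h = host.lower()
    if re.search(r"(^|[.-])(mx|mail|smtp)\d*[.-]", h):
        return "mail"
    if re.search(r"(^|[.-])(ns|dns)\d*[.-]", h):
        return "dns"
    if re.search(r"adsl|dsl|cable|dyn|pool|cpe|dhcp", h):
        return "home"
    if re.fullmatch(r"[\d.]+", h):
        return "unresolved"  # wrappers logs the bare IP when there is no PTR record
    return "other"


def parse_line(line: str, year: int):
    """Return (timestamp, ip, hostname, kind) for a refused/failed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    if m.group("rip"):
        return ts, m.group("rip"), m.group("rhost"), "refused"
    return ts, m.group("fip"), m.group("fip"), "failed"


def summarize(log_text: str, now: datetime, year: int, window_hours: int = 24) -> dict:
    """Count attempts per source IP and per hour inside the window ending at `now`."""
    since = now - timedelta(hours=window_hours)
    per_ip, per_hour, kinds, host_of = Counter(), Counter(), Counter(), {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip, host, kind = parsed
        if not since <= ts <= now:
            continue
        per_ip[ip] += 1
        per_hour[ts.strftime("%H")] += 1
        kinds[kind] += 1
        host_of.setdefault(ip, host)
    low_rate = sum(1 for n in per_ip.values() if n <= 2)
    return {
        "total": sum(per_ip.values()),
        "refused": kinds["refused"],
        "failed": kinds["failed"],
        "unique_ips": len(per_ip),
        "per_ip": dict(per_ip),
        "per_hour": dict(per_hour),
        # Share of sources making at most two attempts: the slow-distributed signature.
        "low_rate_share": low_rate / len(per_ip) if per_ip else 0.0,
        "sources": dict(Counter(classify(h) for h in host_of.values())),
    }


def is_slow_distributed(summary: dict, min_sources: int = 20, min_low_rate_share: float = 0.8) -> bool:
    """Many distinct sources, nearly all of them quiet (thresholds are assumptions)."""
    return summary["unique_ips"] >= min_sources and summary["low_rate_share"] >= min_low_rate_share


def render_hourly(summary: dict, width: int = 40) -> str:
    """Text stand-in for the post's graph: one bar per hour, in log order."""
    peak = max(summary["per_hour"].values(), default=1)
    return "\n".join(f"{hour}:00 {'#' * (n * width // peak):<{width}} {n}"
                     for hour, n in summary["per_hour"].items())


def run_sample() -> dict:
    """Summarize the constructed sample against its fixed reference time."""
    return summarize(SAMPLE_LOG, SAMPLE_NOW, SAMPLE_NOW.year)


if __name__ == "__main__":
    s = run_sample()
    print(f"{s['refused']} refused, {s['failed']} failed from {s['unique_ips']} IPs")
    print("sources:", s["sources"])
    print("slow distributed (min 5 sources):", is_slow_distributed(s, min_sources=5))
    print(render_hourly(s))
```

On a live host you would feed it `grep sshd /var/log/auth.log` (or wherever syslog sends `auth.info`) with `now=datetime.now()` and the current year, and keep the daily `sources` and `low_rate_share` numbers so the trend the post graphs by eye becomes a time series.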

For live stats -> SSH stats