Saturday, March 14, 2009

SSH brute force attack

Recently I bought a dedicated server. One of the provider's admins, who installed the system, added an account called "admin1". At first I wanted to remove it, but I thought it might be used for some checks, so I let it stay. One month later there was some activity on that account from an IP in a "strange" country, let's say. I asked the provider about it and they had no idea.
Luckily the box was not compromised, since the user didn't get any root access. I killed his processes and removed the account, but I still needed an answer for this mess.
And here it was: after some hundreds of "sshd[3157]: (pam_unix) authentication failure;" lines there was one "sshd[12358]: Accepted password for admin1 from X.X.X.X".

A classical brute force attack on a weak password, so make sure you change every password when you buy a new dedicated server.
And to be even safer, put the SSHD on some other port and add some iptables rules to deny SSH access for IPs other than yours.
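The check described above, as an added example that is not part of the original post: count the pam_unix failures per source host and user, and flag any "Accepted password" that follows a run of them. The log lines are constructed for the example, with 192.0.2.10 standing in for the X.X.X.X of the post and a threshold far lower than the hundreds of failures seen there.

```python
import re
from collections import defaultdict

# Two sshd line shapes: the pam_unix failure and the final acceptance.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: \(pam_unix\) authentication failure;.*?rhost=(\S+)\s+user=(\S+)")
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def find_brute_force_logins(lines, threshold=100):
    """Return (failures, hits).

    failures: dict (rhost, user) -> number of pam_unix failures seen so far.
    hits: list of (rhost, user, failures_before) for each 'Accepted password'
          preceded by at least `threshold` failures from the same host/user.
    Key-based logins are ignored: a guessed password cannot produce them, and
    the 'Failed password' lines sshd also writes are skipped to avoid counting
    one attempt twice.
    """
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m and m.group(1) == "password":
            key = (m.group(3), m.group(2))  # (rhost, user)
            seen = failures.get(key, 0)
            if seen >= threshold:
                hits.append((key[0], key[1], seen))
    return dict(failures), hits


# Constructed sample of /var/log/auth.log, not taken from the post.
PAM = "(pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=admin1"
SAMPLE_LOG = [
    "Mar 13 02:11:01 host sshd[3157]: " + PAM,
    "Mar 13 02:11:03 host sshd[3157]: Failed password for admin1 from 192.0.2.10 port 41022 ssh2",
    "Mar 13 02:11:07 host sshd[3160]: " + PAM,
    "Mar 13 02:11:12 host sshd[3163]: " + PAM,
    "Mar 13 02:11:18 host sshd[3166]: " + PAM,
    "Mar 13 02:11:20 host sshd[12358]: Accepted password for admin1 from 192.0.2.10 port 41025 ssh2",
    "Mar 13 08:00:00 host sshd[12400]: Accepted publickey for ops from 198.51.100.7 port 50000 ssh2",
]

if __name__ == "__main__":
    counts, alerts = find_brute_force_logins(SAMPLE_LOG, threshold=3)
    for rhost, user, n in alerts:
        print(f"ALERT: password login for {user} from {rhost} after {n} failures")
```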

2 comments:

VVK said...

"so make sure you change every password when you buy a new dedicated server.
And to be even safer, put the SSHD on some other port and add some iptables rules to deny ssh access for other IPs than yours."

Security through obscurity does not work. Changing the SSH port will only thwart the lamest attackers. Also, I am not sure how practical a piece of advice it is to create firewall rules limiting SSH access to specific IPs. A better approach would be to use two factor authentication such as use of rsa/dsa keys. Of course that is useless unless you disable password based login. Additionally, disable root login via SSH and you might even consider specifying which users or groups can remotely SSH in.

Cheers!

VVK

pete greening said...

zomg guys.. if you really want to make it secure implement port knocking. Also, the suggestions to disable password login and root login are both great.