eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9847 Location: almost Mile High in the USA
Posted: Tue Jan 14, 2020 8:58 am Post subject: ssh distributed dictionary attack... how many requests/sec?
Curious what other people are getting...
I'm getting almost 1 per 1.5 seconds on average for the past few months it seems. I started port blocking most of them as they tend to be the same hosts for large number of attempts, but there are the small fish that are equally as annoying. Almost 4000 unique hosts so far this year (2 weeks of attacks through Jan 14th).
Anyway with my current fail banning I got it down to about 15-20 attempts per hour that slip past the bans. This should at least slow down the dictionary about two orders of magnitude per hour. So at least I don't send responses but sh*t is still coming in. My IP link is not all that fast, I didn't calculate out how many bytes/sec this comes out to be...
I had forgotten I set up a secondary nonstandard port for ssh in case I locked myself out, but it seems they portscanned me and found it -- and started attacking that too. So I was forced to disable that, seems even if I moved my main port elsewhere, it wouldn't help for long.
*sigh* _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54642 Location: 56N 3W
Posted: Tue Jan 14, 2020 9:34 am Post subject:
eccerr0r,
Is key based ssh login an option?
The attack will be guessing user names and passwords.
That does not stop the wasted bandwidth though. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9847 Location: almost Mile High in the USA
Posted: Tue Jan 14, 2020 9:38 am Post subject:
Oh I'm not worried about them breaking into an account, password or kex. It's the wasted bandwidth I'm more worried about in general. Blocking the incoming packet at least saves my machine from transmitting outgoing packets, which is a more limited resource. But it's still wasting downlink.
At this point I just wonder if I'm being targeted more than other people or not for some reason or another. Curious if there's something that makes people want my machine more than others. or not. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

xahodo Tux's lil' helper
Joined: 17 May 2007 Posts: 82 Location: Gouda, the Netherlands
Posted: Tue Jan 14, 2020 9:45 am Post subject:
How about using port knocking? Leave ssh off and redirect all traffic coming in through the port to a tarpit, unless the correct knock comes in. If that happens, ssh is enabled and you can login.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9847 Location: almost Mile High in the USA
Posted: Tue Jan 14, 2020 9:47 am Post subject:
Again this does not help against the bandwidth waste. If I was really concerned about temporarily unlocking sshd, I think I could easily hack up something silly for apache to unblock sshd, but this is besides the point...
... why me, or is everyone getting these things at 1-2 seconds apart? _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54642 Location: 56N 3W
Posted: Tue Jan 14, 2020 10:07 am Post subject:
eccerr0r,
My logs for a bare metal box in a data centre are ..
Code:
/var/log/sshd # ls -l
total 4768
-rw-r--r-- 1 root root 972143 Jan 14 09:47 current
-rw-r--r-- 1 root root 1048582 Jan 12 23:37 log-2020-01-12-23:37:53
-rw-r--r-- 1 root root 33277 Jan 12 23:56 log-2020-01-13-00:00:17
-rw-r--r-- 1 root root 1048614 Jan 13 09:40 log-2020-01-13-09:40:09
-rw-r--r-- 1 root root 1048599 Jan 13 19:05 log-2020-01-13-19:05:52
-rw-r--r-- 1 root root 686859 Jan 14 00:00 log-2020-01-14-00:00:02
I get bursts. Today, they have only been attacking root, which isn't very clever.
It's a lot quieter on a KVM on the same IPv4 address that has its ssh on a non-standard port.
Code:
/var/log/sshd # ls -l
total 676
-rw-r--r-- 1 root root 45423 Jan 14 09:56 current
-rw-r--r-- 1 root root 137909 Jan 9 23:59 log-2020-01-10-00:00:21
-rw-r--r-- 1 root root 117658 Jan 10 23:59 log-2020-01-11-00:01:21
-rw-r--r-- 1 root root 150619 Jan 11 23:58 log-2020-01-12-00:01:05
-rw-r--r-- 1 root root 105738 Jan 12 23:59 log-2020-01-13-00:01:05
-rw-r--r-- 1 root root 98557 Jan 13 23:57 log-2020-01-14-00:00:02
I don't know why I still have IPv4 ssh set up there as I only ever use ssh over IPv6.
Compare log file sizes for a rough approximation. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Jan 14, 2020 11:38 am Post subject:
Mine's somewhat quieter.
Code:
/var/log/sshd # ll
total 1024
-rw-r--r-- 1 root root 18081 Jan 14 11:28 current
-rw-r--r-- 1 root root 2549 Feb 11 2019 log-2019-02-12-04:44:04
-rw-r--r-- 1 root root 2876 Feb 12 2019 log-2019-02-13-01:07:26
-rw-r--r-- 1 root root 3941 Feb 13 2019 log-2019-02-14-01:00:16
-rw-r--r-- 1 root root 4552 Feb 14 2019 log-2019-02-15-01:46:04
-rw-r--r-- 1 root root 3084 Feb 15 2019 log-2019-02-16-06:34:13
-rw-r--r-- 1 root root 92063 Mar 14 2019 log-2019-03-15-10:01:18
-rw-r--r-- 1 root root 95077 Apr 13 2019 log-2019-04-14-02:44:03
-rw-r--r-- 1 root root 87435 May 13 2019 log-2019-05-14-11:31:09
-rw-r--r-- 1 root root 100064 Jun 12 2019 log-2019-06-13-06:11:57
-rw-r--r-- 1 root root 73488 Jul 12 2019 log-2019-07-13-01:37:48
-rw-r--r-- 1 root root 97801 Aug 12 00:27 log-2019-08-12-00:21:20
-rw-r--r-- 1 root root 88495 Sep 11 00:51 log-2019-09-11-00:01:33
-rw-r--r-- 1 root root 66994 Oct 10 19:28 log-2019-10-11-02:57:13
-rw-r--r-- 1 root root 71068 Nov 9 23:57 log-2019-11-10-00:19:08
-rw-r--r-- 1 root root 132524 Dec 9 20:20 log-2019-12-10-03:02:14
-rw-r--r-- 1 root root 74294 Jan 8 07:26 log-2020-01-09-02:03:29
No firewall, I just run it on a different port. I count exactly 1 unknown connection attempt in the logs (after filtering out known lines) and it appeared to be a blind port scan.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9847 Location: almost Mile High in the USA
Posted: Tue Jan 14, 2020 5:26 pm Post subject:
Nice. My log files are like 16MB compressed per month now. This is current so far this month:
Code:
-rw-r----- 1 root wheel 139837513 Jan 14 10:48 messages
Last time I had a small compressed logfile archive was about 2 years ago, and it was 800KB (gzipped).
This is virtually a baremetal box as in it's a VM exposed to the outside world on the standard port. No advantage to being a VM other than being lazy and not wanting to reinstall the machine it replaced. The machine was my first ever Gentoo install whose disk image is still being used, still being updated since 2004!
The attacks I'm getting are for lots of random account names along with root, though with blocking I don't see the account anymore (of course). I might have to dedicate sshd (and smtp) stuff into its own file just so I can keep my other logging information clean of this garbage.
I still don't get why me. My network is slow.
I also wonder how fail2ban will work for ipv6 ... *shiver* will it need to ban /64's or more?
---
Edit
---
Kind of funny why am I bothering logging these syn packets. I think it's around 60-70 bytes for a SYN packet, and the default Linux log string saves almost 256 bytes in syslog, so I'm logging 4x the number of characters actually coming in... :)
---
Also
---
I'm up to thousands of /24s blocked in my iptables... Kind of funny watching iptables insert all the bans, it gets slower and slower to insert another rule as more and more get inserted...
---- 12 hours later ----
Code:
-rw-r----- 1 root wheel 146369057 Jan 14 22:21 messages
12 MB/day is it???
---- day later ----
Looks like there's a calm in the storm... there are a few minutes where I get no ssh connection attempts within the minute, but now I get a lot more ICMP packets. I suspect it's a *little* better since ICMP is smaller than TCP packets, but neither do me any good. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Thu Jan 16, 2020 10:22 pm Post subject:
I picked up using ipset just because I imagined one day I'd have (or somebody other than me might claim) a need to ban thousands. One iptables rule to check the ipset. Never in my wildest dreams would I be banning thousands.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9847 Location: almost Mile High in the USA
Posted: Fri Jan 17, 2020 12:01 am Post subject:
Neat, didn't know about ipset, I may have to transition to that, this is starting to get slow.
I'm surprised nobody has ended up having to ban thousands. Right now I've actually not added to the ban list if the host only had one attempt, and I still have a net banlist with 1400 lines. The script tries to choose a /24 or /16 (!) ban depending on how many uniques try...
---
Well, I'm now transitioned to ipset -- and also changed my script from bash to perl, I can fully reprocess my banlists in just a few seconds where it was taking several minutes before... So much better... thanks.
I also wonder why people aren't dealing with thousands of bans, I suspect most people are seeing distributed dictionary attacks...
In fact the list of hosts that I ban probably would be of value to some people to populate their ban lists.
I'm now up over 4000 unique hosts, which crunches down to about 3500 /24's, and 2000 /16's if there are more than one /24 in the /16 in the botnet. The scary thing is that I'm not sure if this is all one botnet or multiple botnets, quite possibly there is more than one bad actor here.
Code:
-rw-r----- 1 root wheel 159819144 Jan 16 18:44 messages
_________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

figueroa Advocate
Joined: 14 Aug 2005 Posts: 3007 Location: Edge of marsh USA
Posted: Fri Jan 17, 2020 5:35 am Post subject:
I can't advise to help more with the bandwidth, but, in addition to using a non-standard ssh port, also set:
a low login grace time
a low MaxAuthTries, i.e. 2 or 3
definitely don't allow root user with a password (default)
consider using the AllowUsers to only allow one or the minimum actual users
consider using unusual or not common usernames, i.e. not fred, mike, sam, andy etc.
of course, use a hideous, long, impossible to guess password
Those are the main tricks I have up my sleeve.
I stopped reading firewall logs and I don't watch the stock market. I don't have the time or the disposition for it.
After reading this thread, I'm paranoid again. But, I must be doing some things right.
Code:
jeremiah /var/log/sshd # ll
total 24
-rw-r--r-- 1 root root 3921 Jan 17 00:49 current
-rw-r--r-- 1 root root 2145 Jan 12 17:33 log-2020-01-13-00:16:06
-rw-r--r-- 1 root root 929 Jan 13 17:17 log-2020-01-14-19:16:41
-rw-r--r-- 1 root root 949 Jan 14 17:06 log-2020-01-15-13:17:19
-rw-r--r-- 1 root root 880 Jan 15 15:58 log-2020-01-16-12:46:09
-rw-r--r-- 1 root root 92 Jan 16 07:46 log-2020-01-17-02:19:47
_________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
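Added example (not figueroa's or NeddySeagoon's own code): a small Python check that reads an sshd_config and flags the settings listed in the post above plus NeddySeagoon's key-only suggestion: Port 22, PermitRootLogin, PasswordAuthentication, MaxAuthTries, LoginGraceTime, AllowUsers, and AllowUsers entries drawn from an illustrative list of names every wordlist contains. The defaults are OpenSSH's compiled-in ones (PermitRootLogin prohibit-password, MaxAuthTries 6, LoginGraceTime 120 s); the cut-offs of 3 tries and 30 seconds are my reading of "low", not figures from the thread; only top-level settings are read, because everything after a Match line is conditional. Both config texts and the username qx7v-andy are constructed.

```python
import re

# OpenSSH's compiled-in defaults for the keywords checked here (sshd_config(5)).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
    "logingracetime": "120",
    "allowusers": None,
}
# Illustrative names a dictionary attack tries first (constructed list, not exhaustive).
COMMON_USERS = {"root", "admin", "user", "test", "guest", "ubuntu", "pi", "oracle",
                "git", "fred", "mike", "sam", "andy"}
MAX_TRIES_OK = 3        # my reading of "a low MaxAuthTries"
GRACE_SECONDS_OK = 30   # my reading of "a low login grace time"

KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Effective top-level settings: sshd keeps the FIRST occurrence of a keyword,
    matches keywords case-insensitively, and everything after the first Match line
    is conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def seconds(value):
    """sshd time format: bare seconds or s/m/h/d/w suffixed parts, e.g. '2m' or '1h30m'."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    get = lambda key: s.get(key, DEFAULTS[key])
    findings = []
    if get("port") == "22":
        findings.append("Port 22: blind scanners find it first; a non-standard port cuts noise, not risk")
    if get("permitrootlogin").lower() == "yes":
        findings.append("PermitRootLogin yes: root can be guessed with a password; use prohibit-password or no")
    if get("passwordauthentication").lower() == "yes":
        findings.append("PasswordAuthentication yes: guessing works at all; key-only login removes the target")
    if int(get("maxauthtries")) > MAX_TRIES_OK:
        findings.append(f"MaxAuthTries {get('maxauthtries')}: several guesses per connection; set 2 or 3")
    grace = seconds(get("logingracetime"))
    if grace == 0 or grace > GRACE_SECONDS_OK:   # 0 means no limit at all
        findings.append(f"LoginGraceTime {get('logingracetime')}: unauthenticated sessions linger; set e.g. 20")
    users = get("allowusers")
    if users is None:
        findings.append("AllowUsers unset: every local account is a login target; list the real users")
    else:
        for u in users.split():                   # entries may be user@host patterns
            if u.split("@")[0].lower() in COMMON_USERS:
                findings.append(f"AllowUsers {u}: a name that is in every wordlist")
    return findings


# Constructed example configs, not taken from any poster's machine.
PERMISSIVE = """\
# typical leave-it-open setup
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
LoginGraceTime 2m
AllowUsers andy
"""

HARDENED = """\
Port 50022
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
AllowUsers qx7v-andy
# the conditional block below must not override the top-level values above
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against your real file with `audit(open("/etc/ssh/sshd_config").read())`. Note that an empty file is not clean either: with nothing set, the defaults alone trip the Port, PasswordAuthentication, MaxAuthTries, LoginGraceTime and AllowUsers checks, which is exactly why figueroa's list is worth going through by hand.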

erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
Posted: Fri Jan 17, 2020 9:26 am Post subject:
The solution is endlessh, an ssh tarpit to slow down attackers:
https://github.com/skeeto/endlessh
https://nullprogram.com/blog/2019/03/22/ _________________ Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net

cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Fri Jan 17, 2020 11:07 am Post subject:
I'm banning thousands now - but when I took up the task of learning how to use ipset, I didn't imagine that my system would ever have a practical need for it.
I ban by the /24. Some attackers (not many) attack from multiple IP, so my "ban counter" -- which times out attempts after minutes -- converts each individual IP (a /32) into the associated /24, and banning covers that chunk. Of the banned IP's, some of the /24's come from the same /16. I'm pretty sure if I banned by the /16 I'd still have thousands of entries. One machine is now hovering around 1500 bans (that's the one with ssh on port 2223), the other around 3000 (ssh port is 2222) but has been as high as 7000.
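A worked version of what eccerr0r's perl script and cboldt's ban counter both do, as an added example rather than either poster's code: pull the source addresses out of sshd's "Failed password" lines, widen each attacking host to its /24, escalate to the /16 once two or more of its /24s have been seen, and emit the ipset and iptables commands so a single rule covers the whole list no matter how long it gets. The log lines are constructed, the thresholds (min_attempts, slash16_threshold), the set name sshban and the 24 h timeout are my choices; the timeout is there so entries expire the way cboldt's counter does.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sshd log lines (syslog format); not real log data.
SAMPLE_LOG = """\
Jan 14 10:48:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 14 10:48:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jan 14 10:48:05 host sshd[1207]: Failed password for invalid user test from 198.51.100.9 port 40003 ssh2
Jan 14 10:48:09 host sshd[1210]: Failed password for root from 198.51.100.200 port 40004 ssh2
Jan 14 10:48:11 host sshd[1212]: Failed password for invalid user oracle from 198.51.101.3 port 40005 ssh2
Jan 14 10:48:14 host sshd[1215]: Failed password for root from 203.0.113.5 port 40006 ssh2
Jan 14 10:48:20 host sshd[1219]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan 14 10:48:22 host sshd[1220]: Failed password for root from 203.0.113.5 port 40007 ssh2
"""

# OpenSSH's failed-password line, for both real accounts and "invalid user" ones.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_attempts(log_text):
    """(user, source_ip) for every failed password attempt in the text."""
    return [(m["user"], m["ip"]) for m in map(FAILED_RE.search, log_text.splitlines()) if m]


def summary(attempts):
    """The numbers people compare in this thread: attempts, unique sources, targeted names."""
    return {
        "attempts": len(attempts),
        "unique_hosts": len({ip for _, ip in attempts}),
        "top_users": Counter(user for user, _ in attempts).most_common(3),
    }


def plan_bans(attempts, min_attempts=1, slash16_threshold=2):
    """Collapse attacking hosts into ban prefixes.

    1. a host counts once it has >= min_attempts failures (eccerr0r skipped one-off
       hosts; min_attempts=1 bans everything seen)
    2. each attacker is widened to its /24 (cboldt's rule)
    3. a /16 holding >= slash16_threshold attacking /24s is banned whole (eccerr0r's rule)
    Returns a sorted list of ipaddress.IPv4Network.
    """
    per_host = Counter(ip for _, ip in attempts)
    nets24 = {ip_network(f"{ip}/24", strict=False)
              for ip, n in per_host.items() if n >= min_attempts}
    by16 = defaultdict(set)
    for n24 in nets24:
        by16[n24.supernet(new_prefix=16)].add(n24)
    bans = set()
    for n16, members in by16.items():
        bans |= {n16} if len(members) >= slash16_threshold else members
    return sorted(bans)


def ipset_commands(bans, setname="sshban", timeout=86400):
    """One ipset holds every prefix (hash:net takes /24 and /16 alike; timeout makes
    entries expire) and a single iptables rule drops anything in it. The -C check
    keeps the rule from being inserted twice when the script is re-run."""
    cmds = [f"ipset create {setname} hash:net timeout {timeout} -exist"]
    cmds += [f"ipset add {setname} {net} -exist" for net in bans]
    cmds.append(
        f"iptables -C INPUT -m set --match-set {setname} src -j DROP 2>/dev/null || "
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP"
    )
    return cmds


if __name__ == "__main__":
    attempts = failed_attempts(SAMPLE_LOG)
    print(summary(attempts))
    print("\n".join(ipset_commands(plan_bans(attempts))))
```

Feed it the real log (`failed_attempts(open("/var/log/messages").read())`) and pipe the printed commands to sh as root. Two caveats that hold for the thread as a whole: a /16 covers 65536 addresses and will take out legitimate users at the same ISP as the bot, so keep that escalation for a personal box and let the entries time out; and none of this touches the downlink, since the SYNs still arrive, it only stops your side of the conversation.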

cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Fri Jan 17, 2020 11:10 am Post subject:
Thanks for that tarpit suggestion. Great idea.

erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
Posted: Fri Jan 17, 2020 12:49 pm Post subject:
The scanners evolved and now drop the connection if they don't receive an answer quickly, however it will slow them down:
Code:
2020-01-17T10:57:48.552Z ACCEPT host=24.100.79.217 port=36409 fd=4 n=1/4096
2020-01-17T10:58:18.570Z CLOSE host=24.100.79.217 port=36409 fd=4 time=30.018 bytes=34
2020-01-17T11:52:47.514Z ACCEPT host=78.131.11.10 port=37938 fd=4 n=1/4096
2020-01-17T11:52:47.521Z ACCEPT host=78.131.11.10 port=37940 fd=5 n=2/4096
2020-01-17T11:53:07.532Z CLOSE host=78.131.11.10 port=37938 fd=4 time=20.018 bytes=32
2020-01-17T11:53:07.532Z CLOSE host=78.131.11.10 port=37940 fd=5 time=20.011 bytes=27
Sending a char every 5s instead of the default of 10s will keep them hung for a longer time. _________________ Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net
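To make the tarpit mechanism concrete, an added example that is not endlessh's code and not something either poster ran: RFC 4253 lets a server send any number of CRLF-terminated lines before its SSH-2.0 version string as long as they do not begin with "SSH-", and a client has to wait through them. endlessh exploits this by sending junk lines forever, one per delay, and never sending the real banner; the ACCEPT/CLOSE log above is what that looks like once scanners hang up after 20-30 s. The Python below does the same thing on a port of your choosing with a delay argument (erm67's 5 s would be delay=5.0), and includes a probe() that plays the scanner and reads only a few lines before giving up, which is what produces the CLOSE entries. Bind to a high port and REDIRECT 22 to it, as erm67 does, so the real sshd lives elsewhere.

```python
import random
import socket
import threading
import time

# RFC 4253 section 4.2: before its own "SSH-2.0-..." identification string a server may
# send any number of CRLF-terminated lines, and the client must skip them as long as
# they do not begin with "SSH-". endlessh's trick is to send such lines forever and
# never get to the real banner, so a scanner sits waiting instead of guessing passwords.
PRINTABLE = "".join(chr(c) for c in range(0x21, 0x7F))   # printable ASCII, no space


def banner_line(rng=random):
    """One junk pre-banner line: 3-32 printable characters that never start with 'SSH-'."""
    while True:
        body = "".join(rng.choice(PRINTABLE) for _ in range(rng.randint(3, 32)))
        if not body.startswith("SSH-"):
            return body + "\r\n"


class Tarpit:
    """Minimal endlessh-style tarpit: accept, then drip junk lines until the peer leaves.

    delay is the pause between lines in seconds (endlessh's -d default is 10 s; erm67's
    suggestion of 5 s is delay=5.0). port=0 lets the OS pick a free port.
    """

    def __init__(self, host="127.0.0.1", port=0, delay=10.0):
        self.delay = delay
        self.stats = {"accepted": 0, "closed": 0, "bytes": 0, "seconds": 0.0}
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._workers = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(128)
        self.sock.settimeout(0.2)            # so the accept loop notices stop()
        self.port = self.sock.getsockname()[1]

    def _drip(self, conn):
        start, sent = time.monotonic(), 0
        try:
            while not self._stop.is_set():
                chunk = banner_line().encode("ascii")
                conn.sendall(chunk)          # raises OSError once the peer has reset or closed
                sent += len(chunk)
                self._stop.wait(self.delay)  # the slow part; the scanner waits along with us
        except OSError:
            pass                             # peer gave up: the normal way out
        finally:
            conn.close()
            with self._lock:                 # the same numbers endlessh prints in its CLOSE line
                self.stats["closed"] += 1
                self.stats["bytes"] += sent
                self.stats["seconds"] += time.monotonic() - start

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break                        # listening socket closed by stop()
            conn.setblocking(True)
            with self._lock:
                self.stats["accepted"] += 1
            t = threading.Thread(target=self._drip, args=(conn,), daemon=True)
            t.start()
            self._workers.append(t)

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def stop(self, join_timeout=2.0):
        """Stop serving, close the listener, and return the accumulated stats."""
        self._stop.set()
        self.sock.close()
        for t in list(self._workers):
            t.join(join_timeout)
        return self.stats


def probe(port, lines=3, timeout=5.0):
    """Behave like a scanner: connect, read a few lines, hang up. Returns the lines."""
    got = []
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c, c.makefile("rb") as f:
        for _ in range(lines):
            got.append(f.readline().decode("ascii"))
    return got


if __name__ == "__main__":
    tp = Tarpit(delay=0.5).start()
    print("tarpit listening on 127.0.0.1:%d" % tp.port)
    print(probe(tp.port))
    print(tp.stop())
```

This answers eccerr0r's question about legitimate password users as well: anyone who lands on the tarpit port, human or bot, sees the same junk forever, which is why the redirect has to sit on the ports you do not use for real logins (22 and 2222 in erm67's setup), never on the one you do.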

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9847 Location: almost Mile High in the USA
Posted: Fri Jan 17, 2020 6:06 pm Post subject:
How does the tarpit affect legitimate users also using password authentication?
I suppose if there's early on in the authentication that one is planning to use PKA that maybe this would work if one had the keys ready, but it seems like this would cause legitimate password users to fall into the pit as well.
Anyway after a few days of instituting simple /24 or /16 packet drop, the ssh attempts dropped a lot - still getting a few as they have a lot more machines than I have in my list, but at least the number of attempts have gone down significantly. The number of ICMPs has increased somewhat, but my network is a lot quieter than it was before. Before my machine was constantly sending and receiving packets, now I occasionally see 10 second breaks where there's silence.
Undesirable packets now received, roughly...
- fixed ssh port, few times per minute. Most are blocked but guessing passwords at 1 per 5 minutes is going to take a LONG time.
- fixed, alternate ssh port that I was using but now closed, once every 5 minutes or so. Looks like a handful of machines.
- Random port scans. People are distributedly trying to scan random ports on my machine. About a few a minute.
- Random pings - usually people send one ping from multiple hosts, also a few a minute
- Traceroute. Some people seem to be tracerouting me for whatever reason. once every 5 minutes or so.
People are occasionally attacking my IMAP server, but those don't happen frequently.
I am dismayed I had to go to these measures, breaking TCP/IP standards, just to reduce the amount of traffic I send out that does not benefit myself.
("fun" staring at tcpdump / wireshark output ... blahh...) _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
Posted: Fri Jan 17, 2020 7:00 pm Post subject:
eccerr0r wrote: "How does the tarpit affect legitimate users also using password authentication?"
I am thinking about using https://linux.die.net/man/1/knockd for that, but I have noticed that redirecting port 22 and 2222 to the tarpit has reduced the attempts A LOT. Most of them give up after attempting port 22; some others also try port 2222 (all tutorials suggest using 2222 as the alternate port, so they just try it). The actual ssh port that I use is super secret and does not end in 22.
eccerr0r wrote: "People are occasionally attacking my IMAP server, but those don't happen frequently."
I require a certificate to log into the IMAP port with dovecot, and use K9 on Android to read my mail; that has also reduced the attempts on the IMAP ports a lot.
I still have to find a good solution for the smtp port, sometimes there's a lot of unwanted traffic there as well. _________________ Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net

axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
Posted: Fri Jan 17, 2020 10:17 pm Post subject:
Not sure we're all in the same spirit?
We're talking about exposing our network to the internet, right?
Well. Postfix is a shit box. So much punishment from the internet. I'm glad I use postfix.
Like today was one of the worst days. Over 10.000 different smtpd requests, from non-FQDN hosts and hosts that didn't have a reverse, or were listed on Spamhaus.
Most days nobody knocks. Today it was like a freaking explosion of attacks, from random IPs. I just... started early... make a note, redirect to honeypot... come back later.
I can't ever get my honeypot right. I made a server. Whatever mail you want to send... sure... send it. Whatever user and password you wanna try... sure... login. I made each line of code. I know my honeypot well. It does IMAP and POP and SMTP but... even when you blindly, like, give access to someone, they won't do much with it.
Like for the longest time I was bothered by access on cyrus imap. The pop3, the imap, the pop3s and imaps. And could figure out what was going on.
So instead of just iptables -j REJECT | DROP I decided to DNAT their ass to a honeypot, where the password would always be accepted. They would always get to send their fucking smtpd mail. And you know what they do? Nothing. Disconnect and move on. They are simply fishing.
Which... bugged the living hell out of me. I'm currently looking for correlations with DNS. Like... one thing I have going for me... if they want to spam me, they gonna look at DNS. And I can change that every hour.
You can't mail me if you don't know my MX. And changing the MX every hour... that... gives some info. Most people would not know the difference. But switching MX every hour and looking into DNS logging.
Now... you would expect... if I was a hacker I would just use google dns. But they don't. They use their own DNS. So prior to every attack, ... there are some DNS queries. Like one second apart.

erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
Posted: Fri Jan 17, 2020 10:46 pm Post subject:
botnet _________________ Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net

axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
Posted: Fri Jan 17, 2020 10:49 pm Post subject:
I have one user. poor old me.
I hope they don't read that and leave me alone. I would get bored.

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Jan 17, 2020 11:52 pm Post subject:
erm67 wrote: "I require a certificate to log into the IMAP port with dovecot, and use K9 on Android to read my mail, that has also reduced a lot the attempts on the IMAP ports. I still have to find a good solution for the smtp port, sometimes there's a lot of unwanted traffic there as well."
I do something similar, only exposing IMAP to the LAN and Wireguard. Don't have a good answer to the SMTP thing either, best I can do is greylisting.

axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
Posted: Fri Jan 17, 2020 11:55 pm Post subject:
That's like cyrus port 993, imaps. Yeah, we all have that.
What do you do about legacy port 25? )

axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
Posted: Fri Jan 17, 2020 11:56 pm Post subject:
Or who was the last guy checking out the DNS logs. Seriously.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9847 Location: almost Mile High in the USA
Posted: Sat Jan 18, 2020 12:06 am Post subject:
Yes the idea is to have a box exposed to the full internet, with personal "cloud" services. This is my piece of the cloud. Having everything blocked off of course would stop all "unwanted interest" but then I wouldn't have remote access yet still have full control of my hardware and data.
I would suspect hackers would rather want an ssh interactive account over imap/smtp or http account (most of these accounts nowadays are run as the same "user" and all are virtual accounts these days). I'd think those that attack these services are more for the mail data or identity theft, instead of the ssh interest for an interactive account that they could run arbitrary commands. But yes these are botnets, more likely botnets seeking to expand their botnet. I do wonder how many unique botnets, tough to tell.
Incidentally I do not get a whole bunch of smtp spam open relay searches. They end up getting dropped due to unwanted relay or spamhaus rejects. By far most of my attacks are ssh.
Question is, though one attack is annoying, how many over how long is worrisome?
And the other thing is that I get an eerily large number of ICMP echo requests -- not so much that it's DoS/DDoS, but there are people out there curious to know if my machine is up for whatever reason. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6177 Location: Dallas area
Posted: Sat Jan 18, 2020 12:47 am Post subject:
eccerr0r wrote: "And the other thing is that I get an eerily large number of ICMP echo requests -- not so much that it's DoS/DDoS, but there are people out there curious to know if my machine is up for whatever reason."
You could always turn off responding to echo requests. _________________ UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland