Admins warned of brute-force SSH attacks

May 14, 2008 – 4:01 PM

Over the weekend, a number of network administrators issued warnings over an order-of-magnitude increase in the number of attempts to guess the username and password of systems running secure shell (SSH), the encrypted access method that replaced the common telnet service. System administrators at universities and some companies have reported login attempts coming from hundreds and thousands of Internet addresses over the past week, a stark increase from the handful of attacks the administrators saw previously.

The Internet Storm Center, a network monitoring team supported by the SANS Institute, warned system administrators on Monday to take steps to protect their systems, noting the sharp spike in attacks.

“From the most recent reports I have seen, the attackers have been using either ‘low and slow’ style attacks to avoid locking out accounts and/or being detected … (or) using botnets to do a distributed style attack which also is not likely to exceed thresholds common on the network,” Scott Fendley, a handler at the SANS Internet Storm Center and university network administrator, wrote in an ISC advisory.

Secure shell — the replacement for unencrypted telnet sessions — allows command line access to remote servers using encrypted and authenticated communications. Universities frequently have SSH enabled to allow researchers to remotely access their systems. In 2004, unknown attackers broke into many of the SSH accounts that allowed access to academic supercomputing centers.

In the latest attacks, the University of California at Berkeley saw more than 200 Internet addresses probing its servers on Monday, up from 31 the previous week, according to John Ives, a senior security analyst for the school. The attacks appear to be dictionary attacks, attempting to use common usernames and passwords to gain access to servers.

“We have always thought these attacks were serious,” Ives said in an e-mail interview with SecurityFocus. “It’s just that in the past week, the number of them has risen dramatically.”

By Tuesday, that attacks had fallen by half, according to data provided by Ives. The ISC also saw a sharp peak on Monday, with a slight drop on Tuesday.

Machines that are compromised by the attacks typically are used to set up an Internet Relay Chat (IRC) server to act as a hub for a botnet, Ives said. In some other cases, the infected systems are conscripted into the search for more vulnerable systems, he said.

The spike in attacks likely has little to do with an advisory released on Tuesday, warning of a flaw in the way that an open-source version of SSH, known as OpenSSH, generates encryption keys for Ubuntu and Debian Linux systems, security experts said.

Instead, password-only authentication is the problem, Ives said.

“Given enough time, any password can be broken, and a lot of them can be broken with relative ease because humans are, to a degree, lazy and will almost always opt for non-random, easy to recall — and hence easy to guess — passwords,” he told SecurityFocus.

While reports posted to the University Security Operations Group (UniSOG) mailing list seemed to indicate that the attacks were primarily coming from Korea, the Internet Storm Center’s DShield monitoring system found more widespread activity, Fendley said. While the attack servers mainly came from Internet address space in China, India, Korea, Japan, Iran and Taiwan, some of the traffic also emanated from networks in the Netherlands, Italy, France and the United States.

“The geographic spread to this activity seems to support the attacks are originating from a botnet, but the data is not conclusive at this point in time,” Fendley said.

And while the reports mainly are coming from the academic world, the DShield network has had logged many incidents affecting corporate networks as well, said Marc Sachs, who volunteers as the director of the Internet Storm Center.

“There is hypersensitivity in the universities, but we don’t think it is limited there,” said Sachs. “We see a lot more attacks against dot-com then against dot-edu.”

The ISC recommended that administrators either blacklist reportedly bad domains from accessing the SSH service or whitelist only those parts of the Internet from where valid users would typically log in. Also, using hard-to-guess usernames will likely prevent the attack, the ISC stated in an advisory. An Infocus article published on SecurityFocus in 2006 carries similar recommendations.

Source: Security Focus