# SSH Attacks



## WebSearchingPro (Jul 9, 2013)

I recently got around to setting up "Logwatch" on a few of my servers, and I found it interesting to see how many times a day our servers get attempted SSH authentication. The usernames seem to be quite random, though the IP addresses used are 90% of the time from China. This got me thinking...

Why is it just the Chinese? - Is it easier for them to do, as in fewer laws regarding this, or the fact that it's harder to take action against them?

What do they do when they are successful? - Is it added to a botnet that further attacks other servers, or does it sit idle waiting for a seemingly "homegrown DDoS".

Has anyone attempted to leave a computer open as a "Honeypot" to see what activities they engage in?


----------



## Reece-DM (Jul 9, 2013)

It's always been an issue - people running port 22 as default generally get screwed the most, brute force attacks etc.

Never left a honeypot - not a bad idea actually


----------



## kro (Jul 9, 2013)

Set up a honeypot as mentioned, it's quite interesting. Most get turned into mail servers used for massive amounts of spam ^_^


----------



## WebSearchingPro (Jul 9, 2013)

Maybe a Damn-Vulnerable-Linux installation on the open net with something that checks the filesystem for changes then reports them occasionally.



kro said:


> Most get turned into mail servers used for massive amounts of spam


Ahh yes, I'll have to start checking the headers on my spam emails to see what kind of stuff is there! Thanks for that.


----------



## jarland (Jul 9, 2013)

"Hacking" is a sensitive word between the US and China. There's a lot of blame on both sides of the table. I believe a popular theory is that a lot of these scans from China are government sponsored to gain any intelligence or innovations that they can, from US government/business. The US government is accused of doing the same. Of course, who can prove the motive behind any of it?

While there is more than enough malicious traffic to go around, from all over the world, there are absolutely consistent patterns from China that are difficult to ignore or pass off as mere coincidence. Personally, I've never been able to get an abuse report through to China Telecom.

Fortunately their methods are weak and they mostly only hunt for an easy find. As consistent, persistent, and clearly orchestrated as they may be, I find them laughable at best.

Now every time I post this some jackass pops up and says "Don't talk bad about the Chinese, they're my best customers!" To that person, beforehand: I'm not talking about your clients, so use the offers forum for your marketing.


----------



## Aldryic C'boas (Jul 9, 2013)

> Personally, I've never been able to get an abuse report through to China Telecom.


I was able to get one through, about a year ago. Shortly after, damn near all of our ranges were GFW'd for a good couple weeks. -_-


----------



## WebSearchingPro (Jul 9, 2013)

So it's sort of "taboo"? Is that one of the reasons it has yet to be addressed by either country?

Just perplexes me that the U.S. Government is so stern on internal threats and other countries attacking us. Though this massive-scale "doorknob rattling" doesn't seem to be brought up very often. Though it would make sense if it were a two-way thing; that's why neither side would acknowledge what's going on. But at that point it's getting into conspiracy-type stuff.


----------



## KuJoe (Jul 9, 2013)

I had a nice honey pot that interfaced with our routers and it worked amazingly. We switched to @Damian's script though and it works nicely but requires some monitoring and housekeeping every so often.


----------



## WebSearchingPro (Jul 9, 2013)

@KuJoe, what kind of data did you gather from that? Anything good?


----------



## jarland (Jul 9, 2013)

KuJoe said:


> I had a nice honey pot that interfaced with our routers and it worked amazingly. We switched to @Damian's script though and it works nicely but requires some monitoring and housekeeping every so often.


Ssh check? Yeah I love that thing. Not a false positive yet. I modified it to write to a new chain and I just flush the chain every day. If a single ip pisses me off enough I just black hole it.


----------



## wlanboy (Jul 9, 2013)

Honeypotting is a really nice hobby.

I usually create a VM on my old laptop and create a port forwarding (port 22) from one of my VPSes to the VM.

Modifying bash to record shell history and forward all input to syslogd. Add AIDE to verify the integrity of files, sit down and watch what's happening.

If they do too much, just stop the port forwarding.

Better than using kippo or other SSH shell emulators. But never caught anyone but script kiddies.
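
One way to get the command logging wlanboy describes without patching the bash binary, as an added example that is not wlanboy's setup or any project's code: hook bash's PROMPT_COMMAND so that every command an intruder types in the honeypot shell is handed to syslog through logger. The tag `honeypot-shell`, the `auth.info` priority, the key=value line format and the helper names are my choices, not anything from the thread.

```shell
#!/bin/sh
# Added example (not wlanboy's patched bash): send each interactive bash command
# on the honeypot VM to syslog. Source this from /etc/bash.bashrc on the honeypot.
# Tag, priority, line format and helper names below are assumptions.

# One syslog record per command: fold newlines so multi-line input stays on one line.
format_audit_line() {   # $1=user $2=tty $3=pid $4=command text
    printf 'user=%s tty=%s pid=%s cmd=%s' "$1" "$2" "$3" \
        "$(printf '%s' "$4" | tr '\n\r' '  ')"
}

# Split a `history 1` entry such as "   42  wget http://..." into its parts.
history_number()  { printf '%s\n' "$1" | awk '{ print $1 }'; }
history_command() { printf '%s\n' "$1" | sed 's/^ *[0-9]* *//'; }

_audit_last_num=
log_last_command() {
    entry=$(HISTTIMEFORMAT= history 1)
    num=$(history_number "$entry")
    # An empty line at the prompt re-runs PROMPT_COMMAND without adding a history
    # entry; do not log the previous command a second time.
    [ -n "$num" ] && [ "$num" != "$_audit_last_num" ] || return 0
    _audit_last_num=$num
    logger -p auth.info -t honeypot-shell \
        "$(format_audit_line "${USER:-?}" "$(tty 2>/dev/null || echo '?')" "$$" \
            "$(history_command "$entry")")"
}

# Commands typed with a leading space must still be recorded, so disable history
# filtering, then make the hook harder to switch off from inside the session.
HISTCONTROL=
PROMPT_COMMAND='log_last_command'
readonly HISTCONTROL PROMPT_COMMAND
```

This only sees commands typed into an interactive bash: `ssh host 'cmd'`, `exec /bin/sh` or `bash --norc` never run the hook, which is exactly why wlanboy patches bash itself and adds AIDE on top. Point syslog at a remote collector as well, since an intruder who gets root can simply delete the local log.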


----------



## Aldryic C'boas (Jul 9, 2013)

> So its sort of "Taboo"? Is that one of the reasons it has yet to be addressed by either country?


http://en.wikipedia.org/wiki/National_debt_of_the_United_States#Foreign_holders_of_US_Treasury_securities


----------



## WebSearchingPro (Jul 9, 2013)

Aldryic C said:


> http://en.wikipedia....sury_securities


 


Yeah, I figured this would be one of the reasons why. Basically gives them a "free" pass so to speak.


----------



## Damian (Jul 9, 2013)

The next version of our sshcheck script will have the ability to add IPs to a central mysql database, so that they can be disseminated to other nodes without waiting for them to get hit too.

Here's today's list against our OVZ clients, thus far:

50.201.110.114 - 11
101.64.176.219 - 11
93.141.104.29 - 16
58.9.5.67 - 13
80.80.119.34 - 20
109.67.1.145 - 21
202.28.119.25 - 11
85.52.53.217 - 12
94.50.86.24 - 11
189.31.42.96 - 11
108.213.71.108 - 13
216.205.110.128 - 16
31.180.200.13 - 19
93.136.39.119 - 12
121.18.105.229 - 84

The number after the IP is today's # of attempts.


----------



## Aldryic C'boas (Jul 9, 2013)

> Here's today's list against our OVZ clients, thus far:


Err... you're monitoring your clients' incoming traffic? O_ô


----------



## maounique (Jul 9, 2013)

I am blocking /16s from China every day on our forums. Almost all spam comes from there; however, this is probably because they run unpatched Windows and there are so many of them turned into zombies.


----------



## Mun (Jul 9, 2013)

I always thought it would be fun to see if I could make a file like mysql.zip.backup.exe and see if they would download it and run it on an "open SSH honeypot", and inside the .exe would be a massive virus just for them.

RAMP YOUR HARD DRIVES TO OVER 9000 TIMES THE LIMITER! Muhahahaha!

A suggestion for all users: change your SSH port and install fail2ban.

For Debian/Ubuntu and other .deb-based systems, apt-get install fail2ban, then nano /etc/ssh/sshd_config and edit the 'Port' line to something other than 22.

Mun
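
The two steps Mun gives, as an added example in shell rather than by hand (this is not Mun's procedure nor fail2ban's own code): set_sshd_port rewrites the Port line in sshd_config, which on Debian ships commented out as `#Port 22`, so a naive search for `^Port` would miss it and leave a second Port line behind; write_fail2ban_jail writes a jail.local whose `port` matches the new port, because the stock sshd jail bans on port ssh (22) only and a daemon moved elsewhere would go unprotected. The sample sshd_config, port 2222, the jail section name `[sshd]` (fail2ban 0.9 and later; 0.8 called it `[ssh]`), the log path and the ban timings are assumptions.

```shell
#!/bin/sh
# Added example: move sshd to another port and give fail2ban a jail that matches.
# Assumed: sample config below, jail section [sshd], logpath and ban timings.

# Port sshd will actually listen on: first uncommented Port line, else the built-in 22.
effective_sshd_port() {   # $1 = path to sshd_config
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { p = $2; exit } END { print (p == "" ? 22 : p) }' "$1"
}

# Replace the first Port line (the commented "#Port 22" included) with the new port,
# or append one if the file has none; never leaves two Port lines behind.
set_sshd_port() {   # $1 = path to sshd_config, $2 = new port
    cfg=$1; port=$2; tmp=$(mktemp) || return 1
    awk -v port="$port" '
        !done && /^[# \t]*Port[ \t]+[0-9]+/ { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?; rm -f "$tmp"; return $rc
}

# jail.local overrides jail.conf. "port" must name the new port: with the default
# "port = ssh" fail2ban bans attackers on 22 while sshd listens somewhere else.
write_fail2ban_jail() {   # $1 = path to jail.local, $2 = ssh port
    cat > "$1" <<EOF
[sshd]
enabled  = true
port     = $2
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Constructed sample (not a real server's file); Debian ships Port commented out.
SAMPLE_SSHD_CONFIG='# sshd_config (constructed sample)
#Port 22
Protocol 2'

# Stand-alone demo on a temporary copy. On a real host: run "sshd -t", open the new
# port in the firewall and keep your current session open BEFORE restarting sshd.
demo() {
    cfg=$(mktemp); printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$cfg"
    set_sshd_port "$cfg" 2222
    printf 'sshd now configured for port %s\n' "$(effective_sshd_port "$cfg")"
    rm -f "$cfg"
}
demo
```

Moving the port only thins out the untargeted scanners; anyone who portscans the host finds sshd again in seconds, so the jail (and keys instead of passwords) is the part that actually stops the brute force.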


----------



## jarland (Jul 9, 2013)

Aldryic C said:


> Err... you're monitoring your clients' incoming traffic? O_ô


Just watches for IPs that try to hit port 22 on a bunch of IPs on the node at once. One less person hit from a dumb password, one less ticket/termination/angry review


----------



## Aldryic C'boas (Jul 9, 2013)

jarland said:


> Just watches for IPs that try to hit port 22 on a bunch of IPs on the node at once. One less person hit from a dumb password, one less ticket/termination/angry review


Let's hope so. The implications of monitoring customer traffic are... not very good, to say the least. But even then, unless you only have a handful of nodes to watch, that's some very time-intensive monitoring >_>


----------



## KuJoe (Jul 9, 2013)

I found that our honeypot solution (got the idea from @Francisco, THANKS!) was a lot more accurate and the number of clients blocked by it was 0, whereas the sshcheck script we use now blocks clients who open too many SSH tabs/windows and has resulted in a couple of tickets so far. The reason we started using the sshcheck script was for consistency: since not all of our locations have our own network hardware, instead of maintaining different build scripts for different locations we saved ourselves some IPs and went with sshcheck.


----------



## peterw (Jul 10, 2013)

Damian said:


> The next version of our sshcheck script will have the ability to add IPs to a central mysql database, so that they can be disseminated to other nodes without waiting for them to get hit too.


You monitor the traffic of your clients? Is this part of your TOS? No!


> Excessive Utilization of Resources:
> IPXcore allows and encourages utilization up to 100% of the allotted resources that Subscriber has subscribed to.
> IPXcore monitors and curtails resource usage that is outside the allotted resources.
> IPXcore, at its discretion, will take action against Subscribers using excessive resources,
> including, but not limited to, billing for resources used, account suspension, account termination.

Do you read emails of your clients too to identify spammers?


----------



## KuJoe (Jul 10, 2013)

@peterw, I really hope you are joking, and if you are not I really hope that English is not your primary language and you are just misunderstanding this thread.

DOS attacks are not subject to privacy policies and an automated script that handles DOS attacks is not considered as "monitoring client traffic". His script does not record anything except for the attacker's IP and what IPs he was attacking. There is no packet information just how many times it connected to X, Y, and Z IPs.

If this is not enough information for you to comprehend what is being discussed then by your definition a switch and router are a violation of his TOS and should be removed from his network.


----------



## stim (Jul 10, 2013)

I use DenyHosts with very strict rules and it seems to perform very well. I find that some VPS providers are much more prone to SSH attacks than others. With one (fairly respectable) host I was bombarded with root login attempts, mostly from China. With my current provider I have seen not one banned IP in 8 months.

I am not sure why this is. Do some providers have an extra layer of protection? How does that work?

Curious...


----------



## KuJoe (Jul 10, 2013)

stim said:


> I use DenyHosts with very strict rules and it seems to perform very well. I find that some VPS providers are much more prone to SSH attacks than others. With one (fairly respectable) host I was bombarded with root login attempts, mostly from China. With my current provider I have seen not one banned IP in 8 months.
> 
> I am not sure why this is. Do some providers have an extra layer of protection? How does that work?
> 
> Curious...


Some providers, like IPXCore and myself, use scripts that block SSH attacks at the node level and catch them before they hit your VPS.


----------



## Damian (Jul 10, 2013)

peterw said:


> You monitor the traffic of your clients?


We don't.


----------



## concerto49 (Jul 10, 2013)

WebSearchingPro said:


> I recently got around to setting up "Logwatch" on a few of my servers, and I found it interesting to see how many times a day our servers get attempted SSH authentication. The usernames seem to be quite random, though the IP addresses used are 90% of the time from China. This got me thinking...
> 
> Why is it just the Chinese? - Is it easier for them to do, as in less laws regarding this, or the fact that its harder to take action against them..
> 
> ...


Usually language, especially English is not as widely taught in China. It's hard for them to run scam campaigns such as those Nigerian ones, so...


----------



## Damian (Jul 10, 2013)

Can't figure out how to quote multiple people in the same post....



KuJoe said:


> Some providers, like IPXCore and myself, use scripts that block SSH attacks at the node level and catch them before they hit your VPS.


annnnnd the reason that we (and others) do this is to prevent customer issues by having their VPS container compromised and then being used for malicious things or having all of the VM data deleted or whatever. This method, combined with not allowing customers to specify their initial root password themselves, has reduced the occurrence of compromised VM containers by 97% over the past year. It still happens (and it's going to happen), but it's months apart, instead of weekly.

I know there's a strong sentiment of "OMFG ALL PROVIDERS ARE EVIL, LET'S LYNCH THEM!" otherwise; I really don't have time to participate in such things.


----------



## peterw (Jul 10, 2013)

Damian said:


> annnnnd the reason that we (and others) do this is to prevent customer issues by having their VPS container compromised and then being used for malicious things or having all of the VM data deleted or whatever.


Sorry for the misunderstanding. Watching TCP/IP connections to filter out brute force attacks is OK. And it is easier to run this on the node too.


----------



## Damian (Jul 10, 2013)

The code was freely available at https://github.com/damianharouff/sshcheck but github continues to be an obtuse bastard whenever I try to use it, so I may have deleted it. Or it was never there. Or something. I'm sure git gave me some horrible cryptic message that makes sense to 3 people on the planet.

The code may still be available on the other popular VPS forum, but I find their new layout too aggravating to interact with. It pretty much amounts to running netstat on the host node, and then counting how many connections any given external IP makes to any given VM container IP on port 22. 

Anyway, soon-ish version 2.0 should be available, and it'll be open-source also, so everyone can read the code. 

We've had a few legitimate clients get blocked, but this usually results because the client is either trying to do operations in parallel on their VMs, monitoring not closing SSH connections when it's finished doing whatever it does, or the client is running an SSH scanner themselves. This tends to happen about once every couple of months.


----------



## KuJoe (Jul 10, 2013)

*@Damian*, my suggestion would be to add a whitelist. We have a handful of clients that have multiple VPSs with us and run scripts like MTPuTTY so the script will see them with XX connections while they really only have 2 or 3 connections per VPS.

Also, I don't know if SFTP is handled the same as FTP but some of our shared hosting clients get blocked by CSF because their FTP application likes to create 300 connections at a time for some reason (I notice it a lot more often with a specific ISP so it might not be the FTP client). I can see how SFTP will cause a client to get dinged if this happened.
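
What the netstat approach Damian describes boils down to, with the whitelist KuJoe asks for, as an added example in shell and awk (this is not the sshcheck script itself, whose code is not on this page): read `netstat -tn` from the host node, count for each external address how many distinct container addresses it has port-22 connections to, and report those at or above a threshold unless they appear in a whitelist file. Counting distinct targets rather than raw connections already leaves a client with many PuTTY tabs to one VPS alone, which is the false positive KuJoe describes; the whitelist file format (one IP per line), the threshold of 3, the helper name and the sample netstat output are assumptions.

```shell
#!/bin/sh
# Added example of the netstat-counting idea (not the sshcheck script itself).
# Reads `netstat -tn` output on stdin and prints every external address that has
# port-22 connections to at least THRESHOLD distinct container addresses, skipping
# addresses listed in an optional whitelist file (one IP per line, "#" comments).
# Run on the host node, e.g. from cron:  netstat -tn | ssh_scanners 3 /etc/sshcheck.allow
ssh_scanners() {   # $1 = threshold (distinct targets), $2 = whitelist file (optional)
    threshold=$1
    whitelist=${2:-/dev/null}
    awk -v threshold="$threshold" -v whitelist="$whitelist" '
        BEGIN {
            while ((getline line < whitelist) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") allow[line] = 1
            }
        }
        # TCP rows only. The port is whatever follows the LAST colon, so this also
        # copes with IPv6 addresses such as 2001:db8::5:22.
        $1 == "tcp" || $1 == "tcp6" {
            n = split($4, lf, ":"); lport = lf[n]
            lip = substr($4, 1, length($4) - length(lport) - 1)
            m = split($5, rf, ":"); rport = rf[m]
            rip = substr($5, 1, length($5) - length(rport) - 1)
            if (lport != "22" || (rip in allow)) next
            conns[rip]++
            key = rip SUBSEP lip
            if (!(key in seen)) { seen[key] = 1; targets[rip]++ }
        }
        END {
            for (rip in targets)
                if (targets[rip] >= threshold)
                    printf "%s targets=%d conns=%d\n", rip, targets[rip], conns[rip]
        }' | sort
}

# Constructed sample of `netstat -tn` on a node (not real traffic): 203.0.113.9 walks
# four containers; 198.51.100.7 holds six sessions to ONE container (many PuTTY tabs);
# 192.0.2.50 touches three containers; the last row is port 80 and must be ignored.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.11:22            203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.12:22            203.0.113.9:40002       SYN_RECV
tcp        0      0 10.0.0.13:22            203.0.113.9:40003       ESTABLISHED
tcp        0      0 10.0.0.14:22            203.0.113.9:40004       TIME_WAIT
tcp        0      0 10.0.0.11:22            203.0.113.9:40005       ESTABLISHED
tcp        0      0 10.0.0.11:22            198.51.100.7:50001      ESTABLISHED
tcp        0      0 10.0.0.11:22            198.51.100.7:50002      ESTABLISHED
tcp        0      0 10.0.0.11:22            198.51.100.7:50003      ESTABLISHED
tcp        0      0 10.0.0.11:22            198.51.100.7:50004      ESTABLISHED
tcp        0      0 10.0.0.11:22            198.51.100.7:50005      ESTABLISHED
tcp        0      0 10.0.0.11:22            198.51.100.7:50006      ESTABLISHED
tcp        0      0 10.0.0.11:22            192.0.2.50:60001        ESTABLISHED
tcp        0      0 10.0.0.12:22            192.0.2.50:60002        ESTABLISHED
tcp        0      0 10.0.0.13:22            192.0.2.50:60003        ESTABLISHED
tcp        0      0 10.0.0.11:80            203.0.113.9:40006       ESTABLISHED'

# Stand-alone demo with threshold 3 and no whitelist: 203.0.113.9 and 192.0.2.50 are
# reported, 198.51.100.7 is not. Whitelisting 192.0.2.50 would drop it from the output.
printf '%s\n' "$SAMPLE_NETSTAT" | ssh_scanners 3
```

The output is what jarland feeds into a dedicated iptables chain that he flushes daily; doing the blocking in a separate chain keeps a false positive recoverable with one `iptables -F`. A single netstat snapshot only sees connections open at that instant, so a scanner that finishes each target quickly needs the script run often or a counter kept across runs.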


----------



## Damian (Jul 10, 2013)

KuJoe said:


> @Damian, my suggestion would be to add a whitelist.


 

Yep, that's a feature we were wanting too, both a by-client-IP whitelist and entire-VM-container whitelist.


----------



## WebSearchingPro (Jul 10, 2013)

Mun said:


> I always thought it would be fun to see if I could make a file like mysql.zip.backup.exe and see if they would download it and run it on an "open ssh honey pot" and inside the .exe. would be a massive virus just for them.


I would find this interesting too... Then have it "phone home" to report info on the attacker.



stim said:


> I find that some VPS providers are much more prone to SSH attacks than others


For some reason being with ColoCrossing makes me feel like I get quite a few more SSH attacks than usual. Not sure if that's the case; I figure they would have a rather full IP space.


----------



## deluxehost (Jul 10, 2013)

I would set up an iptables script with a --hitcount; that way if they reach the hitcount it will drop them until they stop. Uses next to nothing on resources, nor is it hard to get set up. I run that on numerous servers of mine and haven't had a single person successfully gain access to my servers. But you can also use a different port, or set up fail2ban or DenyHosts, or if you're an advanced user, set up port knocking and leave 22 open.
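
The --hitcount approach deluxehost mentions, written out as an added example (not deluxehost's script): the iptables recent module records the source of every new SSH connection and drops a source that has already opened N new connections inside the window; because --update refreshes the source's timestamp on every dropped attempt, the drop persists until the source goes quiet for a full window, which is the "until they stop" behaviour. The chain name SSH_LIMIT, the list name sshbf, the 4-in-60-seconds limit and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: per-source rate limit on new SSH connections with the iptables
# "recent" module. Run as root; DRY_RUN=1 prints the rules instead of applying them.
# Chain name, list name and limits are assumptions.
SSH_PORT=${SSH_PORT:-22}

ipt() {
    if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

ssh_ratelimit_rules() {   # $1 = window (seconds), $2 = max new connections, $3 = port
    seconds=$1; hits=$2; port=${3:-$SSH_PORT}
    # Own chain, so the limit can be flushed or reloaded without touching INPUT.
    ipt -N SSH_LIMIT 2>/dev/null || ipt -F SSH_LIMIT
    # 1. Drop a source already seen $hits times within the last $seconds seconds.
    #    --update also refreshes its timestamp, so a banned source stays banned
    #    until it stops trying for a whole window.
    ipt -A SSH_LIMIT -m recent --name sshbf --update --seconds "$seconds" \
        --hitcount "$hits" -j DROP
    # 2. Otherwise record this source (first sight creates the entry) and return
    #    to INPUT so the rest of the policy decides.
    ipt -A SSH_LIMIT -m recent --name sshbf --set
    # Only NEW connections enter the chain; established sessions are never counted.
    # -C makes the jump idempotent: the insert is skipped if the rule already exists.
    ipt -C INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j SSH_LIMIT 2>/dev/null ||
        ipt -I INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j SSH_LIMIT
}

# Stand-alone demo: preview the rule set for 4 new connections per 60 seconds.
DRY_RUN=1 ssh_ratelimit_rules 60 4
```

Two caveats before relying on this: xt_recent remembers only 20 packets per address by default, so a --hitcount above 20 needs the module loaded with a larger ip_pkt_list_tot; and these are IPv4 rules only, so a host reachable over IPv6 needs the same chain in ip6tables. A whitelist for your own management addresses belongs in INPUT ahead of the jump, otherwise a parallel deployment from one workstation bans you.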


----------



## mikho (Jul 11, 2013)

Damian said:


> We've had a few legitimate clients get blocked, but this usually results because the client is either trying to do operations in parallel on their VMs, a monitoring not closing SSH connections when it's finished doing whatever it does, or the client is running an SSH scanner themselves. This tends to happen about once every couple of months.


Me, me, me! And damn proud of it.


Not sure what I did but my home connection was once blocked by this.


----------



## terafire (Jul 12, 2013)

It's bound to happen. Almost every day I get attempted logins.


----------

