SSH Attacks

WebSearchingPro

VPS Peddler
Verified Provider
I recently got around to setting up "Logwatch" on a few of my servers, and I found it interesting to see how many times a day our servers get attempted SSH authentication. The usernames seem to be quite random, though the IP addresses used are 90% of the time from China. This got me thinking...

Why is it just the Chinese? - Is it easier for them to do, as in less laws regarding this, or the fact that its harder to take action against them..

What do they do when they are successful? - Is it added to a botnet that further attacks other servers, or does it sit idle waiting for a seemingly "homegrown DDoS".

Has anyone attempted to leave a computer open as a "Honeypot" to see what activities they engage in?
 

Reece-DM

New Member
Verified Provider
It's always been a issue - people running port 22 as default generally get screwed the most, brute force attacks etc.

Never left a honeypot - not a bad idea actually :)
 
Last edited by a moderator:

kro

New Member
Verified Provider
Setup a honeypot as mentioned, its quite interesting. Most get turned into mail servers used for massive amounts of spam ^_^
 

WebSearchingPro

VPS Peddler
Verified Provider
Maybe a Damn-Vulnerable-Linux installation on the open net ;) with something that checks the filesystem for changes then reports them occasionally.

Most get turned into mail servers used for massive amounts of spam
Ahh yes, Ill have to start checking the headers on my spam emails to see what kind of stuff is there! Thanks for that.
 

jarland

The ocean is digital
"Hacking" is a sensitive word between the US and China. There's a lot of blame on both sides of the table. I believe a popular theory is that a lot of these scans from China are government sponsored to gain any intelligence or innovations that they can, from US government/business. The US government is accused of doing the same. Of course, who can prove the motive behind any of it?

While there is more than enough malicious traffic to go around, from all over the world, there are absolutely consistent patterns from China that are difficult to ignore or pass off as mere coincidence. Personally, I've never been able to get an abuse report through to China Telecom.

Fortunately their methods are weak and they mostly only hunt for an easy find. As consistent, persistent, and clearly orchestrated as they may be, I find them laughable at best.

Now every time I post this some jackass pops up and says "Don't talk bad about the Chinese they're my best customers!" To that person, beforehand, I'm not talking about your clients so use the offers forum for your marketing ;)
 

Aldryic C'boas

The Pony
Personally, I've never been able to get an abuse report through to China Telecom.
I was able to get one through, about a year ago. Shortly after, damn near all of our ranges were GFW'd for a good couple weeks. -_-
 

WebSearchingPro

VPS Peddler
Verified Provider
So its sort of "Taboo"? Is that one of the reasons it has yet to be addressed by either country?

Just perplexes me that the U.S. Government is so stern on internal threats and other countries attacking us. Though this massive scale "doorknob rattling" doesn't seem to be brought up very often. Though it would make sense if it were a 2 way thing, that's why neither side would acknowledge whats going on. But at that point its getting into conspiracy type stuff ;)
 

KuJoe

Well-Known Member
Verified Provider
I had a nice honey pot that interfaced with our routers and it worked amazingly. We switched to @Damian's script though and it works nicely but requires some monitoring and housekeeping every so often.
 

jarland

The ocean is digital
I had a nice honey pot that interfaced with our routers and it worked amazingly. We switched to @Damian's script though and it works nicely but requires some monitoring and housekeeping every so often.
Ssh check? Yeah I love that thing. Not a false positive yet. I modified it to write to a new chain and I just flush the chain every day. If a single ip pisses me off enough I just black hole it.
 

wlanboy

Content Contributer
Honeypotting is a really nice hobby.

I usually create a VM on my old laptop and create a portforwarding (port 22) from one of my vps to the VM.

Modifying bash to record shell history and forward all input to syslogd. Add AIDE to verify the integrity of files, sit down and watch what's happening.

If they do too much just stop the portforwarding.

Better than using kippo or other ssh shell emulators. But never catched anyone but script kiddies.
 

Damian

New Member
Verified Provider
The next version of our sshcheck script will have the ability to add IPs to a central mysql database, so that they can be disseminated to other nodes without waiting for them to get hit too.

Here's today's list against our OVZ clients, thus far:

50.201.110.114 - 11
101.64.176.219 - 11
93.141.104.29 - 16
58.9.5.67 - 13
80.80.119.34 - 20
109.67.1.145 - 21
202.28.119.25 - 11
85.52.53.217 - 12
94.50.86.24 - 11
189.31.42.96 - 11
108.213.71.108 - 13
216.205.110.128 - 16
31.180.200.13 - 19
93.136.39.119 - 12
121.18.105.229 - 84

The number after the IP is today's # of attempts.
 
Last edited by a moderator:

maounique

Active Member
I am blocking /16s from china every day on our forums. Almost all spam comes from there, however, this is probably because they run unpatched windows and there are so many of them turned into zombies.
 

Mun

Never Forget
I always thought it would be fun to see if I could make a file like mysql.zip.backup.exe and see if they would download it and run it on an "open ssh honey pot" and inside the .exe. would be a massive virus just for them. :)

RAMP YOUR HARD DRIVES TO OVER 9000 TIMES THE LIMITER! Muhahahaha!

A suggestion for all users: change your SSH port and install fail2ban.

For debian / ubuntu and other .deb based systems apt-get install fail2ban and nano /etc/ssh/sshd_config and edit the 'port' line to something other then 22.

Mun
 

jarland

The ocean is digital
Err... you're monitoring your clients' incoming traffic? O_ô
Just watches for IPs that try to hit port 22 on a bunch of IPs on the node at once. One less person hit from a dumb password, one less ticket/termination/angry review ;)
 

Aldryic C'boas

The Pony
Just watches for IPs that try to hit port 22 on a bunch of IPs on the node at once. One less person hit from a dumb password, one less ticket/termination/angry review
Let's hope so.  The implications of monitoring customer traffic is... not very good, to say the least.  But even then.. unless you only have a handful of nodes to watch that's some very time-intensive monitoring >_> 
 

KuJoe

Well-Known Member
Verified Provider
I found that our honeypot solution (got the idea from @Francisco, THANKS!) was a lot more accurate and the number of clients blocked by it were 0 whereas the sshcheck script we use now blocks clients who open to many SSH tabs/windows and has resulted in a couple of tickets so far. The reason we started using the sshcheck script was for consistency since not all of our locations have our own network hardware so instead of maintaining different build scripts for different locations we saved ourselves some IPs and went with sshcheck.
 
Top