
SSH Attacks

peterw

New Member
The next version of our sshcheck script will have the ability to add IPs to a central mysql database, so that they can be disseminated to other nodes without waiting for them to get hit too.
You monitor the traffic of your clients? Is this part of your TOS? No!


Excessive Utilization of Resources:
IPXcore allows and encourages utilization up to 100% of the allotted resources that Subscriber has subscribed to.
IPXcore monitors and curtails resource usage that is outside the allotted resources.
IPXcore, at it’s discretion, will take action against Subscribers using excessive resources,
including, but not limited to, billing for resources used, account suspension, account termination.

Do you read emails of your clients too to identify spammers?
 

KuJoe

Well-Known Member
Verified Provider
@peterw, I really hope you are joking, and if you are not, I really hope that English is not your primary language and you are just misunderstanding this thread.

DOS attacks are not subject to privacy policies, and an automated script that handles DOS attacks is not considered "monitoring client traffic". His script does not record anything except for the attacker's IP and what IPs he was attacking. There is no packet information, just how many times it connected to X, Y, and Z IPs.

If this is not enough information for you to comprehend what is being discussed then by your definition a switch and router are a violation of his TOS and should be removed from his network.
 

stim

New Member
I use Denyhosts with very strict rules and it seems to perform very well. I find that some VPS providers are much more prone to SSH attacks than others. With one (fairly respectable) host I was bombarded with root login attempts, mostly from China. With my current provider I have seen not one banned IP in 8 months.

I am not sure why this is. Do some providers have an extra layer of protection? How does that work?

Curious...
 

KuJoe

Well-Known Member
Verified Provider
I use Denyhosts with very strict rules and it seems to perform very well. I find that some VPS providers are much more prone to SSH attacks than others. With one (fairly respectable) host I was bombarded with root login attempts, mostly from China. With my current provider I have seen not one banned IP in 8 months.

I am not sure why this is. Do some providers have an extra layer of protection? How does that work?

Curious...
Some providers, like IPXCore and myself, use scripts that block SSH attacks at the node level and catch them before they hit your VPS.
 

concerto49

New Member
Verified Provider
I recently got around to setting up "Logwatch" on a few of my servers, and I found it interesting to see how many times a day our servers get attempted SSH authentication. The usernames seem to be quite random, though the IP addresses used are 90% of the time from China. This got me thinking...

Why is it just the Chinese? Is it easier for them to do, as in fewer laws regarding this, or the fact that it's harder to take action against them?

What do they do when they are successful? Is it added to a botnet that further attacks other servers, or does it sit idle waiting for a seemingly "homegrown DDoS"?

Has anyone attempted to leave a computer open as a "Honeypot" to see what activities they engage in?
Usually language, especially English is not as widely taught in China. It's hard for them to run scam campaigns such as those Nigerian ones, so...
 

Damian

New Member
Verified Provider
Can't figure out how to quote multiple people in the same post....

Some providers, like IPXCore and myself, use scripts that block SSH attacks at the node level and catch them before they hit your VPS.
annnnnd the reason that we (and others) do this is to prevent customer issues by having their VPS container compromised and then being used for malicious things or having all of the VM data deleted or whatever. This method, combined with not allowing customers to specify their initial root password themselves, has reduced the occurrence of compromised VM containers by 97% over the past year. It still happens (and it's going to happen), but it's months apart, instead of weekly.

I know there's a strong sentiment of "OMFG ALL PROVIDERS ARE EVIL, LET'S LYNCH THEM!" otherwise; I really don't have time to participate in such things.
 

peterw

New Member
annnnnd the reason that we (and others) do this is to prevent customer issues by having their VPS container compromised and then being used for malicious things or having all of the VM data deleted or whatever.
Sorry for the misunderstanding. Watching TCP/IP connections to filter out brute force attacks is OK. And it is easier to run this on the node too.
 

Damian

New Member
Verified Provider
The code was freely available at https://github.com/damianharouff/sshcheck but github continues to be an obtuse bastard whenever I try to use it, so I may have deleted it. Or it was never there. Or something. I'm sure git gave me some horrible cryptic message that makes sense to 3 people on the planet.

The code may still be available on the other popular VPS forum, but I find their new layout too aggravating to interact with. It pretty much amounts to running netstat on the host node, and then counting how many connections any given external IP makes to any given VM container IP on port 22. 

Anyway, soon-ish version 2.0 should be available, and it'll be open-source also, so everyone can read the code. 

We've had a few legitimate clients get blocked, but this usually results because the client is either trying to do operations in parallel on their VMs, a monitoring tool is not closing SSH connections when it's finished doing whatever it does, or the client is running an SSH scanner themselves. This tends to happen about once every couple of months.
 

KuJoe

Well-Known Member
Verified Provider
@Damian, my suggestion would be to add a whitelist. We have a handful of clients that have multiple VPSs with us and run scripts like MTPuTTY so the script will see them with XX connections while they really only have 2 or 3 connections per VPS.

Also, I don't know if SFTP is handled the same as FTP but some of our shared hosting clients get blocked by CSF because their FTP application likes to create 300 connections at a time for some reason (I notice it a lot more often with a specific ISP so it might not be the FTP client). I can see how SFTP will cause a client to get dinged if this happened.
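The counting logic Damian describes (run netstat on the host node, count how many connections each external IP has open to each container IP on port 22) plus the whitelist KuJoe asks for, as an added example written for this thread. It is not Damian's sshcheck and not code from either poster; the netstat sample, the addresses (documentation ranges), the threshold of 4 and the whitelist entry are all constructed. The `ssh_offenders` function reads `netstat -tn` output on stdin so it can be tested offline; `ssh_offenders_live` pipes the real command into it.

```shell
#!/bin/sh
# Added example (not Damian's sshcheck): count ESTABLISHED TCP connections
# from each remote IP to each local (container) IP on port 22 in netstat -tn
# output, skip whitelisted sources, and print the pairs above a threshold.

# Constructed sample of `netstat -tn` output on a host node. All addresses
# are from documentation ranges, not real clients or attackers.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:22         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.7:51237      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.7:51238      ESTABLISHED
tcp        0      0 203.0.113.11:22         198.51.100.7:51240      ESTABLISHED
tcp        0      0 203.0.113.11:22         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.11:22         192.0.2.44:40002        ESTABLISHED
tcp        0      0 203.0.113.11:22         192.0.2.44:40003        ESTABLISHED
tcp        0      0 203.0.113.11:22         192.0.2.44:40004        ESTABLISHED
tcp        0      0 203.0.113.11:22         192.0.2.44:40005        ESTABLISHED
tcp        0      0 203.0.113.12:80         192.0.2.99:40006        ESTABLISHED
tcp        0      0 203.0.113.12:22         192.0.2.99:40007        ESTABLISHED
tcp        0      0 203.0.113.12:22         192.0.2.99:40008        TIME_WAIT'

# Space-separated source IPs that are never flagged, e.g. a client who runs
# MTPuTTY-style parallel sessions across several VPSs. Constructed value.
WHITELIST="${WHITELIST:-198.51.100.7}"

# A (remote IP, local IP) pair with more than this many established SSH
# connections is reported. Assumed value; tune it to your client base.
THRESHOLD="${THRESHOLD:-4}"

# Read netstat -tn output on stdin; print "remote_ip local_ip count" for
# every pair over THRESHOLD whose remote IP is not whitelisted.
ssh_offenders() {
    awk -v threshold="$THRESHOLD" -v wl="$WHITELIST" '
    BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
    $1 == "tcp" || $1 == "tcp6" {
        # The port is everything after the last colon, so IPv6 literals
        # such as ::ffff:203.0.113.10:22 are split correctly too.
        nl = split($4, l, ":"); lport = l[nl]
        lip = substr($4, 1, length($4) - length(lport) - 1)
        nr = split($5, r, ":"); rport = r[nr]
        rip = substr($5, 1, length($5) - length(rport) - 1)
        # Only live sessions to the SSH port count; TIME_WAIT and other
        # services are ignored.
        if (lport != "22" || $6 != "ESTABLISHED") next
        if (rip in white) next
        count[rip " " lip]++
    }
    END { for (k in count) if (count[k] > threshold) print k, count[k] }
    ' | sort
}

# Real use on the host node: feed the live netstat table into the counter.
ssh_offenders_live() {
    netstat -tn | ssh_offenders
}

# Stand-alone run against the constructed sample: only 192.0.2.44 -> .11
# is reported; 198.51.100.7 has five sessions to .10 but is whitelisted.
printf '%s\n' "$SAMPLE_NETSTAT" | ssh_offenders
```

The count is kept per (remote, container) pair rather than per remote IP alone, so a client with two or three sessions to each of several VPSs is not summed into one large number; the whitelist then only has to cover the few clients who genuinely open many sessions to a single container. Whatever consumes the output (a block list, a central database as peterw mentions) should also expire entries, since the list otherwise grows forever.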
 

WebSearchingPro

VPS Peddler
Verified Provider
I always thought it would be fun to see if I could make a file like mysql.zip.backup.exe and see if they would download it and run it on an "open ssh honey pot" and inside the .exe would be a massive virus just for them.
I would find this interesting too... Then have it "phone home" to report info on the attacker.

I find that some VPS providers are much more prone to SSH attacks than others
For some reason being with Colocrossing makes me feel like I get quite a few more SSH attacks than usual. Not sure if that's the case; I figure they would have a rather filled IP space.
 

deluxehost

New Member
I would set up an iptables script with a --hitcount; that way if they reach the hitcount it will drop them until they stop. It uses next to nothing in resources, nor is it hard to set up. I run that on numerous servers of mine and haven't had a single person successfully gain access to my servers. But you can also use a different port, or set up fail2ban or denyhosts, or if you're an advanced user, set up port knocking and leave 22 open.
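The rule set behind the --hitcount suggestion above, written out as an added example for this thread; it is not deluxehost's own script. It uses the iptables `recent` match: one rule records each new SSH connection per source address, and a second drops the source once it has made HITS new connections within WINDOW seconds. Because the drop rule uses `--update`, every further attempt refreshes the timestamp, so the source stays blocked until it stops trying, which is the behaviour the post describes. SSH_PORT, WINDOW, HITS and the ADMIN_NET whitelist (a documentation-range network) are assumed values.

```shell
#!/bin/sh
# Added example (not deluxehost's script): an iptables "recent" rate limit
# for new SSH connections, with a whitelist so an admin network is never
# locked out. All parameter values below are assumptions for illustration.

SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"                     # seconds of history per source
HITS="${HITS:-4}"                          # HITS new connections in WINDOW => drop
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"  # constructed whitelist network
IPT="${IPT:-iptables}"

# Print the rules, one per line, in the order they must be installed:
# whitelist first, then the rule that records the source, then the rule
# that drops once the source has been seen HITS times within WINDOW.
ssh_ratelimit_rules() {
    cat <<EOF
-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_NET -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds $WINDOW --hitcount $HITS --name SSH --rsource -j DROP
EOF
}

# Number of rules the generator emits; a cheap sanity check before applying.
ssh_ratelimit_rule_count() {
    ssh_ratelimit_rules | wc -l | tr -d ' '
}

# Install the rules (needs root). With DRY_RUN=1 the commands are only
# printed, which is also how the stand-alone run below behaves.
apply_ssh_ratelimit() {
    ssh_ratelimit_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$IPT $rule"
        else
            # Word-splitting $rule into separate arguments is intended here.
            $IPT $rule
        fi
    done
}

# Stand-alone run: show what would be installed without touching the firewall.
DRY_RUN=1
apply_ssh_ratelimit
```

The state kept by the `recent` module lives in the kernel and is lost on reboot, so this is a throttle rather than a permanent ban; pair it with key-only authentication and a log-based tool such as fail2ban or DenyHosts if you also want persistent blocks. The whitelist rule must stay first, otherwise a monitoring host that opens many sessions (the false-positive case Damian mentions) will throttle itself.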
 

mikho

Not to be taken seriously, ever!
We've had a few legitimate clients get blocked, but this usually results because the client is either trying to do operations in parallel on their VMs, a monitoring tool is not closing SSH connections when it's finished doing whatever it does, or the client is running an SSH scanner themselves. This tends to happen about once every couple of months.
Me, me, me! And damn proud of it. :D


Not sure what I did but my home connection was once blocked by this.
 