Re: [gentoo-user] Usernames in ssh attacks

2009-03-20 Thread Eric Martin
Paul Hartman wrote:
 On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
 johan.bluecr...@gmail.com wrote:
 I've always had usernames when it comes to sshd's log entries in
 auth.log, like the following:

 time hostname sshd[5926]: error: PAM: Authentication failure for
 username from ip-address
 
 Well, I don't use PAM, just key-based authentication only, so I always
 see only the IP getting rejected since it doesn't even give them a
 place to try a user/password :) It's just weird that it is refusing a
 connection from u...@domain rather than simply the IP. I guess they
 could be trying to ssh u...@myhost.net or something.  The one with
 [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
 interesting. I wonder what that's all about.
 

I too use only PubKey but they need to send a username so ssh knows
where to look for the public key.  Your two options boil down to

1) install fail2ban (I installed it on all of my external ssh boxes and
I love it)
2) change the ssh port to something other than 22 (Security by Obscurity
 but it frees up your logs so you can see real problems).

The two may be mutually exclusive as I'm not sure if you can tweak
fail2ban's ssh rules to monitor another port.

I just chalk it up as log spam unless I see definite bad patterns.  But
again, with public key access only and banning root from logging in via
ssh I don't think anybody is getting far unless there is a flaw in ssh.

-- 
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA  B215 6A25 7174 A941 3B9F





Re: [gentoo-user] Usernames in ssh attacks

2009-03-20 Thread Paul Hartman
On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin freak4u...@gmail.com wrote:
 Paul Hartman wrote:
 On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
 johan.bluecr...@gmail.com wrote:
 I've always had usernames when it comes to sshd's log entries in
 auth.log, like the following:

 time hostname sshd[5926]: error: PAM: Authentication failure for
 username from ip-address

 Well, I don't use PAM, just key-based authentication only, so I always
 see only the IP getting rejected since it doesn't even give them a
 place to try a user/password :) It's just weird that it is refusing a
 connection from u...@domain rather than simply the IP. I guess they
 could be trying to ssh u...@myhost.net or something.  The one with
 [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
 interesting. I wonder what that's all about.


 I too use only PubKey but they need to send a username so ssh knows
 where to look for the public key.  Your two options boil down to

 1) install fail2ban (I installed it on all of my external ssh boxes and
 I love it)
 2) change the ssh port to something other than 22 (Security by Obscurity
  but it frees up your logs so you can see real problems).

 The two may be mutually exclusive as I'm not sure if you can tweak
 fail2ban's ssh rules to monitor another port.

 I just chalk it up as log spam unless I see definite bad patterns.  But
 again, with public key access only and banning root from logging in via
 ssh I don't think anybody is getting far unless there is a flaw in ssh.

Oh, I am not concerned about the attacks. I just thought it was weird
that I saw u...@domain when I normally see only IP or only domain.
They are already refused connection as the log shows :)

Thanks,
Paul



Re: [gentoo-user] Usernames in ssh attacks

2009-03-20 Thread Eric Martin
Paul Hartman wrote:
 On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin freak4u...@gmail.com wrote:
 Paul Hartman wrote:
 On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
 johan.bluecr...@gmail.com wrote:
 I've always had usernames when it comes to sshd's log entries in
 auth.log, like the following:

 time hostname sshd[5926]: error: PAM: Authentication failure for
 username from ip-address
 Well, I don't use PAM, just key-based authentication only, so I always
 see only the IP getting rejected since it doesn't even give them a
 place to try a user/password :) It's just weird that it is refusing a
 connection from u...@domain rather than simply the IP. I guess they
 could be trying to ssh u...@myhost.net or something.  The one with
 [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
 interesting. I wonder what that's all about.

 I too use only PubKey but they need to send a username so ssh knows
 where to look for the public key.  Your two options boil down to

 1) install fail2ban (I installed it on all of my external ssh boxes and
 I love it)
 2) change the ssh port to something other than 22 (Security by Obscurity
  but it frees up your logs so you can see real problems).

 The two may be mutually exclusive as I'm not sure if you can tweak
 fail2ban's ssh rules to monitor another port.

 I just chalk it up as log spam unless I see definite bad patterns.  But
 again, with public key access only and banning root from logging in via
 ssh I don't think anybody is getting far unless there is a flaw in ssh.
 
 Oh, I am not concerned about the attacks. I just thought it was weird
 that I saw u...@domain when I normally see only IP or only domain.
 They are already refused connection as the log shows :)
 
 Thanks,
 Paul
 

Yeah, after I read your message I realized that I didn't quite answer
your question.  Somebody mentioned they probably configured the dns PTR
record incorrectly which is my guess.

-- 
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA  B215 6A25 7174 A941 3B9F





[gentoo-user] Usernames in ssh attacks

2009-03-19 Thread Paul Hartman
In my ssh logs this morning I noticed a couple login attempts with
usernames on them... I've never seen that before. It is usually just an
IP address.

Mar 18 20:19:48 [sshd] refused connect from postmas...@dns.cablecentro.net.co
Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
Mar 18 23:44:44 [sshd] refused connect from [u2fsdgvkx19g32yzvkmsqkl+mouwitiloicy4iq9oq...@211.116.136.107
Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66

weird... maybe the bad guys are up to something new.



Re: [gentoo-user] Usernames in ssh attacks

2009-03-19 Thread Johan Blåbäck
I've always had usernames when it comes to sshd's log entries in
auth.log, like the following:

time hostname sshd[5926]: error: PAM: Authentication failure for
username from ip-address


On 3/19/09, Paul Hartman paul.hartman+gen...@gmail.com wrote:
 In my ssh logs this morning I noticed a couple login attempts with
 usernames on them... I've never seen that before. It is usually just an
 IP address.

 Mar 18 20:19:48 [sshd] refused connect from postmas...@dns.cablecentro.net.co
 Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
 Mar 18 23:44:44 [sshd] refused connect from [u2fsdgvkx19g32yzvkmsqkl+mouwitiloicy4iq9oq...@211.116.136.107
 Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66

 weird... maybe the bad guys are up to something new.




-- 

For security reasons, all text in this mail is double-rot13 encrypted.



Re: [gentoo-user] Usernames in ssh attacks

2009-03-19 Thread Paul Hartman
On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
johan.bluecr...@gmail.com wrote:
 I've always had usernames when it comes to sshd's log entries in
 auth.log, like the following:

 time hostname sshd[5926]: error: PAM: Authentication failure for
 username from ip-address

Well, I don't use PAM, just key-based authentication only, so I always
see only the IP getting rejected since it doesn't even give them a
place to try a user/password :) It's just weird that it is refusing a
connection from u...@domain rather than simply the IP. I guess they
could be trying to ssh u...@myhost.net or something.  The one with
[U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
interesting. I wonder what that's all about.



Re: [gentoo-user] Usernames in ssh attacks

2009-03-19 Thread Michael Higgins
On Thu, 19 Mar 2009 10:43:13 -0500
Paul Hartman paul.hartman+gen...@gmail.com wrote:

 On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
 johan.bluecr...@gmail.com wrote:
  I've always had usernames when it comes to sshd's log entries in
  auth.log, like the following:
 
  time hostname sshd[5926]: error: PAM: Authentication failure for
  username from ip-address
 
 Well, I don't use PAM, just key-based authentication only, so I always
 see only the IP getting rejected since it doesn't even give them a
 place to try a user/password :) It's just weird that it is refusing a
 connection from u...@domain rather than simply the IP. I guess they
 could be trying to ssh u...@myhost.net or something.  The one with
 [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
 interesting. I wonder what that's all about.
 

My $.02:

 perl -MMIME::Base64 -e 'print decode_base64("U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=")'
Salted__`�fT�,BI~���!2
   :'���9

I'm no expert, so Google led me to OpenSSL's command-line enc utility:

echo U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo= | openssl enc -d -base64 -a -idea
enter idea-cbc decryption password:

... or like that. Seems like an attempt to send user and password together. 

I suppose if you know what are possible user/pass combos on your system, and 
can suss the crypt type from the signature (I've no idea if possible), you can 
see if it's a real hack attempt.

It is interesting, I think... but I'm just guessing. ;-)

Cheers,

-- 
 |\  /||   |  ~ ~  
 | \/ ||---|  `|` ?
 ||ichael  |   |iggins\^ /
 michael.higgins[at]evolone[dot]org
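
Michael's decode shows the `Salted__` prefix, which is the header `openssl enc` writes in front of its 8-byte salt; the rest of the blob is ciphertext. The Python below is added here and is not from the thread: it checks a token for that envelope and reports the salt and the ciphertext size without attempting any decryption, using only the token quoted above as input.

```python
import base64
import binascii

# The token that appeared as the "username" in the original post.
TOKEN = "U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo="

# Header that `openssl enc` writes in front of its 8-byte salt (salting is
# the default), followed directly by the ciphertext.
OPENSSL_MAGIC = b"Salted__"


def parse_openssl_salted(token):
    """Return a description of an OpenSSL `enc` envelope, or None.

    None means the token is not valid base64, is too short to hold the
    header, the salt and one cipher block, or lacks the Salted__ header.
    Nothing is decrypted: without the password the only recoverable facts
    are the container format, the salt and the size of the ciphertext.
    """
    token = token.strip("[]")  # the log showed the token in square brackets
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 8 + 8 + 8 or not raw.startswith(OPENSSL_MAGIC):
        return None
    salt, ciphertext = raw[8:16], raw[16:]
    return {
        "salt_hex": salt.hex(),
        "ciphertext_len": len(ciphertext),
        # enc pads with PKCS#7, so the ciphertext is a whole number of cipher
        # blocks and the plaintext is at least one byte shorter than it.
        "fits_64bit_blocks": len(ciphertext) % 8 == 0,
        "fits_128bit_blocks": len(ciphertext) % 16 == 0,
        "max_plaintext_len": len(ciphertext) - 1,
    }


if __name__ == "__main__":
    print(parse_openssl_salted(TOKEN))
```

For the token from the thread this yields a 16-byte ciphertext, so whatever was encrypted was at most 15 bytes, which fits a short `user:password` string.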



RE: [gentoo-user] Usernames in ssh attacks

2009-03-19 Thread Adam Carter
 In my ssh logs this morning I noticed a couple login attempts with
 usernames on them... I've never seen that before. It is usually just an
 IP address.

 Mar 18 20:19:48 [sshd] refused connect from postmas...@dns.cablecentro.net.co
 Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
 Mar 18 23:44:44 [sshd] refused connect from [u2fsdgvkx19g32yzvkmsqkl+mouwitiloicy4iq9oq...@211.116.136.107
 Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66

 weird... maybe the bad guys are up to something new.

I'd say they've just made a mistake in their DNS config (or maybe used a
wildcard record), and set the PTR record to be
postmas...@dns.cablecentro.net.co instead of a hostname. I'm assuming the
reason you usually see IP addresses is that there is no PTR record set for that
IP.

Are you running Fail2ban or similar?

Rgs,
Adam
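
Adam's point is that a `user@host` token is not a hostname at all, so the name part of such an entry should not be trusted; only the address is reliable. The Python below is added here and is not from the thread: it parses `refused connect from` lines of the shape quoted above, separates bare addresses, well-formed reverse-DNS names and malformed names, and counts refusals per address the way a fail2ban-style filter would. The log lines are constructed with documentation-range addresses and invented names; only the base64 token is from the post.

```python
import re
from collections import Counter

# Constructed sample lines in the tcp-wrappers style "refused connect from ..."
# shape quoted in the thread; addresses are from the documentation range
# 192.0.2.0/24 and the names are invented. Only the base64 token is from the post.
SAMPLE_LOG = """\
Mar 18 20:19:48 [sshd] refused connect from postmaster@dns.example.net
Mar 18 23:42:44 [sshd] refused connect from 192.0.2.10
Mar 18 23:44:44 [sshd] refused connect from [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@192.0.2.10
Mar 19 02:41:09 [sshd] refused connect from 192.0.2.66
Mar 19 02:41:15 [sshd] refused connect from mail.example.org
"""

REFUSED_RE = re.compile(r"\[sshd\] refused connect from (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^" + LABEL + r"(?:\." + LABEL + r")*$")


def classify_source(source):
    """Return (kind, ip) for the peer token that was logged.

    kind is "ip" for a bare address, "hostname" for a well-formed reverse-DNS
    name and "bad-ptr" for anything else: a "user@host" token cannot be a
    hostname, so only an address after the '@', if any, is kept as reliable.
    """
    if IPV4_RE.match(source):
        return "ip", source
    if HOSTNAME_RE.match(source):
        return "hostname", None
    ip = None
    if "@" in source:
        tail = source.rsplit("@", 1)[1]
        if IPV4_RE.match(tail):
            ip = tail
    return "bad-ptr", ip


def refusals_by_ip(log_text):
    """Count refusals per source address, skipping entries where the peer is
    known only by an unverified reverse-DNS name (fail2ban-style bookkeeping)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            _kind, ip = classify_source(m.group(1))
            if ip:
                counts[ip] += 1
    return counts
```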