Joshua Bassett wrote:

Hi Sluggers,

I was going through my auth.log file the other day and noticed that
someone (possibly several machines) are trying to login to my box
using a variety of "canned" usernames. Looks like they're trying to
bruteforce their way in...they try maybe 20 usernames per day.

Has anyone else experienced this?

Also, are they likely to try more cunning techniques (i.e. exploits) if
this yields no results for them? Is there a way I can find the person
behind this?

Any help would be greatly appreciated.




One of the protection methods against these attacks is to 'hide' your Login Server (LS).

You may 'hide' your LS by using a firewall. Hiding
the LS is one of the functions of a firewall.

In addition, or by itself, you may use an 'Authentication and
Authorization System' that is client-server, where the
client (the attacker) has to be a member of the REALM
that you belong to in your Local Area Network (LAN).

The attacker has to determine your REALM first of all in order
to start to launch an attack. After that he has to acquire a specific
Authentication System which does not come installed by default
on MS Windows, MacOS, or Linux. These alone will prevent
much canned software from successfully penetrating your system.

The more prerequisites there are for launching an attack, the better it is for your security.

With this in my design, I am using Kerberos5 for my Authentication
and Authorization Systems at home (http://web/mit.edu/kerberos/www).

One important feature of this System, to prevent the attacks you illustrated
from being successful, is its ability to implement 'policy' authentication
whereby users are forced to use 'strong' username/password combinations.

It implements Secure-ID Authentication or what people call 'strong authentication'.
What this means is that the password does not travel across 'the wire'
from client-to-server and vice-versa; the password is only used within
the server and/or within the client computers and is encrypted. The
passwords, even when already encrypted, are not exchanged between
client and server computers.


Conversations between the server and client computers have security and
privacy as these are encrypted using strong encryption standards.

Kerberos5 uses triple-DES as default encryption whilst Kerberos4 uses
DES.

Authentication is symmetric.  This means the server authenticates
the client and the client authenticates the server.

Authentication is implemented by requesting and acquiring Keys. The
Key Distribution Center, which supplies Keys after an authenticated request,
is centralised, making management simple and efficient. Just to illustrate,
even if this does not apply to you: imagine you have 10 or 100 servers.
Many organisations these days have thousands of servers each.


A sysadmin person left the company suddenly under questionable
circumstances. He has Admin permissions to several servers, say 500
servers. With Kerberos it is a simple procedure of
changing the authentication of Admin once, and it will be implemented
across all of your servers automatically. Another way I look at this
is that it helps enforce standards of authentication within the Company.

There are other features that can be implemented depending on your
requirements.

A snippet:

mybox:~# grep Illegal /var/log/auth.log
Apr 10 07:35:01 localhost sshd[9868]: Illegal user test from ::ffff:67.112.29.138
Apr 10 07:35:04 localhost sshd[9870]: Illegal user guest from ::ffff:67.112.29.138
Apr 10 07:35:06 localhost sshd[9872]: Illegal user admin from ::ffff:67.112.29.138
Apr 10 07:35:09 localhost sshd[9874]: Illegal user admin from ::ffff:67.112.29.138
Apr 10 07:35:12 localhost sshd[9876]: Illegal user user from ::ffff:67.112.29.138
Apr 10 07:35:22 localhost sshd[9884]: Illegal user test from ::ffff:67.112.29.138
Apr 10 10:33:57 localhost sshd[9918]: Illegal user patrick from ::ffff:203.145.172.175
Apr 10 10:33:58 localhost sshd[9920]: Illegal user patrick from ::ffff:203.145.172.175
Apr 10 10:34:09 localhost sshd[9932]: Illegal user rolo from ::ffff:203.145.172.175
Apr 10 10:34:10 localhost sshd[9934]: Illegal user iceuser from ::ffff:203.145.172.175
Apr 10 10:34:12 localhost sshd[9936]: Illegal user horde from ::ffff:203.145.172.175
Apr 10 10:34:14 localhost sshd[9938]: Illegal user cyrus from ::ffff:203.145.172.175
Apr 10 10:34:16 localhost sshd[9940]: Illegal user www from ::ffff:203.145.172.175
Apr 10 10:34:17 localhost sshd[9942]: Illegal user wwwrun from ::ffff:203.145.172.175
Apr 10 10:34:19 localhost sshd[9944]: Illegal user matt from ::ffff:203.145.172.175
Apr 10 10:34:21 localhost sshd[9946]: Illegal user test from ::ffff:203.145.172.175
Apr 10 10:34:22 localhost sshd[9948]: Illegal user test from ::ffff:203.145.172.175
Apr 10 10:34:24 localhost sshd[9950]: Illegal user test from ::ffff:203.145.172.175
Apr 10 10:34:26 localhost sshd[9952]: Illegal user test from ::ffff:203.145.172.175
Apr 10 10:34:31 localhost sshd[9958]: Illegal user operator from ::ffff:203.145.172.175
Apr 10 10:34:33 localhost sshd[9960]: Illegal user adm from ::ffff:203.145.172.175
Apr 10 10:34:34 localhost sshd[9962]: Illegal user apache from ::ffff:203.145.172.175
Apr 10 10:34:40 localhost sshd[9968]: Illegal user adm from ::ffff:203.145.172.175
Apr 10 10:34:46 localhost sshd[9976]: Illegal user jane from ::ffff:203.145.172.175
Apr 10 10:34:48 localhost sshd[9978]: Illegal user pamela from ::ffff:203.145.172.175
Apr 10 10:34:58 localhost sshd[9990]: Illegal user cosmin from ::ffff:203.145.172.175
Apr 10 10:36:02 localhost sshd[10064]: Illegal user cip52 from ::ffff:203.145.172.175
Apr 10 10:36:04 localhost sshd[10066]: Illegal user cip51 from ::ffff:203.145.172.175
Apr 10 10:36:07 localhost sshd[10070]: Illegal user noc from ::ffff:203.145.172.175
Apr 10 10:36:16 localhost sshd[10080]: Illegal user webmaster from ::ffff:203.145.172.175
Apr 10 10:36:17 localhost sshd[10082]: Illegal user data from ::ffff:203.145.172.175
Apr 10 10:36:19 localhost sshd[10084]: Illegal user user from ::ffff:203.145.172.175
Apr 10 10:36:21 localhost sshd[10086]: Illegal user user from ::ffff:203.145.172.175
Apr 10 10:36:23 localhost sshd[10088]: Illegal user user from ::ffff:203.145.172.175
Apr 10 10:36:24 localhost sshd[10090]: Illegal user web from ::ffff:203.145.172.175
Apr 10 10:36:26 localhost sshd[10092]: Illegal user web from ::ffff:203.145.172.175
Apr 10 10:36:28 localhost sshd[10094]: Illegal user oracle from ::ffff:203.145.172.175
Apr 10 10:36:30 localhost sshd[10096]: Illegal user sybase from ::ffff:203.145.172.175
Apr 10 10:36:31 localhost sshd[10098]: Illegal user master from ::ffff:203.145.172.175
Apr 10 10:36:33 localhost sshd[10100]: Illegal user account from ::ffff:203.145.172.175
Apr 10 10:36:36 localhost sshd[10104]: Illegal user server from ::ffff:203.145.172.175
Apr 10 10:36:38 localhost sshd[10106]: Illegal user adam from ::ffff:203.145.172.175
Apr 10 10:36:40 localhost sshd[10108]: Illegal user alan from ::ffff:203.145.172.175
Apr 10 10:36:42 localhost sshd[10110]: Illegal user frank from ::ffff:203.145.172.175
Apr 10 10:36:43 localhost sshd[10112]: Illegal user george from ::ffff:203.145.172.175
Apr 10 10:36:45 localhost sshd[10114]: Illegal user henry from ::ffff:203.145.172.175
Apr 10 10:36:47 localhost sshd[10116]: Illegal user john from ::ffff:203.145.172.175
Apr 10 10:36:57 localhost sshd[10128]: Illegal user test from ::ffff:203.145.172.175
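As an added example (not code from the thread), one way to turn the sshd "Illegal user" lines above into a per-source summary and flag sources that try many unknown usernames within a short span. The sample lines are constructed in the same format as the snippet, the ::ffff: prefix is stripped so IPv4 clients on an IPv6 socket group correctly, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Illegal user" lines as they appear in the thread's auth.log snippet
ILLEGAL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                        r"Illegal user (?P<user>\S+) from (?P<src>\S+)$")

# Constructed sample in the same format (one unrelated line to show it is ignored)
SAMPLE_LOG = """\
Apr 10 07:35:01 localhost sshd[9868]: Illegal user test from ::ffff:67.112.29.138
Apr 10 07:35:04 localhost sshd[9870]: Illegal user guest from ::ffff:67.112.29.138
Apr 10 07:35:06 localhost sshd[9872]: Illegal user admin from ::ffff:67.112.29.138
Apr 10 10:33:57 localhost sshd[9918]: Illegal user patrick from ::ffff:203.145.172.175
Apr 10 10:34:09 localhost sshd[9932]: Illegal user rolo from ::ffff:203.145.172.175
Apr 10 10:34:10 localhost sshd[9934]: Illegal user iceuser from ::ffff:203.145.172.175
Apr 10 10:34:12 localhost sshd[9936]: Illegal user horde from ::ffff:203.145.172.175
Apr 10 10:34:14 localhost sshd[9938]: Illegal user cyrus from ::ffff:203.145.172.175
Apr 10 10:40:00 localhost sshd[9999]: Accepted publickey for alice from 192.0.2.10 port 4242 ssh2
""".splitlines()

def normalise_src(src):
    """sshd on an IPv6 socket logs IPv4 clients as ::ffff:a.b.c.d; strip that prefix."""
    return src[len("::ffff:"):] if src.startswith("::ffff:") else src

def parse_ts(ts, year=2005):
    """Syslog timestamps carry no year; the year is an assumption so deltas can be computed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def summarise(lines):
    """Per source address: attempt timestamps and the set of usernames tried."""
    per_src = defaultdict(lambda: {"times": [], "users": set()})
    for line in lines:
        m = ILLEGAL_RE.match(line.strip())
        if not m:
            continue  # not an unknown-user attempt; ignore
        rec = per_src[normalise_src(m.group("src"))]
        rec["times"].append(parse_ts(m.group("ts")))
        rec["users"].add(m.group("user"))
    return dict(per_src)

def flag_bruteforce(lines, min_attempts=5, window_s=300):
    """Sources with >= min_attempts unknown-user attempts inside any window_s-second span."""
    flagged = {}
    for src, rec in summarise(lines).items():
        times = sorted(rec["times"])
        for i in range(len(times) - min_attempts + 1):  # sliding window over sorted times
            if (times[i + min_attempts - 1] - times[i]).total_seconds() <= window_s:
                flagged[src] = (len(times), sorted(rec["users"]))
                break
    return flagged
```

With the defaults, the 203.145.172.175 source is flagged (five unknown usernames in 17 seconds) while the three attempts from 67.112.29.138 fall below the threshold; lowering min_attempts or widening the window changes that, which is the knob a defender tunes against their own baseline.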




-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html