[ISN] Brute-Force SSH Server Attacks Surge

From: InfoSec News (alerts@private)
Date: Tue May 13 2008 - 23:07:32 PDT


By Thomas Claburn
May 13, 2008

The number of brute-force SSH attacks is rising, the SANS Internet Storm 
Center warned on Monday.

"[T]here has been a significant amount of brute force scanning reported 
by some of our readers and on other mailing lists," said Internet Storm 
Center handler Scott Fendley in a blog post. "... From the most recent 
reports I have seen, the attackers have been using either 'low and slow' 
style attacks to avoid locking out accounts and/or being detected by 
IDS/IPS systems. Some attackers seem to be using botnets to do a 
distributed style attack which also is not likely to exceed thresholds 
common on the network."

Data gathered by DenyHosts.org, a site that tracks SSH hacking attempts, 
appears to confirm Fendley's claim. A graph of the site's data shows SSH 
hacking attempts rising sharply over the past weekend.

SSH stands for secure shell. It is a network protocol for creating a 
secure communications channel between two computers using public key 

A brute-force SSH attack, a kind of dictionary attack, is simply a 
repeating, typically automated, attempt to guess SSH client user names 
and/or passwords. If such an attack succeeds, the attacker may be able 
to view, copy, or delete important files on the accessed server or 
execute malicious code.

The SANS Institute last year said that brute-force password-guessing 
attacks against SSH, FTP and Telnet servers were "the most common form 
of attack to compromise servers facing the Internet."

A paper published earlier this year by Jim Owens and Jeanna Matthews of 
Clarkson University, "A Study of Passwords and Methods Used in 
Brute-Force SSH Attacks," found, based on an analysis of network 
traffic, that even "strong" passwords may not be enough to foil 
password-guessing attacks. ("Strong" passwords are typically a 
combination of letters and numbers, both upper and lower case, that 
don't form recognizable words.)

The paper focuses on the vulnerability of Linux systems to brute-force 
SSH attacks. "While it is true that computers running Linux are not 
subject to the many worms, viruses, and other malware that target 
Windows platforms, the Linux platform is known to be vulnerable to other 
forms of exploitation," the paper states. "A 2004 study conducted by the 
London-based security analysis and consulting firm mi2g found that Linux 
systems accounted for 65% of 'digital breaches' recorded during the 
twelve-month period ending in October 2004."

The paper points to remarks by Dave Cullinane, CISO at eBay (NSDQ: EBAY) 
and Alfred Huger, VP at Symantec (NSDQ: SYMC) Security Response, to the 
effect that Linux machines make up a large portion of the command and 
control networks of botnets.

It also notes that "Linux systems face a unique threat of compromise 
from brute-force attacks against SSH servers that may be running without 
the knowledge of system owners/operators. Many Linux distributions 
install the SSH service by default, some without the benefit of an 
effective firewall."

Thus, all it takes to compromise such systems is to guess the password, 
and attackers have machines trying to do just that at all hours of the 
day. To make matters worse, attackers are sharing dictionaries of 
username/password pairs that include a significant number of "strong" 

Fendley recommends that IT administrators consider defenses advocated by 
Owens and Matthews in their paper. These include: using host-based 
security tools to block access to servers; disabling direct access to 
root accounts; avoiding easily guessed usernames, such as a person's 
first or last name; enforcing the use of strong passwords, public key 
authentication, or multi-factor authentication, depending the security 
posture of the organization in question; and limiting publicly 
accessible network services through iptables or other host-based 
security measures.

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Tue May 13 2008 - 23:16:13 PDT