http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=207603339
By Thomas Claburn
InformationWeek
May 13, 2008
The number of brute-force SSH attacks is rising, the SANS Internet Storm
Center warned on Monday.
"[T]here has been a significant amount of brute force scanning reported
by some of our readers and on other mailing lists," said Internet Storm
Center handler Scott Fendley in a blog post. "... From the most recent
reports I have seen, the attackers have been using either 'low and slow'
style attacks to avoid locking out accounts and/or being detected by
IDS/IPS systems. Some attackers seem to be using botnets to do a
distributed style attack which also is not likely to exceed thresholds
common on the network."
Data gathered by DenyHosts.org, a site that tracks SSH hacking attempts,
appears to confirm Fendley's claim. A graph of the site's data shows SSH
hacking attempts rising sharply over the past weekend.
SSH stands for secure shell. It is a network protocol for creating a
secure communications channel between two computers using public key
cryptography.
A brute-force SSH attack, a kind of dictionary attack, is simply a
repeating, typically automated, attempt to guess SSH client user names
and/or passwords. If such an attack succeeds, the attacker may be able
to view, copy, or delete important files on the accessed server or
execute malicious code.
The SANS Institute last year said that brute-force password-guessing
attacks against SSH, FTP and Telnet servers were "the most common form
of attack to compromise servers facing the Internet."
A paper published earlier this year by Jim Owens and Jeanna Matthews of
Clarkson University, "A Study of Passwords and Methods Used in
Brute-Force SSH Attacks," found, based on an analysis of network
traffic, that even "strong" passwords may not be enough to foil
password-guessing attacks. ("Strong" passwords are typically a
combination of letters and numbers, both upper and lower case, that
don't form recognizable words.)
The paper focuses on the vulnerability of Linux systems to brute-force
SSH attacks. "While it is true that computers running Linux are not
subject to the many worms, viruses, and other malware that target
Windows platforms, the Linux platform is known to be vulnerable to other
forms of exploitation," the paper states. "A 2004 study conducted by the
London-based security analysis and consulting firm mi2g found that Linux
systems accounted for 65% of 'digital breaches' recorded during the
twelve-month period ending in October 2004."
The paper points to remarks by Dave Cullinane, CISO at eBay (NSDQ: EBAY)
and Alfred Huger, VP at Symantec (NSDQ: SYMC) Security Response, to the
effect that Linux machines make up a large portion of the command and
control networks of botnets.
It also notes that "Linux systems face a unique threat of compromise
from brute-force attacks against SSH servers that may be running without
the knowledge of system owners/operators. Many Linux distributions
install the SSH service by default, some without the benefit of an
effective firewall."
Thus, all it takes to compromise such systems is to guess the password,
and attackers have machines trying to do just that at all hours of the
day. To make matters worse, attackers are sharing dictionaries of
username/password pairs that include a significant number of "strong"
passwords.
Fendley recommends that IT administrators consider defenses advocated by
Owens and Matthews in their paper. These include: using host-based
security tools to block access to servers; disabling direct access to
root accounts; avoiding easily guessed usernames, such as a person's
first or last name; enforcing the use of strong passwords, public key
authentication, or multi-factor authentication, depending the security
posture of the organization in question; and limiting publicly
accessible network services through iptables or other host-based
security measures.
_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue May 13 2008 - 23:16:13 PDT