
SSH probes – the price of Unix mainstreaming?

Kaido Kikkas, Centre for Educational Technology, Tallinn University, Tallinn, Estonia, kaido.kikkas@kakupesa.net. ICWI 2005, Lisbon.


Presentation Transcript


  1. Kaido Kikkas, Centre for Educational Technology, Tallinn University, Tallinn, Estonia, kaido.kikkas@kakupesa.net. ICWI 2005, Lisbon. SSH probes – the price of Unix mainstreaming?

  2. This is no news...
  • Microsoft Windows:
    - Viruses and Worms = 17,500 (symantec.com)
    - Spyware and Adware programs = 78,000 (www.pestpatrol.com)
    - 80% of PCs infected with spyware (webroot.com)
  • Last year (2004) alone:
    - 500 new Trojans (www.pestpatrol.com)
    - 500 new keyloggers (www.pestpatrol.com)
    - 1,287 new adware apps (www.pestpatrol.com)
    - 7,360 new viruses and worms (symantec.com)

  3. To make things worse... • More than often, the main problem is still located between the keyboard and the chair • Training of ordinary users is sadly neglected – the exploding (mis)use of PCs has led to the situation where the ignorance of one user can have significant impact on thousands of others (with a wide variety of Bad Things, e.g. botnets) • Some people just seem to never learn... • BUT MAYBE: let's give them more secure systems than MS Windows?

  4. Linux & Co • The Original Geek System • Good record in security • Perceived more difficult than Windows => relatively more knowledgeable user base • BUT - the gradual changes during the decade: • More business and marketing, less hacker attitude • Lots of ordinary users moving over, many of them bring along questionable security practices obtained on Windows (e.g. admin rights with no password) • Are the strong points going to last? • How to protect users from themselves...?

  5. SSH • A major protocol of Internet, has replaced Telnet • Also used in file transfer (sftp, scp) • Native to Unix-like systems, must be added to Windows => one of the few cases where most attack targets are not Windows systems • Many Unix-like systems, e.g. some Linux distributions, tend to install and run an SSH server by default => casual users may be perfectly unaware of the fact and related dangers (especially if the firewall is down by default)

  6. Sometimes, simple things work... • SSH probing – a really simple kind of attack • Similar to door-testing in a multi-apartment house • ... and like in that house, some doors are left open • All you need is a simple script which tries a selection of often-used user names, complete with no or a trivial password • Relies wholly on laziness or cluelessness – and is surprisingly often successful

  7. An excerpt from BruteSSH script
     while (fgets(buff, sizeof(buff), fp)) {
         c = strchr(buff, '\n');
         if (c != NULL) *c = '\0';
         if (!(fork())) {  // child
             where = 0;
             checkauth("test", "test", buff);
             checkauth("guest", "guest", buff);
             checkauth("admin", "admins", buff);
             checkauth("admin", "admin", buff);
             checkauth("user", "user", buff);
             checkauth("root", "password", buff);
             checkauth("root", "root", buff);
             checkauth("root", "123456", buff);
             checkauth("test", "123456", buff);
             checkauth("test", "12345", buff);

  8. 31337 K1dd13 stuff • Mostly used by low-profile malefactors like script kiddies (mostly junior crackers with no real technical skill) • Despite this, the results can be of a similar scale to those of much more sophisticated attacks (at least in cases of root compromise) • A well-known source of botnets or zombie networks used in major DDoS (Distributed Denial of Service) attacks on more important targets • Other Bad Things may happen as well (e.g. sniffing)

  9. The kakupesa.net survey • SSH probes were surveyed on a small home-based server for one year (July 17, 2004 – July 17, 2005) • The server ran White Box Linux 3 at that time (nowadays it uses CentOS 4) • In addition to running the home network, the server served some neighbours and carried all the teaching materials (for three universities) of the speaker – the load was light but not insignificant

  10. The attacks • During the year, the number of attempts went from a couple a week up to several hundred a day • Total for one year: 32 370 • Most sources were identifiable with traceroute, ping and other utilities – address counterfeiting (spoofing) was hardly used • At first, notices were sent to the owners of offending machines, with nearly 100% positive feedback (later, the increasing load made this impossible)

  11. Development • It all started with test and guest • October 2004 – more than 100 attempts in a day • Gradual growth, typically 2-3 different attackers with varying number of attempts every day • Peak: July 13, 2005 with 2465 attempts • Quite even distribution over the year - the longest break was 4 days

  12. Geography: the top Devil's Dozen
      #    Country      Attacks   Attempts
      1.   US               105      11300
      2.   Korea            101       3163
      3.   Italy              9       2668
      4.   France            11       2344
      5.   Taiwan            39       1815
      6.   Japan             18       1676
      7.   Hong Kong          8       1647
      8.   UK                13       1372
      9.   China             71       1302
      10.  Canada             6        867
      11.  Germany           10        492
      12.  Sweden             4        435
      13.  India             13        409
  ... there were 53 countries.
  • BY THE WAY: Estonia 1, Finland 0

  13. Happens in better families, too...
  • Assorted list of attack sources:
    • Royal Institute of Technology (KTH), Sweden
    • Société Européenne des Satellites, Luxembourg
    • Leibniz-Rechenzentrum & Hochschule für Künste Bremen, Germany
    • Centre de Calcul de l'Université de Bourgogne, France
    • Zagreb University, Croatia
    • University of Colorado & National Association for Child Care, USA
    • University of Saskatchewan, Canada
    • Ministry of Education Computer Center, Taiwan
    • Kumamoto Gakuen University, Japan
    • ...

  14. Lazy ISPs? • A substantial number of attacks originated from large-scale, “ordinary user” broadband service providers riding the first wave of the broadband boom • Bellsouth.net (USA), Hanaro Telecom (Korea), Cable i Televisio y Catalunya (Spain/Catalunya)... • Are some guys neglecting their homework...?

  15. National issue • During the survey, none of the attempts matched the real usernames of the server – were we just lucky? • No, it is just that the usernames were Estonian ones • There were some attempts with Japanese and Finnish names, but most were English (like most spam dorks, these guys must be US-centered chauvinists :-) – but we're happy with this) • The more nontrivial the usernames are, the better

  16. Some countermeasures
  • Educate your users (yes, I know - I am asking way too much... :-) )
  • Set a strict policy on passwords
  • In sshd_config:
    • Set PermitEmptyPasswords to No
    • Set Protocol to 2
    • Set PermitRootLogin to No
    • List your usernames in AllowUsers (if possible)
  • Limit connection time and/or allowed connections
  • Use DenyHosts (http://denyhosts.sourceforge.net) or a similar script to block major offenders
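As an added example (not part of the talk, nor DenyHosts' own code), the following shell script audits an sshd_config for the three directives listed above, comparing a weak distribution-style config with a hardened one, and then counts failed logins per source address over a few constructed auth.log lines, which is the per-source tally DenyHosts automates and the survey on slides 10–12 reports. All config text, log lines, usernames and addresses are constructed, and the threshold of 3 is an assumption.

```shell
#!/bin/sh
# Added example, not from the talk: audit an sshd_config for the directives the
# slide names, then tally failed logins per source the way DenyHosts does.
# All config and log lines below are constructed sample data.
# sshd honours the FIRST occurrence of a directive, so the audit does the same.
WANTED="PermitEmptyPasswords no
Protocol 2
PermitRootLogin no"
# audit_sshd_config CONFIGTEXT -> one "OK name" or "BAD name value" per directive
audit_sshd_config() {
  printf '%s\n' "$WANTED" | while read -r key want; do
    have=$(printf '%s\n' "$1" | awk -v k="$key" \
      'tolower($1) == tolower(k) && !seen { v = $2; seen = 1 } END { print v }')
    if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" = "$want" ]; then
      echo "OK $key"
    else
      echo "BAD $key ${have:-(unset)}"
    fi
  done
}

# Constructed: a distribution default left untouched, and the hardened version
WEAK='Protocol 2,1
PermitRootLogin yes
#PermitEmptyPasswords no'
HARDENED='Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers mari juhan'

# Constructed auth.log excerpt in the format sshd uses for failed/accepted logins
LOG='Jul 13 03:12:01 srv sshd[1201]: Failed password for invalid user test from 192.0.2.10 port 40122 ssh2
Jul 13 03:12:03 srv sshd[1203]: Failed password for invalid user guest from 192.0.2.10 port 40124 ssh2
Jul 13 03:12:05 srv sshd[1205]: Failed password for root from 192.0.2.10 port 40126 ssh2
Jul 13 03:12:07 srv sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Jul 13 03:12:09 srv sshd[1209]: Accepted publickey for mari from 203.0.113.5 port 60000 ssh2'

# failed_per_source LOGTEXT -> "count ip" lines, busiest source first
failed_per_source() {
  printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders LOGTEXT THRESHOLD -> sources with at least THRESHOLD failures, i.e.
# the addresses a DenyHosts-style script would add to /etc/hosts.deny
offenders() {
  failed_per_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}
audit_sshd_config "$WEAK"; audit_sshd_config "$HARDENED"; offenders "$LOG" 3
```

Running it prints three BAD lines for the weak config (Protocol 2,1, PermitRootLogin yes, PermitEmptyPasswords unset), three OK lines for the hardened one, and 192.0.2.10 as the only source reaching the threshold.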

  17. Final words • Despite their simplicity, SSH probe attacks are an increasing issue in computer security • Linux and Co are increasingly used by non-technical people – cluelessness and bad habits can mix together into an explosive cocktail • Ordinary users of the Internet should receive much more training than they currently do (it is practically nobody's business now) • ISPs should review their policies • The key: COOPERATION and EDUCATION

  18. (see also http://www.kakupesa.net/kakk/rant for more on the related issues) Thank you!
