SSH probes - PowerPoint PPT Presentation

1
SSH probes: the price of Unix mainstreaming?
  • Kaido Kikkas
  • Centre for Educational Technology
  • Tallinn University
  • Tallinn, Estonia
  • kaido.kikkas_at_kakupesa.net
  • ICWI 2005, Lisbon

2
This is no news...
  • Microsoft Windows:
    - Viruses and worms: 17,500 (symantec.com)
    - Spyware and adware programs: 78,000
      (www.pestpatrol.com)
    - 80% of PCs infected with spyware (webroot.com)
  • Last year (2004) alone:
    - 500 new Trojans (www.pestpatrol.com)
    - 500 new keyloggers (www.pestpatrol.com)
    - 1,287 new adware apps (www.pestpatrol.com)
    - 7,360 new viruses and worms (symantec.com)

3
To make things worse...
  • More often than not, the main problem is still
    located between the keyboard and the chair
  • Training of ordinary users is sadly neglected;
    the exploding (mis)use of PCs has led to a
    situation where the ignorance of one user can
    have a significant impact on thousands of others
    (with a wide variety of Bad Things, e.g. botnets)
  • Some people just seem to never learn...
  • BUT MAYBE let's give them more secure systems
    than MS Windows?

4
Linux & Co
  • The Original Geek System
  • Good record in security
  • Perceived as more difficult than Windows =>
    relatively more knowledgeable user base
  • BUT - the gradual changes during the decade:
  • More business and marketing, less hacker attitude
  • Lots of ordinary users moving over, many of them
    bringing along questionable security practices
    acquired on Windows (e.g. admin rights with no
    password)
  • Are the strong points going to last?
  • How to protect users from themselves...?

5
SSH
  • A major Internet protocol; has replaced Telnet
  • Also used for file transfer (sftp, scp)
  • Native to Unix-like systems, must be added to
    Windows => one of the few cases where most
    attack targets are not Windows systems
  • Many Unix-like systems, e.g. some Linux
    distributions, tend to install and run an SSH
    server by default => casual users may be
    perfectly unaware of the fact and of the related
    dangers (especially if the firewall is down by
    default)

6
Sometimes, simple things work...
  • SSH probing: a really simple kind of attack
  • Similar to door-testing in a multi-apartment house
  • ... and, like in that house, some doors are left
    open
  • All you need is a simple script which tries a
    selection of often-used user names, complete with
    no or trivial passwords
  • Relies wholly on laziness or cluelessness, and
    is surprisingly often successful

7
An excerpt from BruteSSH script
    while (fgets(buff, sizeof(buff), fp)) {
        c = strchr(buff, '\n');
        if (c != NULL) *c = '\0';
        if (!(fork())) {            // child
            where = 0;
            checkauth("test", "test", buff);
            checkauth("guest", "guest", buff);
            checkauth("admin", "admins", buff);
            checkauth("admin", "admin", buff);
            checkauth("user", "user", buff);
            checkauth("root", "password", buff);
            checkauth("root", "root", buff);
            checkauth("root", "123456", buff);
            checkauth("test", "123456", buff);
            checkauth("test", "12345", buff);

8
31337 K1dd13 stuff
  • Mostly used by low-profile malefactors like
    script kiddies (mostly junior crackers with no
    real technical skill)
  • Despite this, the results can be on a similar
    scale to much more sophisticated attacks (at least
    in cases of root compromise)
  • A well-known source of botnets or zombie networks
    used in major DDoS (Distributed Denial of
    Service) attacks on more important targets
  • Other Bad Things may happen too (e.g. sniffing)

9
The kakupesa.net survey
  • SSH probes were surveyed on a small home-based
    server for one year (July 17, 2004 to July 17,
    2005)
  • The server ran White Box Linux 3 at that time
    (nowadays it uses CentOS 4)
  • In addition to running the home network, the
    server served some neighbours and carried all the
    teaching materials (for three universities) of
    the speaker - the load was light but not
    insignificant

10
The attacks
  • During the year, the number of attempts went
    from a couple a week up to several hundred a day
  • Total for one year: 32,370
  • Most sources were identifiable with traceroute,
    ping and other utilities; address counterfeiting
    (spoofing) was hardly used (a password guess needs
    a completed TCP connection, so the source address
    has to be real - what it usually is, though, is
    another compromised host)
  • At first, notices were sent to the owners of
    offending machines, with nearly 100% positive
    feedback (later, the increasing load made it
    impossible)

11
Development
  • It all started with "test" and "guest"
  • October 2004: more than 100 attempts in a day
  • Gradual growth; typically 2-3 different attackers
    with a varying number of attempts every day
  • Peak: July 13, 2005, with 2,465 attempts
  • Quite even distribution over the year - the
    longest break was 4 days
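What the survey counted by hand, as an added example in Python (this is not code from the presentation, nor from DenyHosts): the guesses described on slides 6-7 show up on the victim as "Failed password" lines in the sshd syslog, and the script groups them by source address and by guessed user name, separates guesses at accounts that do not exist from failures against real ones, and flags sources that cross a threshold the way a DenyHosts-style blocker would. The log lines are constructed samples in the OpenSSH 3.x/4.x syslog format (older versions say "illegal user", newer ones "invalid user"); the addresses come from the RFC 5737 documentation ranges and "peeter" is a made-up local account. The blocking threshold is a choice made for the example, not a value from the survey.

```python
"""Count SSH password-guessing attempts in sshd syslog lines.

Added example, not code from the presentation or from DenyHosts.
SAMPLE_LOG is constructed (RFC 5737 addresses, made-up host "srv" and
local user "peeter") in the OpenSSH 3.x/4.x syslog format.
"""
import re
from collections import Counter

# "Failed password for illegal user test from 192.0.2.10 port 40012 ssh2"
# The optional "illegal user"/"invalid user" tag means the account does
# not exist on this host; its absence means it does.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for "
    r"(?P<invalid>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

SAMPLE_LOG = """\
Jul 13 03:12:44 srv sshd[12345]: Failed password for illegal user test from 192.0.2.10 port 40012 ssh2
Jul 13 03:12:46 srv sshd[12346]: Failed password for illegal user guest from 192.0.2.10 port 40013 ssh2
Jul 13 03:12:48 srv sshd[12347]: Failed password for root from 192.0.2.10 port 40015 ssh2
Jul 13 03:12:50 srv sshd[12348]: Failed password for root from 192.0.2.10 port 40016 ssh2
Jul 13 04:01:02 srv sshd[12400]: Failed password for invalid user admin from 198.51.100.7 port 2231 ssh2
Jul 13 04:01:05 srv sshd[12401]: Failed password for invalid user user from 198.51.100.7 port 2232 ssh2
Jul 13 04:10:00 srv sshd[12500]: Accepted publickey for peeter from 203.0.113.5 port 51000 ssh2
Jul 13 04:11:30 srv sshd[12501]: Failed password for peeter from 203.0.113.5 port 51001 ssh2
""".splitlines()


def parse_failures(lines):
    """Yield (source_ip, user_name, account_exists) for each failed login.

    A plain "Failed password for root" means the account exists; root is
    present on every Unix host, which is why PermitRootLogin no matters.
    """
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is None


def summarize(lines):
    """Return (failures per source, failures per user name,
    failures against accounts that exist on this host)."""
    by_ip, by_user, real_account_hits = Counter(), Counter(), 0
    for ip, user, exists in parse_failures(lines):
        by_ip[ip] += 1
        by_user[user] += 1
        if exists:
            real_account_hits += 1
    return by_ip, by_user, real_account_hits


def offenders(lines, threshold=3):
    """Sources with at least `threshold` failures, sorted: the candidates
    a DenyHosts-style script would add to /etc/hosts.deny.  The threshold
    is this example's choice; it keeps one neighbour's typo off the list."""
    by_ip, _, _ = summarize(lines)
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


if __name__ == "__main__":
    by_ip, by_user, real_hits = summarize(SAMPLE_LOG)
    print("failures per source:", dict(by_ip))
    print("guessed user names:", dict(by_user))
    print("failures against existing accounts:", real_hits)
    print("block candidates:", offenders(SAMPLE_LOG))
```

Two caveats when running this over a real log: the per-source count only catches one host hammering the server, so a botnet spreading its guesses over many addresses stays under any per-IP threshold; and the "existing account" column is exactly what slide 15 is about, since a guess that lands on a real user name is one password away from a compromise.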

12
Geography: the top Devil's Dozen
  • Country      Attacks   Attempts
     1. US           105      11300
     2. Korea        101       3163
     3. Italy          9       2668
     4. France        11       2344
     5. Taiwan        39       1815
     6. Japan         18       1676
     7. Hong Kong      8       1647
     8. UK            13       1372
     9. China         71       1302
    10. Canada         6        867
    11. Germany       10        492
    12. Sweden         4        435
    13. India         13        409
    ... there were 53 countries in all.
  • BY THE WAY: Estonia 1, Finland 0

13
Happens in better families, too...
  • Assorted list of attack sources:
  • Royal Institute of Technology (KTH), Sweden
  • Société Européenne des Satellites, Luxembourg
  • Leibniz-Rechenzentrum; Hochschule für Künste
    Bremen, Germany
  • Centre de Calcul de l'Université Bourgogne,
    France
  • Zagreb University, Croatia
  • University of Colorado; National Association for
    Child Care, USA
  • University of Saskatchewan, Canada
  • Ministry of Education Computer Center, Taiwan
  • Kumamoto Gakuen University, Japan
  • ...

14
Lazy ISPs?
  • A substantial number of attacks originated from
    large-scale, ordinary-user broadband service
    providers riding the first wave of the broadband
    boom
  • Bellsouth.net (USA), Hanaro Telecom (Korea),
    Cable i Televisio y Catalunya (Spain/Catalunya)...
  • Are some guys neglecting their homework...?

15
National issue
  • During the survey, none of the attempts matched
    the real usernames on the server - were we just
    lucky?
  • No: the usernames were simply Estonian ones
  • There were some attempts with Japanese and
    Finnish names, but most were English (like most
    spam dorks, these guys must be US-centered
    chauvinists :-) - but we're happy with this)
  • The more nontrivial the usernames are, the better

16
Some countermeasures
  • Educate your users (yes, I know - I am asking way
    too much... :-) )
  • Set a strict policy on passwords
  • In sshd_config:
    - set PermitEmptyPasswords to no
    - set Protocol to 2
    - set PermitRootLogin to no
    - list your usernames in AllowUsers (if possible)
    - limit connection time and/or allowed connections
      (LoginGraceTime, MaxStartups)
  • Use DenyHosts (http://denyhosts.sourceforge.net)
    or a similar script to block major offenders
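The sshd_config checklist above, turned into an audit script as an added example in Python (not code from the presentation or from OpenSSH). Two details of how sshd reads its config matter for the check: it takes the first value it sees for each keyword, so a hardening line appended at the bottom of a file that already sets the keyword does nothing, and keywords are case-insensitive. Lines after a "Match" block header (OpenSSH 4.4 and later) are conditional and are left alone here. The DEFAULTS table is what an unset keyword meant on OpenSSH 3.x/4.x (PermitRootLogin yes, Protocol 2,1) and is an assumption made for this example, as are the 30-second grace time and 3-try limits used to judge "limit connection time and/or allowed connections"; both config texts are constructed samples, and MaxAuthTries only exists from OpenSSH 3.9 on.

```python
"""Audit an sshd_config against the slide's checklist.

Added example, not from the presentation.  DEFAULTS, the 30 s / 3 try
limits and both config samples are assumptions made for the example;
DEFAULTS reflects OpenSSH 3.x/4.x (newer releases default to
PermitRootLogin prohibit-password and no longer ship SSH-1 at all).
"""

DEFAULTS = {                      # value sshd used when the keyword was unset
    "permitemptypasswords": "no",
    "permitrootlogin": "yes",
    "protocol": "2,1",
    "logingracetime": "120",
    "maxauthtries": "6",          # keyword exists from OpenSSH 3.9 on
}

WEAK_CONFIG = """\
# Constructed sample: looks like an untouched distribution default
Protocol 2,1
#PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# Constructed sample: the slide's checklist applied
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers peeter mari
LoginGraceTime 30
MaxAuthTries 3
MaxStartups 3
"""


def seconds(value):
    """Convert an sshd time value ('30', '30s', '2m', '1h') to seconds.
    Compound forms such as '1h30m' are not handled."""
    units = {"s": 1, "m": 60, "h": 3600}
    value = value.strip().lower()
    if value and value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def parse_sshd_config(text):
    """Return {keyword (lowercased): first value}, stopping at a Match block."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key val" / "Key=val"
        key = parts[0].lower()
        if key == "match":                           # rest is conditional
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def audit(cfg):
    """Return the checklist items the config fails; [] means all pass."""
    def get(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords is %r, set it to no" % get("permitemptypasswords"))
    if {p.strip() for p in get("protocol").split(",")} != {"2"}:
        findings.append("Protocol is %r, set it to 2 (SSH-1 must stay off)" % get("protocol"))
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is %r, set it to no" % get("permitrootlogin"))
    if not cfg.get("allowusers"):
        findings.append("AllowUsers is not set, so every account is a target")
    if seconds(get("logingracetime")) > 30:
        findings.append("LoginGraceTime %s exceeds 30s" % get("logingracetime"))
    if int(get("maxauthtries")) > 3:
        findings.append("MaxAuthTries %s exceeds 3" % get("maxauthtries"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit(parse_sshd_config(text)) or ["OK"])
```

The weak sample fails all six checks even though it only sets three keywords, because the defaults of the era filled in the rest; that is the "server installed and running by default" situation from slide 5. The AllowUsers check is a presence test only, so a host that restricts logins through AllowGroups or DenyUsers instead would be reported as a finding and has to be judged by hand.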

17
Final words
  • Despite their simplicity, SSH probe attacks are
    an increasing issue in computer security
  • Linux and Co are increasingly used by non-tech
    people; cluelessness and bad habits can mix
    together into an explosive cocktail
  • Ordinary Internet users should receive much
    more training than they currently do (it is
    practically nobody's business now)
  • ISPs should review their policies
  • The key: COOPERATION and EDUCATION

18
Thank you!
  • (see also http://www.kakupesa.net/kakk/rant for
    more on the related issues)