OpenSSH 0-day exploit HOAX

Okay okay, calm down people…. calm down… This week rumours spread all over the internet that a 0-day attack against openSSH was being used to compromise computer systems. Everyone was advised to upgrade to the latest version of openSSH even though there was not a single piece of evidence of this attack. Sure, there was a nice (and somewhat entertaining) ‘script’ dump of an alleged attack (also read the small comments inside the script dump, very funny at times). In this dump you can see that they used a tool called 0penPWN (also called 0pen0wn) that allegedly breaks openSSH. But I think we are all able to fake some output, aren’t we? Here’s another dump of an alleged attack.

Damien Miller (openSSH) responded that he still has not received a single piece of evidence of a 0-day exploit. He summarizes some of the possible attacks and argues that it’s very unlikely that openSSH can be compromised in those ways. It seems that the actual hacks were brute-force password attacks that simply succeeded.

I protect my system against brute-force attacks by allowing only 5 failures from a single host. When 5 failures (like invalid usernames) are detected, the host is blocked for 4 hours. It does have a whitelist of known hosts that I will never block. This is a simple script that constantly monitors messages from the ssh daemon. Oh, and when I say block I’m talking iptables, so all packets are dropped, the attacker is slowed down and the attack comes to a grinding halt. This approach works like a charm. When my server first went online I got around 10 to 20 attacks per day that lasted for hours. Now I only get a few per day, and they are automatically detected and killed at a very early stage.

Here’s an extract from the sshd logfile (some fields are blurred). You’ll see 5 errors from a specific IP (98.173.XXX.XXX) and that’s it. From there on, packets from that IP address are dropped.

extract from sshd.log

Here’s an extract from the logfile of my script that shows which clients are blocked and unblocked. You will see that we block the attacker and around 4 hours later we re-enable it. If he’s still attacking he will be blocked for another 4 hours, and so on.

extract from the logfile of my script

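The detection logic described above, as an added example in Python that is not the author's script: it counts sshd failures per source IP, skips whitelisted hosts, issues an iptables DROP rule at the fifth failure and releases it four hours later, after which a repeat attacker simply earns a new block. The log lines, IP addresses, class and method names are constructed for this example, and the iptables commands are only recorded in a list rather than executed.

```python
import re
# One failed attempt may log both an "Invalid user" and a "Failed password" line; each counts as a failure.
FAIL_RE = re.compile(r"(?:Invalid user \S+|Failed password for .*?) from (\d{1,3}(?:\.\d{1,3}){3})")

class BruteForceBlocker:
    def __init__(self, whitelist, threshold=5, block_seconds=4 * 3600):
        self.whitelist = set(whitelist)  # hosts that are never blocked
        self.threshold, self.block_seconds = threshold, block_seconds
        self.failures = {}               # ip -> failures since last (un)block
        self.blocked = {}                # ip -> time at which the block expires
        self.commands = []               # iptables argv lists; hand them to subprocess.run for real use

    def observe(self, line, now):
        m = FAIL_RE.search(line)         # one sshd log line; returns the IP if this line triggers a block
        ip = m.group(1) if m else None
        if ip is None or ip in self.whitelist or ip in self.blocked:
            return None
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.threshold:
            return None
        del self.failures[ip]
        self.blocked[ip] = now + self.block_seconds
        self.commands.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])  # drop all its packets
        return ip

    def expire(self, now):
        released = sorted(ip for ip, until in self.blocked.items() if until <= now)  # window has passed
        for ip in released:
            del self.blocked[ip]
            self.commands.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
        return released

# Constructed sample sshd lines (documentation-range IPs, not the post's blurred log).
SAMPLE_LOG = """\
Jul 10 12:00:01 host sshd[1001]: Invalid user admin from 203.0.113.5
Jul 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
Jul 10 12:00:02 host sshd[1002]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jul 10 12:00:03 host sshd[1003]: Failed password for me from 192.0.2.10 port 5000 ssh2
Jul 10 12:00:04 host sshd[1004]: Invalid user oracle from 203.0.113.5
Jul 10 12:00:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 4002 ssh2
"""

def run_demo():
    """Replay the sample log one line per second, then move the clock past the 4-hour window."""
    blocker = BruteForceBlocker(whitelist={"192.0.2.10"})
    lines = SAMPLE_LOG.splitlines()
    blocked = [ip for now, line in enumerate(lines, 1) if (ip := blocker.observe(line, now))]
    early = blocker.expire(len(lines) + 60)        # still inside the window: nothing released
    late = blocker.expire(len(lines) + 4 * 3600)   # window elapsed: attacker is unblocked again
    return {"blocked": blocked, "released_early": early, "released_late": late, "commands": blocker.commands}
```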
