Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Massive SSH infections
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Massive SSH infections

LeviLevi Member
edited August 2020 in General

https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/ -- looks like SSH got STD. Be safe out there.

Mitigation:

  • Use pubkey instead of passwords
  • If you are forced to use password, make it 21+ symbols
«13

Comments

  • gkzgkz Member

    Thanks, saw it on bleepingcomputer too

  • 0xbkt0xbkt Member
    edited August 2020

    Use Tailscale. It does the comment below in a foolproof way.

  • hohlhohl Member

    @LTniger said:
    Mitigation:

    ... and if possible, try to avoid SSH ports open to the public at all. For example, through setting up one (or better two) private, self-hosted VPN servers and add firewall rules to each server to only allow incoming SSH traffic from the VPN IPs.

    Thanked by 1SteveMC
  • Can also do port knocking as an added layer of security.

  • +1 with @hohl

  • raindog308raindog308 Administrator, Veteran
    edited August 2020

    For those too lazy to read - SSH does not have a vulnerability. Rather, someone just wrote a more efficient skiddy script. If you're using 12345 as your root password and you allow root passwords, you'll get hacked. This is really not news.

    @LTniger said: Use pubkey instead of passwords

    image

    @hohl said: ... and if possible, try to avoid SSH ports open to the public at all. For example, through setting up one (or better two) private, self-hosted VPN servers and add firewall rules to each server to only allow incoming SSH traffic from the VPN IPs.

    image

  • Who's the girl name?

    Thanked by 1coolice
  • jsgjsg Member, Resident Benchmarker

    @raindog308 said:
    For those too lazy to read - SSH does not have a vulnerability. Rather, someone just wrote a more efficient skiddy script. If you're using 12345 as your root password and you allow root passwords, you'll get hacked. This is really not news.

    Yes, and sorry, No. Yes, this attack does not use a vulnerability particular to SSH, but No, because it's much worse than "using 12345 as your root password and you allow root passwords".

    guardicore wrote:
    Aggressive – Brute-force is based on an extensive dictionary. By comparison, DDG, a recently discovered P2P botnet, used only the username “root”.

  • @ErawanArifNugroho said:
    Who's the girl name?

    Now to the really important part of this thread.

  • LeviLevi Member
    edited August 2020

    @raindog308 said: someone just wrote a more efficient skiddy script.

    From description of malware it seems it is created by highly professional software developers because it use custom in-house developed protocol for communication.

  • tetechtetech Member
    edited August 2020

    @ErawanArifNugroho said:
    Who's the girl name?

    https://en.wikipedia.org/wiki/Pernille_Harder_(footballer)

    You may be legitimately concerned that I know this information.

  • hahahaa thanks

  • It's so simple to configure a secured SSH installation: disable password and root login. That's it. While you are at it, configure a fail2ban sshd jail. Further more, configure psad to report/auto ban port scanning. You'd be amazed at how many attempted port scanning/hacking your server got in a day.

  • raindog308raindog308 Administrator, Veteran

    @ErawanArifNugroho said: Who's the girl name?

    Alas for your aspirations, according to Wikipedia she has closed her goal to men.

    Thanked by 1ErawanArifNugroho
  • Is thier any way to add 2fa for ssh login?

  • raindog308raindog308 Administrator, Veteran

    @codelock said: Is thier any way to add 2fa for ssh login?

    On Saturday August 22, LowEndBox will feature a tutorial on using Google Authenticator as 2FA for your Linux ssh connections.

  • @hohl said:

    @LTniger said:
    Mitigation:

    ... and if possible, try to avoid SSH ports open to the public at all. For example, through setting up one (or better two) private, self-hosted VPN servers and add firewall rules to each server to only allow incoming SSH traffic from the VPN IPs.

    I feel old for that scenario port knocking is invented ... I feel old... Am I the only IT / Admin under 40 that use that .....

    Supported in CSF - explained in readme.txt Paragraph 19

    https://download.configserver.com/csf/readme.txt

  • Another solution is to listen only on IPv6. Generate a rendom IPv6 address on your VPS and use it for SSH only.

  • @serveradministrator said:
    Another solution is to listen only on IPv6. Generate a rendom IPv6 address on your VPS and use it for SSH only.

    I understand by Whyyyyyyyyyyyyyyyyyyyy :|

    (rhetorical)

  • @serveradministrator said:
    Another solution is to listen only on IPv6. Generate a rendom IPv6 address on your VPS and use it for SSH only.

    Also change the port. Port scans on IPv6 are rare. But I see scanners once in a while scanning port 22 and 80 on IPv6.

  • raindog308raindog308 Administrator, Veteran

    @serveradministrator said: Another solution is to listen only on IPv6. Generate a rendom IPv6 address on your VPS and use it for SSH only.

    Practically speaking, this increases security because there are less hacking attempts over ipv6 than ipv4, and the ipv6 address space is much bigger so it is more difficult to land on an SSH port. But still, it's security by obscurity.

  • DPDP Administrator, The Domain Guy

    This is what I implement on my servers - probably others too, on theirs.

    1. Non-standard SSH port
    2. Limit/Whitelist IPs allowed to connect via the SSH port (Fw)
    3. Remove passwords
    4. SSH key-based authentication only

    You could even throw in sshd: ALL in hosts.deny and chuck your preferred IPs in hosts.allow on top of it all :joy:

  • @Carne said:

    @serveradministrator said:
    Another solution is to listen only on IPv6. Generate a rendom IPv6 address on your VPS and use it for SSH only.

    Also change the port. Port scans on IPv6 are rare. But I see scanners once in a while scanning port 22 and 80 on IPv6.

    Yes, changed the port on IPv6 and also disabled password based authentication with key only login.

  • jsgjsg Member, Resident Benchmarker
    edited August 2020

    All off the above, plus magic candles and of course only passwords with min. 120 characters, min.12 of which must be capitals, min. 10 of which must be digits - but not add up to 66! - and min. 10 of which must be special chars.
    Alternatively the local hair dressers web server can be secured by RSA-8192, DH, and a triple Rittberger while Bruce Schneier's Twofish code is recitated.
    Also daily changing LE client certs should be required.

    And forget about IPv6, that half witted "solution". For the local hair dressers web server to be secure we need IPv8 with 512 bit addresses plus 40 bits for ports, better even 56 bits. That'll show them attackers their limits!

    Thanked by 2Gamma17 poisson
  • raindog308raindog308 Administrator, Veteran

    @jsg said: All off the above, plus magic candles

    I wouldn't dismiss everything above. Allowing keys only instead of just passwords is more secure...no?

  • Are keys always more secure? I do not think so. There are cases when keys are better and cases when passwords are better. A lot of people here working in hosting industry might consider keys to be better simply because it works well for their use case.

    From technical point of view i do not see how average (still possible to remember but not 12345) password with rate limiting is worse than a key. Even considering bruteforce is attempted by botnet.

  • cpsdcpsd Member

    Thanks guys for psad's idea. I am using non-root + port knocking + fail2ban +different ssh port + 2FA. PSAD could help a little bit too!

  • @raindog308 said:

    @ErawanArifNugroho said: Who's the girl name?

    Alas for your aspirations, according to Wikipedia she has closed her goal to men.

    Uh, you had to look that up on Wikipedia? The jersey/sport was a dead giveaway.

  • jackbjackb Member, Host Rep

    @Gamma17 said:
    Are keys always more secure? I do not think so. There are cases when keys are better and cases when passwords are better. A lot of people here working in hosting industry might consider keys to be better simply because it works well for their use case.

    From technical point of view i do not see how average (still possible to remember but not 12345) password with rate limiting is worse than a key. Even considering bruteforce is attempted by botnet.

    Keys are objectively more secure than an average password (>112 bits Vs even a strong password will be nowhere near that).

  • Gamma17Gamma17 Member
    edited August 2020

    @jackb said:
    Keys are objectively more secure than an average password (>112 bits Vs even a strong password will be nowhere near that).

    But you are looking at it from just "how strong is it against bruteforce" point of view. Passwords are weaker here, but also ratelimiting mitigates this weakness.

    There are other considerations though, which in specific cases can easily make keys less secure. Especially keys with empty passwords or with 12345 passwords a lot of people use because of "but keys are so secure i do not need a password" complacency.

    Thanked by 1tetech
Sign In or Register to comment.