[Summary] ongoing ssh attacks

From: Chris Hoogendyk <hoogendyk_at_bio.umass.edu>
Date: Thu Oct 29 2009 - 15:46:35 EDT
Original message at the bottom.

I got several replies on how to deal with ssh, but we've already covered 
that ground in previous postings to the list. What I really wanted to 
know was the significance of that first log line. Nick Hindley and The 
Hatter both supplied the answer -- 
http://www.derkeiler.com/Mailing-Lists/securityfocus/Secure_Shell/2004-12/0007.html:

The ssh client end first attempts to login with authentication method 
"none". That is not allowed and produces the "Failed none" entry in the 
logs. It also returns a list of what authentication methods are allowed. 
The client then uses one of those methods, e.g. keyboard-interactive.

So, there aren't any additional security implications. It's still a 
brute force distributed ssh attack. Besides the summary I previously 
posted on how to deal with those, someone in our group just this morning 
forwarded this link -- http://lwn.net/Articles/357960/, which covers a 
lot of the same ground, but is a nice accessible summary with some 
interesting discussion at the end.


---------------

Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst 

<hoogendyk@bio.umass.edu>

--------------- 

Erdvs 4
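
The exchange described in the summary above means that every ssh2 connection produces a "Failed none" line before the real authentication attempt, so that line by itself is neither a successful login nor an extra attempt. The following script is an added example, not part of the original thread or any list member's code: it groups authlog lines by sshd process id and source address, treats the "none" probe as expected noise, counts only the real failed methods, and marks addresses that tried root, matching the blocking policy the original message describes. The sample log is constructed here (the two root lines are the ones quoted in the original message, joined onto single lines); whether a given sshd logs the "Failed none" step at all depends on the implementation and log level.

```python
import re

# Solaris/OpenSSH authlog line layout (assumed): "Mon DD HH:MM:SS host sshd[PID]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)

# Constructed sample: the first two lines are the ones quoted in the original message,
# the rest are made up to show a successful login, a non-root brute-force run and a
# client that only asked for the method list and then disconnected.
SAMPLE_LOG = """\
Oct 28 15:44:01 myserver sshd[17063]: Failed none for root from 125.87.1.243 port 53637 ssh2
Oct 28 15:44:02 myserver sshd[17063]: Failed keyboard-interactive for root from 125.87.1.243 port 53637 ssh2
Oct 28 15:45:10 myserver sshd[17101]: Failed none for alice from 10.0.0.5 port 40022 ssh2
Oct 28 15:45:11 myserver sshd[17101]: Accepted publickey for alice from 10.0.0.5 port 40022 ssh2
Oct 28 15:46:30 myserver sshd[17120]: Failed none for admin from 125.87.1.243 port 53801 ssh2
Oct 28 15:46:31 myserver sshd[17120]: Failed keyboard-interactive for admin from 125.87.1.243 port 53801 ssh2
Oct 28 15:46:33 myserver sshd[17120]: Failed keyboard-interactive for admin from 125.87.1.243 port 53801 ssh2
Oct 28 15:47:02 myserver sshd[17130]: Failed none for bob from 10.0.0.9 port 40100 ssh2
"""


def parse_line(line):
    """Return the fields of one auth line as a dict, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_sessions(log_text):
    """Group lines by (sshd pid, source ip); one such pair is one client connection."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["pid"], rec["ip"])
        s = sessions.setdefault(key, {
            "user": rec["user"], "ip": rec["ip"], "succeeded": None,
            "failed_methods": [], "probe_only": True, "root_attempt": False,
        })
        if rec["user"] == "root":
            s["root_attempt"] = True
        if rec["result"] == "Accepted":
            s["succeeded"] = rec["method"]        # the only evidence of a real login
        elif rec["method"] == "none":
            pass  # every ssh2 client sends "none" first to learn which methods are allowed
        else:
            s["failed_methods"].append(rec["method"])
    for s in sessions.values():
        s["probe_only"] = s["succeeded"] is None and not s["failed_methods"]
    return sessions


def classify(s):
    """Human-readable verdict for one connection."""
    if s["succeeded"]:
        return f"login succeeded via {s['succeeded']}"
    if s["probe_only"]:
        return 'method probe only ("Failed none" is not a login)'
    methods = ",".join(sorted(set(s["failed_methods"])))
    return f"brute-force: {len(s['failed_methods'])} failed attempt(s) via {methods}"


def ips_to_block(sessions):
    """Addresses that tried root at all, per the policy in the original message."""
    return sorted({s["ip"] for s in sessions.values() if s["root_attempt"]})


if __name__ == "__main__":
    found = summarize_sessions(SAMPLE_LOG)
    for (pid, ip), s in found.items():
        print(f"sshd[{pid}] {ip:<15} user={s['user']:<6} {classify(s)}")
    print("block:", ips_to_block(found))
```

Keying on the sshd process id rather than on the address alone is what keeps the "none" probe attached to the attempt that follows it; counting only the lines that name a real method gives a failure count that matches what the attacker actually tried.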
-------- Original Message --------
Subject: 	ongoing ssh attacks
Date: 	Thu, 29 Oct 2009 13:02:27 -0400
From: 	Chris Hoogendyk <hoogendyk@bio.umass.edu>
To: 	Sun Managers List <sunmanagers@sunmanagers.org>



I've blocked upwards of 2000 IP addresses so far. New ones keep 
appearing. Any IP that attempts a root login is automatically considered 
bad. They get blocked as soon as they appear. That's in spite of the 
fact that root logins are simply not allowed based on sshd_config.

However, I'm seeing entries in authlog that look like this:

Oct 28 15:44:01 myserver sshd[17063]: Failed none for root from 125.87.1.243 port 53637 ssh2
Oct 28 15:44:02 myserver sshd[17063]: Failed keyboard-interactive for root from 125.87.1.243 port 53637 ssh2

I thought "Failed none" meant that someone had logged in without 
failure. But this shows a "Failed none" immediately followed by a 
"Failed keyboard-interactive". Can someone tell me what that means? Or 
what the implication is in terms of the attack and my system security? 
My /etc/ssh/sshd_config does have the setting "PermitRootLogin no".


_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Oct 29 14:47:47 2009

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:15 EST