Old 03-19-2009, 04:50 PM
Michael Higgins
 
Usernames in ssh attacks

On Thu, 19 Mar 2009 10:43:13 -0500
Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:

> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
> <johan.bluecreek@gmail.com> wrote:
> > I've always had usernames when it comes to sshd's log entries in
> > auth.log, like the following:
> >
> > <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
> > <username> from <ip-address>
>
> Well, I don't use PAM, just key-based authentication only, so I always
> see only the IP getting rejected since it doesn't even give them a
> place to try a user/password. It's just weird that it is refusing a
> connection from user@domain rather than simply the IP. I guess they
> could be trying to ssh user@myhost.net or something. The one with
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
> interesting. I wonder what that's all about.
>

My $.02:

perl -MMIME::Base64 -e 'print decode_base64("U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=")'
Salted__`�fT�,BI~���!2
:'���9

I'm no expert, so Google led me to OpenSSL's command-line "enc" utility:

echo "U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=" | openssl enc -d -base64 -a -idea
enter idea-cbc decryption password:

... or like that. Seems like an attempt to send user and password together.

I suppose if you know what are possible user/pass combos on your system, and can suss the crypt type from the signature (I've no idea if possible), you can see if it's a real hack attempt.

It is interesting, I think... but I'm just guessing. ;-)

Cheers,

--
| /| | | ~ ~
| / | |---| `|` ?
| |ichael | |iggins ^ /
michael.higgins[at]evolone[dot]org
 
Old 03-19-2009, 06:01 PM
Nicolas Sebrecht
 
Usernames in ssh attacks

On Thu, Mar 19, 2009 at 10:19:37AM -0500, Paul Hartman wrote:
>
> In my ssh logs this morning I noticed a couple login attempts with
> usernames on them... I've never seen that before. It is usually just an
> IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from postmaster@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.

It could be an attempt at a format string vulnerability or just a bot doing
stupid and irrelevant things. I think you should ask the guys on the
openssh project.

--
Nicolas Sebrecht
 
Old 03-19-2009, 10:40 PM
Adam Carter
 
Usernames in ssh attacks

> In my ssh logs this morning I noticed a couple login attempts with
> usernames on them... I've never seen that before. It is usually just an
> IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from
> postmaster@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.

I'd say they've just made a mistake in their DNS config (or maybe used a wildcard record), and set the PTR record to be postmaster@dns.cablecentro.net.co instead of a hostname. I'm assuming the reason you usually see IP addresses is that there is no PTR record set for that IP....

Are you running Fail2ban or similar?

Rgs,
Adam
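As an added example (not code from anyone in this thread), here is a small Python scanner over the `refused connect from` lines Paul posted. It splits the source field into user and host, as Adam's PTR-record reading suggests, and applies Michael's base64 check without decrypting anything: it only recognises the `Salted__` header that `openssl enc` writes (8-byte magic, 8-byte salt, then ciphertext) and reports the salt and ciphertext length. The sample lines are copied from the thread; treating the square brackets around the base64 user as log decoration rather than part of the name is an assumption.

```python
import base64
import re

# Constructed sample: the tcp_wrappers-style lines quoted in this thread,
# with the wrapped third line rejoined onto one line.
SAMPLE_LOG = "\n".join([
    "Mar 18 20:19:48 [sshd] refused connect from postmaster@dns.cablecentro.net.co",
    "Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107",
    "Mar 18 23:44:44 [sshd] refused connect from "
    "[U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107",
    "Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66",
])

SOURCE_RE = re.compile(r"refused connect from (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
OPENSSL_MAGIC = b"Salted__"  # header `openssl enc` writes when it salts

def split_source(src):
    """Split 'user@host', '[user]@host' or 'host' into (user or None, host)."""
    if "@" not in src:
        return None, src
    user, host = src.rsplit("@", 1)
    if user.startswith("[") and user.endswith("]"):
        user = user[1:-1]  # assumption: brackets are log decoration, not part of the name
    return user, host

def classify(src):
    """Describe one source field; flag a base64 user that decodes to an
    OpenSSL 'Salted__' blob (8-byte magic, 8-byte salt, then ciphertext)."""
    user, host = split_source(src)
    info = {"user": user, "host": host,
            "host_kind": "ip" if IPV4_RE.match(host) else "hostname",
            "openssl_salted": False, "salt_hex": None, "ciphertext_len": None}
    if user and len(user) % 4 == 0:
        try:
            raw = base64.b64decode(user, validate=True)
        except ValueError:  # binascii.Error is a ValueError: plain name like 'postmaster'
            return info
        if raw.startswith(OPENSSL_MAGIC) and len(raw) >= 16:
            info["openssl_salted"] = True
            info["salt_hex"] = raw[8:16].hex()
            info["ciphertext_len"] = len(raw) - 16
    return info

def scan(log):
    """Return one classification per 'refused connect from' line."""
    return [classify(m.group(1))
            for m in map(SOURCE_RE.search, log.splitlines()) if m]
```

With tcp_wrappers-style logging the `user@` part is whatever the client returned to an ident lookup, so it is client-controlled text and should be treated as untrusted wherever the log is parsed further.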
 
Old 03-20-2009, 11:25 AM
Eric Martin
 
Usernames in ssh attacks

Paul Hartman wrote:
> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
> <johan.bluecreek@gmail.com> wrote:
>> I've always had usernames when it comes to sshd's log entries in
>> auth.log, like the following:
>>
>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>> <username> from <ip-address>
>
> Well, I don't use PAM, just key-based authentication only, so I always
> see only the IP getting rejected since it doesn't even give them a
> place to try a user/password. It's just weird that it is refusing a
> connection from user@domain rather than simply the IP. I guess they
> could be trying to ssh user@myhost.net or something. The one with
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
> interesting. I wonder what that's all about.
>

I too use only PubKey but they need to send a username so ssh knows
where to look for the public key. Your two options boil down to

1) install fail2ban (I installed it on all of my external ssh boxes and
I love it)
2) change the ssh port to something other than 22 (Security by Obscurity
but it frees up your logs so you can see real problems).

The two may be mutually exclusive as I'm not sure if you can tweak
fail2ban's ssh rules to monitor another port.

I just chalk it up as log spam unless I see definite bad patterns. But
again, with public key access only and banning root from logging in via
ssh I don't think anybody is getting far unless there is a flaw in ssh.

--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
 
Old 03-20-2009, 02:09 PM
Paul Hartman
 
Usernames in ssh attacks

On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin <freak4uxxx@gmail.com> wrote:
> Paul Hartman wrote:
>> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
>> <johan.bluecreek@gmail.com> wrote:
>>> I've always had usernames when it comes to sshd's log entries in
>>> auth.log, like the following:
>>>
>>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>>> <username> from <ip-address>
>>
>> Well, I don't use PAM, just key-based authentication only, so I always
>> see only the IP getting rejected since it doesn't even give them a
>> place to try a user/password. It's just weird that it is refusing a
>> connection from user@domain rather than simply the IP. I guess they
>> could be trying to ssh user@myhost.net or something. The one with
>> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
>> interesting. I wonder what that's all about.
>>
>
> I too use only PubKey but they need to send a username so ssh knows
> where to look for the public key. Your two options boil down to
>
> 1) install fail2ban (I installed it on all of my external ssh boxes and
> I love it)
> 2) change the ssh port to something other than 22 (Security by Obscurity
> but it frees up your logs so you can see real problems).
>
> The two may be mutually exclusive as I'm not sure if you can tweak
> fail2ban's ssh rules to monitor another port.
>
> I just chalk it up as log spam unless I see definite bad patterns. But
> again, with public key access only and banning root from logging in via
> ssh I don't think anybody is getting far unless there is a flaw in ssh.

Oh, I am not concerned about the attacks. I just thought it was weird
that I saw user@domain when I normally see only IP or only domain.
They are already refused connection, as the log shows.

Thanks,
Paul
 
Old 03-20-2009, 02:29 PM
Eric Martin
 
Usernames in ssh attacks

Paul Hartman wrote:
> On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin <freak4uxxx@gmail.com> wrote:
>> Paul Hartman wrote:
>>> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
>>> <johan.bluecreek@gmail.com> wrote:
>>>> I've always had usernames when it comes to sshd's log entries in
>>>> auth.log, like the following:
>>>>
>>>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>>>> <username> from <ip-address>
>>> Well, I don't use PAM, just key-based authentication only, so I always
>>> see only the IP getting rejected since it doesn't even give them a
>>> place to try a user/password. It's just weird that it is refusing a
>>> connection from user@domain rather than simply the IP. I guess they
>>> could be trying to ssh user@myhost.net or something. The one with
>>> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
>>> interesting. I wonder what that's all about.
>>>
>> I too use only PubKey but they need to send a username so ssh knows
>> where to look for the public key. Your two options boil down to
>>
>> 1) install fail2ban (I installed it on all of my external ssh boxes and
>> I love it)
>> 2) change the ssh port to something other than 22 (Security by Obscurity
>> but it frees up your logs so you can see real problems).
>>
>> The two may be mutually exclusive as I'm not sure if you can tweak
>> fail2ban's ssh rules to monitor another port.
>>
>> I just chalk it up as log spam unless I see definite bad patterns. But
>> again, with public key access only and banning root from logging in via
>> ssh I don't think anybody is getting far unless there is a flaw in ssh.
>
> Oh, I am not concerned about the attacks. I just thought it was weird
> that I saw user@domain when I normally see only IP or only domain.
> They are already refused connection, as the log shows.
>
> Thanks,
> Paul
>

yeah, after I read your message I realized that I didn't quite answer
your question. Somebody mentioned they probably configured the dns PTR
record incorrectly which is my guess.

--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
 
