I have a few servers at a colocation datacenter for running a number of sites, including this one. I have written before about detecting brute force attacks in logs. I have been watching the attacks continue in my logs, and have noticed a few things:
1. The attacks, as before, are coming from many different sources, nearly simultaneously.
2. It’s interesting that the brute force account and password guessing are so well coordinated – generally I see the same user name tried by multiple hosts sequentially, then moving on to a new name, usually in alphabetical order.
3. The attacks are now coming in via multiple vectors. Previously, the attacks were only carried out using ssh connections, but they are now also using pop3, imap and ftp.
4. The attacks have started trying to intelligently guess the names of accounts on the server, based on the domain name. In my case, I am using cPanel/WHM, where each domain has a shell account, and the user name is generally some derivation of the domain name. Previously, I would only see a dictionary of names being tried sequentially, but now I see the user name “syslog” being tried many times. From the perspective of an attacker, it’s much better to have only one variable to brute force (the password) rather than two (user name and password).
So, what can I infer about the attackers given the data I have seen?
1. There are some number of botnets being used to guess passwords of accounts, and the zombies are being very well coordinated by some command and control infrastructure.
2. The attackers are trying very hard to infect web servers. Once an attacker has access to modify a site, he can do a number of things, from sending spam to integrating browser exploit code into the normal site(s). The latter is particularly interesting, since there is substantial money to be made from installing adware/spyware/other malware on desktops.
What can be done to counter these threats?
1. Enforce minimum password complexity (8 character minimum is a good start)
2. Choose user names that can’t be directly linked to a domain. For instance, the user name “syslog” would be easily guessable for the domain www.syslog.org. A better name might be “syslog22”.
3. If unique user names are used as described in #2 above, logs can be monitored proactively for instances where the real account name is being tried unsuccessfully. If there is no externally discernible way to identify the user name, appearances of such entries in logs could indicate that the system has been compromised in some other manner.
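Added example (not from the original post) of the two checks described above run over sshd log lines: flagging user names tried from several source hosts (the coordinated, alphabetical pattern) and flagging failed attempts against the real, non-guessable account names. The log lines, host names, IP addresses and the account list are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log lines (placeholders, not real hosts or IPs).
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[1201]: Failed password for invalid user aaron from 192.0.2.10 port 4022 ssh2
Mar 10 02:14:03 web1 sshd[1202]: Failed password for invalid user aaron from 198.51.100.7 port 4812 ssh2
Mar 10 02:14:05 web1 sshd[1203]: Failed password for invalid user aaron from 203.0.113.5 port 5120 ssh2
Mar 10 02:14:09 web1 sshd[1204]: Failed password for invalid user abel from 192.0.2.10 port 4030 ssh2
Mar 10 02:14:11 web1 sshd[1205]: Failed password for invalid user abel from 198.51.100.7 port 4819 ssh2
Mar 10 02:15:00 web1 sshd[1206]: Failed password for syslog22 from 203.0.113.5 port 5130 ssh2
Mar 10 02:15:30 web1 sshd[1207]: Accepted password for alice from 192.0.2.99 port 5000 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Failed password for X from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(log_text):
    """Return a list of (user, ip) tuples, one per failed sshd password attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def coordinated_usernames(failures, min_sources=2):
    """User names tried from at least min_sources distinct IPs (same name, many hosts)."""
    sources = defaultdict(set)
    for user, ip in failures:
        sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}


def real_account_probes(failures, real_accounts):
    """Failed attempts against real account names; per item 3 above these merit a closer look."""
    return [(u, ip) for u, ip in failures if u in real_accounts]


if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("coordinated:", coordinated_usernames(f))
    print("real-account probes:", real_account_probes(f, {"syslog22", "alice"}))
```

On a real server, feed it the contents of the sshd auth log instead of SAMPLE_LOG and pass the actual account list to real_account_probes.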
I have been the subject of a pretty persistent brute force attack, where the attacker is attempting to ssh in with thousands of different host names and presumably weak passwords. Anyone who has run a server for a while has been the subject of such attacks. Typically, you can see the attack starting with names that start with A and working down to Z. I do not recall, though, a time where the attack was coming from several (well, hundreds actually) hosts. The ones I have seen in the past were all from one IP address. Sometimes, I would see several attacks running simultaneously from different hosts, but it was clear they were not related.