
On Fri, Oct 22, 2004 at 09:25:43AM +1300, Perry Lorier wrote:
> I have had several people talk to me over the last few days about having their machine compromised. The infection vector appears to be weak ssh passwords. The compromise appears to be based on people scanning for open ssh ports, then brute forcing passwords before installing a Trojan that connects to IRC and accepts commands from a channel (such as .ddos <ip>).
For a few weeks (or more), some of us have noticed lots of connection attempts on port 22 (the ssh port) from IP addresses all around, suggesting it is an automated worm rather than `just' script kiddies. If you have a machine running sshd on a publicly reachable interface, you might want to limit access to it. You can either investigate using tcpwrappers, as Perry suggested, or use the standard iptables firewalling... for people who aren't familiar with it, here is part of my iptables setup:

# set up a new chain for ssh traffic
iptables -N ssh_syn

# filter the start of incoming ssh connections to this host
# (this is the INPUT chain; traffic forwarded through the box
# goes through FORWARD and would need its own rule there)
iptables -A INPUT -p tcp --syn --dport 22 -j ssh_syn

# only allow IP addresses that I'm likely to be using to connect
iptables -A ssh_syn -s 10.0.0.0/8 -j ACCEPT
iptables -A ssh_syn -s 192.168.0.0/16 -j ACCEPT
# university of waikato
iptables -A ssh_syn -s 130.217.0.0/16 -j ACCEPT
# iconz adsl dynamic range
iptables -A ssh_syn -s 210.48.0.0/17 -j ACCEPT
iptables -A ssh_syn -s 210.185.0.0/19 -j ACCEPT
# hoiho.wlug.org.nz
iptables -A ssh_syn -s 203.97.10.50/32 -j ACCEPT

# default is to deny incoming ssh connections: log the attempt, then reject it
iptables -A ssh_syn -j LOG
iptables -A ssh_syn -j REJECT

No, it's not perfect (especially if/when my isp changes the allocations for dynamic ip), but it stops all traffic from outside those networks. The "-j LOG" means that all the other attempts get logged to syslog - I see 11 attempts in the last few days to connect to my sshd, and 23 attempts in the week before...

John
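As an added example (not part of John's mail), here is a small shell script that summarises the syslog lines the "-j LOG" rule produces, so the "11 attempts in the last few days" count can be broken down per source address. The hostname, addresses and log lines are constructed for the example; the message layout is the standard iptables LOG format written by the kernel.

```shell
#!/bin/sh
# Added example: count rejected ssh connection attempts per source address
# from the syslog lines generated by the "iptables -A ssh_syn -j LOG" rule.
# Reads syslog text on stdin; nothing here is from the original mail.

# Constructed sample kernel log lines in the iptables LOG format. The hostname
# "hoiho" and the 203.0.113.0/24 and 198.51.100.0/24 sources are placeholders
# (documentation address ranges), as is the sshd line mixed in for realism.
SAMPLE_LOG='Oct 22 09:31:02 hoiho kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=4431 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 22 09:31:04 hoiho kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=4432 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 22 09:40:11 hoiho kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=777 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 22 09:42:30 hoiho kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12350 DF PROTO=TCP SPT=4440 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 22 09:50:00 hoiho kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12 DF PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 22 09:51:00 hoiho sshd[2211]: Accepted publickey for john from 10.0.0.7 port 50022 ssh2'

# Print "count source" for every address whose TCP SYN to port 22 hit the LOG
# rule, busiest source first. Only kernel lines carrying DPT=22 and the SYN
# flag are counted, so hits on other ports and ordinary sshd messages are ignored.
ssh_syn_summary() {
    awk '
        / kernel: / && / PROTO=TCP / && / DPT=22 / && / SYN / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { count[substr($i, 5)]++ }
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# Total number of logged ssh attempts, comparable to the figures quoted in the mail.
ssh_syn_total() {
    ssh_syn_summary | awk '{ total += $1 } END { print total + 0 }'
}

# Run over the constructed sample; on a real box: zcat -f /var/log/syslog* | ssh_syn_summary
printf '%s\n' "$SAMPLE_LOG" | ssh_syn_summary
printf '%s\n' "$SAMPLE_LOG" | ssh_syn_total
```

A source that shows up with many hits in a short window is the automated scanning the thread describes; the per-address view also makes it easy to spot an allowed range that is unexpectedly generating rejects after an ISP reallocation.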