Update – Apparently it was about May of this year when there was a large surge in ssh password attacks. I believe that my computer became a target sometime after that. Here are some good articles reporting on the situation:
“Brute-Force SSH Server Attacks Surge” by InformationWeek
“Brute-force SSH attacks surge by SC Magazine
This may not be news to many of you, but my new home development machine is under attack! This isn’t your typical script kiddie HTTP attack, but rather a full-blown SSHD password guessing attack. Unfortunately, I did not take screenshots of everything as I detected the attack (which has been going on for about two weeks now) but I do have a few screenshots to help describe the timeline of events:
1 – I opened process explorer (an excellent replacement for the Windows Task Manager) to investigate my current cpu usage and running processes. The screenshot above doesn’t show it because I didn’t take a screenshot at the time, but what drew my attention to a possible attack was multiple sshd.exe processes appearing and then disappearing (brightly colored in red to indicate that the process was marked for destruction). My immediate instinct was that somebody was making connections and attempting to guess a password!
2 – I then instinctively (i.e., immediately and as fast as I could) opened a command prompt and typed the command netstat -a which shows the list of active TCP connections. Sure enough, there was a number of connections to static-217-133-194-98.clienti.tiscali.it
3 – Next I decided to see if the event viewer had recorded any activity. Wow! Over 30,000 events relating to sshd activity. The screenshot above shows the very first event recording a break-in attempt. On the evening of November 25, I switched my hardware firewall to redirect all port 22 SSH requests to my new computer. The next morning at 11:55:19 AM, the first attack commenced and proceeded to send a new username/password login attempt every 8 seconds for just over 1.5 hours ending at 1:19:19 PM. The attack sequence generated 2489 entries in the event viewer. You can see that the entry records a failed password guess for non-existent user root. The attacking computer then tried a different password before switching to a new user account ftp. Again, this is a non-existent user account. Then the user tried a second time with this user account before switching to another account: sales.
The first ten user names attempted are shown below in order:
| Username |
root |
ftp |
sales |
admin |
andrea |
backup |
guest |
guest1 |
guest2 |
guest3 |
Then the attacks suddenly cease. The next day at 11/27 9:25:01AM, I received this message:
sshd: PID 4688: Did not receive identification string from 65.164.104.70
followed 8 hours later by a successful remote login from my grandmother’s computer in Indiana where we were visiting for the holidays: sshd: PID 2736: Accepted password for HIDDEN from VALID IP ADDRESS port 29287 ssh2. Seventeen minutes later I received another identification string message: sshd: PID 2164: Did not receive identification string from 89.248.104.36 followed another six hours later by: sshd: PID 2164: Did not receive identification string from 89.248.104.36
A little over 3 hours later, the next attack began at 11/28 2:30:44AM with this message:
sshd: PID 2880: Did not receive identification string from 148.245.173.248 followed by a series of password guesses lasting 23 minutes ending at 11/28 2:53:28AM. This series of attack had one additional message not recorded in the first attack sequence: sshd: PID 4068: reverse mapping checking getaddrinfo for na-173-248.na.avantel.net.mx [148.245.173.248] failed - POSSIBLE BREAK-IN ATTEMPT! This is evidence of an IP address spoofing attempt whereby the request reported that it was originating from a local address when the request actually originated (and was detected as originating) from an external address [148.245.173.248].
Attacks like this continued off and on sometimes with 24 hours elapsing between break-in attempts until I detected today’s attack as described above. I was suspicious that attacks had also been launched on my old development computer prior to the switchover. Sure enough, I looked at the event viewer and there were thousands of entries dating back to November 12.
Initial Response
In addition to what I have already described above, I took the following actions within the first hour of detecting the attacks:
- Stopped and disabled the cygwin sshd service
- Disabled the Vista user account under which the sshd server runs
- Began auditing to see if any of the break-in attempts had been successful. Specifically I was looking for sshd messages containing the string
password accepted, which is what is recorded in the event viewer whenever I successfully login from a remote computer - I haven’t changed anything with the Windows firewall since I had already disabled the SSHD service, but on my hardware firewall I decided to make myself at least a tiny bit more invisible by unchecking “respond to ping”
- With my paranoia level raised, I made a small change on my public web server to change the directory under which phpmyadmin runs … I already had .htaccess Apache basic authentication enabled, but I felt like throwing a little security-by-obscurity in wouldn’t hurt other than having to remember the new directory name.
Next Steps
- Continue auditing to verify that no break-ins were successful
- Notify the Internet service provider for each offending IP address of the break-in attempts along with a screenshot and/or event log
- Update the port forwarding service on my hardware firewall to point to my nonstandard port as well as updating the port on which the cygwin sshd service runs
- Update the built-in Windows Vista firewall to include a rule that allows connections to the sshd service only from Samford IP addresses, which is the only place where I connect from when not traveling
- Update the built-in Windows Vista firewall with a rule (disabled initally) that will allow connections from all IP addresses – I will enable this rule only when I am going on a trip or when I know ahead of time that I may be connecting from any other non-Samford IP address