* [gentoo-user] Usernames in ssh attacks
From: Paul Hartman @ 2009-03-19 15:19 UTC
To: gentoo-user
In my ssh logs this morning I noticed a couple login attempts with
usernames on them... I've never seen that before. It is usually just an
IP address.
Mar 18 20:19:48 [sshd] refused connect from postmaster@dns.cablecentro.net.co
Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
Mar 18 23:44:44 [sshd] refused connect from
[U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107
Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
weird... maybe the bad guys are up to something new.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [gentoo-user] Usernames in ssh attacks
From: Johan Blåbäck @ 2009-03-19 15:36 UTC
To: gentoo-user
I've always had usernames when it comes to sshd's log entries in
auth.log, like the following:
<time> <hostname> sshd[5926]: error: PAM: Authentication failure for
<username> from <ip-address>
On 3/19/09, Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> In my ssh logs this morning I noticed a couple login attempts with
> usernames on them... I've never seen that before. It is usually just an
> IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from
> postmaster@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.
>
>
--
------------------------------------------------
For security reasons, all text in this mail is double-rot13 encrypted.
* Re: [gentoo-user] Usernames in ssh attacks
From: Paul Hartman @ 2009-03-19 15:43 UTC
To: gentoo-user
On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
<johan.bluecreek@gmail.com> wrote:
> I've always had usernames when it comes to sshd's log entries in
> auth.log, like the following:
>
> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
> <username> from <ip-address>
Well, I don't use PAM, just key-based authentication only, so I always
see only the IP getting rejected since it doesn't even give them a
place to try a user/password :) It's just weird that it is refusing a
connection from user@domain rather than simply the IP. I guess they
could be trying to ssh user@myhost.net or something. The one with
[U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
interesting. I wonder what that's all about.
* Re: [gentoo-user] Usernames in ssh attacks
From: Michael Higgins @ 2009-03-19 17:50 UTC
To: gentoo-user
On Thu, 19 Mar 2009 10:43:13 -0500
Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
> <johan.bluecreek@gmail.com> wrote:
> > I've always had usernames when it comes to sshd's log entries in
> > auth.log, like the following:
> >
> > <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
> > <username> from <ip-address>
>
> Well, I don't use PAM, just key-based authentication only, so I always
> see only the IP getting rejected since it doesn't even give them a
> place to try a user/password :) It's just weird that it is refusing a
> connection from user@domain rather than simply the IP. I guess they
> could be trying to ssh user@myhost.net or something. The one with
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
> interesting. I wonder what that's all about.
>
My $.02:
perl -MMIME::Base64 -e 'print decode_base64("U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=")'
Salted__`�f\x19T�,BI~���!2
:'\x18���9
I'm no expert, so Google led me to OpenSSL's command-line "enc" utility:
echo "U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=" | openssl enc -d -base64 -a -idea
enter idea-cbc decryption password:
... or like that. Seems like an attempt to send user and password together.
I suppose if you know what are possible user/pass combos on your system, and can suss the crypt type from the signature (I've no idea if possible), you can see if it's a real hack attempt.
It is interesting, I think... but I'm just guessing. ;-)
Cheers,
--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
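The decode above shows the layout `openssl enc` writes for salted output: an 8-byte `Salted__` header, an 8-byte salt, then the ciphertext. Without the password and the cipher there is nothing more to recover from it, but a practitioner can at least parse the `refused connect from` lines, split off the client part before the `@`, and flag any that decode to that container. The following is an added example, not code from the thread or from any of the posters: the log lines are constructed from the ones quoted above, and the parser assumes the three layouts seen there (bare address, `user@host`, and `[user]@host`). The `user@host` form is assumed to be what TCP wrappers' client-information expansion prints when it has a username for the client; the example does not depend on where the username came from.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample log, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
Mar 18 20:19:48 [sshd] refused connect from postmaster@dns.cablecentro.net.co
Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
Mar 18 23:44:44 [sshd] refused connect from [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107
Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
"""

# Client part is optional and may be wrapped in [ ]; host is whatever follows the '@'.
REFUSED_RE = re.compile(
    r"refused connect from "
    r"(?:\[?(?P<user>[^\]@\s]+)\]?@)?"
    r"(?P<host>\S+)$"
)

OPENSSL_MAGIC = b"Salted__"  # 8-byte header of `openssl enc` salted output
SALT_LEN = 8


def parse_refused(line: str) -> Optional[dict]:
    """Return {'user', 'host'} for a 'refused connect from' line, else None."""
    m = REFUSED_RE.search(line)
    if not m:
        return None
    return {"user": m.group("user"), "host": m.group("host")}


def strict_b64decode(s: str) -> Optional[bytes]:
    """Decode only canonical base64 (alphabet, length multiple of 4, padding)."""
    if len(s) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def classify_user(user: Optional[str]) -> dict:
    """Classify the client part: none, plain text, opaque base64, or an OpenSSL salted blob."""
    if user is None:
        return {"kind": "none"}
    raw = strict_b64decode(user)
    if raw is None:
        return {"kind": "plain"}
    if raw.startswith(OPENSSL_MAGIC) and len(raw) >= len(OPENSSL_MAGIC) + SALT_LEN:
        salt = raw[len(OPENSSL_MAGIC):len(OPENSSL_MAGIC) + SALT_LEN]
        body = raw[len(OPENSSL_MAGIC) + SALT_LEN:]
        return {
            "kind": "openssl-salted",
            "salt_hex": salt.hex(),
            "ciphertext_len": len(body),
            # CBC output from an 8- or 16-byte block cipher is a multiple of the block size.
            "block_aligned": len(body) % 8 == 0,
        }
    return {"kind": "base64", "decoded_len": len(raw)}


def scan_log(text: str) -> list:
    """Parse every refused-connect line and attach a classification of the client part."""
    findings = []
    for line in text.splitlines():
        rec = parse_refused(line)
        if rec is None:
            continue
        rec["user_class"] = classify_user(rec["user"])
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec)
```

The base64 test alone is only a heuristic (a short alphabetic hostname whose length is a multiple of four would pass it), so the strong signal is the `Salted__` magic; the salt and ciphertext length are what you would need to go further if you did know the password and cipher, and a ciphertext that is not block-aligned would rule out a CBC-mode `openssl enc` blob entirely.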
* [gentoo-user] Re: Usernames in ssh attacks
From: Nicolas Sebrecht @ 2009-03-19 19:01 UTC
To: gentoo-user
On Thu, Mar 19, 2009 at 10:19:37AM -0500, Paul Hartman wrote:
>
> In my ssh logs this morning I noticed a couple login attempts with
> usernames on them... I've never seen that before. It is usually just an
> IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from postmaster@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.
It could be an attempt at a format string vulnerability or just a bot doing
stupid and irrelevant things. I think you should ask the guys on the
openssh project.
--
Nicolas Sebrecht
* RE: [gentoo-user] Usernames in ssh attacks
From: Adam Carter @ 2009-03-19 23:40 UTC
To: gentoo-user@lists.gentoo.org
> In my ssh logs this morning I noticed a couple login attempts with
> usernames on them... I've never seen that before. It is usually just an
> IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from
> postmaster@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.
I'd say they've just made a mistake in their DNS config (or maybe used a wildcard record), and set the PTR record to be postmaster@dns.cablecentro.net.co instead of a hostname. I'm assuming the reason you usually see IP addresses is that there is no PTR record set for that IP....
Are you running Fail2ban or similar?
Rgs,
Adam
* Re: [gentoo-user] Usernames in ssh attacks
From: Eric Martin @ 2009-03-20 12:25 UTC
To: gentoo-user
Paul Hartman wrote:
> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
> <johan.bluecreek@gmail.com> wrote:
>> I've always had usernames when it comes to sshd's log entries in
>> auth.log, like the following:
>>
>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>> <username> from <ip-address>
>
> Well, I don't use PAM, just key-based authentication only, so I always
> see only the IP getting rejected since it doesn't even give them a
> place to try a user/password :) It's just weird that it is refusing a
> connection from user@domain rather than simply the IP. I guess they
> could be trying to ssh user@myhost.net or something. The one with
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
> interesting. I wonder what that's all about.
>
I too use only PubKey but they need to send a username so ssh knows
where to look for the public key. Your two options boil down to
1) install fail2ban (I installed it on all of my external ssh boxes and
I love it)
2) change the ssh port to something other than 22 (Security by Obscurity
but it frees up your logs so you can see real problems).
The two may be mutually exclusive as I'm not sure if you can tweak
fail2ban's ssh rules to monitor another port.
I just chalk it up as log spam unless I see definite bad patterns. But
again, with public key access only and banning root from logging in via
ssh I don't think anybody is getting far unless there is a flaw in ssh.
--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
* Re: [gentoo-user] Usernames in ssh attacks
From: Paul Hartman @ 2009-03-20 15:09 UTC
To: gentoo-user
On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin <freak4uxxx@gmail.com> wrote:
> Paul Hartman wrote:
>> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
>> <johan.bluecreek@gmail.com> wrote:
>>> I've always had usernames when it comes to sshd's log entries in
>>> auth.log, like the following:
>>>
>>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>>> <username> from <ip-address>
>>
>> Well, I don't use PAM, just key-based authentication only, so I always
>> see only the IP getting rejected since it doesn't even give them a
>> place to try a user/password :) It's just weird that it is refusing a
>> connection from user@domain rather than simply the IP. I guess they
>> could be trying to ssh user@myhost.net or something. The one with
>> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
>> interesting. I wonder what that's all about.
>>
>
> I too use only PubKey but they need to send a username so ssh knows
> where to look for the public key. Your two options boil down to
>
> 1) install fail2ban (I installed it on all of my external ssh boxes and
> I love it)
> 2) change the ssh port to something other than 22 (Security by Obscurity
> but it frees up your logs so you can see real problems).
>
> The two may be mutually exclusive as I'm not sure if you can tweak
> fail2ban's ssh rules to monitor another port.
>
> I just chalk it up as log spam unless I see definite bad patterns. But
> again, with public key access only and banning root from logging in via
> ssh I don't think anybody is getting far unless there is a flaw in ssh.
Oh, I am not concerned about the attacks. I just thought it was weird
that I saw user@domain when I normally see only IP or only domain.
They are already refused connection as the log shows :)
Thanks,
Paul
* Re: [gentoo-user] Usernames in ssh attacks
From: Eric Martin @ 2009-03-20 15:29 UTC
To: gentoo-user
Paul Hartman wrote:
> On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin <freak4uxxx@gmail.com> wrote:
>> Paul Hartman wrote:
>>> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
>>> <johan.bluecreek@gmail.com> wrote:
>>>> I've always had usernames when it comes to sshd's log entries in
>>>> auth.log, like the following:
>>>>
>>>> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
>>>> <username> from <ip-address>
>>> Well, I don't use PAM, just key-based authentication only, so I always
>>> see only the IP getting rejected since it doesn't even give them a
>>> place to try a user/password :) It's just weird that it is refusing a
>>> connection from user@domain rather than simply the IP. I guess they
>>> could be trying to ssh user@myhost.net or something. The one with
>>> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
>>> interesting. I wonder what that's all about.
>>>
>> I too use only PubKey but they need to send a username so ssh knows
>> where to look for the public key. Your two options boil down to
>>
>> 1) install fail2ban (I installed it on all of my external ssh boxes and
>> I love it)
>> 2) change the ssh port to something other than 22 (Security by Obscurity
>> but it frees up your logs so you can see real problems).
>>
>> The two may be mutually exclusive as I'm not sure if you can tweak
>> fail2ban's ssh rules to monitor another port.
>>
>> I just chalk it up as log spam unless I see definite bad patterns. But
>> again, with public key access only and banning root from logging in via
>> ssh I don't think anybody is getting far unless there is a flaw in ssh.
>
> Oh, I am not concerned about the attacks. I just thought it was weird
> that I saw user@domain when I normally see only IP or only domain.
> They are already refused connection as the log shows :)
>
> Thanks,
> Paul
>
yeah, after I read your message I realized that I didn't quite answer
your question. Somebody mentioned they probably configured the dns PTR
record incorrectly which is my guess.
--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
Thread overview: 9+ messages
2009-03-19 15:19 [gentoo-user] Usernames in ssh attacks Paul Hartman
2009-03-19 15:36 ` Johan Blåbäck
2009-03-19 15:43 ` Paul Hartman
2009-03-19 17:50 ` Michael Higgins
2009-03-20 12:25 ` Eric Martin
2009-03-20 15:09 ` Paul Hartman
2009-03-20 15:29 ` Eric Martin
2009-03-19 19:01 ` [gentoo-user] " Nicolas Sebrecht
2009-03-19 23:40 ` [gentoo-user] " Adam Carter