Repeated attacks via SSH

[Brett Glass]

Everyone:

We're starting to see a rash of password guessing attacks via SSH 
on all of our exposed BSD servers which are running an SSH daemon. 
They're coming from multiple addresses, which makes us suspect that 
they're being carried out by a network of "bots" rather than a single attacker.

But wait... there's more. The interesting thing about these attacks 
is that the user IDs for which passwords are being guessed aren't 
coming from a completely fixed list. Besides guessing at the 
passwords for root, toor, news, admin, test, guest, webmaster, 
sshd, and mysql, the bots are also trying to get into our mail 
exchangers via user IDs which are the actual names of users for 
whom the machines receive mail. In one case, we saw an attempt to 
use the name of a user who hadn't been on for years but whose 
address was published ONCE (according to Google and AltaVista) on 
the Net. Since the attackers are not guessing at hundreds of 
invalid user names, the only conclusion we can draw is that when 
one of the bots attacks a mail server, it quickly tries to harvest 
e-mail addresses from the server's domain from the Net and then 
tries them, in the hope that those users (a) are enabled for SSH 
and (b) have weak passwords.

SSH is enabled by default in most BSD-ish operating systems, and 
this makes us a bigger target for these bots than users of OSes 
that don't come with SSH (not that they're not more vulnerable in 
other ways!). Therefore, it's strongly recommended that, where 
practical, everyone limit SSH logins to the minimum possible number 
of users via the "AllowUsers" directive. We also have a log monitor 
that watches the logs (/var/log/auth.log in particular) and 
blackholes hosts that seem to be trying to break in via SSH.

--Brett Glass