Friday, April 7, 2017

SSH Login Attempts / justvisiting.org has died (just the hardware)

This was a draft post from over a year ago that I forgot about.
I include it now because it has some merit and I found the attack to be very interesting.

-------------------------------------------------------------------------------------------------------------

Something, somewhere went wrong with the machine that hosts justvisiting.org.
It wasn't so much the hardware, but the operating system that began to have problems.

The issue: 
Running out of memory and then locking up.
This machine had been running smoothly for years and then started to have a few hiccups and fits. 

   I'm sure the machine was not compromised by a break-in, but nevertheless it was failing and falling over and not responding to console logins, or responding at all. I finally rolled up my sleeves and replaced it with a newer and more robust machine. Which, IMO, wasn't really needed, but I did want to get justvisiting back online as soon as possible. The Linux OS is installed and it is sitting and waiting for operator input to get the final bits adjusted. Then I'll be able to finally get it back online at its designated IP address.

SSH attacks:
   First off, the SSH attacks are still pretty much the same as they have always been. Every day this machine was bombarded with SSH attacks, mostly from host machines in China. I can tell you that reverse name resolution and a simple traceroute show exactly where these machines are located. It's not that hard to determine and I don't think the perpetrators were much concerned about hiding their real IP addresses. I could be wrong, but think not. Why China wants into my machine so badly, I could not tell you. But if I had to guess, I would say that it is the Chinese Cyber Army that comes knocking. A new-to-me attack scheme has caused some concern. That concern is that after an IP address was permanently banned after so many SSH login attempts, another attack would occur almost immediately, from another "machine" from the same subnet. 

It goes like this (using 1.2.3.x subnet addressing):
- SSH login attack from 1.2.3.1
- IP address is banned after x amount of login attempts
- Then another SSH login attempt from 1.2.3.2, same subnet address, with the next IP address attempting a login
- IP address is banned after x amount of login attempts
- Then another SSH login attempt from 1.2.3.3 with the next IP address attempting a login.
- Then from 1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7.
And so on. . .

Needless to say, this is a problem. Not only to me and my machine, but to everyone who hangs servers out there on the Internet.

How does an entire, or close to an entire, subnet of IP addresses attempt to log in to an SSH account with cascading IP addresses from the same subnet? It's probably not that difficult to script, provided you own the IP block you are attacking from. I'm investigating, but in the meantime your guess is as good as mine.
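The pattern in the list above can be spotted by counting failed logins per subnet instead of per address. The following is an added example, not part of the original post: it assumes OpenSSH's "Failed password" syslog line format, a /24 grouping and a threshold of three distinct hosts, and the function name and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in OpenSSH syslog style; 1.2.3.x follows the post's notation.
SAMPLE_LOG = """\
Apr  7 03:10:01 host sshd[2101]: Failed password for root from 1.2.3.1 port 40112 ssh2
Apr  7 03:10:04 host sshd[2101]: Failed password for root from 1.2.3.1 port 40112 ssh2
Apr  7 03:11:30 host sshd[2107]: Failed password for invalid user admin from 1.2.3.2 port 51234 ssh2
Apr  7 03:12:02 host sshd[2113]: Accepted publickey for ops from 203.0.113.9 port 50022 ssh2
Apr  7 03:12:55 host sshd[2119]: Failed password for root from 1.2.3.3 port 38810 ssh2
Apr  7 03:13:40 host sshd[2125]: Failed password for root from 198.51.100.7 port 60111 ssh2
Apr  7 03:14:21 host sshd[2131]: Failed password for invalid user test from 1.2.3.4 port 44190 ssh2
"""

# Matches both "for root" and "for invalid user admin" variants.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port"
)

def rotating_subnets(log_text, prefix=24, min_hosts=3):
    """Return {subnet: sorted source IPs} for every subnet in which at least
    min_hosts distinct addresses produced failed SSH logins."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            addr = ip_address(match.group(1))
        except ValueError:  # e.g. an octet above 255 in a malformed line
            continue
        # strict=False masks the host bits, so 1.2.3.4/24 becomes 1.2.3.0/24.
        seen[ip_network(f"{addr}/{prefix}", strict=False)].add(addr)
    return {
        str(net): [str(a) for a in sorted(hosts)]
        for net, hosts in seen.items()
        if len(hosts) >= min_hosts
    }

if __name__ == "__main__":
    for net, hosts in rotating_subnets(SAMPLE_LOG).items():
        # A subnet listed here is a candidate for one ban on the whole range.
        print(f"{net}: {len(hosts)} distinct sources -> {', '.join(hosts)}")
```

A per-address ban counter sees 1.2.3.2, 1.2.3.3 and 1.2.3.4 as three unrelated first-time offenders; grouping by subnet ties them to the same source range after the third host appears.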

To be continued. . .




