
3 months and 1M SSH attempts later - WillieStevenson
https://livesshattack.net/blog/2016-03-20/3-months-and-1-million-ssh-attempts-later
======
Godel_unicode
> "Hahahahahaha, a successful login"

Congratulations, you just violated the Computer Fraud and Abuse Act. Also,
bravo for laying out for every reader of this post where they can find the
vulnerable router and the credentials they can use to join you in breaking the
law.

This is the exact opposite of responsible disclosure; people like the author
are why we will never get a less draconian CFAA. Thanks for that.

~~~
xupybd
> Congratulations, you just violated the computer fraud and abuse act.

How can that be illegal?

Granted publishing it should be, but simply testing if someone has left the
default password?

~~~
ambiate
CFAA is very broad. "intentionally accesses a computer without authorization
or exceeds authorized access, and thereby obtains— C) information from any
protected computer;"

A court could see "ambiate was authorized to use the work printer for printing
-- ambiate hacked the printer to find out the fax machine number and sent a
fax" in an absurd world.

This random internet person was never authorized to access this public router,
even if it's set to a default username/password. That's the broadness of the CFAA.

Just because you set your password to 'password99', doesn't mean you get more
protections than the person who leaves their Cisco router set to 'cisco'.

~~~
xupybd
Thanks for the info. Interesting, I can see the merit in having broad legal
protection to stop people from malicious activity. But that does seem a little
too broad.

------
pdkl95
> He's still going at it 100,000 ssh attempts later.

I got hit with >100,000 on my main desktop a few years ago when I was
procrastinating fixing my heavy-handed fail2ban config. I noticed what was
happening first from the _lag_ it was causing. It turns out >10 SSH password
attempts/second can eat up a significant portion of my 3GHz "Yorkfield"[1]
CPU. It wasn't hard to discover the problem: the logfile was rapidly filling
with failed SSH password attempts. This is particularly useless as I have used

    PasswordAuthentication no

for many years. There is no chance that the script was going to gain access,
but the system load from the rejections was terrible. So yes, I fixed fail2ban
and added a few more "instant-ban" rules against anybody that tries password
authentication, but the real fix was moving sshd to a random port.
Invalid SSH connection attempts dropped to approximately zero immediately.
It's trivial to find with a port scan, but in practice almost nobody has even
bothered.

It's probably like the old joke where two hikers see a grizzly bear and one
stops to re-tie his shoes. "You can't outrun a grizzly!" "I only have to
outrun _you_."

[1] Q9650 (E0); it still works great, even if it's starting to show its age

~~~
tlrobinson
Out of curiosity, why is your desktop exposed directly to the internet (no
NAT/firewall) at all?

~~~
pdkl95
NAT doesn't provide security, and a ssh server isn't useful if you filter that
port at the firewall.

~~~
julie1
Masquerading private addresses with your GW public address and limiting connections
to outgoing ones when ingress filtering is correctly done on your firewall/ISP
side is quite efficient.

Using private address is just a convenient way to set up easy invariant
templates for FW rules. No more, no less.

If you add the fact that ISP used to not route RFC 1918, it used to work quite
efficiently.

~~~
pdkl95
That "convenient way" has been incredibly damaging to the internet. The
primary benefit of the internet was that every peer can publish without
needing permission of a 3rd party. IP Masquerading / NAT removes that ability,
and has caused a massive amount of centralization. These gatekeepers are
necessary to work around the limitations of every host having to share a _party
line_. Regular use of RFC 1918 for most hosts has prevented the development of
real network software.

If you want the internet to continue to degrade into something closer to cable
TV, then continue requiring central gatekeepers. If, instead, you care about
the future of the internet, then _please_ use globally routable addresses
instead of the _imprimatur_ we call NAT.

~~~
julie1
One of the benefits of NATing is that it is mentally easier to recognize inbound
and outbound traffic in firewall rules.

It has been used as a way to centralize traffic by some rogue ISPs, and then,
because Large Scale NATing involves holding a lot of state in memory, it was
considered bad practice because it was costing money to ISPs (plus FW redundancy/HA
in NAT requires synchronizing state with CARP or Cisco techs).

But NATing behind the POP of the customer behind a public IP with the
classical 3-way filtering (corporate net, DMZ, internet) still enables
templates to be easily shared and understood.

It is not NAT that sux. Incompetent sysadmins are the problem.

~~~
pdkl95
> NATing that it is mentally easier

"Because it's easier" is a terrible reason to break the internet and limit the
development of networking software such that proper direct connections (in
either peer-to-peer _or_ client-server style) are useless and a centralized
3rd party is required to negotiate the connection and/or manage the NAT hole-
punching.

You're talking about convenience for a specific set of tools, when the problem
is about _freedom_ to publish without middlemen.

> a way to centralize traffic by some rogue ISP

ISPs have little[1] to do with this. I'm not talking about centralization by
the ISPs; I'm talking about how network software such as VOIP _should_ be
making direct connections once the address is known, which is impossible due
to NAT. Instead, we have Skype with Microsoft in a _de facto_ position of
control over a lot of the "voice chat" ecosystem.

> enables templates to be easily shared and understood

I'm sure the file-format for those templates can be extended to support a
placeholder/variable/macro for local addresses.

> NATing behind the POP of the customer

That's my entire point. This is how the internet was turned into a "two tier"
system, where some hosts can use listen(2)/accept(2) usefully, but everyone
else has to ask permission of the incumbent feudal lord for permission if they
want to accept a connection.

You seem to prefer trading that ability for an internet that resembles the
"cable tv" model instead of a network of equal peers (in the protocol). I hope
having convenient firewall templates was worth it.

[1] other than dragging their feet on IPv6 for the last ~15 years, which
removes the need for any type of NAT

------
ambiate
It's interesting how many HN users seem to be missing the point of a honeypot.
He set this up deliberately to understand the frequency/types of attacks on a
random machine on the internet.

From my past experience, most of those CN computers are actually US zero
day'd/patched running root kits/worms. It just happens to be that CN computers
are more likely to be unpatched/running ancient software.

~~~
noobermin
>From my past experience

I'm curious how you know this for sure.

~~~
ambiate
I plead the fifth. CFAA/RICO/Patriot Act.

My hint would be: before decentralized worms, there were IRC hubs. The
'owners' would typically use their native language for the various commands (I
know English is used in more than the US, but..). Most of the time, they
wouldn't even hide their host name on the IRC server.

I guess from a 'being legal' POV: anyone could infect themselves with the same
root kit that's on a honeypot and find out quite a bit about the organizers.

~~~
Godel_unicode
Or just read any botnet takedown report, this is exactly what botnets do. Why
bother looking for 0day when root:toor or cisco:cisco works?

------
cddotdotslash
Just FYI, I wouldn't log into any systems using credentials you find through
this. A lot of people are obviously using credentials stolen from previous
dumps, so there might be valid ones in there. Logging into a public facing
router using stolen credentials is definitely a crime.

~~~
WillieStevenson
Just like it's a crime trying to ssh into a box that is not yours right? And
besides I didn't do anything to the router. I was simply pointing out that you
should change your default credentials and hide your router.

... should be a crime to not change the default credentials.

~~~
simoncion
Did you attempt to notify that poor schmuck who stood up that AirRouter with
the default username and password?

~~~
WillieStevenson
Damn it. I should have. I don't know how I would do that now though. He probably
got pwned off the internet by now. lol.

~~~
abrookewood
Dude, it's not funny. You're coming across like a script kiddie and it's not
welcome here. You've just posted the credentials to someone's site that has
probably been compromised and you're treating it like a joke. Go back and
redact the IP addresses of those sites & devices before you get yourself into
trouble.

~~~
WillieStevenson
Look. Malicious boxes are attacking me. Although I must be politically correct
in this situation to probably please everyone, while I probably shouldn't have
logged into the router in question, I would prefer to publish such IPs because
they have the potential to harm other machines.

Actually that particular IP attacked me more than 170 times. It may be useful
to others to keep this address on their "naughty" list of hosts to ban.

~~~
viraptor
I don't think there's a need to publish those addresses. There are already
lists with those IPs available
([https://www.openbl.org/](https://www.openbl.org/)). Telling people that the
IP had default password on the router will only cause the problem to the owner
who may not even be aware of the attack. Proxies / worms for ssh scanning are
very common, so maybe you just helped people break some Joe Random's home
network.

~~~
simoncion
> I don't think there's a need to publish those addresses. There are already
> lists with those IPs available...

Interestingly, the IP address of that router is _not_ present in either the
base (attacks within the past 360 days) list or the delisted (manually removed
from the base list by the person in question) list.

It's almost like no single list is terribly likely to be complete, and that
publishing collation of a master list is required for completeness. :)

------
ChuckMcM
Just for fun I ran an SSH server on a RasPi to basically allow any login and
to simulate a Linux shell. And then captured the various things that people
tried. If you're wondering what the "standard set" of script kiddy tricks are,
I highly recommend it.

~~~
ambiate
15 years ago, that standard set used to be wget something from
packetstormsecurity.org. If no wget: curl it. If no curl: just lynx it. else:
move on to the next vulnerable server. Script kiddies were quite lazy back
then. I feel old at thirty.

~~~
x0
Hasn't changed for the most part. Though it's either exploit db, some creepy
looking .pw site you've never heard of, and once or twice, the zips that
github provides. And sometimes they'll just scp their stuff onto the box.

------
tdicola
If you haven't already, get fail2ban setup on the box to slow down all the
attacks. And disable password login and switch to certs instead.

~~~
sneak
SSH key based auth does not use certificates.

In the case of key-based-auth only, fail2ban is pointless.

~~~
muppetman
I disagree. I run it because I drop all traffic from the /24 the scan comes
from. Harsh, yes, but tough luck. It cuts down on unwanted network traffic.

~~~
sneak
That's a pretty significant denial of service you open yourself up to. If
someone shows up bruteforcing you from randomly allocated AWS or Digital Ocean
cloud instance public IPs that happen to land in the same /24 as other AWS- or
DO-hosted services (Heroku comes to mind, but also any other monitoring, log
aggregation, analytics, data processing, et c) your machine depends on,
they've convinced your system to cut connectivity to them. Not the best
setup...
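An added example (not code from the post or any of the commenters) that puts two points from this thread next to each other: pdkl95's "instant-ban" rule for anyone who attempts password authentication on a key-only sshd, and sneak's warning that banning the whole /24 a scan comes from can cut you off from your own dependencies. The log lines are constructed in the standard sshd `Failed password` / `Accepted publickey` format; the addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (not real traffic) in sshd's usual format.
SAMPLE_LOG = """\
Mar 20 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar 20 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Mar 20 10:00:02 host sshd[1203]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2
Mar 20 10:00:03 host sshd[1205]: Failed password for invalid user cisco from 198.51.100.9 port 51010 ssh2
Mar 20 10:00:04 host sshd[1207]: Failed password for root from 198.51.100.7 port 51004 ssh2
"""

# Matches the failure line sshd writes for a rejected password; the optional
# "invalid user" prefix appears when the account does not exist at all.
FAILED_PW = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def failed_attempts(log_text):
    """Count failed password attempts per source IP (key-auth lines are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_PW.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def ban_list(log_text, maxretry=1):
    """pdkl95-style policy: with PasswordAuthentication no, even a single
    password attempt is noise worth banning, so maxretry defaults to 1."""
    return sorted(ip for ip, n in failed_attempts(log_text).items() if n >= maxretry)

def collateral_for_slash24(banned_ips, dependency_ips):
    """muppetman's /24-wide ban, checked against the hosts this box depends on
    (monitoring, log shipping, etc.): every returned address would be cut off
    too, which is the self-inflicted denial of service sneak describes."""
    nets = {ip_network(f"{ip}/24", strict=False) for ip in banned_ips}
    return sorted(dep for dep in dependency_ips if any(ip_address(dep) in n for n in nets))

if __name__ == "__main__":
    print("ban:", ban_list(SAMPLE_LOG))
    # Hypothetical dependency in the same /24 as a scanner (constructed value).
    print("collateral:", collateral_for_slash24(ban_list(SAMPLE_LOG),
                                                ["198.51.100.200", "203.0.113.5"]))
```

Run the collateral check against your real dependency list before widening a ban from a single IP to a /24; if it returns anything, ban per-IP instead.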

------
est
I changed my SSH login banner text to

> Permission denied, please try again.

To confuse people. Whether the login fails or succeeds, the prompt text will
always look like that.

~~~
Godel_unicode
You deny them permission, then grant them permission to try again?

~~~
est
Whether the login fails or succeeds, the prompt text will always be

> Permission denied, please try again

------
obisw4n
I think more cloud providers should do something like what Google Compute
Cloud does, they have SSHGuard on their images by default so IPs get blocked
after too many failed attempts.

------
yeukhon
Showing off stuff like this is considered stupid, childish and idiotic. Based
on the cached version of his publication, I am extremely tempted to report this
to the proper authority. Not only should you stop publishing this kind of
information, you should stop your project.

~~~
simoncion
> Showing off stuff like this is considered stupid, childish and idiotic. ...
> Not only you should stop publishing this kind of information, you should
> stop your project.

I strongly disagree with both sentences.

------
logotype
Change the SSH port...

~~~
achillean
Please don't rely on that alone: [https://blog.shodan.io/hiding-in-plain-sight/](https://blog.shodan.io/hiding-in-plain-sight/)

~~~
voltagex_
Strangely, searching Shodan for product:ssh port:443 finds nothing, when I
know there are boxes around running sslh or similar to run both SSH and HTTPS
on the same port. Seems like you can hide in plain sight when the scanner has
no idea you're there.

~~~
achillean
[https://www.shodan.io/search?query=port%3A80+openssh](https://www.shodan.io/search?query=port%3A80+openssh)

It's really just a matter of time. There are many things you can do to protect
yourself and changing the port is one of them, but if you rely on it you're
going to have a bad time.

