Now, on my server there is only one valid login. That login requires a certificate - you cannot login with a password alone. Even once you have logged in, you cannot do anything significant in the account to which you have logged in, unless you also know the root password (although, of course, once you have logged in, brute-force guessing of the root password could be attempted). So I'm reasonably safe from attacks such as the Hail Mary Cloud.
But two things are interesting. The first is the sheer number of attempted logins. Last week I had 8322, or an average of 49 an hour, or not far shy of one a minute.
The top twenty usernames tried were as follows:
root@goldsmith:/var/log# grep 'Invalid user' auth.log* | awk '{print $8}' | sort | uniq -c | sort -rn | head -20
185 oracle
130 web
123 test
88 admin
75 tester
70 testing
69 testuser
62 test1
56 ftpuser
54 userftp
51 test3
51 test2
50 test4
48 test123
40 user
37 guest
35 webmaster
27 administrator
25 info
23 minecraft
One assumes (at least, this one does) that the account names most often tried are the names the attackers most often find give them useful access to interesting things. Which argues that Oracle installations tend to have significantly weak passwords. But notice that many systems appear to be vulnerable to logins on the 'web' user account. Surely, for any sakes, if you have such an account it ought not to be login enabled (and ought to have very minimal privilege anyway)? The fact that that's an attack target is worrying. That 'admin' and 'administrator' are attack targets isn't surprising - all sorts of systems, including many small appliances based on either Linux or *BSD, have 'admin' accounts with substantial privilege, and a lot of people coming from Windows backgrounds use 'administrator' as the name of a significant account.
'ftpuser' isn't so worrying. Yes, a lot of machines will have them, but they should be able to do little.
Which leaves the remarkable prevalence of variants on 'test'. In fact, if you look at all variants on test, there are almost 100 attempts a day:
root@goldsmith:/var/log# grep 'Invalid user' auth.log* | awk '{print $8}' | grep test | wc -l
681
So the next question is, how often was 'root' tried? After all, root is the account which you have to break in order to get total control of a UN*X machine. Five years ago, it would have been far and away the most common target. The answer now?
root@goldsmith:/var/log# grep 'Invalid user' auth.log* | awk '{print $8}' | sort | uniq -c | grep root
1 anonftproot
3 cvsroot
1 ftproot
1 nfsroot
1 root001
1 root01
1 root02
1 rootkloots
1 sroot
1 testroot
1 vroot
1 webroot
1 wwwroot
Never. Not even once. Which is sort-of good news, and implies that people who keep UN*X machines out there in netland have learned the lesson of not allowing root login.
So, next question is, am I seeing distributed, Hail Mary Cloud style attacks? The answer is I'm not. Of my 8322 probes last week, 89% came from a single host:
root@goldsmith:/var/log# grep 'Invalid user' auth.log.1 | awk '{print $10}' | sort | uniq -c | sort -rn | head -10
7445 190.52.65.170
424 223.4.208.188
259 218.108.85.245
67 199.187.123.84
47 46.165.220.24
43 36.39.246.121
12
7 59.124.124.9
5 218.108.169.180
4 112.78.3.234
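As an added example (not the author's grep/awk pipeline), a small Python parser that produces the same tallies over constructed auth.log lines: the username table, the count of 'test' variants, and the per-source breakdown. It also picks up failed attempts against accounts that do exist, because sshd writes "Invalid user" only for names that do not exist, so a root attempt shows up as "Failed password for root" and is never matched by a grep for 'Invalid user'. Every hostname, username and address in the sample is made up.

```python
import re
from collections import Counter

# Constructed sshd lines in syslog auth.log format; addresses are RFC 5737 examples.
SAMPLE_AUTH_LOG = """\
Jun  3 04:12:01 goldsmith sshd[2201]: Invalid user oracle from 198.51.100.7
Jun  3 04:12:02 goldsmith sshd[2202]: Invalid user oracle from 198.51.100.7
Jun  3 04:12:03 goldsmith sshd[2203]: Invalid user test from 198.51.100.7
Jun  3 04:12:05 goldsmith sshd[2205]: Invalid user test1 from 198.51.100.7
Jun  3 04:12:09 goldsmith sshd[2209]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jun  3 04:12:11 goldsmith sshd[2211]: Invalid user web from 203.0.113.9
Jun  3 04:12:11 goldsmith sshd[2211]: Failed password for invalid user web from 203.0.113.9 port 40130 ssh2
Jun  3 04:12:15 goldsmith sshd[2215]: Invalid user testuser from 198.51.100.7
Jun  3 04:12:20 goldsmith sshd[2220]: Accepted publickey for simon from 192.0.2.44 port 51000 ssh2
Jun  3 04:12:31 goldsmith sshd[2231]: Failed password for root from 198.51.100.7 port 40200 ssh2
"""

# Nonexistent accounts: sshd writes one "Invalid user X from IP" line per attempt;
# this is the line the post's pipeline counts (awk fields 8 and 10).
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
# Existing accounts such as root get no "Invalid user" line, only "Failed password
# for <user>"; the lookahead skips "for invalid user X", which repeats the attempt
# already matched above and would otherwise be double counted.
FAILED_EXISTING = re.compile(
    r"sshd\[\d+\]: Failed password for (?!invalid user )(\S+) from (\S+)")

def failed_logins(log_text):
    """Return (username, source_ip) for every failed login attempt in the log."""
    attempts = []
    for line in log_text.splitlines():
        m = INVALID_USER.search(line) or FAILED_EXISTING.search(line)
        if m:
            attempts.append((m.group(1), m.group(2)))
    return attempts

def top_usernames(log_text, n=20):
    """Most-tried usernames, ties broken alphabetically (like sort | uniq -c | sort -rn)."""
    counts = Counter(user for user, _ip in failed_logins(log_text))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def count_variants(log_text, needle="test"):
    """Attempts against any username containing `needle`, e.g. test, test1, testuser."""
    return sum(1 for user, _ip in failed_logins(log_text) if needle in user)

def top_sources(log_text, n=10):
    """Source addresses by attempt count, plus the share held by the busiest one."""
    counts = Counter(ip for _user, ip in failed_logins(log_text))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    share = ranked[0][1] / sum(counts.values()) if ranked else 0.0
    return ranked, share
```

On the sample, root is tied for the most-tried name even though a grep for 'Invalid user' would report zero root attempts.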
So, where is that host?
root@goldsmith:/var/log# dig -x 190.52.65.170
; <<>> DiG 9.7.3 <<>> -x 190.52.65.170
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34849
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;170.65.52.190.in-addr.arpa. IN PTR
;; ANSWER SECTION:
170.65.52.190.in-addr.arpa. 43200 IN PTR static-host65N170.sls.espoltel.net.
and who's that?
root@engraver:/var/log# whois espoltel.net
Registrant:
ESPOLTEL S.A.
ESPOL CAMPUS GUSTAVO GALINDO KM 30.5
PERIMETRAL
Guayaquil, Guayas 99999
EC
Domain Name: ESPOLTEL.NET
So my very prolific attacker is a machine hosted by (but not necessarily operated by) a small ISP in Ecuador. The machine hosts the website of the local water company. It is almost certainly a machine which has itself been successfully attacked and compromised. But there's nothing specifically Ecuadorian about the attack; my second most prolific attacker is in Hong Kong.
The point of this post is that if you host a server on the Internet, or any other device attached to the Internet, it is being attacked, all the time. Most of those attacks are fairly simple-minded. There have been no attacks I'm not familiar with, and no attacks which I think have any chance to succeed.
But the morals of this story are, first, if you have an internet-facing device which is secured only by a password, don't. It will be compromised sooner rather than later. Client certificates are very much more secure. And second, keep wary. Sooner or later, a new and more effective attack will come along.