Sunday 6 October 2013

The attack burden

I have, it won't surprise you to know, a server out there on the Internet. And occasionally I do a little sweep to check its security and general health, because it is out there on the Internet, and the Internet is a pretty nasty place with lots of pretty nasty people.

Now, on my server there is only one valid login. That login requires a key or certificate: you cannot log in with a password alone. Even once you have logged in, you cannot do anything significant in that account unless you also know the root password (although, of course, once logged in, an attacker could try to brute-force the root password, which is one reason it has to be a strong one). So I'm reasonably safe from attacks such as the Hail Mary Cloud.

But two things are interesting. The first is the sheer number of attempted logins. Last week I had 8322, or an average of 49 an hour, not far shy of one a minute. (That is the count of 'Invalid user' lines in auth.log, which sshd writes once per session that names an account that does not exist; the individual password guesses within each of those sessions are logged separately, as 'Failed password for invalid user', and are not counted here.)

The top twenty usernames tried were as follows:

root@goldsmith:/var/log# grep 'Invalid user' auth.log* | awk '{print $8}' | sort | uniq -c | sort -rn | head -20
    185 oracle
    130 web
    123 test
     88 admin
     75 tester
     70 testing
     69 testuser
     62 test1
     56 ftpuser
     54 userftp
     51 test3
     51 test2
     50 test4
     48 test123
     40 user
     37 guest
     35 webmaster
     27 administrator
     25 info
     23 minecraft

One assumes (at least, this one does) that the names tried most often are the ones that most often turn out to exist with a guessable password, since the bots keep what works. Which argues that the 'oracle' system account an Oracle database installation creates tends to be left with a weak or default password, and that is worth checking on any box you run Oracle on. But notice that many systems appear to be vulnerable to logins on the 'web' user account. Surely, for any sakes, if you have such an account it ought not to be login enabled (a nologin shell and no password set), and ought to have very minimal privilege anyway? The fact that it's an attack target is worrying. That 'admin' and 'administrator' are targets isn't surprising: all sorts of systems, including many small appliances based on either Linux or *BSD, ship with an 'admin' account with substantial privilege, and a lot of people coming from Windows backgrounds use 'administrator' as the name of a significant account.

'ftpuser' isn't so worrying. Yes, a lot of machines will have one, but it should be able to do very little, and it should certainly not have a login shell.

Which leaves the remarkable prevalence of variants on 'test'. In fact, if you look at all variants on test, there are almost 100 attempts a day:

root@goldsmith:/var/log# grep 'Invalid user' auth.log* | awk '{print $8}' | grep test | wc -l
681

So the next question is, how often was 'root' tried? After all, root is the account you have to break to get total control of a UN*X machine. Five years ago it would have been far and away the most common target. The answer now, at least among the invalid-user names that contain 'root'?

root@goldsmith:/var/log# grep 'Invalid user' auth.log* | awk '{print $8}' | sort | uniq -c | grep root
      1 anonftproot
      3 cvsroot
      1 ftproot
      1 nfsroot
      1 root001
      1 root01
      1 root02
      1 rootkloots
      1 sroot
      1 testroot
      1 vroot
      1 webroot
      1 wwwroot

Never. Not even once, in this list. But this list can only ever show accounts that do not exist: sshd logs 'Invalid user' when the name fails lookup, and root exists on every UN*X box, so an attempt on root proper is logged as 'Failed password for root from ...' (or 'User root ... not allowed' / 'ROOT LOGIN REFUSED' where root login is disabled) and never matches this grep. Root's absence here says only that nobody mistyped it; whether root itself is still a favoured target needs a separate search for 'for root from' before anything can be concluded. What the list does show is that the bots are now chiefly hunting for weak service and test accounts, which is sort-of good news, and suggests that people who keep UN*X machines out there in netland have learned the lesson of not allowing root login.
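To make the tallies above repeatable, here is an added example of mine, not code from the original post. It runs the same kind of grep/sort/uniq pipeline over a constructed auth.log sample (RFC 5737 documentation addresses, made-up PIDs and a made-up 'alice' login), pulls the username and source address out with sed instead of a fixed awk field so that an empty username or a filename prefix from grepping several files cannot shift the column, works out what share of the probes came from the single busiest source, and separately counts attempts on root, which a search for 'Invalid user' can never find.

```shell
#!/bin/sh
# Added example, not from the original post: tally sshd probes from auth.log-style
# lines. The log below is constructed (RFC 5737 documentation addresses, made-up
# PIDs and the made-up login 'alice'); in real use point the functions at auth.log*.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct  6 03:14:01 goldsmith sshd[21001]: Invalid user oracle from 192.0.2.10
Oct  6 03:14:03 goldsmith sshd[21001]: Failed password for invalid user oracle from 192.0.2.10 port 41012 ssh2
Oct  6 03:14:09 goldsmith sshd[21004]: Invalid user test from 192.0.2.10
Oct  6 03:14:11 goldsmith sshd[21004]: Failed password for invalid user test from 192.0.2.10 port 41013 ssh2
Oct  6 03:14:14 goldsmith sshd[21004]: Failed password for invalid user test from 192.0.2.10 port 41013 ssh2
Oct  6 03:14:20 goldsmith sshd[21007]: Invalid user test from 192.0.2.10
Oct  6 03:14:31 goldsmith sshd[21008]: Invalid user test from 192.0.2.10
Oct  6 03:14:40 goldsmith sshd[21009]: Invalid user web from 192.0.2.10
Oct  6 03:15:22 goldsmith sshd[21010]: Invalid user  from 198.51.100.9
Oct  6 03:15:30 goldsmith sshd[21011]: Invalid user web from 198.51.100.9
Oct  6 03:16:40 goldsmith sshd[21015]: Failed password for root from 203.0.113.45 port 55120 ssh2
Oct  6 03:16:43 goldsmith sshd[21015]: Failed password for root from 203.0.113.45 port 55120 ssh2
Oct  6 03:17:01 goldsmith sshd[21020]: User root from 203.0.113.45 not allowed because not listed in AllowUsers
Oct  6 03:18:30 goldsmith sshd[21025]: Accepted publickey for alice from 203.0.113.7 port 50022 ssh2
EOF

# Names tried against accounts that do not exist. sshd writes one "Invalid user"
# line per session naming such an account, so this counts sessions, not password
# guesses: the per-guess "Failed password for invalid user" lines are lower-case
# and do not match the case-sensitive grep, so nothing is double counted.
# The name is extracted with sed so that a filename prefix (from grepping several
# files) or an empty name cannot shift the column as awk '{print $8}' would.
invalid_user_counts() {
    grep 'Invalid user' "$@" \
      | sed -n 's/.*Invalid user \(.*\) from .*/\1/p' \
      | sed 's/^$/(empty)/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Source addresses of the same probes, busiest first.
invalid_user_sources() {
    grep 'Invalid user' "$@" \
      | sed -n 's/.*Invalid user .* from \([0-9A-Fa-f.:]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Percentage (integer-truncated) of invalid-user probes that came from the
# single busiest source, i.e. the kind of figure the post quotes as 89%.
top_source_share() {
    invalid_user_sources "$@" \
      | awk 'NR == 1 { top = $1 } { total += $1 } END { printf "%d\n", 100 * top / total }'
}

# Attempts on root itself. root is a valid account, so sshd never logs it as
# "Invalid user": a wrong password is "Failed password for root from ...", a root
# login blocked by AllowUsers is "User root from ... not allowed ...", and a correct
# password rejected by PermitRootLogin no is "ROOT LOGIN REFUSED". None of these
# match grep 'Invalid user', so root needs its own search. With several files,
# grep -c prints one count per file.
root_attempts() {
    grep -c -e 'Failed [a-z-]* for root from' \
            -e 'User root from .* not allowed' \
            -e 'ROOT LOGIN REFUSED' "$@"
}

echo "Invalid-user names:";   invalid_user_counts "$SAMPLE_LOG"
echo "Sources:";              invalid_user_sources "$SAMPLE_LOG"
echo "Share from top source: $(top_source_share "$SAMPLE_LOG")%"
echo "Attempts on root:      $(root_attempts "$SAMPLE_LOG")"
```

On the sample, 'test' leads with three sessions, the empty username shows up as '(empty)' rather than pushing an address into the username column, 71% of the invalid-user probes come from one address, and the three attempts on root are found only by the separate search.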

So, next question: am I seeing distributed, Hail Mary Cloud style attacks? The answer is that I'm not. Of my 8322 probes last week, 89% came from a single host (the blank entry below with a count of 12 is most likely sessions that sent an empty username, which shifts the address out of the column the awk picks up):

root@goldsmith:/var/log# grep 'Invalid user' auth.log.1 | awk '{print $10}' | sort | uniq -c | sort -rn | head -10
   7445 190.52.65.170
    424 223.4.208.188
    259 218.108.85.245
     67 199.187.123.84
     47 46.165.220.24
     43 36.39.246.121
     12 
      7 59.124.124.9
      5 218.108.169.180
      4 112.78.3.234

So, where is that host?

root@goldsmith:/var/log# dig -x 190.52.65.170

; <<>> DiG 9.7.3 <<>> -x 190.52.65.170
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34849
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;170.65.52.190.in-addr.arpa. IN PTR

;; ANSWER SECTION:
170.65.52.190.in-addr.arpa. 43200 IN PTR static-host65N170.sls.espoltel.net.

and who's that?

root@engraver:/var/log# whois espoltel.net
Registrant:
ESPOLTEL S.A.
   ESPOL CAMPUS GUSTAVO GALINDO KM 30.5
   PERIMETRAL
   Guayaquil, Guayas 99999
   EC

   Domain Name: ESPOLTEL.NET

So my very prolific attacker is a machine hosted by (but not necessarily operated by) a small ISP in Ecuador. The machine hosts the website of the local water company. It is almost certainly a machine which has itself been successfully attacked and compromised. But there's nothing specifically Ecuadorian about the attack; my second most prolific attacker is in Hong Kong.

The point of this post is that if you host a server on the Internet, or any other device attached to the Internet, it is being attacked, all the time. Most of those attacks are fairly simple-minded: I have seen nothing I'm not familiar with, and nothing I think has any chance of succeeding.

But the morals of this story are, first, if you have an Internet-facing device that is secured only by a password, don't. It will be compromised sooner rather than later. Key- or certificate-based authentication is very much more secure; for sshd that means PasswordAuthentication no (and PermitRootLogin no) in sshd_config, which turns every one of those probes into a guaranteed failure rather than a lottery ticket. And second, keep wary. Sooner or later, a new and more effective attack will come along.


Creative Commons Licence
The fool on the hill by Simon Brooke is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License