Massive ssh annoyance

My logfiles are totally full of logged connection attempts to my servers. It looks like people are trying to exploit the SSH vulnerability which became known some days ago ("openssh denial of service CVE-2006-4924").

The logfiles are full of messages like:

Jul 26 08:03:29 wormhole sshd[14229]: Bad protocol version identification '\243\361^G\216\325\325\320\370k\301\3044\33134\374\350\274K21' from 71.202.54.119
Jul 26 08:03:35 wormhole sshd[14252]: Bad protocol version identification '\315yh$30\205\271\214\204\346k!' from 67.68.199.28
Jul 26 08:04:34 wormhole sshd[15445]: Bad protocol version identification '23BitTorrent protocol' from 87.89.44.247

I'm only guessing that this is an exploit of the vulnerabilities in SSH protocol version 1. However, these attacks are really massive, massive like:

# grep "Bad protocol" auth.log | wc -l
24404
# grep "Bad protocol.* from " auth.log | awk '{print $NF}' | sort | uniq | wc -l
4342
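A worked version of the counting above, added here and not part of the original post: shell functions that summarise the connections sshd rejected before authentication, reading an auth.log on stdin. The log excerpt is constructed for the example (RFC 5737 documentation addresses, banners modelled on the lines above). Two things worth knowing when reading such lines: a banner of `\023BitTorrent protocol` (octal 023 = 19, the length prefix of the BitTorrent peer-wire handshake) is a file-sharing client that was pointed at port 22, not an SSH exploit; and CVE-2006-4924 is triggered inside an established SSH1 session, so a connection that never presents a well-formed `SSH-1.x` banner cannot be exercising it. sshd also logs "Did not receive identification string" for clients that connect and send nothing; those are counted as well, since each one costs a forked child until the client goes away or LoginGraceTime expires.

```shell
#!/bin/sh
# Added example (not the post's own commands): summarise connections that sshd
# rejected before authentication.  All functions read an auth.log on stdin.

# Constructed excerpt using RFC 5737 documentation addresses.
SAMPLE_LOG=$(cat <<'EOF'
Jul 26 08:03:29 wormhole sshd[14229]: Bad protocol version identification '\243\361^G\216' from 192.0.2.10
Jul 26 08:03:35 wormhole sshd[14252]: Bad protocol version identification '\315yh$30\205' from 198.51.100.7
Jul 26 08:04:34 wormhole sshd[15445]: Bad protocol version identification '\023BitTorrent protocol' from 203.0.113.25
Jul 26 08:04:40 wormhole sshd[15460]: Bad protocol version identification '\023BitTorrent protocol' from 192.0.2.10
Jul 26 08:04:50 wormhole sshd[15471]: Bad protocol version identification '\377\300' from 198.51.100.9
Jul 26 08:05:01 wormhole sshd[15501]: Accepted publickey for alex from 192.0.2.99 port 50122 ssh2
Jul 26 08:05:09 wormhole sshd[15510]: Bad protocol version identification '' from 198.51.100.8
Jul 26 08:06:12 wormhole sshd[15533]: Did not receive identification string from 203.0.113.40
EOF
)

# Both messages mean a child was forked and then found no usable banner:
# a garbage one, or none at all (sshd waits up to LoginGraceTime for it).
REJECT_RE='Bad protocol version identification|Did not receive identification string'

rejected_total() {
    awk -v re="$REJECT_RE" '$0 ~ re { n++ } END { print n + 0 }'
}

# Distinct sources; the address is always the last field of these lines.
rejected_sources() {
    awk -v re="$REJECT_RE" '$0 ~ re { print $NF }' | sort -u | wc -l | tr -d ' '
}

# Sources seen more than once: the only ones a per-IP block (sshdfilter,
# a hashlimit rule in srcip mode) can do anything about.
repeat_sources() {
    awk -v re="$REJECT_RE" '$0 ~ re { c[$NF]++ }
         END { for (ip in c) if (c[ip] > 1) print ip }' | sort
}

# What the clients actually sent.  The BitTorrent handshake starts with
# byte 0x13 (octal \023) followed by the string "BitTorrent protocol".
rejection_classes() {
    awk -v q="'" '
        /Did not receive identification string/ { silent++; next }
        /Bad protocol version identification/ {
            if (index($0, "BitTorrent protocol"))              bittorrent++
            else if (index($0, "identification " q q " from")) empty++
            else                                               other++
        }
        END { printf "bittorrent=%d silent=%d empty=%d other=%d\n",
                     bittorrent + 0, silent + 0, empty + 0, other + 0 }'
}

# Peak rejections in any one minute: the load that MaxStartups in sshd_config
# and a firewall rate limit have to be sized for.
busiest_minute() {
    awk -v re="$REJECT_RE" '
        $0 ~ re { n[$1 " " $2 " " substr($3, 1, 5)]++ }
        END { for (m in n) if (n[m] > best) { best = n[m]; when = m }
              print when, best }'
}

# Demo on the constructed excerpt; on a real host use, for example,
#   rejection_classes < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | rejected_total
printf '%s\n' "$SAMPLE_LOG" | rejected_sources
printf '%s\n' "$SAMPLE_LOG" | repeat_sources
printf '%s\n' "$SAMPLE_LOG" | rejection_classes
printf '%s\n' "$SAMPLE_LOG" | busiest_minute
```

The repeat-source list is the check to run before installing any per-IP blocking: if almost every address appears once, as the post reports, a blocklist grows without shrinking the load, and the per-minute peak is the number to size sshd and the firewall against instead.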

I have SSH protocol version 1 disabled by default, so this is no real threat to me, but the scale of these attacks causes a DoS on my servers; sshd is so busy that I, as a legitimate user, fail to log in every now and then:

$ ssh wormhole.ynfonatic.de
ssh_exchange_identification: Connection closed by remote host

And that's exactly the point where I get angry. However, this attack is distributed over the whole Internet, so I can't filter on specific IP addresses. *sigh*


3 Responses to "Massive ssh annoyance"

  1. James Says:

    Have you got sshdfilter installed? http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html

  2. Alexander W. Janssen Says:

    James, thanks for the hint, but unfortunately that doesn't help; every host seems to attack only once, so that would only lead to a massive shitlist on my INPUT chain's side.
    The real problem lies in OpenSSH directly: instead of dropping the connection immediately after recognizing a bad protocol string, the connection seems to stay in status "accepted":
    # ps -ef | grep accepted
    root 16339 5367 0 21:12 ? 00:00:00 sshd: [accepted]
    root 16368 5367 0 21:12 ? 00:00:00 sshd: [accepted]

    That's the real problem. Those "accepted" sessions need to get dropped very soon. However, I found that the variable LoginGraceTime in my sshd_config was set to 600 seconds; I guess that is or was the Debian Sarge default value. I set it to 60 seconds, and now the situation has improved dramatically.
    However, if the attackers intensify their attack, I’ll be lost again.
    Thanks for the hint anyway! I appreciate all hints.
    Alex.
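The grace period is the right knob, and here is why, with a worked check added by the editor (not the commenter's configuration). sshd closes the socket and exits as soon as it has logged "Bad protocol version identification"; the children sitting in "sshd: [accepted]" are connections that have not yet delivered a complete banner line, and sshd keeps waiting for one until the client disconnects or LoginGraceTime expires. The second bound is MaxStartups, the number of such unauthenticated children sshd allows before it closes further new connections, which the client then reports as the "ssh_exchange_identification: Connection closed by remote host" quoted in the post. The script below reads both settings from two constructed sshd_config excerpts and computes how small a trickle of stalled connections keeps every slot busy; the 120-second upstream default and the 10:30:100 form of MaxStartups are OpenSSH facts, the concrete values chosen for the hardened excerpt are illustrative.

```shell
#!/bin/sh
# Added example (not the commenter's configuration): read the two sshd_config
# settings that bound unauthenticated "sshd: [accepted]" children and work out
# how small a trickle of stalled connections is enough to fill them.

# Constructed excerpts.  The weak one has the 600-second LoginGraceTime the
# comment above found on Debian Sarge; upstream OpenSSH defaults to 120.
WEAK_CONFIG='Protocol 2,1
LoginGraceTime 600
MaxStartups 10
'
# Short grace period plus random early drop: beyond 10 unauthenticated
# connections sshd refuses 30% of new ones, rising to 100% at 60.
HARDENED_CONFIG='Protocol 2
LoginGraceTime 30
MaxStartups 10:30:60
'

# sshd_setting KEY DEFAULT: print KEY's value from the config on stdin.
# sshd honours the first occurrence of a keyword; comments are skipped.
# Assumes "Keyword value" lines (sshd also accepts "Keyword=value").
sshd_setting() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) && !seen { print $2; seen = 1 }
        END { if (!seen) print def }'
}

# saturating_rate CONFIG_TEXT: new connections per minute that keep every
# MaxStartups slot occupied when each connection stalls for the whole grace
# period (start slots, each held grace seconds -> start*60/grace per minute).
saturating_rate() {
    grace=$(printf '%s' "$1" | sshd_setting LoginGraceTime 120)
    starts=$(printf '%s' "$1" | sshd_setting MaxStartups 10)
    start=${starts%%:*}          # "10:30:60" -> 10, where early drop begins
    echo $(( start * 60 / grace ))
}

# ssh1_enabled CONFIG_TEXT: yes if Protocol still lists version 1
# (default assumed to be "2" here; old releases defaulted to "2,1").
ssh1_enabled() {
    proto=$(printf '%s' "$1" | sshd_setting Protocol 2)
    case ",$proto," in
        *,1,*) echo yes ;;
        *)     echo no ;;
    esac
}

for cfg in "$WEAK_CONFIG" "$HARDENED_CONFIG"; do
    printf 'ssh1=%s  connections/minute to saturate=%s\n' \
        "$(ssh1_enabled "$cfg")" "$(saturating_rate "$cfg")"
done
```

With the weak excerpt one stalled connection per minute is enough to keep all ten slots busy, which is why a flood of single-shot hosts could lock the owner out; the hardened excerpt needs twenty per minute, and the random early drop keeps some capacity for everyone else above that.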

  3. Peter G. Says:

    Just try the iptables module hashlimit, it works perfectly for my hosts:

    $iptables -A INPUT -i eth0 -p tcp -d $ip_eth0 --dport 22 \
    -m hashlimit --hashlimit 1/hour --hashlimit-mode srcip \
    --hashlimit-name ssh --hashlimit-burst 2 \
    -m state --state NEW -j ACCEPT
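The rule above only says what to ACCEPT; on its own it changes nothing unless a later rule (or the chain policy) drops the new SSH connections that exceed the budget. The script below, added by the editor and not the commenter's own, is a complete version: a per-source hashlimit in `srcip` mode, the DROP for sources over budget, and a global `-m limit` ceiling, which is the part that matters for the situation in the thread, where each host connects only once and a per-source limit is never reached. Interface, port and the rate values are placeholders to adjust; passing `echo` as the command prints the rules instead of installing them, which is also how the example runs without root.

```shell
#!/bin/sh
# Added example, not the commenter's script: rate-limit new SSH connections
# with iptables hashlimit, plus the two rules the single ACCEPT rule above
# relies on (a DROP for sources over budget, and a global ceiling for floods
# of single-shot sources).  Interface, port and limits are placeholders.
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
PER_SRC_RATE="${PER_SRC_RATE:-4/minute}"   # sustained new connections per source
PER_SRC_BURST="${PER_SRC_BURST:-3}"        # allowed at once before limiting kicks in
GLOBAL_RATE="${GLOBAL_RATE:-30/minute}"    # ceiling across all sources
GLOBAL_BURST="${GLOBAL_BURST:-60}"

# ssh_ratelimit_rules [IPTABLES_COMMAND]
# Pass "echo" to print the rules instead of installing them (dry run).
ssh_ratelimit_rules() {
    ipt="${1:-iptables}"

    # Dedicated chain; if it already exists, flush it so the script can be rerun.
    "$ipt" -N SSH_LIMIT 2>/dev/null || "$ipt" -F SSH_LIMIT

    # Only new TCP connections to the SSH port are examined.  Packets of
    # established sessions never reach these rules, so a login in progress is
    # not cut off.  (-m conntrack --ctstate NEW is the current spelling of the
    # -m state --state NEW used in the comment above.)
    "$ipt" -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j SSH_LIMIT

    # Per-source budget.  Sources within it RETURN to INPUT; older iptables
    # spells --hashlimit-upto as plain --hashlimit, as in the comment above.
    "$ipt" -A SSH_LIMIT -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
        --hashlimit-upto "$PER_SRC_RATE" --hashlimit-burst "$PER_SRC_BURST" -j RETURN

    # Everything else from that source is dropped; log a sample, not a flood.
    "$ipt" -A SSH_LIMIT -m limit --limit 5/minute -j LOG --log-prefix "ssh-ratelimit: "
    "$ipt" -A SSH_LIMIT -j DROP

    # Back in INPUT: cap the total rate of new SSH connections, so thousands of
    # hosts connecting once each cannot exhaust sshd either.  Dropped SYNs never
    # cause a fork, which is what keeps the "[accepted]" children bounded.
    "$ipt" -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m limit --limit "$GLOBAL_RATE" --limit-burst "$GLOBAL_BURST" -j ACCEPT
    "$ipt" -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j DROP
}

# Dry run; call with no argument (as root) to install.
ssh_ratelimit_rules echo
```

Two caveats. The rules have to sit before any general "accept port 22" rule in INPUT, or the excess is accepted anyway. And the global ceiling is a blunt instrument: during a flood it drops some legitimate attempts too, so size GLOBAL_RATE from the peak per-minute count in the log rather than guessing, and keep LoginGraceTime short so that the connections that do get through release their slots quickly.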
