Massive ssh annoyance

My logfiles are totally full of logged connection attempts to my servers. It looks like people are trying to exploit the ssh vulnerability which became known some days ago ("openssh denial of service CVE-2006-4924").

The logfiles are full of messages like:

Jul 26 08:03:29 wormhole sshd[14229]: Bad protocol version identification '\243\361^G\216\325\325\320\370k\301\3044\33134\374\350\274K21' from 71.202.54.119
Jul 26 08:03:35 wormhole sshd[14252]: Bad protocol version identification '\315yh$30\205\271\214\204\346k!' from 67.68.199.28
Jul 26 08:04:34 wormhole sshd[15445]: Bad protocol version identification '23BitTorrent protocol' from 87.89.44.247

I'm only guessing that this is an exploit of the SSH protocol version 1 vulnerabilities. However, these attacks are really massive, massive like:

# grep "Bad protocol" auth.log | wc -l
24404
# grep "Bad protocol.* from " auth.log | awk '{print $NF}' | sort | uniq | wc -l
4342
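The same tally, as an added example that is not part of the original post: a small POSIX shell script that pulls the source address out of every "Bad protocol version identification" line, counts rejected handshakes and distinct sources, and lists the repeat offenders. It reads a constructed sample log (the three addresses are the ones quoted above, the remaining lines are made up for the example) and takes the token after the last "from" on the line instead of the last field, so it also works with newer sshd versions that append "port N" to the message.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the
# "Bad protocol version identification" lines of an OpenSSH auth.log.
# Every function reads the log from stdin; the sample log is constructed.

# One line per rejected handshake, containing only the source address.
# sshd prints "... from <ip>" (newer versions append " port <n>"), so take
# the token after the last "from" on the line rather than the last field.
bad_protocol_sources() {
    grep 'Bad protocol version identification' |
        awk '{ for (i = NF; i > 1; i--) if ($i == "from") { print $(i+1); break } }'
}

# Number of rejected handshakes.
bad_protocol_total() {
    bad_protocol_sources | wc -l | tr -d ' '
}

# Number of distinct source addresses.
bad_protocol_unique() {
    bad_protocol_sources | sort -u | wc -l | tr -d ' '
}

# Sources with more than $1 hits, printed as "count ip", most active first;
# only these would ever be caught by a per-address blocklist.
bad_protocol_repeaters() {
    bad_protocol_sources | sort | uniq -c | sort -rn |
        awk -v min="$1" '$1 > min { print $1, $2 }'
}

# Constructed sample: three rejected handshakes from 71.202.54.119, one each
# from two other hosts, plus a successful login that must not be counted.
sample_log() {
    cat <<'EOF'
Jul 26 08:03:29 wormhole sshd[14229]: Bad protocol version identification '\243\361^G' from 71.202.54.119
Jul 26 08:03:35 wormhole sshd[14252]: Bad protocol version identification '\315yh$30' from 67.68.199.28
Jul 26 08:03:40 wormhole sshd[14260]: Accepted publickey for alex from 10.0.0.5 port 51022 ssh2
Jul 26 08:04:34 wormhole sshd[15445]: Bad protocol version identification '23BitTorrent protocol' from 87.89.44.247
Jul 26 08:05:01 wormhole sshd[15470]: Bad protocol version identification '\243\361^G' from 71.202.54.119
Jul 26 08:05:09 wormhole sshd[15488]: Bad protocol version identification '\243\361^G' from 71.202.54.119
EOF
}

# Stand-alone run over the constructed sample; replace sample_log with
# "cat /var/log/auth.log" for real data.
printf 'rejected=%s distinct_sources=%s\n' \
    "$(sample_log | bad_protocol_total)" "$(sample_log | bad_protocol_unique)"
sample_log | bad_protocol_repeaters 1
```

The ratio of the two counts is the thing to look at: with 24404 hits from 4342 sources, most addresses show up only a handful of times, which is why a per-address blocklist cannot keep up with this kind of traffic.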

I have SSH protocol version 1 disabled by default, so this is no real threat to me, but the scale of these attacks causes a DoS on my servers; the sshd is so busy that I, as a legitimate user, fail to log in every now and then:

$ ssh wormhole.ynfonatic.de
ssh_exchange_identification: Connection closed by remote host

And that's exactly the point where I get angry. However, this attack is distributed over the whole internet, so I can't filter on specific IP addresses. *sigh*

3 Responses to Massive ssh annoyance

  1. James, thanks for the hint, but unfortunately that doesn't help; every host seems to attack only once, so that would only lead to a massive shitlist on my INPUT chain's side.
    The real problem lies in openssh directly: instead of dropping the connection immediately after recognizing a bad protocol string, the connection seems to stay in status "accepted":
    # ps -ef | grep accepted
    root 16339 5367 0 21:12 ? 00:00:00 sshd: [accepted]
    root 16368 5367 0 21:12 ? 00:00:00 sshd: [accepted]

    That's the real problem. Those "accepted" sessions need to get dropped very soon. However, I found that the variable LoginGraceTime in my sshd_config was set to 600 seconds – I guess that is or was the Debian Sarge default value. I set it to 60 seconds, and now the situation has improved dramatically.
    However, if the attackers intensify their attack, I'll be lost again.
    Thanks for the hint anyway! I appreciate all hints.
    Alex.
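As an added illustration (not part of the comment above), here are the two sshd_config directives that decide how long and how many half-open, unauthenticated connections sshd keeps around. The first fragment shows the values the comment describes, the second a tighter set; the numbers are illustrative, not taken from the original page. MaxStartups in its start:rate:full form makes sshd refuse new unauthenticated connections with increasing probability once "start" are pending and refuse all of them at "full", which is exactly what produces the "ssh_exchange_identification: Connection closed by remote host" message from the post; lowering LoginGraceTime frees those slots sooner.

```text
# sshd_config, before: 600 s keeps every junk connection pending for ten
# minutes, and MaxStartups 10 (the OpenSSH default) stops accepting anyone
# once ten of them are waiting
Protocol 2
LoginGraceTime 600
MaxStartups 10

# sshd_config, after (illustrative values, not from the original page)
Protocol 2
# drop a connection that has not authenticated within 30 s
LoginGraceTime 30
# start:rate:full -- with 10 unauthenticated connections pending, refuse new
# ones with 30% probability, rising linearly to 100% at 60 pending
MaxStartups 10:30:60
```

Run `sshd -t` after editing to check the file for syntax errors before reloading the daemon; a typo in sshd_config would otherwise lock you out far more reliably than the scanners do.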

  2. Peter G. says:

    Just try the iptables module hashlimit, it works perfect for my hosts:

    # state first, so packets of established sessions don't drain the bucket
    $iptables -A INPUT -i eth0 -p tcp -d $ip_eth0 --dport 22 -m state --state NEW \
    -m hashlimit --hashlimit 1/hour --hashlimit-mode srcip \
    --hashlimit-name ssh --hashlimit-burst 2 -j ACCEPT
    # companion rule (added in editing): drop the new connections that
    # exceed the limit, unless the INPUT chain's policy is already DROP
    $iptables -A INPUT -i eth0 -p tcp -d $ip_eth0 --dport 22 -m state --state NEW -j DROP
