on mar 1st, 2007
tagged nerd, openbsd
i forget sometimes that i have my sshd brute force patch installed on all of my servers. that is, until i install a new server that doesn't have the patch.
i put openbsd on a sun netra x1 today and within 2 hours it was already being brute forced. of course, none of the authentications worked and i'm not worried about my actual passwords being discovered, but because i log everything to a central server and monitor it in real-time, it's annoying to see servers scrolling pages of crap for a long time.
the scan came in and hit other servers on my network that all have patched sshd:
Mar 1 16:00:01 moodswing sshd[813]: probed from 202.136.127.153 with SSH-2.0-libssh-0.1. Don't panic.
Mar 1 16:00:01 orion sshd[24728]: probed from 202.136.127.153 with SSH-2.0-libssh-0.1. Don't panic.
Mar 1 16:00:02 proxy sshd[15570]: probed from 202.136.127.153 with SSH-2.0-libssh-0.1. Don't panic.
then it hit the new, unpatched server a second later:
Mar 1 16:00:03 netra sshd[23979]: Failed password for root from 202.136.127.153 port 41030 ssh2
Mar 1 16:00:03 netra sshd[8674]: Received disconnect from 202.136.127.153: 11: Bye Bye
Mar 1 16:00:06 netra sshd[11530]: Invalid user fluffy from 202.136.127.153
Mar 1 16:00:06 netra sshd[5183]: input_userauth_request: invalid user fluffy
Mar 1 16:00:06 netra sshd[11530]: Failed password for invalid user fluffy from 202.136.127.153 port 42721 ssh2
Mar 1 16:00:06 netra sshd[5183]: Received disconnect from 202.136.127.153: 11: Bye Bye
Mar 1 16:00:08 netra sshd[30142]: Invalid user admin from 202.136.127.153
Mar 1 16:00:08 netra sshd[30577]: input_userauth_request: invalid user admin
Mar 1 16:00:08 netra sshd[30142]: Failed password for invalid user admin from 202.136.127.153 port 43739 ssh2
Mar 1 16:00:09 netra sshd[30577]: Received disconnect from 202.136.127.153: 11: Bye Bye
Mar 1 16:00:10 netra sshd[2002]: Invalid user test from 202.136.127.153
[...]
as soon as i noticed this starting, i realized that sshd wasn't patched and fetched the src/usr.bin/ssh/ tree from cvs, applied my patch, and compiled sshd. the netra is only 500mhz so it took a while to compile, but as soon as it finished and installed, the brute force script was rejected before authentication on its next attempt and it moved on to another ip off of my network.
[... 400 lines of failed authentications ...]
Mar 1 16:07:13 netra sshd[5976]: Invalid user Zmeu from 202.136.127.153
Mar 1 16:07:13 netra sshd[6331]: input_userauth_request: invalid user Zmeu
Mar 1 16:07:13 netra sshd[5976]: Failed password for invalid user Zmeu from 202.136.127.153 port 27725 ssh2
Mar 1 16:07:13 netra sshd[6331]: Received disconnect from 202.136.127.153: 11: Bye Bye
Mar 1 16:07:16 netra sshd[10886]: Failed password for root from 202.136.127.153 port 28948 ssh2
Mar 1 16:07:16 netra sshd[3969]: Received disconnect from 202.136.127.153: 11: Bye Bye
Mar 1 16:07:17 netra sudo: jcs : TTY=ttyp0 ; PWD=/usr/src/usr.bin/ssh/sshd ; USER=root ; COMMAND=/usr/bin/make install
Mar 1 16:07:19 netra sshd[22962]: probed from 202.136.127.153 with SSH-2.0-libssh-0.1. Don't panic.
and all was quiet again.
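the post's setup, every host logging to one central syslog box, is what makes the sweep visible: the same source address shows up on four hosts within two seconds, rejected pre-auth on the patched ones and chewing through usernames on the unpatched one. the script below is an added example, not code from this post or from openbsd, that does that correlation over the lines quoted above. it assumes stock openssh wording for "Failed password" and "Invalid user" lines plus the "probed from ... Don't panic." line the patched sshd emits; the year (2007) and the benign 10.0.0.5 line at the end of the sample are constructed, since syslog omits the year and the post shows only the attacker's traffic.

```python
"""Correlate sshd log lines from many hosts by source address.

Added example for this post, not code from the post or from OpenBSD.
Assumes stock OpenSSH syslog wording for failed logins plus the
"probed from ... Don't panic." line that the post's patched sshd emits.
"""
import re
from collections import defaultdict
from datetime import datetime

# syslog timestamps carry no year; the post is dated 2007 (assumption)
LOG_YEAR = 2007

# Constructed sample: a subset of the lines quoted in the post, one entry
# per line as a central syslog host would store them, plus one constructed
# benign failure from a private address so the threshold has a negative case.
SAMPLE_LOG = """\
Mar 1 16:00:01 moodswing sshd[813]: probed from 202.136.127.153 with SSH-2.0-libssh-0.1. Don't panic.
Mar 1 16:00:01 orion sshd[24728]: probed from 202.136.127.153 with SSH-2.0-libssh-0.1. Don't panic.
Mar 1 16:00:02 proxy sshd[15570]: probed from 202.136.127.153 with SSH-2.0-libssh-0.1. Don't panic.
Mar 1 16:00:03 netra sshd[23979]: Failed password for root from 202.136.127.153 port 41030 ssh2
Mar 1 16:00:06 netra sshd[11530]: Invalid user fluffy from 202.136.127.153
Mar 1 16:00:06 netra sshd[11530]: Failed password for invalid user fluffy from 202.136.127.153 port 42721 ssh2
Mar 1 16:00:08 netra sshd[30142]: Invalid user admin from 202.136.127.153
Mar 1 16:00:08 netra sshd[30142]: Failed password for invalid user admin from 202.136.127.153 port 43739 ssh2
Mar 1 16:00:10 netra sshd[2002]: Invalid user test from 202.136.127.153
Mar 1 16:30:00 netra sshd[4242]: Failed password for alice from 10.0.0.5 port 50000 ssh2
"""

# "Mon  d HH:MM:SS host sshd[pid]: message" -- \s+ tolerates the double
# space syslog puts before single-digit days
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# message bodies: the patched pre-auth rejection, then two stock OpenSSH lines
MSG_PATTERNS = {
    "probed": re.compile(r"probed from (?P<ip>[\d.]+) with (?P<banner>\S+)\. Don't panic\."),
    "failed": re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"),
    "invalid": re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$"),
}


def parse_line(line):
    """Return an event dict for an sshd line we understand, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for kind, pat in MSG_PATTERNS.items():
        body = pat.match(m["msg"])
        if body:
            when = datetime.strptime(
                f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
            event = {"when": when, "host": m["host"], "kind": kind}
            event.update(body.groupdict())  # adds ip, and user or banner
            return event
    return None


def summarize(lines):
    """Group parsed events by source address across every reporting host."""
    by_ip = defaultdict(lambda: {"hosts": set(), "users": set(), "banners": set(),
                                 "probed": 0, "failed": 0, "invalid": 0, "failed_at": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = by_ip[ev["ip"]]
        s["hosts"].add(ev["host"])
        s[ev["kind"]] += 1
        if "user" in ev:
            s["users"].add(ev["user"])
        if "banner" in ev:
            s["banners"].add(ev["banner"])
        if ev["kind"] == "failed":
            s["failed_at"].append(ev["when"])
    return by_ip


def _burst(times, count, window_seconds):
    """True if `count` timestamps fall inside any span of `window_seconds`."""
    times = sorted(times)
    for i in range(len(times) - count + 1):
        if (times[i + count - 1] - times[i]).total_seconds() <= window_seconds:
            return True
    return False


def brute_force_sources(lines, min_failures=3, window_seconds=60, min_hosts=2):
    """Source addresses worth acting on: a burst of password failures on one
    host, or one address seen (rejected or failing) on several hosts, i.e. a sweep."""
    flagged = []
    for ip, s in summarize(lines).items():
        sweep = len(s["hosts"]) >= min_hosts
        burst = _burst(s["failed_at"], min_failures, window_seconds)
        if sweep or burst:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    summary = summarize(lines)
    for ip in brute_force_sources(lines):
        s = summary[ip]
        print(f"{ip}: {len(s['hosts'])} hosts, {s['probed']} rejected pre-auth, "
              f"{s['failed']} failed passwords, users tried: {sorted(s['users'])}")
```

the sweep rule is the one that fires first in the post's timeline: three patched hosts reject 202.136.127.153 at 16:00:01-02, before the netra has logged a single password failure, so the central log already knows an unpatched box is about to get the same treatment. the burst rule covers a single unpatched host on its own.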