0x00 Preface
SSH is a reliable protocol that secures remote login sessions and other network services by encrypting the session data in transit. An SSH password that is short or not complex enough (for example, one containing only digits or only letters) is easy for an attacker to guess. Once the password is obtained, the attacker can log in to the system directly and gain full control of the server.
0x01 Emergency Scenario
One day, while logging in to the server for a routine inspection, the website administrator noticed two suspicious entries in the list of port connections, as shown in the following figure:
- TCP establishes a connection with a three-way handshake: the client sends a SYN packet, the server replies with a SYN/ACK packet, and the client then sends an ACK packet. One subtlety is that, from the requester's point of view, the connection counts as established as soon as it receives the SYN/ACK packet, not only once the third handshake packet has been sent.
- TCP state transitions for the client: CLOSED -> SYN_SENT -> ESTABLISHED -> FIN_WAIT_1 -> FIN_WAIT_2 -> TIME_WAIT -> CLOSED
- TCP state transitions for the server: CLOSED -> LISTEN -> SYN_RECV -> ESTABLISHED -> CLOSE_WAIT -> LAST_ACK -> CLOSED
- Before the client connects, the server is in the LISTEN state. When the client's SYN arrives, the server replies with SYN/ACK and moves to SYN_RECV; it only moves to ESTABLISHED once it receives the client's final ACK. If that ACK never arrives, the connection stays in SYN_RECV. In this case, two connections to the SSH port (22) from external IP addresses stuck in SYN_RECV told the administrator at a glance that something was wrong.
0x02 Analyzing Logs
Because the SSH port shows abnormal connections, the first thing to check is the system's accounts:
A. System accounts
1. Accounts with UID 0 (privileged accounts):
```
[root@localhost ~]# awk -F: '$3==0{print $1}' /etc/passwd
root
```
2. Accounts that can log in remotely (entries in /etc/shadow with an MD5 `$1$` or SHA-512 `$6$` password hash set):
```
[root@localhost ~]# awk '/\$1|\$6/{print $1}' /etc/shadow
root:$6$38cKfZDjsTiUe58V$FP.UHWMObqeUQS1Z2KRj/4EEcOPi.6d1XmKHgK3j3GY9EGvwwBei7nUbbqJC./qK12HN8jFuXOfEYIKLID6hq0::0:99999:7:::
```
We can confirm that the system currently has only one administrative user, root.
Next, we turn to /var/log/secure, the log file that records authentication and authorization events for every program that handles accounts and passwords.
B. Confirming the attack:
1. Counting the log entries shows about 126,254 failed logins, which confirms that the server is being brute-forced:
```
[root@localhost ~]# grep -o "Failed password" /var/log/secure | uniq -c
126254 Failed password
```
2. Print the first and last failed attempt to establish the time range of the brute-force attack:
```
[root@localhost ~]# grep "Failed password" /var/log/secure | head -1
Jul 8 20:14:59 localhost sshd[14323]: Failed password for invalid user qwe from 111.13.xxx.xxx port 1503 ssh2
[root@localhost ~]# grep "Failed password" /var/log/secure | tail -1
Jul 10 12:37:21 localhost sshd[2654]: Failed password for root from 111.13.xxx.xxx port 13068 ssh2
```
3. Which source IP addresses are doing the brute forcing, and how many attempts each made (the IPs are sorted before `uniq -c`, since `uniq` only collapses adjacent duplicates):
```
[root@localhost ~]# grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr
12622 23.91.xxx.xxx
8942 114.104.xxx.xxx
8122 111.13.xxx.xxx
7525 123.59.xxx.xxx
...
```
4. Which user names are in the brute-force dictionary:
```
[root@localhost ~]# grep "Failed password" /var/log/secure | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n"; }' | sort | uniq -c | sort -nr
9402 root
3265 invalid user oracle
1245 invalid user admin
1025 invalid user user
...
```
C. Recent administrator logins:
1. Date, user name and IP address of each successful login:
```
[root@localhost ~]# grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'
Jul 9 09:38:09 root 192.168.143.100
Jul 9 14:55:51 root 192.168.143.100
Jul 10 08:54:26 root 192.168.143.100
Jul 10 16:25:59 root 192.168.143.100
...
```
Analysis of these login records shows no abnormal login time or source IP address.
2. While we are at it, statistics of the IP addresses behind successful logins:
```
[root@localhost ~]# grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
27 192.168.204.1
```
The log analysis shows that the attacker tried a large number of user names in a brute-force attack, but the administrator's recent login records contain no abnormal login. Whether the web server was compromised by some other route still needs further investigation, which is not covered here.
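The statistics that the grep/awk/perl pipelines above compute, done in one Python pass over the log, as an added example that is not part of the original post. The log lines and TEST-NET addresses are constructed, and the `threshold` for flagging a source as a brute-force origin is an assumption; "invalid user" is captured separately so the user-name count does not mix "root" with "invalid user root".

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (not from the original post);
# the addresses are documentation (TEST-NET) ranges, not real attacker IPs.
SAMPLE_LOG = """\
Jul  8 20:14:59 localhost sshd[14323]: Failed password for invalid user qwe from 203.0.113.5 port 1503 ssh2
Jul  8 20:15:01 localhost sshd[14325]: Failed password for root from 203.0.113.5 port 1504 ssh2
Jul  8 20:15:03 localhost sshd[14327]: Failed password for invalid user oracle from 198.51.100.7 port 2201 ssh2
Jul  9 09:38:09 localhost sshd[15001]: Accepted password for root from 192.168.143.100 port 50122 ssh2
Jul  9 10:02:11 localhost sshd[15100]: Failed password for root from 203.0.113.5 port 1510 ssh2
Jul 10 12:37:21 localhost sshd[2654]: Failed password for root from 198.51.100.7 port 13068 ssh2
"""

# One regex for both outcomes; the optional "invalid user " prefix is its own
# group so that user names are counted without that prefix attached.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def analyze(log_text, threshold=3):
    """Failure count, time range, top IPs/users, accepted logins and flagged sources."""
    failed = []
    accepted = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd lines (session opened, disconnects, ...)
        rec = m.groupdict()
        rec["invalid"] = rec["invalid"] is not None
        (failed if rec["result"] == "Failed" else accepted).append(rec)
    by_ip = Counter(r["ip"] for r in failed)
    by_user = Counter(r["user"] for r in failed)
    return {
        "failed_total": len(failed),
        "first_failure": failed[0]["ts"] if failed else None,
        "last_failure": failed[-1]["ts"] if failed else None,
        "top_ips": by_ip.most_common(),
        "top_users": by_user.most_common(),
        "invalid_user_attempts": sum(r["invalid"] for r in failed),
        "accepted": [(r["ts"], r["user"], r["ip"]) for r in accepted],
        # threshold is an assumption; tune it to the host's normal traffic
        "brute_force_sources": [ip for ip, n in by_ip.items() if n >= threshold],
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real file with `analyze(open("/var/log/secure").read())`; lines that do not match the two patterns are skipped rather than miscounted.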
0x04 Handling Measures
SSH brute-force attacks are still very common. The measures for protecting a server against them are summarized as follows:
1. Do not expose the management port to the public network. If it must be exposed, restrict the IP addresses allowed to reach it and strengthen password security auditing.
2. Change the server's default SSH port.
3. Deploy intrusion detection equipment to strengthen protection.
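Measures 1 and 2 expressed as sshd_config settings, with the weak default beside the hardened version; this is an added example, not configuration from the original post. The port number 2222, the user name `admin` and the management network 192.168.143.0/24 are assumptions, and the switch to key-only authentication goes one step beyond the password auditing the list asks for.

```sshd_config
# --- Weak defaults: root logs in with a password on the well-known port,
# --- from anywhere, with no limit on guesses per connection.
Port 22
PermitRootLogin yes
PasswordAuthentication yes

# --- Hardened: move off the default port (measure 2), keep root off SSH
# --- entirely, cap guesses, and only accept the admin user from the
# --- management network (measure 1). Values are assumptions for this example.
Port 2222
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers admin@192.168.143.0/24
```

Restart sshd only after testing the new settings with `sshd -t` and while keeping the current session open, so a typo cannot lock you out.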
That is all Cicada sister has to share for today; tomorrow we continue with "Chapter 2: Capturing short connections".