Bogus "account hacked" message

Grant Taylor cctalk at gtaylor.tnetconsulting.net
Tue Jan 8 21:42:28 CST 2019 

On 1/8/19 7:56 PM, Jon Elson via cctalk wrote:
> Interesting observation I made a few years ago.  I run a web store, and 
> was being inundated with ssh login attempts. About 1000/day!  I decided 
> this was serious, they'd eventually get lucky.

It's really hard for them to get lucky if you don't allow password based 
authentication.  ;-)

It's also even harder for them to get lucky if you move your SSH daemon 
to an alternate port and / or put it behind port knocking / single 
packet authorization.  }:-)

> So, searching available software, I found denyhosts.  It checks the logs 
> for login failures, and after a set threshold, it puts the source IP 
> into the hosts.deny list, and your machine effectively disappears from 
> that source IP's view.

Yes and no.  DenyHosts is a useful tool.  But hosts.deny / hosts.allow 
is TCP Wrappers.  Your services needs to both support and be configured 
to use TCP Wrappers.  Not everything is compiled with support for, or 
configured to use, TCP Wrappers.

I personally prefer to add reject route and enable reverse path 
filtering.  That operates at a lower level and protects EVERYTHING on 
the system without requiring any feature, like TCP Wrappers.

> I set the rules very strictly, so that after 3 login failures over a 2 
> month span, that IP was blocked for a year.  Something very interesting 
> happened.

I think that your rule logic could just as easily be applied to reject 
routes.

> The number of attempts did not diminish immediately, as the botnets had 
> a large number of compromised machines.  But, suddenly, two weeks to the 
> EXACT HOUR when I set up denyhosts, the attacks dropped from 1000/day to 
> 3!  Just like flipping a switch!

Intriguing.

> So, these hackers have a dark net list somewhere where they trade IP 
> addresses of machines they would like to hack, and what they can figure 
> out about the security measures implemented on them.  When they have 
> demonstrated by coordinated attempts that your lockout horizon is over 
> two weeks, they put out the word that your site is not going to bear 
> any fruit.

Yep.  Black hats communicate with each other just like white hats do.

Of course, it could have been one bot-net & bot-herder too.  I've heard 
tell of bots that 300,000 bots.

> I currently have 9000-some blocked IPs in hosts.deny, I wonder how much 
> that slows down my store.

I doubt much at all.

(Assuming that your web server supports and is using TCP Wrappers.)

> Ugh, the stuff we are forced to go through.

Yep.  Oy Vey comes to mind.



-- 
Grant. . . .
unix || die

More information about the cctalk mailing list