Linux Emergency Response (I): SSH Brute Force Cracking

Posted by tzul at 2020-02-28

SSH is a reliable protocol that provides security for remote login sessions and other network services. It is mainly used to encrypt the data of remote login sessions and ensure the security of data transmission. If the SSH password is too short or not complex enough, for example containing only digits or only letters, it is easy for an attacker to crack. Once the attacker obtains it, it can be used to log in to the system directly and take full control of the server.

One day, when the webmaster logged in to the server for a routine inspection, he found two suspicious connection records among the port connections, as shown in the following figure:

TCP establishes a connection with a three-way handshake: the requester sends a SYN packet, the server returns a SYN/ACK packet, and the requester sends an ACK packet, after which the connection is formally established. There is one subtlety here: the requester considers the connection open as soon as it receives the SYN/ACK packet, whereas on the server side the connection is only established after the requester's third handshake packet (the ACK).

Client TCP state migration:


Server TCP state migration:


Before the client connects, the server is in the LISTEN state. When the server receives the client's SYN packet and replies with an ACK, it moves to the SYN_RECV state. If the client's final ACK never arrives, the server does not enter the ESTABLISHED state and remains in SYN_RECV.

Here, two external IP addresses have connections to the SSH port (22) in the SYN_RECV state, which immediately tells the administrator that something abnormal is going on.

Since the SSH port is abnormal, we first need to understand the system accounts:

A. System account

We can confirm that there is currently only one administrative user, root, on the system. Next, we turn to /var/log/secure, which records authentication and authorization information: any program that handles accounts and passwords leaves a record there.

B. Confirm the attack:

C. Recent login of administrator:

Log analysis shows that the attacker tried a large number of user names in a brute force attack, but the administrator's recent login records show no abnormal login, so the website server needs to be investigated further for intrusion, which is not covered here.
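The log analysis described in steps B and C above, as an added example that is not part of the original post: the script runs over a constructed sample of /var/log/secure lines (the host name, IP addresses and timestamps are made up), counts failed logins per source IP, lists the user names an IP sprayed, lists accepted logins so they can be compared with the administrator's known sessions, and flags any source that failed repeatedly and then succeeded. Set SECURE_LOG to a real log path to run it against a live system.

```shell
#!/bin/sh
# Use the real log if SECURE_LOG is set; otherwise write a constructed sample.
if [ -z "$SECURE_LOG" ]; then
    SECURE_LOG="/tmp/secure.sample.$$"
    cat > "$SECURE_LOG" <<'EOF'
Feb 28 10:01:02 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Feb 28 10:01:03 web01 sshd[2102]: Failed password for invalid user oracle from 203.0.113.5 port 51123 ssh2
Feb 28 10:01:04 web01 sshd[2103]: Failed password for root from 203.0.113.5 port 51124 ssh2
Feb 28 10:01:05 web01 sshd[2104]: Failed password for root from 198.51.100.9 port 40001 ssh2
Feb 28 10:02:00 web01 sshd[2110]: Accepted password for root from 192.0.2.10 port 53000 ssh2
Feb 28 10:05:00 web01 sshd[2120]: Accepted password for root from 203.0.113.5 port 51200 ssh2
EOF
fi

# Step B: failed logins per source IP, busiest source first ("count ip" per line).
failed_by_ip() {
    grep 'Failed password' "$SECURE_LOG" \
        | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' \
        | sort | uniq -c | sort -rn
}

# Step B: distinct user names tried from one source IP ($1), handling both the
# "invalid user NAME" and the plain "for NAME" forms sshd writes.
users_tried_by() {
    grep 'Failed password' "$SECURE_LOG" | grep -F " from $1 " \
        | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from.*/\2/p' \
        | sort -u
}

# Step C: accepted logins as "user ip", to compare with the administrator's known sessions.
accepted_logins() {
    grep 'Accepted' "$SECURE_LOG" \
        | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i-1), $(i+1)}'
}

# Source IPs that failed repeatedly and later succeeded: the brute force worked.
cracked_from() {
    failed_by_ip | awk '{print $2}' | sort > "/tmp/failed.$$"
    accepted_logins | awk '{print $2}' | sort -u > "/tmp/ok.$$"
    comm -12 "/tmp/failed.$$" "/tmp/ok.$$"
    rm -f "/tmp/failed.$$" "/tmp/ok.$$"
}
```

On the sample, 203.0.113.5 tried admin, oracle and root and later logged in as root, which is exactly the pattern that should trigger the deeper investigation the post mentions.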

SSH brute force attacks are still very common. How to protect the server from brute force attacks is summarized

This article was originally published by Bypass. Please keep the source when reprinting. You are welcome to follow my personal WeChat official account, Bypass--, for more articles.


About Me

A network security enthusiast with a paranoid pursuit of technology, committed to sharing original, high-quality practical content, including but not limited to penetration testing, WAF bypass, code audit, and security operations and maintenance.