Linux News Today features the latest news from the global Linux community.

Brute-force attacks against Linux servers rising


May 16, 2008

According to the SANS Internet Storm Center, in the last few weeks, brute-force attacks against Linux SSH servers have increased sharply, especially since May 10.

Most experts agree that Linux servers are more secure against the viruses and trojans that can severely infect a Windows system, but running Linux still provides little or no protection against the type of brute-force assaults that were analyzed by SANS in the past week alone.

The Internet Storm Center experimented by setting up three 'Linux honeypots' in three separate locations, with one server located on a college campus, one in a small business and one at a residence on a DSL Internet connection. 'Honeypot' is a term used by Internet security experts to describe a server that was set up specifically to 'trap' potential attackers and analyze their actions.

Honeypots can be set up on Linux servers as well as on those running Windows. The sudden jump in SSH attacks merits a re-examination of how Linux servers should be properly secured.

Jim Owens and Jeanna Matthews of the Department of Computer Science at Clarkson University have published a paper on the various methods that such attacks frequently employ and on the best ways to defeat them.

Overall data from the three Linux servers used in these tests suggests that brute-force attackers often attempt to authenticate as "root". Attacks with this username accounted for over 25.6 percent of the total login attempts observed.

The password chosen often matched the login, or was a simple derivative of the login. When put side by side, the list of attempted passwords for each of the three honeypots shows a surprising amount of correlation.

On average, 12 of the top 20 password attempts were shared between all three servers, while a further 5 were shared between 2 servers.

The very high prevalence of shared passwords led the two computer scientists to conclude that the attacks were launched using a common set of at least 5 attack dictionaries. Some of these dictionaries include strong passwords, and the authors recommend actively considering the listings of popular attack dictionaries when selecting passwords.

If you or your company own and manage a Linux SSH server that you want to secure from potential brute-force attacks, Owens and Matthews recommend taking several steps. First, all passwords should be strong, usernames should be non-obvious, and SSH logins for the root account should be completely disabled.

Owens and Matthews also recommend running the SSH server on a non-standard high port, though they recognize that this could be called a security-through-obscurity method. They also advocate the use of software capable of parsing log files and noting multiple failed login attempts.

Taken in aggregate, such safety measures should usually be sufficient to protect a Linux server, even if the number of attacks continues to rise in the coming weeks.

In the past year alone, brute-force attacks on Web servers have evolved considerably, and the trend seems to be accelerating. The very words "brute force" may conjure an image of a dangerous barbarian hacking away with an axe, but modern Internet assaults more closely resemble the careful actions of a thief attempting to avoid detection while picking a door lock.

Recent evidence suggests that some would-be hackers are now attacking via botnets, launching just a handful of login attempts per IP address in order to avoid triggering intrusion-detection software. This new attack variant is referred to as a slow-motion brute-force attack, and researchers expect to see more of them as hackers refine the process.
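The log-parsing defence recommended above, extended to the slow-motion variant, as an added example that is not from the original article or from the Owens and Matthews paper: a per-IP failure counter misses a botnet that spends one guess per address, so the sketch also counts distinct quiet sources per targeted account. The log lines are constructed in OpenSSH's "Failed password" syslog format; the function names and thresholds are assumptions, and the whole log is treated as a single time window.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format (documentation IP ranges, not SANS data).
SAMPLE_LOG = "\n".join(
    # One source hammering root: the pattern a per-IP counter catches.
    [f"May 12 03:10:0{i} host sshd[2101]: Failed password for root "
     f"from 192.0.2.10 port 4002{i} ssh2" for i in range(6)]
    # Five sources, one guess each at the same account: the slow-motion pattern.
    + [f"May 12 0{i}:15:00 host sshd[31{i}0]: Failed password for invalid user admin "
       f"from 198.51.100.{i} port 51000 ssh2" for i in range(1, 6)]
    + ["May 12 09:00:00 host sshd[4000]: Accepted password for alice "
       "from 203.0.113.7 port 52000 ssh2",
       "May 12 09:05:00 host sshd[4001]: Failed password for alice "
       "from 203.0.113.7 port 52001 ssh2"]
)

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(log_text):
    """Return a (username, source_ip) pair for every failed-password line."""
    matches = (FAILED.search(line) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def noisy_sources(failures, per_ip_threshold=5):
    """Per-IP check: sources whose own failure count reaches the threshold."""
    counts = defaultdict(int)
    for _user, ip in failures:
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= per_ip_threshold}

def distributed_targets(failures, min_sources=4, per_ip_threshold=5):
    """Per-account check: accounts failing from many IPs that each stay quiet."""
    loud = noisy_sources(failures, per_ip_threshold)
    sources = defaultdict(set)
    for user, ip in failures:
        if ip not in loud:
            sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("per-IP alerts:", noisy_sources(failures))
    print("per-account alerts:", distributed_targets(failures))
```

On a real server the same two counts would be kept over a sliding time window rather than over the whole file.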

Source: The SANS Internet Storm Center.


This article was featured on Tech Blog and Business 5.0.
