Page 35 - index
P. 35
Easily guessable passwords like “admin12345”, “posadmin” and “qwerty”, are also used far too
often, and make an attacker’s job a lot easier. For example, in a Linux server machine you can
find the names used in failed SSH login attempts by running this command:
grep input_userauth_request /var/log/auth.log
input_userauth_request: invalid user admin [preauth]
input_userauth_request: invalid user blank [preauth]
input_userauth_request: invalid user guest [preauth]
input_userauth_request: invalid user iclock [preauth]
input_userauth_request: invalid user ftpuser [preauth]
input_userauth_request: invalid user support [preauth]
input_userauth_request: invalid user operator [preauth]
input_userauth_request: invalid user ubnt [preauth]
input_userauth_request: invalid user default [preauth]
Additionally, you can get information on connections not related to login attempts, such as port
scanning:
grep "identification string" /var/log/auth.log
Did not receive identification string from IP1
Did not receive identification string from IP2
Did not receive identification string from IP3
Did not receive identification string from IP4
There are a handful of tools available designed to leverage log entries to deny access by
dynamically changing firewall rules based on suspicious activity. A good example is Fail2ban (a
Unix-based tool), which checks for practically any service that writes information about failed
login attempts to a log file.
Bolting the Doors to Prevent Brute-Force Attacks
Over the years, a fairly common technique called Port Knocking has been implemented to
protect against brute force attacks by disabling port scanning in the server machine. Port
Knocking consists of closing all the ports of the server using firewall configurations while
opening some ports based on a specific series of connections attempts (“knocks”) sent by the
user—think of it as opening the door only after the third knock.
There had been some discussions in the industry about whether or not this technique falls into
the category of “security through obscurity”. Despite the different opinions on this, the reality is
that Port Knocking is another authentication mechanism with some important drawbacks:
• Single password authentication mechanism: all the users will be using the same
password to open the ports and even though passwords can be changed, there is no
easy way for the users to do so.
35 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide