# new SSH botnet



## jb_fvwm2 (Feb 11, 2022)

arstechnica.com article on worldwide ssh botnet, over 1500 machines hacked.


----------



## sko (Feb 11, 2022)

> FritzFrog spreads by scanning the Internet for SSH servers, and when it finds one, it attempts to log in using a list of credentials.



and again, everybody: don't  use  password  based  logins  for  ssh


----------



## drhowarddrfine (Feb 11, 2022)

> “These points of evidence, while not damning, lead us to believe a possible link exists to an actor operating in China or an actor masquerading as Chinese,” Akamai researchers wrote.



Better idea. Quit doing business with China.


----------



## sko (Feb 11, 2022)

drhowarddrfine said:


> Better idea. Quit doing business with China.


Yes, this will definitely stop botnets from attacking your servers.


----------



## drhowarddrfine (Feb 11, 2022)

sko It just seems that too many bad things like this come out of China. Yes, elsewhere, too, but too much from a supposedly developed country that wants to play with the rest of the world. And here we are buying goods from them and letting them manufacture our stuff and let them insert malware into routers and everything else.

The way you teach such places a lesson is you don't play with them anymore.

And this is a fantastic opportunity for others to up their game and make a name for themselves. Mexico! Brazil! Where are you? Or are you too busy with the drug trade? Ohio just got billions from Intel to start up a fab plant!

Sorry but all this is on the edge of political and I don't mean it to be. It's a business point of view, not political.


----------



## sko (Feb 11, 2022)

The same "logic" applies to several other countries and their (e.g. 3-letter) agencies.
Also following your logic: The OS that is BY FAR the single biggest factor in the existence and spread of malware comes from a US-based company...
And: A lot of botnets and spam waves also originate from clouds operated by US-based companies as well as e.g. Europe-based ones like OVH. Heck, I've even seen ongoing credential stuffing attacks from UK or Sweden based prefixes. Our mailservers once had a small wave of attempted logins from a few IPs in Switzerland. I could go on like this for quite a while - the point is: Those are bots - they don't care about trivia like geography. They just find badly configured/maintained machines and infect them. The end.
Just look at population numbers and it's clear why a lot of botnets seem to concentrate on a few countries where "accidentally" a major percentage of the world population lives.

I don't mean to defend anyone here - I just can't stand it when the stupidity and/or malice of a few individuals are generalized and reduced to a stereotypical prejudice about nationality/ethnicity/colour/belief etc... I don't know, maybe that's because I'm just old enough to have witnessed the last few years of the old internet-culture (mainly in IRC and usenet) that went by the standards of "I don't care where you live, how you look or what you believe - I just care about what you do, how you use your skills and how you treat other beings", but I still go by that standard.


And sorry to everyone else for dragging this thread so far off topic


----------



## hardworkingnewbie (Feb 11, 2022)

drhowarddrfine said:


> sko It just seems that too many bad things like this come out of China. Yes, elsewhere, too, but too much from a supposedly developed country that wants to play with the rest of the world. And here we are buying goods from them and letting them manufacture our stuff and let them insert malware into routers and everything else.
> 
> The way you teach such places a lesson is you don't play with them anymore.


Based on your profile you are hailing from the USA.

According to the nifty stats provided by Spamhaus you are in for a nasty surprise:






Congratulations, America is the worst spam enabling country on the globe by a long shot!

In terms of botnet countries 3rd place - there's definitely room for growth:




But - hooray - the worst botnet ISP on the globe already is American, it's Amazon!




Aside from that: are you aware of TAO by the NSA? It might be that Chinese hardware is not to be trusted, but the same does apply to American as well. Buying American network equipment instead of Chinese is basically just replacing Chinese spyware stuff with NSA spyware stuff. In fact it's hard to prove the trustworthiness of any of today's hardware at all due to its complexity and complicated supply chains.

And the reason why China is producing so much stuff for us is that our companies wanted to make more profit, so they moved many jobs there. This is nothing we can blame China for, but only ourselves. And in the end this is just how capitalism works.

And as a matter of fact Canada is trying to attract new tech companies, which think Silicon Valley is too expensive, right now - successfully. Cities like Vancouver, Edmonton, Toronto, Montreal and Ottawa have got their fair share of such companies.


----------



## sko (Feb 11, 2022)

hardworkingnewbie
the second and third statistics you've mentioned would look different if Microsoft hadn't enforced not being listed with some of their ASNs in such statistics after this: https://www.theregister.com/2021/10/18/microsoft_malware_brand/

Just 2 days after articles like that one on el reg surfaced, Microsoft's US-based ASNs mysteriously vanished from all urlhaus stats and haven't been listed since: https://urlhaus.abuse.ch/statistics/#avg_takedown


----------



## drhowarddrfine (Feb 11, 2022)

hardworkingnewbie said:


> America is the worst spam enabling country on the globe



Except I'm not talking about spam


----------



## SirDice (Feb 11, 2022)

drhowarddrfine said:


> Except I'm not talking about spam


Spam is typically sent through malware infected hosts. It's what these botnets generally do, besides being a platform for DDoS attacks.


----------



## drhowarddrfine (Feb 11, 2022)

Yes but I'm talking about malicious bots that take down or control or steal information from servers as the article above is about


----------



## SirDice (Feb 11, 2022)

drhowarddrfine said:


> Yes but I'm talking about malicious bots that take down or control or steal information from servers as the article above is about


This specific malware could also be used to proxy spam. It's also modular, meaning they can add/remove functionality.


----------



## sko (Feb 11, 2022)

SirDice said:


> This specific malware could also be used to proxy spam. It's also modular, meaning they can add/remove functionality.


Sounds a lot like some of the state-funded malware like the "Staatstrojaner" they still desperately want here in Germany...

So we are pretty much still at "yes, we are also bad, but they are bad in a slightly different way" - regardless of who is pointing at whom.


----------



## grahamperrin@ (Feb 12, 2022)

sko said:


> … I just can't stand it when the stupidity and/or malice of a few individuals are generalized and reduced to a stereotypical prejudice about nationality/ethnicity/colour/belief etc…



Thank you.



sko said:


> … maybe that's because I'm just old enough to have witnessed the last few years of the old internet-culture (mainly in IRC and usenet) that went by the standards of "I don't care where you live, how you look or what you believe - I just care about what you do, how you use your skills and how you treat other beings", but I still go by that standard. …



sko probably also because you're not stupid.


----------



## drhowarddrfine (Feb 12, 2022)

sko said:


> Also following your logic: The OS that is BY FAR the single biggest factor in the existence and spread of malware comes from a US-based company...


I just noticed this. You are confusing where the base product is made with where malware comes from. You can't blame the US for drunk driving accidents in France just cause they drive a Ford. In the same way, you are blaming the US for malware because some other country uses Windows to serve malware.


----------



## eternal_noob (Feb 12, 2022)

Snowden taught us that the NSA is the worst hacker around the globe. It's just hypocritical to blame China.


----------



## drhowarddrfine (Feb 12, 2022)

eternal_noob Again, we're not talking about the same thing. You are talking government initiated spying. Malware used for nefarious take downs by individuals as hackers is not the same thing.

EDIT: A quick Google search seems to show that China does far more such things, and causes far more disruption, than any other country but I'll have no more to say about this.


----------



## Vull (Feb 12, 2022)

I don't conflate the NSA with the USA. As a US citizen, I'm opposed to what they do. But, who is the USA? Is it them? Or is it us?

Likewise, I don't conflate the Chinese government with the Chinese people. Who is China? Is it the government, or is it the people?

We may all be ultimately _responsible_ for what others do in "our" name, but none of us can fully _control_ it.


----------



## eternal_noob (Feb 12, 2022)

drhowarddrfine said:


> we're not talking about the same thing. You are talking government initiated spying. Malware used for nefarious take downs by individuals as hackers is not the same thing.


Of course it is. It's both unwanted penetration. For me it doesn't make a difference who invades my space. An invader is an invader.


----------



## ralphbsz (Feb 12, 2022)

eternal_noob said:


> Snowden taught us that the NSA is the worst hacker around the globe. It's just hypocritical to blame China.


Incorrect. Snowden taught us that the NSA at the time did a lot of unethical and illegal things. That was about 7 or 8 years ago. Much has changed since, perhaps for the better, or perhaps for the worse. We can be pretty sure that the NSA doesn't do the same things any more. What we don't know is whether the actions of the NSA are now better or worse.

But even when Snowden showed us a lot of stuff, we didn't know what other countries' agencies do, and how it compares. We know that several other countries have very active cyber-espionage and sabotage programs (Russia, China, Israel, North Korea), and that in some countries (mostly the same list) this involves cooperation between government agencies, private companies, and/or criminal elements.

Simply saying "the NSA is the worst" is completely wrong. The NSA is the one that had some of its internals exposed, no more and no less.



eternal_noob said:


> Of course it is. It's both unwanted penetration. For me it doesn't make a difference who invades my space. An invader is an invader.


But it makes a huge difference about how to react and how to protect yourself whether the invader is a government spying agency (which just gathers information), a legitimate business, a set of criminals trying to steal your stuff, or a government agency (typically a military) trying to disrupt your operations, perhaps using technology from or working with a company, or a set of criminals that operate with implicit government blessing.


----------



## SKull (Feb 12, 2022)

sko said:


> and again, everybody: don't  use  password  based  logins  for  ssh


You're saying I should disable root login as well? 

Also, I think these attacks are coming mainly from China because China still uses Windows XP in large numbers.
And if you don't have every security patch installed that ever came out for WinXP, all you need to do is connect your XP host to the internet.
15 minutes later you will have a bot running on your system.

[edit]We've actually hooked up a WinXP host WITHOUT any service packs to the internet. We've had over a thousand 'malware' files on that system after 15 minutes. That was in 2008.[/edit]


----------



## eternal_noob (Feb 12, 2022)

SKull said:


> You're saying I should disable root login as well?


This made me laugh, thanks.



ralphbsz said:


> a set of criminals


In either case.


----------



## SKull (Feb 12, 2022)

eternal_noob said:


> This made me laugh, thanks.


Every company that I've ever worked for, that had some Linux boxes, had root login as well as password login enabled.
It's funny from our perspective. It's horrifying if you work there.

Also: I highly recommend running an ssh honeypot on port 22.
It is educating as well as entertaining to watch.


----------



## Crivens (Feb 13, 2022)

ralphbsz said:


> whether the invader is a government spying agency (which just gathers information), a legitimate business, a set of criminals trying to steal your stuff, or a government agency (typically a military)


The NSA was caught in industrial espionage a long time ago. And as for the implied OR in your list: reality suggests it should be seen as an AND. Only the order of them might change. And yes, they ALL do this.


----------



## Deleted member 30996 (Feb 13, 2022)

> *F.B.I. Secretly Bought Israeli Spyware and Explored Hacking U.S. Phones*
> Jan. 28, 2022
> 
> Israel used the NSO Group’s software as a tool of diplomacy. The F.B.I. wanted it for domestic surveillance.
> ...



SSH...pffft. Never used it.


----------



## ralphbsz (Feb 13, 2022)

Concur: the NSA was helping US companies in industrial espionage.

And yes, as I said: In many cases, government and commerce work together, and in some countries government and criminals work together, and in some cases, multiple governments work together (famous example: five eyes). But also, in some cases governments spy on companies in their country too. I know two examples: government agency spies on company A, gives the results deliberately to company B (that's sort of getting help from the NSA in doing industrial espionage), but then the data leaks from company B to A, causing embarrassment to all involved. Another fun example (which I don't think is terribly well known publicly) is company X (which is located in a country that we'll call Elbonia) discovering that someone is trying to hack their internal corporate networks, figuring out that the hacker is the official Elbonian spy agency. The bizarre thing is: Company X is the biggest supplier of computer and networking gear to that spy agency!

Sometimes I think that the intelligence agencies are staffed only with complete fools (right out of Inspector Clouseau or Dilbert). Sometimes I think that they are staffed with geniuses, who can pull off amazing stunts. The people I've actually met who work there are all pretty hard-working, smart, honest, and neither idiots nor geniuses.

And you are completely correct: they all do it. The only countries that don't do much intelligence gathering are the ones that don't have the resources for it.


----------



## kpedersen (Feb 13, 2022)

Crivens said:


> Only the order of them might change. And yes, they ALL do this.


The UK government doesn't do anything of that sort. They *know* that the entire industry (consisting exclusively of Apple and Microsoft) is so darn impenetrable and secure that hacking is deemed a legacy activity and only for "poor" countries.

Instead they prefer to spend their time (and the money from us plebs) leveraging smart phones and cloud storage as their entire digital security backbone.


----------



## eternal_noob (Feb 13, 2022)

ralphbsz said:


> Much has changed since, perhaps for the better, or perhaps for the worse.


Oh, btw. It's getting worse.


----------



## Mayhem30 (Mar 7, 2022)

sko said:


> and again, everybody: don't  use  password  based  logins  for  ssh



What about using a different listen port than 22? Lots of free ports are available.



https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt


----------



## Phishfry (Mar 7, 2022)

Mayhem30 said:


> What about using a different listen port than 22?


Strong key is the only way (ed25519). Hiding behind port numbers is not security.
Having said that I do switch my listening port.


----------



## ralphbsz (Mar 7, 2022)

Using a different port helps. It reduces the number of attacks (by several orders of magnitude), and makes it statistically unlikely that your ssh port will be cracked. It is not actually secure. But it has a really good cost/benefit ratio, so do it. Don't let the desire for the perfect stand in the way of accomplishing the good.


----------



## sko (Mar 7, 2022)

Mayhem30 said:


> What about using a different listen port than 22? Lots of free ports are available.
> 
> 
> 
> https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt



obfuscation is NOT equal to properly securing a service, which in case of sshd means NO PASSWORD BASED LOGINS!

But yes, using another port for ssh greatly reduces the noise floor. On 'high noise' IPs (e.g. cloud hosting) I usually also change the ssh port. On some machines I just run a honeypot on port 22 that simply collects IPs for blacklisting...


----------



## Mayhem30 (Mar 7, 2022)

I really appreciate all the input!

On my production server, I've disabled password logins, use a 2048-bit key and a non-standard SSH port.

Is that "good enough" or should I be doing something else as well?


----------



## ralphbsz (Mar 7, 2022)

"Good enough" depends on the value of your data, the risk to you of getting hacked, and the expected threat profile.

Scenario 1: Your system stores the target coordinates for conventional and nuclear bombing. If the data is released, we expect massive political upheaval, probably leading to thousands of people losing their lives. If your system is shut down, your country loses the ability to defend itself. Your adversaries are the best intelligence services on the planet.

Scenario 2: Your system contains only pictures of your kids that you took with your camera. All pictures are public, you serve them on a web server, so grandma can check out what her grandkids are doing. There is nothing secret on the server; if it gets shut down, the only damage is that grandma has to wait until it is brought back online, or you have to make printouts of the photos and send them to grandma in a letter. The only risk from hackers is that they might use your machine's resources for nefarious purposes (mine bitcoin, send spam e-mails, and so on). Since the value of an IP address and weak (virtual) CPU is very low, hackers are not interested in your machine.

For 1, your suggestion is absolutely not good enough: you need security guards with assault rifles, encrypted everything, thick concrete walls and ceilings, and similar stuff. For 2, it is total overkill; one of the three would have been sufficient.


----------



## Mayhem30 (Mar 8, 2022)

ralphbsz said:


> Since the value of an IP address and weak (virtual) CPU is very low, hackers are not interested in your machine.



My machine is a little bit better than that, that's why I'd like to protect it.

I have my own dedicated server and it's powered by a Xeon E-2288G CPU, 32GB ram, 2x 500GB SSD (Raid 0). I also have 16 usable IPv4 addresses and /64 block for IPv6. I'm a PHP developer, and have 10+ years worth of work that is powering 3 websites - which includes a CMS I created from scratch (WordPress is bloatware).

Of course all my work is rsync'd to my home machine every 12 hours, but I would hate for my code to get leaked.


----------



## richardtoohey2 (Mar 8, 2022)

Have you set AllowUsers in sshd_config?

Not sure if you're asking just about ssh or overall security? Assume you've got firewall(s) in place. Checking logs of firewall, /var/log/messages, /var/log/authlog to check nothing unexpected. Turn off unnecessary services, keep everything patched. RAID-0 is fast but don't you want something mirrored (but now definitely drifting off the topic of SSH!)
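
The log check suggested above, as an added example that is not part of the thread: it counts failed sshd logins per source address from auth.log-style lines, flags noisy sources as block candidates for a PF table, and reports any successful login that was not a public-key login (which should be impossible once password logins are disabled). The log lines and addresses are constructed for the example.

```python
"""Triage sshd authentication log lines for brute-force noise.

Added example (not from the thread): counts failed logins per source IP
from auth.log-style lines, flags sources above a threshold, and confirms
that every successful login used a public key.
The sample lines below are constructed (TEST-NET addresses), not real logs.
"""
import re
from collections import Counter

# Constructed sample of the sshd lines found in /var/log/auth.log.
SAMPLE_LOG = """\
Mar  8 03:10:01 web sshd[4021]: Invalid user admin from 203.0.113.7 port 51234
Mar  8 03:10:01 web sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  8 03:10:04 web sshd[4023]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  8 03:10:06 web sshd[4025]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  8 03:10:09 web sshd[4027]: Failed password for invalid user oracle from 198.51.100.23 port 40110 ssh2
Mar  8 03:11:30 web sshd[4031]: Accepted publickey for mayhem from 192.0.2.10 port 60212 ssh2: ED25519 SHA256:constructedfingerprint
Mar  8 03:12:02 web sshd[4040]: Accepted password for mayhem from 198.51.100.23 port 40188 ssh2
"""

# "Failed <method> for [invalid user ]<user> from <ip> port <n>"
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# "Accepted <method> for <user> from <ip> port <n>"
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def triage(log_text, threshold=3):
    """Return (failed_per_ip, flagged_ips, suspicious_accepts).

    failed_per_ip      -- Counter of failed attempts by source address
    flagged_ips        -- sorted addresses with at least `threshold` failures
    suspicious_accepts -- (user, ip, method) for successful non-publickey logins
    """
    failed = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["method"] != "publickey":
            suspicious.append((m["user"], m["ip"], m["method"]))
    flagged = sorted(ip for ip, n in failed.items() if n >= threshold)
    return failed, flagged, suspicious


if __name__ == "__main__":
    failed, flagged, suspicious = triage(SAMPLE_LOG)
    for ip in flagged:
        print(f"block candidate: {ip} ({failed[ip]} failures)")
    for user, ip, method in suspicious:
        print(f"WARNING: non-key login for {user} from {ip} via {method}")
```

A non-key "Accepted" line on a host that supposedly has password logins disabled means the sshd_config change never took effect (typo, wrong file, daemon not restarted) and is worth investigating before anything else.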


----------



## Mayhem30 (Mar 8, 2022)

richardtoohey2 said:


> Have you set AllowUsers in sshd_config?



No, I do not! I wasn't aware that was an option (it's not listed in the config file). However, I only have one user account and root login is already disabled. Is it still needed? In the /etc/passwd file, it looks like everything has /usr/sbin/nologin except root, toor, uucp, and acme.



richardtoohey2 said:


> Not sure if you're asking just about ssh or overall security? Assume you've got firewall(s) in place.



Yes, I'm using PF. I don't limit access to SSH for my IP address as it changes every 6 months or so (and I've already locked myself out once already). I have fiber gigabit internet at home, so I do have the option to pay an additional $5/month for a static IP but wasn't sure it was worth the cost.



richardtoohey2 said:


> RAID-0 is fast but don't you want something mirrored



Why is that? In the early days, I had a single HDD and it failed on me .. it wasn't fun getting everything back up and running.


----------



## richardtoohey2 (Mar 8, 2022)

My understanding is that RAID 0 is striped for performance so if one drive dies bye-bye data. A mirrored RAID level should be able to cope with one drive failure but at the cost of space and performance.

Not sure if the AllowUsers helps in your setup - it’s just one more barrier for someone to get through (they’ll need a valid username).
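
The settings discussed in this thread (no password logins, no root login, keys only, an AllowUsers list) can be checked against what sshd actually runs with rather than against the config file. The following added example, not from the thread or from OpenSSH, parses `sshd -T` output, which prints every effective option as a lowercase `keyword value` line, and lists the options that still fall short; the sample output is constructed, and `kbdinteractiveauthentication` is the keyword in recent OpenSSH (older releases print `challengeresponseauthentication`).

```python
"""Audit the effective sshd configuration against the thread's advice.

Added example (not from the thread or from OpenSSH). `sshd -T` prints the
effective value of every option as a lowercase `keyword value` line; this
script reports the options that still allow password or root logins.
The sample output below is constructed; real output has many more lines.
"""
import subprocess

SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
maxauthtries 6
"""

# Policy from the thread: key-only logins, no root, an explicit user allow-list.
# kbdinteractiveauthentication is included because keyboard-interactive (PAM)
# can still prompt for a password even when passwordauthentication is off.
POLICY = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_t(text):
    """Map each keyword to the list of values printed for it (some keywords repeat)."""
    settings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def audit(settings):
    """Return (keyword, current, wanted) findings; an empty list means compliant."""
    findings = []
    for key, wanted in POLICY.items():
        current = settings.get(key, ["<unset>"])[0]
        if current != wanted:
            findings.append((key, current, wanted))
    # sshd -T prints no allowusers line at all when no allow-list is configured.
    if "allowusers" not in settings:
        findings.append(("allowusers", "<unset>", "<explicit user list>"))
    return findings


def live_sshd_t():
    """Run the real `sshd -T` (needs root to read the host keys)."""
    return subprocess.run(["sshd", "-T"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for key, current, wanted in audit(parse_sshd_t(SAMPLE_SSHD_T)):
        print(f"{key}: is '{current}', should be '{wanted}'")
```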


----------



## Mayhem30 (Mar 8, 2022)

I'm using Gmirror, and I don't notice any performance issues. The SSDs are handling the load with no issues.


----------



## richardtoohey2 (Mar 8, 2022)

Mayhem30 said:


> I'm using Gmirror


Looks like that counts as RAID 1: https://www.freebsd.org/cgi/man.cgi?gmirror(8) says

_The *gmirror* utility is used for mirror (RAID1) configurations._

But we are drifting far away from SSH configurations so I'll leave it here


----------

