This paper examines recent brute force attacks on Linux/Unix systems, mainly those aimed at services such as Telnet, Secure Shell (SSH), and FTP. It also explores why some of these attacks have succeeded and the steps necessary to curb such attacks in future.

"The U.S. government considers a system to be only as secure as its most far-reaching connection. For instance, a top-secret system may be accessed only from within a building also considered top-secret. The system loses its top-secret rating if any form of communication can occur from outside that environment." Therefore, anyone who boasts of a system immune to security threats must have unplugged his or her computer from every communication network. Unix is generally considered more secure and stable than other systems such as Windows. However, it is not completely impervious to attacks such as the brute force attacks discussed below.

A brute force attack, which has been on the rise against Unix/Linux services such as SSH, Telnet, and FTP, is a method of attack that tries every character combination in an attempt to determine the password of an account. First, a valid account name is determined in a process called account harvesting; then brute force is used to guess that user's password. Red Hat Linux 9.x, for example, does not provide account security policies, but it does allow password security and other per-account security settings to be configured, and these are stored in the shadow file. As a result, some attackers are determined to obtain the files that contain the encrypted passwords, such as /etc/passwd and /etc/shadow. Although some attackers use their own programs to guess passwords, others use available tools such as John the Ripper, Crack, brut_ssl, and Ophcrack, a password cracker based on rainbow tables that runs on Windows, Linux and Mac OS X (Intel). Ophcrack can crack 99.9% of alphanumeric passwords of up to 14 characters, usually in a few seconds and at most in a few minutes (6).

Brute force attacks succeed mainly by taking advantage of weak passwords, and they are used either against online systems or against password hashes that have already been obtained. This is possible because all versions of Unix ship with default configurations, and some versions are potentially at risk from improper or default configurations (Max, 2006). Such Unix versions may be affected by accounts that use weak or dictionary-based passwords for authentication. Historically, Unix password mechanisms were often limited to eight characters, and the number of possible salt values was so low that an attacker could easily combine a dictionary of commonly used passwords with every possible salt value and have a good chance of matching one or more passwords in the password file, thereby gaining unauthorized access to the compromised accounts.

Further, the Secure Shell daemon (SSHD2), which was introduced as a popular secure shell daemon for Unix to replace telnet, has itself become a target. All versions of SSHD2 up to 2.0.11 are vulnerable to brute force attacks through remote access that acquire user information. Versions 2.0.12 and up are also vulnerable to this attack, but in these versions the IP address of the connection is logged, so the attacks can be identified. This enables the system administrator to quickly recognize the break-in attempt and to know where it originated (8). Brute force attacks therefore cause additional network traffic, increased consumption of system resources, and hundreds of unnecessary log file entries, which is essentially a small-scale Denial of Service (DoS) attack.

Since brute force attacks mainly exploit weak passwords, one of the best ways of preventing an attacker from succeeding is to have a good password policy in place and enforced. New security mechanisms have therefore been developed and introduced by Unix vendors to address these issues. For example, the pluggable authentication modules (PAM) system is based on a shared library that can be used by any system component that needs to authenticate users. PAM modules are loaded on demand according to a system-wide configuration file, so every service that uses PAM immediately takes advantage of a change to it. PAM modules can specify authentication methods, so that when a user changes their password, all the necessary authentication data can be updated at once.

Furthermore, ensure that all user accounts have hard-to-guess, strong passwords. Use a Crypto-card system or RSA encryption, which are one-time password programs or password generators (10). Even if an attacker intercepts a user's password, it will be useless because it is not reusable. Organizations can also enforce their security policies by using the online administration center to create password-related rules. For example, users can be required to change their passwords regularly: you can set passwords and access codes to expire at specified intervals and prevent the reuse of previously used passwords.

Better yet, you can run password cracker software such as Xavior, brute_web, or Authforce against your own system to evaluate the security of its accounts and passwords, i.e. whether they are easy to crack. Where possible, set up a honeypot, a system designed specifically to look vulnerable so that attackers think it is easy prey. This way you can learn about their intentions and tendencies.

Since traditional password authentication is a problem, configure your system to use SSH logons with keys and teach users the importance and advantages of using SSH keys instead of passwords. Once users are well acquainted with the procedure, switch to SSH key-based logons permanently and disable password logons completely (10).
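The following is an added example, not code from the original paper, that audits an sshd_config fragment against the hardening steps just described (password logons off, key-based logons on, root not reachable by password, logons limited to known users and client addresses). The two configuration fragments are constructed for illustration; the keyword names are real OpenSSH directives, and the defaults assumed for missing keywords are stated in the code.

```python
# Constructed sshd_config fragments for illustration (not from any real host).
WEAK_CONFIG = """\
# root reachable by password from anywhere, every account open to guessing
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers alice@198.51.100.7 bob@198.51.100.0/24
"""

# Values assumed when a keyword is absent. PermitRootLogin defaulted to "yes"
# in the OpenSSH releases contemporary with this text (newer releases default
# to prohibit-password); the other defaults are unchanged.
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes", "permitrootlogin": "yes", "maxauthtries": "6"}

def parse_sshd_config(text):
    """Keyword/value pairs; keywords are case-insensitive and, as in sshd
    itself, the first occurrence of a keyword wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit_sshd_config(text):
    """Return one finding per hardening step the configuration does not meet."""
    c = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if c["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication: password guessing still possible")
    if c["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication: keyboard-interactive password prompts still possible")
    if c["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication: keys cannot replace passwords")
    if c["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin: root logon by password allowed")
    if "allowusers" not in c and "allowgroups" not in c:
        findings.append("AllowUsers/AllowGroups: logons not limited to known users or client addresses")
    if int(c["maxauthtries"]) > 3:
        findings.append("MaxAuthTries: many password guesses allowed per connection")
    return findings
```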

Frequently inventory the encryption keys and authentication methods used by the operating systems and close any holes you find. For instance, you can restrict logins to the IP addresses of known client machines, and block the IP addresses of systems that try to brute-force your system. Tools such as denyhosts, Brute Force Detection (BFD), sshdfilter, and fail2ban protect ssh or sshd2 against this attack and can be used to automatically ban intruder scanners; that is, recognized intruders are blacklisted (7). For example, fail2ban uses Netfilter and creates an iptables chain specifically for blocking brute force attacks, which allows the currently blocked hosts to be listed quickly with iptables -L.
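As an added example (not code from the paper or from any of the tools it names), the detection step that denyhosts and fail2ban automate: scan sshd log lines, count failed password attempts per source address, flag account harvesting as a spread of distinct usernames from one address, and render the iptables ban rule the tool would apply. The log lines are constructed using documentation address ranges, and the chain name is an assumed placeholder.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Feb 14 03:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Feb 14 03:12:02 host sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 4322 ssh2
Feb 14 03:12:03 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 4323 ssh2
Feb 14 03:12:04 host sshd[1204]: Failed password for root from 203.0.113.5 port 4324 ssh2
Feb 14 03:12:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 4325 ssh2
Feb 14 03:12:09 host sshd[1206]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Feb 14 03:12:15 host sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 5001 ssh2
"""

# "invalid user" marks a username that does not exist: the account-harvesting phase.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize_failures(log_text):
    """Per source IP: number of failures, set of usernames tried, invalid-user count."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = stats[m.group("ip")]
        entry["failures"] += 1
        entry["users"].add(m.group("user"))
        if m.group("invalid"):
            entry["invalid"] += 1
    return dict(stats)

def hosts_to_block(log_text, max_failures=5, max_distinct_users=3):
    """Addresses exceeding either threshold: too many failures (password guessing)
    or too many distinct usernames (account harvesting). A single typo by a
    legitimate user stays well below both."""
    blocked = [ip for ip, s in summarize_failures(log_text).items()
               if s["failures"] >= max_failures or len(s["users"]) >= max_distinct_users]
    return sorted(blocked)

def iptables_rules(ips, chain="brute-force"):
    """Render the ban rules a tool like fail2ban would insert into its own chain
    (chain name is an assumed placeholder); the rules are not executed here."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]
```

Listing the chain afterwards with iptables -L shows the same addresses the function returns.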

Have network and server administrators avoid using administrative accounts directly; instead they should use personal accounts that have administrative privileges. Also, when working at another person's computer, administrators should use command-line options to access administrative accounts, such as the su command in Unix/Linux.

Brute force attacks can be defended against through constant surveillance, up-to-date threat detection technology, quick reaction to any security alerts, and the setting and maintaining of rigorous security policies. Likewise, install the latest vendor patches regularly to mitigate vulnerabilities in exposed services. Patch management is a critical part of the risk management process.

References:
1. Arregoces, M. & Portolani, M. (2004). Data Center Fundamentals. Cisco Press.

2. Rosen, K., Host, D., Farber, J., & Rosinski, R. (2007). UNIX: The Complete Reference, 2nd edition. McGraw-Hill.

3. Ross, S. T. Unix System Security Tools.
Retrieved on February 15, 2007 from http://www.albion.com/security/intro-4.html

4. Brute Force Dictionary Attacks.
Retrieved on February 14, 2007 from http://ist.uwaterloo.ca/security/vulnerable/20040811.note

5. MyDoom Details, ssh password brute forcing.
Retrieved on February 16, 2007 from http://isc.sans.org/diary.html?storyid=263

6. Ophcrack is a password cracker (2006).
Retrieved on February 13, 2007 from http://ophcrack.sourceforge.net/

7. Protection from Brute force attacks.
Retrieved on February 12, 2007 from http://www.lboro.ac.uk/computing/security/ssh.html

8. Brute force attack against SSHD2.
Retrieved on February 14, 2007 from http://www.securiteam.com/unixfocus/2KUQ7QAQTM.html

9. John the Ripper and Crack, Weak passwords vulnerable to a dictionary attack.
Retrieved on February 13, 2007 from http://en.wikipedia.org/wiki/John_the_Ripper or http://wiki.linuxquestions.org/wiki/Brute_force

10. Stearns, William (2006). Security Tip of the day: Handling brute-force login attempts.
Retrieved on February 13, 2007.

11. Max (2006). UNIX Configuration Weaknesses.
Retrieved on February 15, 2007 from http://www.bestsecuritytips.com/xfsection+article.articleid+21.htm