Brute force attack on firewall stopped

The Network: A nonprofit organization in healthcare research. The EventTracker SIEMphonic Enterprise service supplements their IT team.

The Expectation: Robust and up-to-date (next-gen firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary. Perimeter firewalls are critical in any given environment and should have 100% uptime (availability).

The Catch: SIEMphonic analysts observed over 1,500 attempts from various IP addresses attempting to connect to the outside interface on the firewall, via ssh v1, in a short span of time. The firewall was accepting ssh v1 connections on the outside interface, which potentially allows hackers to perform a brute-force attack to gain access to the firewall. In addition, ssh v1 does not support strong encryption and also has integer overflow vulnerability that allows hackers to run code with root access. ssh v2 protects against eavesdropping by encrypting all traffic through 3DES/AES and uses MAC algorithms for integrity checking.

The Find: EventTracker’s firewall logon reports were been configured during installation and were instrumental in uncovering this attack.

The Fix: ssh v1 had been enabled on the outside interface of the firewall was open at customer environment for a period of time. This is a weak configuration that invites attack. Attackers on scanning this firewall had determined this misconfiguration and were working to exploit it. The ECC analyst immediately notified the customer who quickly disabled ssh v1 and access to the outside interface the firewall.

The Lesson: Firewall connections should be allowed only from the inside network. Connections should be accepted only via ssh v2, and not ssh v1 since it is not secure.