Defending Your Network: Detecting SSH Brute-Force Attacks with Wazuh


Introduction:

In today's digital landscape, cybersecurity threats are ever-evolving, with SSH brute-force attacks posing a significant risk to organizations' data and network security. Detecting and mitigating these attacks is crucial to safeguarding sensitive information and maintaining the integrity of your systems. In this guide, I'll walk through the process of detecting SSH brute-force attacks using Wazuh, a powerful open-source security monitoring platform.


Overview:

Throughout this post, you'll gain valuable knowledge on:

  • Understanding the fundamentals of SSH brute-force attacks and their impact on cybersecurity.
  • Setting up a home lab environment using Wazuh for monitoring and detecting SSH brute-force attacks.
  • Step-by-step instructions for configuring Wazuh agents, deploying Wazuh managers, and leveraging Wazuh's features effectively.
  • Real-world examples and case studies illustrating the importance of identifying and thwarting SSH brute-force attacks.
  • Practical techniques for simulating and testing SSH brute-force attacks using popular tools like Hydra, coupled with insights on interpreting the results within the Wazuh interface.


Understanding Brute-Force Attacks:

Brute-force attacks are a pervasive threat in cybersecurity, leveraging relentless, systematic attempts to discover valid credentials. Particularly in the context of SSH, adversaries exploit vulnerabilities in authentication protocols, utilizing automated tools to exhaustively cycle through credential combinations. The ramifications of a successful SSH brute-force attack are severe, as unauthorized access to critical systems can lead to compromised data integrity and confidentiality, posing significant risks to organizational security.


Hydra, Medusa, and Ncrack are powerful tools commonly used for conducting brute-force attacks.


  • Hydra: Hydra is a versatile password-cracking tool capable of launching brute-force attacks against a variety of protocols, including SSH. It supports parallelized brute-forcing and offers extensive customization options.

GitHub Repository: https://github.com/vanhauser-thc/thc-hydra


  • Medusa: Medusa is another popular tool used for brute-force attacks. It specializes in parallelized brute-forcing and can target multiple accounts simultaneously. Medusa is known for its efficiency and reliability in cracking passwords for SSH and other services.

GitHub Repository: https://github.com/jmk-foofus/medusa


  • Ncrack: A network authentication cracking tool designed for high-speed brute-force attacks. It supports various protocols, including SSH, and offers brute-force, dictionary, and timing attacks.

GitHub Repository: https://github.com/nmap/ncrack


GitHub DDoS Attack (2020): In 2020, GitHub was targeted by a DDoS attack that leveraged SSH and Git traffic. Attackers abused GitHub Actions workflows to mine cryptocurrency on GitHub servers, causing disruption to the platform's services.


Home-Lab Requirements:

Before delving into the technical details, ensure the following prerequisites are met:


Virtualization Software:

To run virtual machines on your computer, you'll need virtualization software. Download from the following options based on your preference and compatibility with your operating system:


Wazuh Server OVA:

Serving as the central management platform for Wazuh deployments, facilitating centralized monitoring and analysis.

For a quicker setup, you can use the Wazuh Server OVA file. This file is prebuilt and can be easily imported into virtualization software such as VirtualBox or VMware. Obtain the Wazuh Server OVA file from the official Wazuh documentation website.



Ubuntu Server: Configured as a Wazuh agent for real-time monitoring and analysis of system events.



Kali Linux: Utilized as the offensive platform for simulating brute-force attempts against SSH.



Mirai Botnet (2016): Mirai infected Internet of Things (IoT) devices, including routers and cameras, by exploiting weak SSH credentials. It then used these devices to launch massive distributed denial-of-service (DDoS) attacks.

Setting up Wazuh Manager:

Virtualization Software: Oracle VirtualBox

  • Deployment: Deploy the Wazuh Server OVA file within your Oracle VirtualBox environment to instantiate the Wazuh Manager.


  • Obtaining IP Address: Obtain the IP address of the Wazuh Manager using the command below for subsequent access.

ifconfig


  • Accessing GUI: Log in to the Wazuh Graphical User Interface (GUI) via a web browser using the designated URL.

  • Authentication: Authenticate into the Wazuh GUI using the default credentials:

Username: admin

Password: admin

Adding Ubuntu Agent:

Configure the Ubuntu Server as a Wazuh agent to enable seamless integration with the Wazuh Manager.

To deploy a new Wazuh agent, you need to choose the appropriate package based on your system architecture and package manager. Here's a brief explanation of each option:

  • RPM amd64: For RPM-based systems (e.g., CentOS, RHEL, Fedora) on AMD64 architecture.
  • RPM aarch64: For RPM-based systems on ARM64 architecture.
  • DEB amd64: For Debian-based systems (e.g., Debian, Ubuntu) on AMD64 architecture.
  • DEB aarch64: For Debian-based systems on ARM64 architecture.

Since I am using an Ubuntu server from Osboxes, I selected 'DEB amd64'.


To assign a server address for the Wazuh agent to communicate with, you need to provide the IP address or fully qualified domain name (FQDN) of your Wazuh manager server. This server address should be accessible from the network where the agent is installed.


When assigning an agent name in Wazuh, it's important to choose a unique name that identifies the agent. By default, Wazuh uses the hostname of the system as the agent name. However, you have the option to specify a different agent name if needed.

I named the agent "BF_Watcher" and selected the "Default Group" under "Select one or more existing groups".


To configure Ubuntu Server and install the Wazuh agent on it, I will create an Ubuntu Server VM in Oracle VirtualBox and run the following commands:

Install the Wazuh Agent:

Run the following commands to download and install the Wazuh agent:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.2-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.110' WAZUH_AGENT_GROUP='default' WAZUH_AGENT_NAME='BF_Watcher' dpkg -i ./wazuh-agent_4.7.2-1_amd64.deb

Ensure to replace '192.168.1.110' with the IP address of your Wazuh manager.


Once the agent is installed, start it by running the following commands:

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent





To determine the status of the Wazuh agent, execute the following command:

sudo systemctl status wazuh-agent

Activate the agent and verify that it registered successfully and is connected, as shown in the Wazuh Manager interface.


To simulate brute-force SSH attacks, you'll need an SSH server installed on your Ubuntu server. Follow these simple steps to install it:

  • Open a terminal on your Ubuntu server.
  • Run the following commands to install SSH and enable it to start automatically at boot:

sudo apt update
sudo apt install openssh-server
sudo systemctl enable ssh

To check whether SSH is installed and running successfully on your Ubuntu server, use the following command:

sudo systemctl status ssh



In case of any issues with the Wazuh VM on VirtualBox, streamline troubleshooting by removing the existing VM and creating a new one. Follow these steps:

  1. Remove the current Wazuh VM.
  2. Create a new Wazuh VM with proper resource allocation and network configuration.
  3. Obtain a new IP address for the Wazuh VM and update it on the Ubuntu server.
  4. Update the Wazuh agent configuration on the Ubuntu server to reflect the new IP address.

sudo nano /var/ossec/etc/ossec.conf


To save changes after modifying the IP address in the ossec.conf file using the nano text editor, you can follow these steps:

  • Press Ctrl + X on your keyboard. This will prompt you to save the changes.
  • Press Y on your keyboard to confirm that you want to save the changes.
  • Press Enter to confirm the file name to write the changes to.
  • Finally, press Enter again to exit the editor.

Restart the Wazuh agent service to ensure proper communication with the new Wazuh manager:

sudo systemctl restart wazuh-agent

This approach saves time and effort by avoiding a complete setup redo.



Exim SSH Backdoor (2019): The Exim email server software was targeted by attackers who exploited a vulnerability to install a backdoor via SSH, allowing them to gain persistent access to compromised systems.



Configuring the Offensive Machine (Kali Linux):

Setting Up Kali Linux in Oracle VirtualBox:



Testing Connectivity: Ping to Ensure Connection from Kali Attack Machine to Ubuntu Server

ping -c 5 192.168.1.104



Performing Brute-Force Attacks with Hydra:

Now that we have set up our offensive platform (Kali Linux), let's proceed with performing brute-force attacks using Hydra. Hydra is a powerful and versatile tool capable of launching brute-force attacks against various protocols, including SSH.


To perform a brute-force attack against SSH using Hydra, follow these steps:

We'll simulate a failed brute-force attack and check whether Wazuh registers the attempt. Run the following command (replace 192.168.1.104 with the IP address of your Ubuntu server):

hydra -l admin -p test ssh://192.168.1.104



Observing the Wazuh interface, we can confirm that the attack has been logged within the "Security Events" section.




Let's examine a specific security event in detail:



Event Details:

  • Timestamp: February 10th, 2024, 06:35:33.795 (UTC)
  • Event ID: znm6kY0BmCEVEHDbkCsq
  • Agent ID: 001
  • Agent IP: 192.168.1.104
  • Agent Name: BF_Watcher
  • Source IP: 192.168.1.102
  • Source User: admin
  • Decoder: sshd
  • Location: /var/log/auth.log

Event Summary:

An authentication attempt using the username "admin" was made from the source IP address 192.168.1.102, targeting the SSH service running on the agent with ID 001 (named BF_Watcher). The attempt was unsuccessful and triggered multiple times (4 occurrences).

Rule Details:

  • Rule ID: 5710
  • Rule Description: Attempt to login using a non-existent user
  • Rule Level: 5
  • Rule Groups: syslog, sshd, authentication_failed, invalid_login
  • Rule MITRE Tactics: Credential Access, Lateral Movement
  • Rule MITRE Techniques: Password Guessing, SSH
  • Rule Compliance:
      • GDPR: IV_35.7.d, IV_32.2
      • GPG13: 7.1
      • HIPAA: 164.312.b
      • NIST 800-53: AU.14, AC.7, AU.6
      • PCI DSS: 10.2.4, 10.2.5, 10.6.1
      • TSC: CC6.1, CC6.8, CC7.2, CC7.3

Additional Insights:

This event indicates an attempted login using the non-existent user "admin" from the source IP address 192.168.1.102, which triggered multiple times (4 times in this case). It's flagged as a significant event with a rule level of 5, indicating potential security concerns related to credential access and lateral movement, according to the MITRE framework. Additionally, it aligns with various compliance standards such as GDPR, GPG13, HIPAA, NIST 800-53, PCI DSS, and TSC.
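As an added example (not part of the original article and not Wazuh's own code), the following Python script reproduces, on a handful of constructed /var/log/auth.log lines, the two steps behind the event above: decoding sshd messages into the categories named in the rule groups (invalid_login, authentication_failed, authentication_success) and then correlating repeated failures per source IP inside a time window, which is the frequency/timeframe style of escalation Wazuh's ruleset layers on top of single-event rules such as 5710. The hostname, PIDs, ports, the year 2024 used to complete the year-less syslog timestamps, and the threshold of 4 failures in 120 seconds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of /var/log/auth.log lines as sshd writes them (hostname "bf-watcher",
# PIDs and ports are made up; the addresses mirror the lab described in the article).
SAMPLE_AUTH_LOG = """\
Feb 10 06:35:33 bf-watcher sshd[1201]: Invalid user admin from 192.168.1.102 port 40122
Feb 10 06:35:33 bf-watcher sshd[1201]: Failed password for invalid user admin from 192.168.1.102 port 40122 ssh2
Feb 10 06:35:34 bf-watcher sshd[1203]: Invalid user admin from 192.168.1.102 port 40124
Feb 10 06:35:34 bf-watcher sshd[1203]: Failed password for invalid user admin from 192.168.1.102 port 40124 ssh2
Feb 10 06:35:35 bf-watcher sshd[1205]: Invalid user admin from 192.168.1.102 port 40126
Feb 10 06:35:36 bf-watcher sshd[1207]: Invalid user admin from 192.168.1.102 port 40128
Feb 10 06:36:01 bf-watcher sshd[1210]: Failed password for osboxes from 192.168.1.50 port 51000 ssh2
Feb 10 06:36:40 bf-watcher sshd[1212]: Accepted publickey for osboxes from 192.168.1.50 port 51002 ssh2: RSA SHA256:constructed
Feb 10 06:40:00 bf-watcher sshd[1220]: Invalid user test from 192.168.1.102 port 40200
"""

# Syslog envelope: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S*) from (?P<ip>[\d.]+)")
FAILED_PW_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


@dataclass
class Event:
    ts: datetime
    category: str  # invalid_login | authentication_failed | authentication_success
    user: str
    ip: str


def parse_events(log_text, year=2024):
    """Decode sshd lines into Events. Syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        # Any sshd message naming an "invalid user" is the non-existent-account case that
        # rule 5710 describes (both the "Invalid user" and "Failed password for invalid user" lines).
        if "invalid user" in msg.lower():
            mm = INVALID_USER_RE.match(msg) or FAILED_PW_RE.match(msg)
            category = "invalid_login"
        elif FAILED_PW_RE.match(msg):
            mm = FAILED_PW_RE.match(msg)
            category = "authentication_failed"
        elif ACCEPTED_RE.match(msg):
            mm = ACCEPTED_RE.match(msg)
            category = "authentication_success"
        else:
            continue
        if mm is None:
            continue
        events.append(Event(ts, category, mm["user"], mm["ip"]))
    return events


def correlate(events, threshold=4, window_seconds=120):
    """Flag a source IP once it accumulates `threshold` failed logins inside a sliding window
    of `window_seconds`; a second alert for the same IP is suppressed for one window."""
    recent = defaultdict(deque)
    last_alert = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.category not in ("invalid_login", "authentication_failed"):
            continue
        window = recent[ev.ip]
        window.append(ev.ts)
        while (ev.ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) < threshold:
            continue
        prev = last_alert.get(ev.ip)
        if prev is not None and (ev.ts - prev).total_seconds() <= window_seconds:
            continue
        last_alert[ev.ip] = ev.ts
        alerts.append({"ip": ev.ip, "count": len(window), "first": window[0], "last": ev.ts})
    return alerts


def analyze(log_text, threshold=4, window_seconds=120):
    """Summarise a log: parsed events, per-source category counts, and brute-force alerts."""
    events = parse_events(log_text)
    per_source = defaultdict(lambda: defaultdict(int))
    for ev in events:
        per_source[ev.ip][ev.category] += 1
    return {
        "events": events,
        "per_source": {ip: dict(counts) for ip, counts in per_source.items()},
        "alerts": correlate(events, threshold, window_seconds),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_AUTH_LOG)
    for ip, counts in result["per_source"].items():
        print(ip, counts)
    for a in result["alerts"]:
        print(f"ALERT: {a['count']} failed logins from {a['ip']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed sample the script attributes seven invalid_login events to 192.168.1.102 and raises exactly one brute-force alert for it at the fourth failure; the single failed password from 192.168.1.50 and the later isolated attempt at 06:40:00 stay below the threshold, which is the behaviour you want from a correlation rule so that one mistyped password is not paged as an attack.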



British Airways Data Breach (2018): In 2018, British Airways suffered a data breach that affected over 380,000 customers. Attackers exploited vulnerabilities in the airline's website and mobile app, allowing them to capture sensitive information during the payment process. While the exact method of attack was not disclosed, SSH-based attacks, including credential stuffing or SSH key compromise, could have played a role in gaining unauthorized access to the airline's systems.



Now that we've confirmed that Wazuh is effectively detecting security incidents, let's delve deeper into Hydra. To do so, we'll utilize commonly used username and password lists to simulate real-world scenarios and assess system vulnerabilities more comprehensively.


I will utilize the wget command to download commonly used username and password lists onto the Kali Linux.


Usernames:

wget https://github.com/pentestmonkey/yaptest/raw/master/ssh-usernames.txt


Passwords:

wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt



After running the commands, you can verify that the files have been downloaded by listing the files in the current directory using the 'ls' command:

ls


To use Hydra to perform an SSH brute-force attack with a list of usernames and passwords, I used the following command:

hydra -L ssh-usernames.txt -P top-20-common-SSH-passwords.txt ssh://192.168.1.104




An evident surge in security events within Wazuh suggests a notable increase in authentication failures, reflecting heightened activity in unauthorized access attempts. Notably, among the top MITRE ATT&CK techniques observed are instances of "password guessing", particularly targeting the "SSH" protocol through "brute-force attacks".





Conclusion:

In summary, safeguarding against SSH brute-force attacks is crucial for maintaining compliance with cybersecurity standards like GDPR, HIPAA, NIST, PCI DSS, and TSC, while protecting organizational systems and sensitive data. By employing comprehensive detection methods and robust mitigation strategies, businesses can thwart unauthorized access attempts and mitigate risks effectively.

Throughout this guide, we've explored detecting SSH brute-force attacks using Wazuh and practical testing techniques. Real-world examples underscored the importance of identifying and countering such attacks to prevent data breaches and system compromises.


To mitigate the risks associated with SSH brute-force attacks, organizations can implement a plethora of measures:


  1. Strong Password Policies: Enforcing stringent password requirements and promoting regular password updates to deter easy guessing by malicious actors.
  2. Multi-factor Authentication (MFA): Implementing MFA as an additional security layer, requiring users to provide extra authentication factors beyond passwords.
  3. SSH Key Authentication: Advocating for SSH key usage for authentication, offering a more secure alternative to conventional passwords.
  4. Rate Limiting: Configuring rate-limiting mechanisms to curtail the number of authentication attempts within a specified timeframe, reducing the effectiveness of brute-force attacks.
  5. IP Whitelisting/Blacklisting: Restricting SSH access based on IP addresses to minimize the attack surface and block known malicious sources.
  6. SSH Configuration Hardening: Strengthening SSH server configurations by disabling redundant features and employing robust cryptographic algorithms.
  7. Monitoring and Logging: Continuously monitoring SSH authentication logs for anomalous activity and setting up alerts to notify administrators of potential attacks in real-time.
  8. Network Segmentation: Implementing network segmentation to isolate SSH servers and mitigate exposure to potential attackers.
  9. Regular Security Audits: Conducting periodic security audits and vulnerability assessments to identify and rectify weaknesses in SSH infrastructure.
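Items 3, 4, 6 and 9 above can be checked mechanically. The following Python script is an added example, not part of the article or of any Wazuh component: it parses an sshd_config the way sshd reads it (keywords are case-insensitive and the first occurrence of a keyword wins) and audits the result against a small policy, using the OpenSSH defaults from sshd_config(5) for any directive that is absent. The two sample configurations, the thresholds chosen for MaxAuthTries and LoginGraceTime, and the account names are constructed for the example.

```python
import re

# Constructed sshd_config samples (not from any real host). The first resembles a stock
# installation with a few deliberately weak settings; the second applies the hardening
# items from the list above.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config -- constructed weak example
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
LoginGraceTime 120
X11Forwarding yes
"""

HARDENED_SSHD_CONFIG = """\
# /etc/ssh/sshd_config -- constructed hardened example
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
AllowUsers osboxes
Match User backup
    PasswordAuthentication yes
"""

# Values sshd applies when a directive is absent (per sshd_config(5)); keys lower-cased.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "logingracetime": "120",
    "x11forwarding": "no",
    "allowusers": "",
}


def _seconds(value):
    """Parse a time value such as '30' or '30s'; returns None for anything else."""
    digits = value[:-1] if value.endswith("s") else value
    return int(digits) if digits.isdigit() else None


# (keyword, predicate over the lower-cased value, advice). Thresholds are chosen for the example.
POLICY = [
    ("PermitRootLogin", lambda v: v == "no", "set it to 'no'"),
    ("PubkeyAuthentication", lambda v: v == "yes", "set it to 'yes'"),
    ("PasswordAuthentication", lambda v: v == "no", "set it to 'no' and use keys"),
    ("PermitEmptyPasswords", lambda v: v == "no", "set it to 'no'"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 3, "lower it to 3 or fewer"),
    ("LoginGraceTime", lambda v: _seconds(v) is not None and _seconds(v) <= 30, "lower it to 30 seconds or less"),
    ("X11Forwarding", lambda v: v == "no", "set it to 'no'"),
    ("AllowUsers", lambda v: v != "", "list the accounts allowed to log in"),
]


def parse_sshd_config(text):
    """Return (directives, saw_match). Mirrors sshd: keywords are case-insensitive and the
    first occurrence wins. Parsing stops at the first Match block, whose settings apply
    only conditionally and need a manual review."""
    directives = {}
    saw_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            saw_match = True
            break
        directives.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return directives, saw_match


def audit_sshd_config(text):
    """Check a config against POLICY; returns the violations and any review notes."""
    directives, saw_match = parse_sshd_config(text)
    violations = []
    for keyword, ok, advice in POLICY:
        key = keyword.lower()
        value = directives.get(key, DEFAULTS.get(key, ""))
        origin = "set" if key in directives else "default"
        if not ok(value.lower()):
            violations.append(f"{keyword} is '{value}' ({origin}); {advice}")
    notes = ["Match block present; review its conditional overrides by hand"] if saw_match else []
    return {"violations": violations, "notes": notes}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        report = audit_sshd_config(cfg)
        print(f"{name}: {len(report['violations'])} violation(s)")
        for item in report["violations"] + report["notes"]:
            print("  -", item)
```

Reporting whether a failing value was set explicitly or inherited from the default matters in practice: a stock sshd_config that never mentions MaxAuthTries or LoginGraceTime is still running with 6 attempts and a 120-second grace period, which is exactly what a password-guessing tool relies on, and an audit that only looks for the presence of "bad" lines would miss it.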


By embracing these mitigation strategies and maintaining vigilance in monitoring and securing SSH access, organizations can effectively mitigate the risks posed by SSH brute-force attacks and uphold a robust security posture compliant with GDPR, HIPAA, NIST, PCI DSS, and TSC standards amidst today's dynamic threat landscape.


Thank you for taking the time to read this article. Your feedback and suggestions are greatly appreciated!


#Cybersecurity #Wazuh #ThreatHunting #InfoSec #SecurityAudit

Pablo Javier Leguizamon Fariña

Responsable Security Engineer SOC - CERT-PY | MITIC

12 months

good

J M.

Cybersecurity Speaker, TTX designer, SOC builder, Ex-Hacker. DM or book a call below

1 year

If you deploy denyhosts first you will have a lot less to worry about

Semi Yulianto

Consultant | SME | Educator | R&D - InfoSec & Cybersecurity

1 year

Great! Keep up the good work.

Fatih A.

Cybersecurity Analyst II

1 year

Ajith Chandran Thank you for sharing.
