AskF5 Knowledge Base


sol11719: Mitigating risk from SSH brute force login attacks
Security Advisory

Original Publication Date: 06/18/2010
Updated Date: 05/13/2011

F5 products and versions that are affected by this Security Advisory

F5 Product Development has determined that all products and versions are affected by the issue described in this security advisory.

Note: For information about signing up to receive security notice updates from F5, refer to SOL9970: Subscribing to email notifications regarding F5 products.

Description

F5 has observed a recent increase in calls regarding distributed SSH brute force login attacks. These attacks use automated botnets to repeatedly attempt to log into target hosts using a dictionary of potential usernames and passwords. The target host is typically chosen at random. If a weak password exists on any user account configured on the device, the password may be guessed. When this occurs, the attacker is able to access the system with the permissions assigned to the compromised account. Once the target host is compromised, the attacker may install and run new processes on the target host. These processes may gather information and send it to the attacking host, or may allow the target host to be used as an automated bot to attack other systems in the vicinity or on the public internet.

Note: For more information about recent increases in automated brute force attack activity, refer to the information published by independent security organizations such as the SANS Internet Storm Center.

If you see unexpected processes running on a system, a system is unexpectedly connecting to other systems on your network or the internet, or you cannot log into a system, the system may have been compromised. For example, F5 customers have recently reported the following symptoms on compromised systems:

  • The output of the netstat command displays a large number of SSH connections in various TCP states

  • The system log files contain a large number of failed login messages for the same account, referencing various source IP addresses from around the world:

sshd(pam_unix)[15648]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP_addr1>  user=root
sshd(pam_unix)[15648]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP_addr2>  user=root
sshd(pam_unix)[15648]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP_addr3>  user=root
...

  • The output of the ps command displays a large number of processes named /tmp/dd_ssh run by the user root:

root      5535  0.0  0.0  2960  832 ?        S    21:24   0:00  \_ /tmp/dd_ssh 200 192.0.2.20 2
root      5547  0.0  0.0  2960  828 ?        S    21:24   0:00  \_ /tmp/dd_ssh 200 192.0.2.20 2
root      5548  0.0  0.0  2960  828 ?        S    21:24   0:00  \_ /tmp/dd_ssh 200 192.0.2.20 2
root      5549  0.0  0.0  2960  828 ?        S    21:24   0:00  \_ /tmp/dd_ssh 200 192.0.2.20 2
...
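The distributed pattern in the log excerpt above (one account, many source hosts) is the signal worth alerting on. The following detection logic is an added example, not part of the F5 advisory: it parses pam_unix "authentication failure" lines in the format shown, counts failures per account and per source host, and flags accounts targeted from several distinct hosts. The sample log and the 192.0.2.x addresses are constructed for the example; the threshold of three sources is an assumption to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample log in the pam_unix format shown in the advisory
# (addresses from the 192.0.2.0/24 documentation range, not real sources).
SAMPLE_LOG = """\
sshd(pam_unix)[15648]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11  user=root
sshd(pam_unix)[15648]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.12  user=root
sshd(pam_unix)[15648]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.13  user=root
sshd(pam_unix)[15648]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.14  user=root
sshd(pam_unix)[15702]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.50  user=admin
sshd(pam_unix)[15710]: session opened for user admin by (uid=0)
"""

# Only pam_unix failure records carry "rhost=" and "user="; rhost may be empty.
FAILURE_RE = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?"
    r"rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)


def failures_by_user(log_text):
    """Return {user: {rhost: failure_count}} for pam_unix authentication failures."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            stats[m.group("user")][m.group("rhost") or "<none>"] += 1
    return stats


def distributed_targets(log_text, min_sources=3):
    """Accounts whose failures arrive from at least min_sources distinct hosts.

    A single host hammering one account is ordinary brute force; the same account
    failing from many hosts is the botnet pattern the advisory describes.
    min_sources is an assumed threshold, not an F5-recommended value.
    """
    return sorted(
        user for user, hosts in failures_by_user(log_text).items()
        if len(hosts) >= min_sources
    )


if __name__ == "__main__":
    for user, hosts in failures_by_user(SAMPLE_LOG).items():
        print(f"{user}: {sum(hosts.values())} failures from {len(hosts)} host(s)")
    print("distributed targets:", distributed_targets(SAMPLE_LOG))
```

Feed it `/var/log/secure` (or wherever your sshd logs land) instead of SAMPLE_LOG; successful logins from unfamiliar sources still need a separate check, as the advisory notes below.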

Remedial actions

If you suspect your BIG-IP system has been compromised, F5 recommends the following remedial measures:

  • If you are able to access the system, log in and perform the following actions:
    • Kill the processes believed to be started by the compromise.
    • Change the passwords for the compromised account and all other administrative users following the recommended guidelines for strong passwords.
  • Regardless of whether you are able to log into the system, perform the following actions as soon as possible:
    • Perform a clean re-installation of the BIG-IP system software.
    • Perform a comprehensive security audit of all other networking devices, servers and workstations on the network (regardless of vendor or manufacturer) for compromised accounts, suspicious processes, or weak passwords.

Mitigation actions

There is no way to completely prevent brute force password attacks against any system on the public internet. However, it is possible to mitigate the risk of such attacks. The following actions will significantly assist in reducing the risk of a brute force password attack against any system. F5 recommends you consider these options when configuring your F5 system and any systems to which it can connect:

Choose suitable passwords

Strong passwords are necessary to mitigate automated brute force login attacks. Wikipedia provides some helpful information regarding Guidelines for strong passwords.

Restrict access to minimum required for administration

Administrative access should be limited only to those IP addresses from which the system is to be administered. F5 recommends the following configuration:

  • Use only the management IP address to configure the system
  • Restrict access to the management IP address to those IP addresses from which the system is to be administered
  • Restrict access to all other IP addresses configured on the system. For example, configure the Port Lockdown option to prevent administrative access to Self IP addresses configured on your BIG-IP or Enterprise Manager system

    Note: For more information about the Port Lockdown setting, refer to SOL7317: Overview of port lockdown behavior.

In addition, firewall access control lists (ACLs) should be configured in the networks surrounding your systems which limit access to administrative IP addresses to only the addresses from which administrative sessions should originate.

Monitor login attempts

You can monitor attempts to log into the system using the information provided in SOL10261: Monitoring login attempts. Be suspicious of successful logins from unrecognized source IP addresses.

Beginning in BIG-IP version 10.2.0, you can view the number of failed login attempts for each user by logging into the BIG-IP Configuration utility and browsing to the Account Security section of the System > Users : User List > <username> screen. The information displayed indicates whether the user has failed enough login attempts to be locked out of the system. Locked out users must contact the BIG-IP system administrator to have their access reinstated.

Important: System administrators can set the maximum number of login failures on the User > Authentication screen. However, setting this option is not recommended: A brute force login attack may lock you out of the system with no alternative administrative access, even if the system is not compromised.

Administratively disable unused accounts

If an account is not actively in use, it should be disabled to prevent any possibility of inappropriate use.
