SSH Brute Force attacks
A little while ago I asked for some SSH logs and, as per usual, people responded with gusto. So first of all, thanks to all of those who provided logs; it was very much appreciated. Looking through the data, it does look like everything is pretty much the same as usual: get a userid, then guess with password1, password2, password3, etc.
One variation did show up. One of the log files showed that, instead of the password changing, the userid was changed: pick a password and try it with userid1, userid2, userid3, etc., then pick password2 and lather, rinse, repeat. Some of the other log files may have shown the same, but not all of them had both userids and passwords available.
A number of the IP addresses showed that they were using the same password list, indicating that the attempts were either being generated by the same tool or were coming from the same botnet. Quite a few IP addresses showed up in logs submitted by different people.
The most common userids were, not unexpectedly, root, admin, administrator, mysql, oracle and nagios. A few more specific userids do creep in, but most are the standard ones.
So, nothing earth-shattering or even mildly surprising, but sometimes it is good to know that things haven't changed, much.
As for the attacking IPs, you can find the unique IP addresses performing SSH attacks here: http://www.shearwater.com.au/uploads/files/MH/SSH_attacking_IPs.txt
A number of the logs were provided by the kippo SSH honeypot, which looks like it is well worth running if you want to collect your own info.
Thanks again, and if I manage to dig out anything further I'll keep you up to date.
Mark
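The two patterns described above (a password list against one userid versus one password against a rotating list of userids) can be told apart from ordinary sshd logs even though sshd never records the tried password. The following is an added example, not code from the diary or from Kippo; the log lines are constructed, and the source IPs, hostnames and the `threshold` value are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines in OpenSSH's format (not taken from the diary's data).
SAMPLE_LOG = """\
Aug  2 03:14:01 host sshd[4012]: Failed password for root from 198.51.100.7 port 50122 ssh2
Aug  2 03:14:03 host sshd[4012]: Failed password for root from 198.51.100.7 port 50123 ssh2
Aug  2 03:14:05 host sshd[4012]: Failed password for root from 198.51.100.7 port 50124 ssh2
Aug  2 03:20:11 host sshd[4099]: Failed password for invalid user admin from 203.0.113.9 port 41001 ssh2
Aug  2 03:20:13 host sshd[4099]: Failed password for invalid user oracle from 203.0.113.9 port 41002 ssh2
Aug  2 03:20:15 host sshd[4099]: Failed password for invalid user nagios from 203.0.113.9 port 41003 ssh2
Aug  2 03:20:17 host sshd[4099]: Failed password for invalid user mysql from 203.0.113.9 port 41004 ssh2
Aug  2 03:26:00 host sshd[4131]: Failed password for mark from 192.0.2.5 port 52001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_failures(log_text):
    """Yield (username, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def summarise(log_text, threshold=3):
    """Per source IP with >= threshold failures: attempt count, userids tried and the
    inferred pattern. sshd never logs the tried password, so the pattern comes from the
    usernames: one userid hammered repeatedly = password list against a fixed userid;
    mostly distinct userids = the userid-rotation variant the diary describes."""
    attempts, users = Counter(), defaultdict(set)
    for user, ip in parse_failures(log_text):
        attempts[ip] += 1
        users[ip].add(user)
    report = {}
    for ip, n in attempts.items():
        if n >= threshold:
            pattern = "userid rotation" if len(users[ip]) > n // 2 else "password guessing"
            report[ip] = {"attempts": n, "users": users[ip], "pattern": pattern}
    return report

def top_usernames(log_text, k=5):
    """Most frequently tried userids across all failures, as (user, count) pairs."""
    return Counter(user for user, _ in parse_failures(log_text)).most_common(k)

if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, {len(info['users'])} userids -> {info['pattern']}")
    print("top userids:", top_usernames(SAMPLE_LOG))
```

The single failure from 192.0.2.5 stays below the threshold and is not reported, which is the usual way to keep a legitimate user's typo out of a brute-force report.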
Comments
CN=910;
US=556;
AE=370;
DE=353;
TR=300;
RU=221;
RO=194;
KR=188;
IT=134;
BR=131;
Ken
Aug 2nd 2011
Stephen
Aug 2nd 2011
At a minimum, my Internet-facing SSH services run on non-standard ports, have password authentication disabled and are guarded by fail2ban. I see very few attacks and collect almost no interesting data as a result.
Patrick W. Barnes
Aug 2nd 2011
AllowGroups sshers
BJ
Aug 2nd 2011
MrDonT
Aug 2nd 2011
2) otherwise require SSH connections from outside of the network to be tunneled through VPN or IPsec
Jim
Aug 2nd 2011
mac
Aug 3rd 2011
PhilHagen
Aug 3rd 2011
Peter P
Aug 3rd 2011