SSH Password Brute Forcing may be on the Rise

Published: 2011-12-04. Last Updated: 2011-12-04 23:26:51 UTC
by Guy Bruneau (Version: 1)
9 comment(s)

We have received a report of ongoing SSH account brute forcing against root. This activity has been ongoing for about a week now from various IPs. I have also noticed similar activity against one of my server ongoing since mid November from different IPs. A review of the DShield data, shows a spike can easily be observed starting 15 Nov and has been up/down ever since.

  

I got this report on the 2011-11-27 from one IP that ran over 2000 attempt to "break-in"

Source                Port List     Count

xx.yyy.209.73    -> 22             2025

Some Defensive Tips (Thanks Swa)

- Never allow root to log in, no matter what: always login in as a regular user and then use su/sudo as needed.
- Change port number: why go stand in the line of fire ?
- Disallow password authentication (use keys)

In addition to the above, you should also consider using TCP Wrappers with the SSH service to limit access to only those addresses that need access.

Another application that can also help protect your SSH service is fail2ban [1], it will ban IPs that makes too many password failures. It updates firewall rules to reject the IP address.

Have you been seeing similar activity?

[1] http://www.fail2ban.org/wiki/index.php/Main_Page

[2] ftp://ftp.porcupine.org/pub/security/index.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: Brute Force ssh
9 comment(s)

Comments

Have see this rise of SSH scans :

http://eromang.zataz.com/2010/05/15/suc015-potential-ssh-scan/

Regards
I only see a rise is SSH attacks on my honeypot. Though some of the data is invaluable to my research, for the most part it is just plain entertainment watching all the script kiddies download their flood bots, and bnc scripts...really, it is. One dummy even downloaded WinXP SP3 to a Linux box...that was a good laugh for me.
I have set up numerous Linux boxes with internet-facing SSH. In each case, the SSH brute force attacks arrive within the first week. I have started blocking port 22 at the firewall and using VPN to cross.
I haven't seen much more than usual on my honeypots for SSH attacks. Here is my monthly graphs of attacks:

http://honeypot.jayscott.co.uk/statistics/monthly/

The current months graph can be found on the main page:

http://honeypot.jayscott.co.uk/
Jeff,

Just to add, I think the reason they download the WinXP SP3 patch is for testing bandwidth speeds, unless of course they then try to run it ;-)
I do not use open SSH so no attempts on my side, but I can tell you one thing.. Every year, the target is Christmas and New Years when all of that collected data is used to wreak havoc on the Internet world. More network spread infections are detected during the later part of December and early January each year than at any other time. The reason is simple! Everyone is out so the mice will play! Set up a good mouse trap and you'll land a big rat :-)
Its more that just that everybody is out at Christmas; consumers get new PC's that have been sitting on warehouse shelves and missed several updates. Bad guys exploit these out of date systems to grow their botnets.
Yes very true on that. Between both of these prime situations the bot herders are on a rampage to acquire new bots and also entire networks to gather data from for various reasons. Either way we all get busy around this time of year, and not because of holiday shopping. Other than retail, I think we are the only sector that has higher income around the holidays, with perhaps the exception of health care.
I use fwknop so i dont need to open the port i just send an spa packet to autenticate access to the requested port i want.

http://www.cipherdyne.org/fwknop/

Diary Archives