SSH Server "Time to Live"? Less than a cup of coffee!

Published: 2017-11-08
Last Updated: 2017-11-08 14:32:43 UTC
by Rob VandenBrink (Version: 2)
12 comment(s)

After the stories I posted last week on SSH, I had some folks ask me about putting an SSH server on the public internet - apparently lots of lots of folks still think that's a safe thing to do.

Shodan lists 15 million such trusting souls:

OK - so can 15 million people be wrong? In a word, yes.  I put an SSH / SCP server up for a few minutes yesterday, for a quick file transfer.  For kicks, I left it up for a few minutes after I send myself the files, and had a coffee while I watched the logs.  And yu-u-u-p, I had several IP's brute forcing against my SSH service within 10 minutes of the server being online.

 

These are all automated attack engines, but they are taking the Mirai approach of using well known / default credentials to attempt to login - exactly lke the Mirai botnet, except over SSH rather than telnet.  I'll refer you again to http://www.defaultpassword.com  and any number of other sites that have default credentials listed.  "Common password" lists such as "the worst 500 passwords" or even comprehensive lists like the RockYou list, with transforms such as "add "99! or "!!"" to the end" are also surprisingly successful.  I have to say that I got domain admin this week from some LinkedIn OSINT, an open SSH server and "456789" as a password.

Anyway, the "safe" time to live for an SSH server on the public internet really is minutes these days - in my case less than a cup of coffee.  Look at your logs - the wolf has been at your door since the day you put that server online.  If you are still seeing brute force attempts against your server, that's no guarantee that someone else hasn't already succeeded.  Time to put your SSH server behind a VPN, preferably a VPN with multifactor authentication!

 

===============
Rob VandenBrink
Compugen

Keywords:
12 comment(s)
ISC Stormcast For Wednesday, November 8th 2017 https://isc.sans.edu/podcastdetail.html?id=5746

Comments


Diary Archives