SSH Brute Force attacks

Published: 2011-08-02
Last Updated: 2011-08-02 14:42:02 UTC
by Mark Hofman (Version: 1)
9 comment(s)

A little while ago I asked for some SSH logs and as per usual people responded with gusto. So first of all thanks to all of those that provided logs, it was very much appreciated.  Looking through the data it does look like everything is pretty much the same as usual. Get a userid, guess with password1, password2, password3, etc. 

One variation did show.  One of the log files showed that instead of the password changing the userid was changed. So pick a password and try it with userid1, userid2, userid3, etc, then pick password2 and rinse lather and repeat. Some of the other log files may have showed the same, but not all log files had userid and passwords available. 

A number of the IP addresses showed that they were using the same password list, indicating that either they were being generated by the same tool or might be part of the same bot net.  Quite a few IP addresses showed up in different logs submitted. 

The most common userids were, not unexpectedly, root, admin, administrator, mysql, oracle, nagios. A few more specific userids do creep in, but most are the standard ones.

So not earth shattering or even mildly surprising, but sometimes it is good to know that things haven't changed, much.

As for the attacking IPs. You can find the unique IP addresses performing SSH attacks here http://www.shearwater.com.au/uploads/files/MH/SSH_attacking_IPs.txt

A number of the logs were provided by the kippo SSH honeypot, which looks like it is well worth running if you want to collect your own info.

Thanks again and if I manage to dig out anything further I'll keep you up to date. 

Mark

Keywords: brute force SSH
9 comment(s)

Comments

For the heck of it I ran those IPs through a script that looks up IPv4 addresses in the World IP DB (www.wipmania.com). The top two results aren't too surprising; they reconfirm my decision to blackhole China at home. The Emirates at #3 seems unusual. Here are the top 10 countries by number of IPs in the SSH_attacking_IPs.txt file:

CN=910;
US=556;
AE=370;
DE=353;
TR=300;
RU=221;
RO=194;
KR=188;
IT=134;
BR=131;
If one uses keys only, are people still seeing attempts at brute forcing, or is the cracking software smart enough to detect that a password is not asked for and moves on?
@Stephen: In most of the attacks I have seen, the bots keep trying even if password authentication is disabled.

At a minimum, my Internet-facing SSH services run on non-standard ports, have password authentication disabled and are guarded by fail2ban. I see very few attacks and collect almost no interesting data as a result.
I use firewalls, but it looks like one could block login attempts for 'service' accounts by using groups and this line in the sshd config:
AllowGroups sshers
I've been using a script called ssh_brute_blocker running under FreeBSD for about 6 years that bans the IPs. The one i run is a bit modified from what Michael L. Benjamin wrote back in the day. I believe the last release was in 2004 but it still the best i've used. Tried a few, even fail2ban, but allways end up with that old thingi.
2 methods that I use to combat this in different situations are: 1) If ssh has to be available directly from the internet, rate limit tcp syn packets to the ssh port on per source address basis using iptables/netfilter
2) otherwise require ssh connections from outside of the network to be tunneled through vpn or ipsec
You could also setup snort and snortsam to drop append your iptables fw with a drop rule for said ip.
Another tool to limit the effectiveness of brute forcing is BlockHosts. I've been feeding iptables with this tool for years, and it dropped login failures from 70-100k/day to <100/day. (Running SSH on a nonstandard port would generate more support calls than I care to field.). I've been impressed with the BlockHosts implementation, and definitely recommend taking a look.
With analysing the logs on my host I found that the scanning IP tend to pop up run a brute force attack then disappear for months then run the attack again. I also thought I would have constant stream of attacks but they come up in waves then all goes quite. The maximum I have seen in a week on a host on a DSL line was around 15 different IP’s. I was surprised that is was not more and weeks went by and I did not get one attack. I felt rather left out.

Diary Archives