FYI...SSH brute force attempts on the rise again
Last Updated: 2010-06-18 12:32:51 UTC - "SSH brute force attempts seem to be on the rise again, at the SANS Internet Storm Center we have received a number of reports that a number of networks are seeing them. The source IP addresses vary with each new attempted username in the wordlist, which would indicate that the attempts are distributed through botnet(s). It only takes a single user with a weak password for a breach to occur, then with that foothold escalation and further attacks are likely next...
Reader xemaps wrote in with this log snippet:
"All day my server has been targeted by a botnet; the attacker also changed IP with each new dictionary user."
Jun 17 23:02:03 pro sshd: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd: Invalid user mama from 84.73.x.x
Reader Ingvar wrote in with a similar pattern:
"On my home system I have seen these login attempts that start with user "aaa" and go on alphabetically from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day."
Jun 17 02:14:56 MyHost sshd: error: PAM: authentication error for illegal user aaa from 151.100.x.x
Jun 17 02:23:11 MyHost sshd: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
Jun 17 02:24:57 MyHost sshd: error: PAM: authentication error for illegal user aapo from 173.33.x.x
Jun 17 02:35:23 MyHost sshd: error: PAM: authentication error for illegal user abakus from 121.160.x.x
Jun 17 02:37:32 MyHost sshd: error: PAM: authentication error for illegal user abas from 190.200.x.x
Jun 17 02:38:18 MyHost sshd: error: PAM: authentication error for illegal user abc from 193.251.x.x
Last year ISC Handler Rick wrote up a diary* for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:
• Deploy the SSH server on a port other than 22/TCP
• Deploy one of the SSH brute force prevention tools
• Disallow remote root logins
• Set PasswordAuthentication to "no" and use keys
• If you must use passwords, ensure that they are all complex
• Use AllowGroups to limit access to a specific group of users
• Use a chroot jail for SSH if possible
• Limit the IP ranges that can connect to SSH ..."
- http://isc.sans.edu/port.html?port=22
Last Updated: 2010-06-18 17:05:49 UTC
Edited by apluswebmaster, 18 June 2010 - 12:53 PM.
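The pattern both readers describe (each username tried from a different source address) is exactly what per-IP blockers such as DenyHosts or fail2ban miss, since no single address ever crosses their threshold. The script below is an added example, not code from the ISC diary or the forum post: it parses both sshd log formats quoted above, and flags the distributed signature (almost every failure from a new IP, usernames walked in dictionary order) while also showing that a per-IP threshold would not have fired. The sample lines and addresses are constructed; thresholds are assumptions to tune per site.

```python
import re
from collections import Counter

# Matches both sshd flavours quoted in the diary:
#   "Invalid user NAME from IP"  and  "PAM: authentication error for illegal user NAME from IP"
LOG_RE = re.compile(r"(?:Invalid user|illegal user) (\S+) from (\S+)")

# Constructed sample in the shape of the reader reports (documentation-range IPs, not real attackers)
SAMPLE = """\
Jun 17 23:02:03 pro sshd: Invalid user mailer from 203.0.113.10
Jun 17 23:03:24 pro sshd: Invalid user mailer from 203.0.113.11
Jun 17 23:05:27 pro sshd: Invalid user mailman from 198.51.100.5
Jun 17 23:09:30 pro sshd: Invalid user mailtest from 192.0.2.77
Jun 17 23:15:44 pro sshd: Invalid user maker from 203.0.113.12
"""

def parse_failures(text):
    """Return a list of (username, source_ip) tuples, one per failed-login line."""
    return [m.groups() for line in text.splitlines() if (m := LOG_RE.search(line))]

def assess(failures, min_attempts=5, spread_threshold=0.8, per_ip_threshold=3):
    """Summarise a batch of failures and flag the distributed brute-force pattern.

    distributed   : enough attempts, nearly every one from a distinct IP, and the
                    usernames arrive in sorted (wordlist) order.
    per_ip_blocked: whether a classic per-source-IP blocker (assumed threshold
                    per_ip_threshold failures from one address) would have fired.
    """
    users = [u for u, _ in failures]
    ips = [ip for _, ip in failures]
    n = len(failures)
    ip_spread = len(set(ips)) / n if n else 0.0       # 1.0 means every attempt had a new source
    alphabetical = users == sorted(users)              # dictionary walked in order
    max_per_ip = Counter(ips).most_common(1)[0][1] if n else 0
    return {
        "attempts": n,
        "distinct_ips": len(set(ips)),
        "max_per_ip": max_per_ip,
        "distributed": n >= min_attempts and ip_spread >= spread_threshold and alphabetical,
        "per_ip_blocked": max_per_ip >= per_ip_threshold,
    }

if __name__ == "__main__":
    print(assess(parse_failures(SAMPLE)))
```

Run it over a full day's auth log; a high distinct-IP ratio with sorted usernames is the cue to act on the aggregate (e.g. the key-only and AllowGroups measures in the list above) rather than wait for any one address to be banned.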