Distributed SSH Brute Force Attempts on the rise again
SSH brute force attempts seem to be on the rise again: at the SANS Internet Storm Center we have received a number of reports from networks that are seeing them. The source IP address changes with each new username tried from the wordlist, which indicates that the attempts are distributed across one or more botnets. It only takes a single user with a weak password for a breach to occur; with that foothold, privilege escalation and further attacks are likely to follow. This is certainly not a new phenomenon, but I think it is a good time to raise awareness about it once again.
Reader xemaps wrote in with this log snippet:
"All day my server has been targeted by a botnet; the attacker also changed IP with each new dictionary user."
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
Reader Ingvar wrote in with a similar pattern:
"On my home system I have seen these login attempts that start with user "aaa" and go on alphabetically, from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day."
Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x 
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x 
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x 
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x 
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x 
Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x 
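As an added illustration (not part of the diary or of the readers' submissions), the following Python parses the two sshd message formats quoted above and tells the distributed, wordlist-walking pattern apart from the single-source case that per-IP blockers such as DenyHosts or fail2ban are built for. The sample log is constructed from the quoted lines plus one legitimate login; the thresholds are assumptions.

```python
import re
from collections import Counter

# Matches both sshd message shapes quoted in the diary: plain "Invalid user"
# and the PAM "illegal user" variant. IPs stay as the readers masked them.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:error: PAM: authentication error for illegal user|Invalid user) "
    r"(?P<user>\S+) from (?P<ip>[0-9a-fx.:]+)"
)

# Constructed sample: one reader's lines plus a legitimate login as noise.
SAMPLE_LOG = """\
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:10:00 pro sshd[17650]: Accepted publickey for alice from 10.0.0.5 port 5555 ssh2
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
"""

def parse_failures(text):
    """Return [(user, ip), ...] in log order; non-matching lines are skipped."""
    return [(m.group("user"), m.group("ip"))
            for m in map(FAILED_RE.search, text.splitlines()) if m]

def per_ip_offenders(failures, maxretry=3):
    """IPs that a per-source blocker (fail2ban/DenyHosts style) would ban."""
    hits = Counter(ip for _, ip in failures)
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

def classify(failures, min_attempts=5, ip_spread=0.8):
    """'quiet' below threshold; 'single-source' when few IPs (the case
    per-IP blockers handle); 'distributed' when almost every attempt has
    its own IP; 'distributed-wordlist' when the usernames also arrive in
    sorted order, i.e. a botnet walking a dictionary as reported above."""
    if len(failures) < min_attempts:
        return "quiet"
    distinct = len({ip for _, ip in failures})
    if distinct / len(failures) < ip_spread:
        return "single-source"
    users = [u for u, _ in failures]
    return "distributed-wordlist" if users == sorted(users) else "distributed"

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print(len(failures), "failed attempts ->", classify(failures))
    print("per-IP bans with maxretry=3:", per_ip_offenders(failures) or "none")
```

On the sample, six failures from six different sources are labelled distributed-wordlist while a maxretry of 3 bans nobody, which is exactly why per-IP counting alone misses this campaign.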
Last year ISC Handler Rick wrote up a diary for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:
- Deploy the SSH server on a port other than 22/TCP
- Deploy one of the SSH brute force prevention tools
- Disallow remote root logins
- Set PasswordAuthentication to "no" and use keys
- If you must use passwords, ensure that they are all complex
- Use AllowGroups to limit access to a specific group of users
- Use a chroot jail for SSH if possible
- Limit the IP ranges that can connect to SSH
If you have any comments, additional examples of safeguards, or additional information please let us know here.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc. 
Comments
nate, Jun 18th 2010
The nice thing about this attack, though, is that it should be easy to compile a comprehensive list of infected hosts and go about getting people to fix them.
Steven Chamberlain, Jun 18th 2010
Jonathan, Jun 18th 2010
James, Jun 18th 2010
The real solution is to get people to fix their broken security, which led to the attempts in the first place.
joeblow, Jun 18th 2010
While changing your port should not be the only step taken to protect your systems, it does reduce your surface area by eliminating the potential of most of the automated scripts. Why would you not want to reduce your surface area if it's as trivial as using a different port (depending on your situation)?
I would also be surprised that the writers of PCI would recommend such a "hack" if it was indeed so.
Also, the "real solution" that you propose is generally outside of your control, while the configuration of your systems is well within your control. What you're proposing is akin to saying "We should not have a police force because the real solution is to get everyone to just follow the law."
coolhandluke, Jun 18th 2010
joeblow, Jun 18th 2010
jtwaldo, Jun 18th 2010
Thus running SSH on a non-standard port is much more than just "security through obscurity," it's one more layer that can give you the edge on an attacker.
jtanium, Jun 18th 2010
Daniel M., Jun 18th 2010