Log in

No account? Create an account

Previous Entry | Next Entry

Brute force attempts over SSH

Somewhere around July 2004, there was this nuisance script that attempted to break into machines running sshd. All the script did was try to log in to machines that weren't secure enough like for example if you had an account with guest/guest as username & password or if you were dumb enough to not set passwords at all, you could be in a spot of bother.

Then, somewhere along the line, the script just became better. What started with the standard guest/guest, root/root, admin/admin grew up to trying out other username and password combinations, found more foolish people on the Internet and started keeping track of the new additions.

The log entries on your machine during an attack would be something like :

Dec 13 07:50:54 [sshd] Invalid user tei from
Dec 13 07:50:57 [sshd] Invalid user cherry from
Dec 13 07:51:01 [sshd] Invalid user nmap from
Dec 13 07:51:04 [sshd] Invalid user perl from
Dec 13 07:51:07 [sshd] Invalid user elaine from

From my sshd logs between May 2005 & today, I've had 2930 unique usernames trying to login from abigale to annette, david to takahashi. If you're curious, all the 2930 are up in alphabetical order here.

The attacks originated from the following addresses.

To be on the safe side :

  1. Don't have dumb accounts even for a small amount of time. A dumb account would be one with the username as the password.

  2. Don't run sshd unless you really need it.

  3. Use key based authentication only as far as possible. This eliminates the need for passwords and there is no chance of a brute force attack succeeding.

  4. Never have blank passwords.

  5. Run sshd on a non-standard port if you can afford to.

More info on ssh -> http://en.wikipedia.org/wiki/Secure_Shell

Update : Found a nice wiki page on this -> http://wiki.clug.org.za/clugwiki/index.php/Defending_Against_Brute_Force_SSH_Attacks



( 5 comments — Leave a comment )
Dec. 13th, 2005 07:27 pm (UTC)
There is a set of scripts called denyhosts in portage that ban IPs after a specified number of failed login attempts. Also, you can use johntheripper to check your password file for weak passwords.
Dec. 13th, 2005 10:01 pm (UTC)
Don't have dumb accounts even for a small amount of time. A dumb account would be one with the username as the password.
How about an account with the password as the username?

Dec. 14th, 2005 01:51 am (UTC)
Dec. 14th, 2005 06:18 am (UTC)
I've noticed firewall hits from scanning bots that try the more obscure ssh alternate ports for a year now. It's also a very good idea to utilize iptables for filtering unwanted data and connections.

Dec. 15th, 2005 08:15 pm (UTC)
fail2ban does what the first poster describes, and it's already in the tree as well.


Aaron Kulbe
( 5 comments — Leave a comment )

Latest Month

July 2009


Page Summary

Powered by LiveJournal.com
Designed by Lilia Ahner