Shyam Mani (fox2mike) wrote,

Brute force attempts over SSH

Somewhere around July 2004, there was this nuisance script that attempted to break into machines running sshd. All the script did was try to log in to machines that weren't secure enough: for example, if you had an account with guest/guest as username and password, or if you were dumb enough to not set passwords at all, you could be in a spot of bother.

Then, somewhere along the line, the script just became better. What started with the standard guest/guest, root/root, admin/admin grew into trying out other username and password combinations, found more foolish people on the Internet and started keeping track of the new additions.


The log entries on your machine during an attack would be something like :

Dec 13 07:50:54 [sshd] Invalid user tei from 66.221.168.9
Dec 13 07:50:57 [sshd] Invalid user cherry from 66.221.168.9
Dec 13 07:51:01 [sshd] Invalid user nmap from 66.221.168.9
Dec 13 07:51:04 [sshd] Invalid user perl from 66.221.168.9
Dec 13 07:51:07 [sshd] Invalid user elaine from 66.221.168.9


From my sshd logs between May 2005 & today, I've had 2930 unique usernames trying to log in, from abigale to annette, david to takahashi. If you're curious, all 2930 are up in alphabetical order here.
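
An added example (not part of the original post): a small Python script that pulls these figures out of log lines in the format shown above, giving the unique usernames and the attempts per source address, and flagging sources that make many attempts in a short window. The function names, the five-attempts-in-one-minute threshold, the assumed year and the two 192.0.2.10 lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Format shown in the post: "Dec 13 07:50:54 [sshd] Invalid user tei from 66.221.168.9"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[sshd\] "
    r"Invalid user (?P<user>\S*) from (?P<src>\S+)\s*$"
)

def parse(lines, year=2005):
    """Yield (timestamp, user, source); syslog stamps carry no year, so one is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # anything that is not an "Invalid user" line is skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def summarize(lines, window=timedelta(minutes=1), threshold=5):
    """Return (sorted unique usernames, attempts per source,
    sources with at least `threshold` attempts inside `window`)."""
    users, per_src, times = set(), defaultdict(int), defaultdict(list)
    for ts, user, src in parse(lines):
        users.add(user)
        per_src[src] += 1
        times[src].append(ts)
    noisy = set()
    for src, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                noisy.add(src)
                break
    return sorted(users), dict(per_src), noisy

# Constructed sample: the five lines from the post plus two made-up lines
SAMPLE = """\
Dec 13 07:50:54 [sshd] Invalid user tei from 66.221.168.9
Dec 13 07:50:57 [sshd] Invalid user cherry from 66.221.168.9
Dec 13 07:51:01 [sshd] Invalid user nmap from 66.221.168.9
Dec 13 07:51:04 [sshd] Invalid user perl from 66.221.168.9
Dec 13 07:51:07 [sshd] Invalid user elaine from 66.221.168.9
Dec 13 08:10:00 [sshd] Invalid user guest from 192.0.2.10
Dec 13 09:10:00 [sshd] Invalid user guest from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```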

The attacks originated from the following addresses.

To be on the safe side :

  1. Don't have dumb accounts even for a small amount of time. A dumb account would be one with the username as the password.

  2. Don't run sshd unless you really need it.

  3. Use key-based authentication only, as far as possible. This eliminates the need for passwords, and there is no chance of a brute-force attack succeeding.

  4. Never have blank passwords.

  5. Run sshd on a non-standard port if you can afford to.


More info on ssh -> http://en.wikipedia.org/wiki/Secure_Shell

Update : Found a nice wiki page on this -> http://wiki.clug.org.za/clugwiki/index.php/Defending_Against_Brute_Force_SSH_Attacks
Tags: security, ssh, tech