SSH bruteforce break attempts made to my personal server

This is just a quick post to show you why you must at least try to configure properly you ssh servers. Today, reading my server logs I realized a big number of login failures into my server and I thought about collecting some numbers about these attempts.

All login attempts have the same signature on the logs, it’s something like this:

Apr 19 23:33:20 li292-237 sshd[25190]: Invalid user <username> from <IP Address>

Each entry with a different username and possibly a different origin IP. A quick wc -l on the string Invalid user returns 197243 lines.

daltonmatos@jetta ~/ [10]$ grep -i "invalid user" messages | wc -l
197243
daltonmatos@jetta ~/ [11]$

From all these, there are 32175 unique username

daltonmatos@jetta ~/ [13]$ grep -i "invalid user" messages | awk '{print $8}' | sort | uniq | wc -l
32175
daltonmatos@jetta ~/ [14]$

and 669 unique IP Addresses.

daltonmatos@jetta ~/ [16]$ grep -i "invalid user" messages | awk '{print $10}' | sort | uniq | wc -l
669
daltonmatos@jetta ~/ [17]$

The 10 most common usernames were:

daltonmatos@jetta ~/ [25]$ grep -i "invalid user" messages | awk '{print $8}' | ./count.py | sort -k 2 -n -r | head -10
test 3099
oracle 2901
admin 2869
guest 1596
nagios 1459
postgres 1229
user 1174
mysql 1030
ftp 754
temp 592
daltonmatos@jetta ~/ [26]$

p.s. Here is the code for count.py, if you are curious. =) https://gist.github.com/2333049

The same approach cane be applied to know the IP’s involved in the attacks and here are the top 10 (just the number of hits from each IP):

daltonmatos@jetta ~/ [27]$ grep -i "invalid user" messages | awk '{print $10}' | ./count.py | sort -k 2 -n -r | head -10
19332
16498
10844
9109
7283
5860
5288
4482
4343
4270
daltonmatos@jetta ~/ [28]$

Running a whois on the IP’s show me that the attacks comes from many different places including: China, Japan, Nigeria and US.

All attempts were made between April 2011 and April 2012. What I want to show you is that you need to take care of your ssh server configuration because one of these attempts could be successful. The first thing I do with any new ssh server is to disable login/password authentication and only accept ssh keys authentication. This is already a good start. =)

Thanks for reading.

Update: My great friend Denilson just pointed out that count.py has the very same effect of uniq -c. Thanks for the tip!

About these ads

, , , , ,

  1. #1 por Renato L. Morais em 10/05/2014 - 15:20

    you might as well put in your passwd a false shell to these users.

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s

Seguir

Obtenha todo post novo entregue na sua caixa de entrada.

%d blogueiros gostam disto: