Posts tagged ssh

SSH bruteforce break attempts made to my personal server

This is just a quick post to show you why you must at least try to configure your ssh servers properly. Today, reading my server logs, I noticed a large number of login failures on my server and decided to collect some numbers about these attempts.

All login attempts have the same signature on the logs, it’s something like this:

Apr 19 23:33:20 li292-237 sshd[25190]: Invalid user <username> from <IP Address>

Each entry has a different username and possibly a different origin IP. A quick wc -l on the string Invalid user returns 197243 lines.

daltonmatos@jetta ~/ [10]$ grep -i "invalid user" messages | wc -l
daltonmatos@jetta ~/ [11]$

From all these, there are 32175 unique usernames

daltonmatos@jetta ~/ [13]$ grep -i "invalid user" messages | awk '{print $8}' | sort | uniq | wc -l
daltonmatos@jetta ~/ [14]$

and 669 unique IP Addresses.

daltonmatos@jetta ~/ [16]$ grep -i "invalid user" messages | awk '{print $10}' | sort | uniq | wc -l
daltonmatos@jetta ~/ [17]$

The 10 most common usernames were:

daltonmatos@jetta ~/ [25]$ grep -i "invalid user" messages | awk '{print $8}' | ./ | sort -k 2 -n -r | head -10
test 3099
oracle 2901
admin 2869
guest 1596
nagios 1459
postgres 1229
user 1174
mysql 1030
ftp 754
temp 592
daltonmatos@jetta ~/ [26]$

p.s. Here is the code for, if you are curious. =)

The same approach can be applied to find the IPs involved in the attacks, and here are the top 10 (just the number of hits from each IP):

daltonmatos@jetta ~/ [27]$ grep -i "invalid user" messages | awk '{print $10}' | ./ | sort -k 2 -n -r | head -10
daltonmatos@jetta ~/ [28]$
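As an added example (not the author's script), here is a small Python version of the counting step above. It replaces the grep/awk/sort pipeline with a regex anchored on the sshd line shape quoted earlier, so the empty usernames sshd also logs and the "port N" suffix that newer OpenSSH versions append do not shift the field positions the awk approach relies on; the log lines are constructed for the example.

```python
import re
import sys
from collections import Counter

# Line shape quoted in the post; the "port N" suffix is optional because
# newer OpenSSH versions append it.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<ip>\S+)(?: port \d+)?$"
)

# Constructed sample lines (not from the author's server). The fourth line
# has an empty username, which makes awk's $8 become "from" and $10 empty.
SAMPLE_LOG = """\
Apr 19 23:33:20 li292-237 sshd[25190]: Invalid user test from 203.0.113.7
Apr 19 23:33:22 li292-237 sshd[25192]: Invalid user oracle from 203.0.113.7
Apr 19 23:33:25 li292-237 sshd[25194]: Invalid user test from 198.51.100.21
Apr 19 23:33:27 li292-237 sshd[25196]: Invalid user  from 198.51.100.21
Apr 19 23:33:30 li292-237 sshd[25198]: Invalid user admin from 192.0.2.55 port 51234
Apr 19 23:33:31 li292-237 sshd[25199]: Accepted publickey for alice from 192.0.2.1 port 50000 ssh2
"""


def parse_invalid_users(log_text):
    """Return (username_counter, ip_counter) over every 'Invalid user' line."""
    users, ips = Counter(), Counter()
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if not m:
            continue  # accepted logins, sudo, cron, etc. are ignored
        users[m.group("user")] += 1
        ips[m.group("ip")] += 1
    return users, ips


def top(counter, n=10):
    """Same as `sort | uniq -c | sort -rn | head -n`; ties are broken by name."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    # Pass a real syslog/messages file as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    users, ips = parse_invalid_users(text)
    print("Top usernames:")
    for name, n in top(users):
        print(f"{name or '<empty>'} {n}")
    print("Top IPs:")
    for ip, n in top(ips):
        print(f"{ip} {n}")
```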

Running a whois on the IPs shows me that the attacks come from many different places, including China, Japan, Nigeria and the US.

All attempts were made between April 2011 and April 2012. What I want to show you is that you need to take care of your ssh server configuration, because one of these attempts could be successful. The first thing I do with any new ssh server is to disable login/password authentication and accept only ssh key authentication. This is already a good start. =)

Thanks for reading.

Update: My great friend Denilson just pointed out that has the very same effect as uniq -c. Thanks for the tip!


1 comment

Accessing whatever sites you want at work

This post shows one (of several) ways to get around the various blocks some companies impose on internet access. We will look at a very simple and effective way of browsing sites we supposedly should not be seeing. =)

Read the rest of this post »


14 comments

How to get around connectivity limits imposed by hotels and the like

We are often in public places that offer an internet connection. In some places the connection is paid, in others it is free but has a time limit, and in others it is both paid and time-limited. In this post we will see a way to extend our connection time when necessary.

Read the rest of this post »


10 comments