Educause Security Discussion mailing list archives

Re: SSH dictionary attack dictionary

From: John Kristoff <jtk () DEPAUL EDU>
Date: Tue, 11 Aug 2009 10:48:01 -0500

On Mon, Aug 10, 2009 at 03:57:49PM -0700, Andrew Daviel wrote:

Ever wondered what passwords those annoying SSH dictionary attacks were
trying ? At some point I modified sshd to collect failed passwords.

In 2006 I saw some 200 attempts against root and basically 1 each against
a "baby's first name" list with username=password.


Hi Andre.  I've been involved in a project that has been doing this
too (among other things).  I've seen brute force attempts from a single
host lasting more than a day and many of the passwords have not been
dictionary words.  I hope people pay attention to this, because it
really does elevate the benefit of avoiding passwords (I use keys
myself, but I know its not always easy for the average user).

Recently I saw some 600 against root, and a dozen each against other
common accounts like "sales", "helpdesk" etc.


Only 600?  :-)

FYI you may be interested in this:

  <http://sock-raw.org/papers/openssh_library>

John

Current thread:

SSH dictionary attack dictionary Andrew Daviel (Aug 10)
- <Possible follow-ups>
- Re: SSH dictionary attack dictionary Patrick P Murphy (Aug 10)
- Re: SSH dictionary attack dictionary Brad Edmondson (Aug 10)
- Re: SSH dictionary attack dictionary Patrick P Murphy (Aug 11)
- Re: SSH dictionary attack dictionary John Kristoff (Aug 11)
- Re: SSH dictionary attack dictionary Bob Bayn (Aug 11)
- Re: SSH dictionary attack dictionary Chris Schenk (Aug 11)
- Re: SSH dictionary attack dictionary Louis Anthony Arminio (Aug 11)
- Re: SSH dictionary attack dictionary Di Fabio, Andrea (Aug 11)
- Re: SSH dictionary attack dictionary Bruce Curtis (Aug 11)
- Re: SSH dictionary attack dictionary Plesco, Todd (Aug 11)
- Re: SSH dictionary attack dictionary Andrew Daviel (Aug 11)