Educause Security Discussion mailing list archives
Re: SSH dictionary attack dictionary
From: Bob Bayn <bob.bayn () USU EDU>
Date: Tue, 11 Aug 2009 10:01:55 -0600
We had a radius server that showed us some similar "dictionary attacks" since it logged all bad password attempts. At the time we had very minimal password complexity requirements and common passwords in use here included "123456" and "aggies". I recall about three common, easily recognizable strategies from perusing those logs:

1) For usernames that were obviously gleaned from email lists, they would hit with about 600 common passcodes. They tried their list alphabetically and we could tell if they made a hit because they didn't get to the end of the list. Curiously, "aggies" didn't seem to be in their list, although "123456" was.

2) root/admin type usernames with all our other real usernames as passwords.

3) username=password for lots of common usernames (whether they were in use here or not).

Also, we watch our VPN logs for successful connections from out of the country (usually Chinese IPs) and contact the user to see if they really are in that country (which was true about 1% of the time).

These events have become quite rare in the past year, since we enforced new password complexity rules and raised awareness.

Bob Bayn (435)797-2396
Security Team coordinator
Power off your desktop after hours to thwart network probes.
Office of Information Technology at Utah State University
________________________________________

On Mon, Aug 10, 2009 at 03:57:49PM -0700, Andrew Daviel wrote:
> Ever wondered what passwords those annoying SSH dictionary attacks were trying? At some point I modified sshd to collect failed passwords. In 2006 I saw some 200 attempts against root and basically 1 each against a "baby's first name" list with username=password.

John Kristoff [jtk () DEPAUL EDU] replied:

Hi Andre. I've been involved in a project that has been doing this too (among other things). I've seen brute force attempts from a single host lasting more than a day and many of the passwords have not been dictionary words. I hope people pay attention to this, because it really does elevate the benefit of avoiding passwords (I use keys myself, but I know it's not always easy for the average user).

> Recently I saw some 600 against root, and a dozen each against other common accounts like "sales", "helpdesk" etc.

Only 600? :-) FYI you may be interested in this: <http://sock-raw.org/papers/openssh_library>

John
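The three strategies Bob describes (an alphabetical list against harvested real users, admin names paired with real usernames, and username=password) can be picked out of a failed-password log by pattern alone, and his "they didn't get to the end of the list" observation gives a cheap signal for which account to check for a successful login. The script below is an added illustration, not code from the list or from anyone's RADIUS setup; the log records, account list and source addresses are constructed.

```python
from collections import defaultdict

# Constructed sample of failed-password records, modelled on the RADIUS
# logs described in the post: (source_ip, username, password_tried).
SAMPLE_FAILURES = [
    ("203.0.113.5", "jsmith", "111111"), ("203.0.113.5", "jsmith", "123456"),
    ("203.0.113.5", "jsmith", "abc123"), ("203.0.113.5", "jsmith", "letmein"),
    ("203.0.113.5", "jsmith", "password"),
    ("203.0.113.5", "mlee", "111111"), ("203.0.113.5", "mlee", "123456"),
    ("198.51.100.7", "root", "jsmith"), ("198.51.100.7", "admin", "mlee"),
    ("192.0.2.9", "oracle", "oracle"), ("192.0.2.9", "guest", "guest"),
]
KNOWN_USERS = {"jsmith", "mlee", "bbayn"}   # constructed local account list
ADMIN_NAMES = {"root", "admin", "administrator"}

def classify(records, known_users=KNOWN_USERS, admin_names=ADMIN_NAMES):
    """Map each source IP to the set of strategy labels its attempts match."""
    by_src = defaultdict(list)
    for src, user, pw in records:
        by_src[src].append((user, pw))
    result = {}
    for src, attempts in by_src.items():
        labels = set()
        per_user = defaultdict(list)
        for user, pw in attempts:
            per_user[user].append(pw)
        # 1) one fixed list tried alphabetically against harvested real users
        alpha_users = {u for u, pws in per_user.items()
                       if u in known_users and len(pws) >= 2 and pws == sorted(pws)}
        if alpha_users:
            labels.add("alphabetical-list")
            # The list is shared across users, so a run that stops before the
            # longest run from this source may mean a hit: check that account
            # for a successful login.
            last_word = max(per_user[u][-1] for u in alpha_users)
            for u in alpha_users:
                if per_user[u][-1] < last_word:
                    labels.add("possible-hit:" + u)
        # 2) admin-type usernames paired with real local usernames as passwords
        if any(u in admin_names and pw in known_users for u, pw in attempts):
            labels.add("admin-with-real-usernames")
        # 3) username == password against common service/default accounts
        if any(u == pw for u, pw in attempts):
            labels.add("username-equals-password")
        result[src] = labels
    return result

if __name__ == "__main__":
    for src, labels in classify(SAMPLE_FAILURES).items():
        print(src, sorted(labels))
```

The "possible-hit" label is only a prompt to correlate with the accept log for that account; it says nothing about whether the guess actually succeeded.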