Educause Security Discussion mailing list archives

Re: SSH dictionary attack dictionary


From: Bob Bayn <bob.bayn () USU EDU>
Date: Tue, 11 Aug 2009 10:01:55 -0600

We had a radius server that showed us some similar "dictionary attacks"
since it logged all bad password attempts.  At the time we had very minimal
password complexity requirements and common passwords in use here
included "123456" and "aggies".  I recall about three common, easily 
recognizable strategies from perusing those logs:

1) for usernames that were obviously gleaned from email lists, they
would hit with about 600 common passcodes.  They tried their list
alphabetically and we could tell if they made a hit because they didn't
get to the end of the list.  Curiously, "aggies" didn't seem to be in their
list, although "123456" was.

2) root/admin type usernames with all our other real usernames as
passwords.

3) username=password for lots of common usernames (whether they
were in use here or not)

Also, we watch our VPN logs for successful connections from out of the 
country (usually Chinese IPs) and contact the user to see if they really
are in that country (which was true about 1% of the time).  These events
have become quite rare in the past year, since we enforced new 
password complexity rules and raised awareness.

Bob Bayn        (435)797-2396      Security Team coordinator
Power off your desktop after hours to thwart network probes.
Office of Information Technology   at  Utah State University
________________________________________

On Mon, Aug 10, 2009 at 03:57:49PM -0700, Andrew Daviel wrote:
Ever wondered what passwords those annoying SSH dictionary attacks were
trying? At some point I modified sshd to collect failed passwords.

In 2006 I saw some 200 attempts against root and basically 1 each against
a "baby's first name" list with username=password.

John Kristoff [jtk () DEPAUL EDU] replied:
Hi Andre.  I've been involved in a project that has been doing this
too (among other things).  I've seen brute force attempts from a single
host lasting more than a day and many of the passwords have not been
dictionary words.  I hope people pay attention to this, because it
really does elevate the benefit of avoiding passwords (I use keys
myself, but I know it's not always easy for the average user).

Recently I saw some 600 against root, and a dozen each against other
common accounts like "sales", "helpdesk" etc.

Only 600?  :-)

FYI you may be interested in this:

  <http://sock-raw.org/papers/openssh_library>

John
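
A defender-side illustration of the three log patterns Bob describes above (an alphabetical password list against one account, root/admin tried with the site's own usernames, and username=password across common accounts), added here and not part of the thread. The log format, the addresses and the local user list are constructed, and a stock sshd does not record attempted passwords, so the records stand in for a radius or patched-sshd log.

```python
import re
from collections import defaultdict

# Constructed sample records (hypothetical format; not real sshd output).
SAMPLE_LOG = """\
Aug 11 09:00:01 gw auth: failed user=alice pass=123456 src=203.0.113.5
Aug 11 09:00:02 gw auth: failed user=alice pass=abc123 src=203.0.113.5
Aug 11 09:00:03 gw auth: failed user=alice pass=letmein src=203.0.113.5
Aug 11 09:00:05 gw auth: failed user=root pass=alice src=203.0.113.5
Aug 11 09:00:06 gw auth: failed user=root pass=bob src=203.0.113.5
Aug 11 09:00:07 gw auth: failed user=sales pass=sales src=198.51.100.9
Aug 11 09:00:08 gw auth: failed user=helpdesk pass=helpdesk src=198.51.100.9
Aug 11 09:00:09 gw auth: failed user=bob pass=wrongone src=192.0.2.20
"""
LOCAL_USERS = {"alice", "bob", "carol"}          # constructed local accounts
PRIV_USERS = {"root", "admin", "administrator"}  # accounts hit in strategy 2
LINE_RE = re.compile(r"failed user=(?P<user>\S+) pass=(?P<pw>\S+) src=(?P<src>\S+)")

def parse_failures(text):
    """Return (src, user, password) tuples for each failed attempt, in log order."""
    return [(m["src"], m["user"], m["pw"])
            for m in map(LINE_RE.search, text.splitlines()) if m]

def classify_sources(events, local_users, priv_users=PRIV_USERS, min_run=3):
    """Map each source address to the guessing strategies visible in its attempts."""
    by_pair = defaultdict(list)   # (src, user) -> passwords tried, in order
    same = defaultdict(int)       # src -> number of username==password guesses
    for src, user, pw in events:
        by_pair[(src, user)].append(pw)
        if user == pw:
            same[src] += 1
    findings = defaultdict(set)
    for (src, user), pws in by_pair.items():
        # 1) one account hammered with a list tried in alphabetical order;
        #    a run that stops short of the list's end suggests a successful guess
        if len(pws) >= min_run and len(set(pws)) == len(pws) and pws == sorted(pws):
            findings[src].add("alphabetical-list")
        # 2) privileged account with the site's own usernames as passwords
        if user in priv_users and any(pw in local_users for pw in pws):
            findings[src].add("root-with-local-usernames")
    for src, n in same.items():
        # 3) username=password across several common account names
        if n >= 2:
            findings[src].add("username-equals-password")
    return dict(findings)

if __name__ == "__main__":
    for src, tags in classify_sources(parse_failures(SAMPLE_LOG), LOCAL_USERS).items():
        print(src, sorted(tags))
```

The single failed attempt from 192.0.2.20 matches no pattern and is left out, which is the usual noise of a mistyped password.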
