Educause Security Discussion mailing list archives

SSH dictionary attack dictionary


From: Andrew Daviel <advax () TRIUMF CA>
Date: Mon, 10 Aug 2009 15:57:49 -0700

Ever wondered what passwords those annoying SSH dictionary attacks were
trying? At some point I modified sshd to collect failed passwords.

In 2006 I saw some 200 attempts against root and basically 1 each against
a "baby's first name" list with username=password.

Recently I saw some 600 against root, and a dozen each against other
common accounts like "sales", "helpdesk" etc.

http://andrew.triumf.ca/ssh_pass_file2.html

A selection of attempts for root (is yours listed?):
m4r1b0r0
q1w2e3r4t5y6
1qaz2wsx3edc
m1tn1ck
comeonletmein
2borNOT2b
opensesame
p1a2s3s4w5o6r7d8
l1nuxb0x
l3tm31ns1de

I used to think these attempts were harmless given the throttling used by
sshd, until we had a test server hit that was using "qazwsxedc".


Suggested mitigations include moving SSH off of port 22, dynamic blocking
of guessing hosts (our approach), disabling password logins for root
(but allowing keys), tunnelling everything through VPNs etc. etc.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
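
The "dynamic blocking of guessing hosts" mitigation named in the message above depends on spotting sources with repeated failed logins. The following is an added example, not part of the original post and not TRIUMF's implementation; it assumes stock OpenSSH "Failed password" syslog lines, and the threshold, window, host name and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH logs a failed password attempt in this form (syslog prefix varies by system).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines (documentation-range addresses, made-up host "gw").
SAMPLE_LOG = """\
Aug 10 15:50:01 gw sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 10 15:50:03 gw sshd[2102]: Failed password for root from 192.0.2.10 port 40002 ssh2
Aug 10 15:50:05 gw sshd[2103]: Failed password for invalid user sales from 192.0.2.10 port 40003 ssh2
Aug 10 15:50:07 gw sshd[2104]: Failed password for invalid user helpdesk from 192.0.2.10 port 40004 ssh2
Aug 10 15:50:09 gw sshd[2105]: Failed password for root from 192.0.2.10 port 40005 ssh2
Aug 10 15:50:11 gw sshd[2106]: Failed password for root from 192.0.2.10 port 40006 ssh2
Aug 10 15:51:00 gw sshd[2107]: Failed password for alice from 198.51.100.7 port 52000 ssh2
Aug 10 15:51:20 gw sshd[2108]: Accepted password for alice from 198.51.100.7 port 52001 ssh2
""".splitlines()

def hosts_to_block(lines, max_failures=5, window=timedelta(minutes=10), year=2009):
    """Return {ip: usernames tried} for sources with more than max_failures
    failed password attempts inside any sliding window of the given length."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    users = defaultdict(set)      # ip -> every username that source has tried
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year; the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        q.append(ts)
        users[ip].add(m["user"])
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) > max_failures:
            flagged[ip] = users[ip]
    return flagged

if __name__ == "__main__":
    for ip, names in hosts_to_block(SAMPLE_LOG).items():
        print(f"block candidate {ip}: tried {sorted(names)}")
```

The returned addresses are candidates for a firewall or TCP-wrappers deny rule; a single mistyped password from a legitimate user stays under the threshold.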
