Educause Security Discussion mailing list archives
SSH dictionary attack dictionary
From: Andrew Daviel <advax () TRIUMF CA>
Date: Mon, 10 Aug 2009 15:57:49 -0700
Ever wondered what passwords those annoying SSH dictionary attacks were trying?

At some point I modified sshd to collect failed passwords. In 2006 I saw some 200 attempts against root and basically 1 each against a "baby's first name" list with username=password. Recently I saw some 600 against root, and a dozen each against other common accounts like "sales", "helpdesk" etc.

http://andrew.triumf.ca/ssh_pass_file2.html

A selection of attempts for root (is yours listed?):

m4r1b0r0
q1w2e3r4t5y6
1qaz2wsx3edc
m1tn1ck
comeonletmein
2borNOT2b
opensesame
p1a2s3s4w5o6r7d8
l1nuxb0x
l3tm31ns1de

I used to think these attempts were harmless given the throttling used by sshd, until we had a test server hit that was using "qazwsxedc".

Suggested mitigations include moving SSH off of port 22, dynamic blocking of guessing hosts (our approach), disabling password logins for root (but allowing keys), tunnelling everything through VPNs etc. etc.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
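The "dynamic blocking of guessing hosts" mitigation named in the message above can be sketched as a sliding-window count of sshd "Failed password" log lines per source address. This is an added example, not code from the post or from TRIUMF; the threshold, window, hostname `gw`, addresses and log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH logs failed password attempts in this form (syslog prefix first).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)

def hosts_to_block(lines, threshold=5, window=timedelta(minutes=10), year=2009):
    """Return {host: sorted usernames tried} for every host with at least
    `threshold` failures inside any sliding `window` (both assumed values)."""
    recent = defaultdict(deque)   # host -> failure timestamps still in window
    users = defaultdict(set)      # host -> account names it guessed at
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other messages
        # syslog timestamps omit the year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        users[host].add(m["user"])
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(host)
    return {h: sorted(users[h]) for h in flagged}

# Constructed sample: one guessing host, one user who mistyped twice.
SAMPLE = """\
Aug 10 15:50:01 gw sshd[4101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Aug 10 15:50:03 gw sshd[4102]: Failed password for root from 203.0.113.7 port 40002 ssh2
Aug 10 15:50:05 gw sshd[4103]: Failed password for root from 203.0.113.7 port 40003 ssh2
Aug 10 15:50:08 gw sshd[4104]: Failed password for invalid user sales from 203.0.113.7 port 40004 ssh2
Aug 10 15:50:11 gw sshd[4105]: Failed password for invalid user helpdesk from 203.0.113.7 port 40005 ssh2
Aug 10 15:52:00 gw sshd[4110]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Aug 10 15:52:09 gw sshd[4111]: Accepted password for alice from 198.51.100.20 port 51001 ssh2
Aug 10 16:30:00 gw sshd[4200]: Failed password for alice from 198.51.100.20 port 51002 ssh2
""".splitlines()
```

The returned hosts would be handed to whatever blocking mechanism the site uses; the username set shows whether a host is walking an account list rather than mistyping one password.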