Educause Security Discussion mailing list archives

Re: SSH dictionary attack dictionary


From: Louis Anthony Arminio <Lou.Arminio () NAU EDU>
Date: Tue, 11 Aug 2009 10:16:03 -0700

Interesting research, but aren't you worried about storing passwords (even incorrect ones) in clear text?  Passwords 
sometimes get mistyped, so there are probably close-to-real passwords in your log that could be used to guess good ones. 

--
Lou Arminio
Senior Information Security Analyst
Northern Arizona University
Information Technology Services
1300 S Knoles Dr, NAU Box 5100
Flagstaff, Arizona 86011
Ph:(928) 523-6462
Fax:(928) 523-7407


-----Original Message-----
From: Andrew Daviel [mailto:advax () TRIUMF CA] 
Sent: Monday, August 10, 2009 3:58 PM
Subject: SSH dictionary attack dictionary

Ever wondered what passwords those annoying SSH dictionary attacks were 
trying? At some point I modified sshd to collect failed passwords.

In 2006 I saw some 200 attempts against root and basically 1 each against 
a "baby's first name" list with username=password.

Recently I saw some 600 against root, and a dozen each against other 
common accounts like "sales", "helpdesk" etc.

http://andrew.triumf.ca/ssh_pass_file2.html

A selection of attempts for root (is yours listed ?) :
m4r1b0r0
q1w2e3r4t5y6
1qaz2wsx3edc
m1tn1ck
comeonletmein
2borNOT2b
opensesame
p1a2s3s4w5o6r7d8
l1nuxb0x
l3tm31ns1de

I used to think these attempts were harmless given the throttling used by 
sshd, until we had a test server hit that was using "qazwsxedc".


Suggested mitigations include moving SSH off of port 22, dynamic blocking 
of guessing hosts (our approach), disabling password logins for root 
(but allowing keys), tunnelling everything through VPNs, etc.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
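Neither Andrew's patched sshd nor TRIUMF's blocking tool is on the page. The following is an added example, not code from either poster, that shows the two things the post measures (how many attempts each account gets) and the "dynamic blocking of guessing hosts" decision, working only from the stock "Failed password" lines sshd already writes to the auth log, so no guessed passwords are stored. The log lines are constructed, and the year, the threshold of 5 failures and the 10-minute window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Stock OpenSSH auth-log line:
# "<Mon DD HH:MM:SS> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> port <port> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (not real traffic): one host hammering root, one host
# spreading guesses over service accounts, and one legitimate user's typo.
SAMPLE_LOG = """\
Aug 10 15:01:02 bastion sshd[2201]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 10 15:01:04 bastion sshd[2203]: Failed password for root from 192.0.2.10 port 40002 ssh2
Aug 10 15:01:07 bastion sshd[2205]: Failed password for root from 192.0.2.10 port 40003 ssh2
Aug 10 15:01:09 bastion sshd[2207]: Failed password for root from 192.0.2.10 port 40004 ssh2
Aug 10 15:01:12 bastion sshd[2209]: Failed password for root from 192.0.2.10 port 40005 ssh2
Aug 10 15:02:30 bastion sshd[2220]: Failed password for invalid user sales from 198.51.100.7 port 51000 ssh2
Aug 10 15:02:33 bastion sshd[2222]: Failed password for invalid user helpdesk from 198.51.100.7 port 51001 ssh2
Aug 10 15:02:36 bastion sshd[2224]: Failed password for invalid user test from 198.51.100.7 port 51002 ssh2
Aug 10 15:20:00 bastion sshd[2300]: Failed password for alice from 203.0.113.5 port 60000 ssh2
Aug 10 15:20:04 bastion sshd[2301]: Accepted publickey for alice from 203.0.113.5 port 60000 ssh2
"""

YEAR = 2009  # syslog timestamps carry no year; assumed for the example


def parse_failures(log_text):
    """Return [(timestamp, user, ip)] for each failed-password line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out


def attempts_per_user(failures):
    """The post's 'N attempts against root' view: failures counted per target account."""
    return Counter(user for _, user, _ in failures)


def hosts_to_block(failures, threshold=5, window=timedelta(minutes=10)):
    """Dynamic-blocking decision: an IP whose failures inside any sliding window of
    length `window` reach `threshold` is flagged.  Returns {ip: time threshold was hit}.
    A single mistyped password from a real user never reaches the threshold."""
    by_ip = defaultdict(list)
    for ts, _, ip in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = ts
                break
    return flagged


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("attempts per account:", dict(attempts_per_user(failures)))
    for ip, when in hosts_to_block(failures).items():
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
```

In a real deployment the flagged addresses would be fed to a firewall rule with an expiry rather than printed. The root-key-only mitigation in the post maps to `PermitRootLogin without-password` in 2009-era sshd_config (the same setting is spelled `prohibit-password` from OpenSSH 7.0 on), and moving off port 22 is the `Port` directive.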
