Educause Security Discussion mailing list archives

Re: significant incoming SSH volume


From: John Kristoff <jtk () CYMRU COM>
Date: Tue, 16 Mar 2010 15:46:26 -0500

On Tue, 16 Mar 2010 16:07:29 -0400
Justin Sipher <jsipher () SKIDMORE EDU> wrote:

> Hello all.  We have seen a drastic uptick in recent days for inbound
> SSH connections to many of our servers.  These connections are
> attempting to connect to our servers as ROOT and are coming from IP
> addresses appearing to be mostly overseas.  They number in the
> thousands of connections.  While we are confident in the strength of
> our passwords, as you know with enough effort.......

Ongoing SSH password authentication brute force attacks have been
occurring pretty regularly from my vantage point.

Here is a relative summary of SYN packets to port 22 on some darknet
space over the past few days:

  2010-03-15  |  208
  2010-03-14  |   86
  2010-03-13  |  235
  2010-03-12  |  546
  2010-03-11  |   19
  2010-03-10  |  119

On a specific SSH host, here are the number of password authentication
attempts over the past few days:

  2010-03-15  |  153
  2010-03-14  | 9534
  2010-03-13  |   93
  2010-03-12  |  134
  2010-03-11  |   22
  2010-03-10  |   15

I often see sources from the Asia Pacific region.  Here are the counts
for that outlier on the 14th:

  count   saddr              CC    ASN
   8305   60.248.152.55      TW    HINET
   1210   121.10.177.166     CN    CHINANET
     19   112.122.9.105      CN    CNCGROUP

Top account names attempted:

   1407 root
     38 test
     31 admin
     23 user
     21 guest
     19 mysql
     17 paul
     17 oracle
     17 john
     17 info

Coincidentally, here are the top passwords attempted in that sample:

    841 123456
    356 password
    298 123
    280 12345
    280 1234
     95 qwerty
     92 1q2w3e
     91 testing
     91 qazwsx
     90 backup

Depending on where your hosts are in the address space, some days
you'll see a lot, others fewer attempts.  You often will see hosts
hitting you that I won't see.

> Are you doing anything to address this?  We are contemplating
> blocking SSH inbound on our firewall and requiring any external SSH
> connection to first connect to our VPN.  In some ways it seems
> excessive and maybe even unsustainable.  On the other hand,
> protecting our servers is important as you well know.

To me, SSH is my VPN since it performs essentially the same function
for me.  While anonymous VPN brute forcing may be less popular, if all
it is is id and password authentication, you haven't fixed much.  We
have seen VPN account theft, particularly in .edu's too.

With ssh, if you can, use public key authentication or tie in some sort
of two-factor authentication. You will practically eliminate the problem
of random brute force password authentication attempts.  If you cannot
do that, monitor your logs/logins carefully, ensure strong passwords
are in use and run your own password cracking attempts on them.

John
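The per-source and per-account counts above are the kind of summary you can pull straight out of sshd logs. The following is an added example, not code from the thread or from either poster: it parses constructed auth.log lines in the OpenSSH "Failed password for ..." format (the timestamps, hostnames, addresses and account names are made up), builds the same two counters, and flags any source that crosses an assumed per-source threshold. The threshold value and the function names are this example's own choices.

```python
"""Summarize SSH password brute-force attempts from sshd log lines.

Added example for the thread above; the log lines below are constructed,
not captured from any real host.
"""
import re
from collections import Counter

# OpenSSH logs a failed password attempt as:
#   "Failed password for [invalid user ]NAME from ADDR port N ssh2"
# "invalid user" appears when the account does not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample: two noisy sources, root-heavy, plus one legitimate
# public-key login that must not be counted.
SAMPLE_LOG = """\
Mar 14 03:12:01 host sshd[2011]: Failed password for root from 203.0.113.5 port 41022 ssh2
Mar 14 03:12:03 host sshd[2011]: Failed password for root from 203.0.113.5 port 41023 ssh2
Mar 14 03:12:05 host sshd[2013]: Failed password for invalid user test from 203.0.113.5 port 41030 ssh2
Mar 14 03:12:07 host sshd[2014]: Failed password for invalid user admin from 203.0.113.5 port 41031 ssh2
Mar 14 03:15:11 host sshd[2020]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar 14 03:15:13 host sshd[2020]: Failed password for root from 198.51.100.7 port 50002 ssh2
Mar 14 03:20:40 host sshd[2031]: Accepted publickey for alice from 192.0.2.9 port 60000 ssh2: RSA SHA256:abc
Mar 14 03:21:00 host sshd[2032]: Failed password for invalid user mysql from 198.51.100.7 port 50003 ssh2
"""


def parse_failures(lines):
    """Yield (account, source) for each failed password attempt.

    Lines that are not failed password attempts (accepted logins,
    disconnects, key-based failures) are ignored.
    """
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(lines):
    """Return total failures plus per-source and per-account counters,
    the same two breakdowns shown in the thread."""
    attempts = list(parse_failures(lines))
    return {
        "total": len(attempts),
        "by_source": Counter(ip for _, ip in attempts),
        "by_user": Counter(user for user, _ in attempts),
    }


def brute_force_sources(lines, threshold=3):
    """Sources with at least `threshold` failed password attempts.

    `threshold` is an assumed cutoff for this example; tune it to the
    host's normal failure rate before acting on the result.
    """
    by_source = summarize(lines)["by_source"]
    return sorted(ip for ip, n in by_source.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    s = summarize(lines)
    print(f"{s['total']} failed password attempts")
    print("count   saddr")
    for ip, n in s["by_source"].most_common():
        print(f"{n:6d}  {ip}")
    print("Top account names attempted:")
    for user, n in s["by_user"].most_common():
        print(f"{n:6d}  {user}")
    print("brute-force sources:", brute_force_sources(lines))
```

On a real host, feed it `sudo cat /var/log/auth.log` (or the journal's sshd output) instead of the sample. Note that a stock sshd never logs the password that was tried; a "top passwords" table like the one in the thread comes from a honeypot or an instrumented daemon, not from auth.log.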
