Educause Security Discussion mailing list archives
Re: significant incoming SSH volume
From: John Kristoff <jtk () CYMRU COM>
Date: Tue, 16 Mar 2010 15:46:26 -0500
On Tue, 16 Mar 2010 16:07:29 -0400 Justin Sipher <jsipher () SKIDMORE EDU> wrote:
Hello all. We have seen a drastic uptick in recent days for inbound SSH connections to many of our servers. These connections are attempting to connect to our servers as ROOT and are coming from IP addresses appearing to be mostly overseas. They number in the thousands of connections. While we are confident in the strength of our passwords, as you know with enough effort.......
Ongoing SSH password authentication brute force attacks have been occurring pretty regularly from my vantage point. Here is a relative summary of SYN packets to port 22 on some darknet space over the past few days:

  2010-03-15 | 208
  2010-03-14 |  86
  2010-03-13 | 235
  2010-03-12 | 546
  2010-03-11 |  19
  2010-03-10 | 119

On a specific SSH host, here are the numbers of password authentication attempts over the past few days:

  2010-03-15 |  153
  2010-03-14 | 9534
  2010-03-13 |   93
  2010-03-12 |  134
  2010-03-11 |   22
  2010-03-10 |   15

I often see sources from the Asia Pacific region. Here are the counts for that outlier on the 14th:

  count  saddr           CC  ASN
   8305  60.248.152.55   TW  HINET
   1210  121.10.177.166  CN  CHINANET
     19  112.122.9.105   CN  CNCGROUP

Top account names attempted:

  1407 root
    38 test
    31 admin
    23 user
    21 guest
    19 mysql
    17 paul
    17 oracle
    17 john
    17 info

Coincidentally, here are the top passwords attempted in that sample:

   841 123456
   356 password
   298 123
   280 12345
   280 1234
    95 qwerty
    92 1q2w3e
    91 testing
    91 qazwsx
    90 backup

Depending on where your hosts are in the address space, some days you'll see a lot, others fewer attempts. You often will see hosts hitting you that I won't see.
Are you doing anything to address this? We are contemplating blocking SSH inbound on our firewall and requiring any external SSH connection to first connect to our VPN. In some ways it seems excessive and maybe even unsustainable. On the other hand, protecting our servers is important as you well know.
To me, SSH is my VPN since it performs essentially the same function for me. While anonymous VPN brute forcing may be less popular, if all it is is id and password authentication, you haven't fixed much. We have seen VPN account theft, particularly in .edu's too.

With ssh, if you can, use public key authentication or tie in some sort of two-factor authentication. You will practically eliminate the problem of random brute force password authentication attempts. If you cannot do that, monitor your logs/logins carefully, ensure strong passwords are in use and run your own password cracking attempts on them.

John
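The log monitoring John recommends, as an added example that is not part of the original thread or any list member's code: a small Python script that parses OpenSSH "Failed password" syslog lines and produces the same kind of per-source and per-account counts he reports above. The log lines are constructed samples using documentation address ranges, not real data; the failure threshold used to flag a source is an arbitrary assumption and would be tuned per site.

```python
# Added example (not from the original thread): summarize failed SSH password
# attempts from OpenSSH auth log lines into per-source and per-account counts.
import re
from collections import Counter

# Constructed sample sshd log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
Mar 14 02:11:03 host sshd[4120]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 14 02:11:05 host sshd[4120]: Failed password for root from 203.0.113.5 port 40123 ssh2
Mar 14 02:11:09 host sshd[4131]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Mar 14 02:12:40 host sshd[4140]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 14 02:12:44 host sshd[4140]: Failed password for root from 198.51.100.7 port 51023 ssh2
Mar 14 02:15:01 host sshd[4150]: Accepted publickey for alice from 192.0.2.10 port 33000 ssh2
Mar 14 02:16:30 host sshd[4160]: Failed password for invalid user oracle from 203.0.113.5 port 40140 ssh2
"""

# Matches OpenSSH's failed password-auth message; "invalid user" is present
# when the account does not exist on the host, absent when it does.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(text):
    """Yield (user, source_ip) for each failed password attempt in the log text."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(text):
    """Return (by_source, by_user) Counters of failed password attempts."""
    by_source = Counter()
    by_user = Counter()
    for user, ip in parse_failed_logins(text):
        by_source[ip] += 1
        by_user[user] += 1
    return by_source, by_user


def noisy_sources(by_source, threshold):
    """Sources with at least `threshold` failures, most active first.

    The threshold is an assumed site-specific tuning value."""
    return [(ip, n) for ip, n in by_source.most_common() if n >= threshold]


def report(text, threshold=3):
    """Print the counts in the same layout as the summary in the reply above."""
    by_source, by_user = summarize(text)
    print("count  saddr")
    for ip, n in by_source.most_common():
        print(f"{n:5d}  {ip}")
    print("\nTop account names attempted:")
    for user, n in by_user.most_common(10):
        print(f"{n:5d}  {user}")
    print(f"\nSources at or above {threshold} failures:", noisy_sources(by_source, threshold))


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Only password failures are counted; the "Accepted publickey" line is deliberately ignored, which is also why moving to key-based authentication makes this class of noise drop out of the report rather than merely shift.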
Current thread:
- significant incoming SSH volume Justin Sipher (Mar 16)
- <Possible follow-ups>
- Re: significant incoming SSH volume Joe Vieira (Mar 16)
- Re: significant incoming SSH volume Edgmand, Craig (Mar 16)
- Re: significant incoming SSH volume Michael Horne (Mar 16)
- Re: significant incoming SSH volume Joel Rosenblatt (Mar 16)
- Re: significant incoming SSH volume John Kristoff (Mar 16)
- Re: significant incoming SSH volume Mike Iglesias (Mar 16)
- Re: significant incoming SSH volume Michael J. Wheeler (Mar 16)
- Re: significant incoming SSH volume Russell Fulton (Mar 17)
- Re: significant incoming SSH volume Dexter Caldwell (Mar 17)
- Re: significant incoming SSH volume Miller, Don C. (Mar 18)
- Re: significant incoming SSH volume Michael J. Wheeler (Mar 18)
- Re: significant incoming SSH volume Scott Beardsley (Mar 19)