Analyzing Malicious SSH Login Attempts

Category: Comp

A recent article on SecurityFocus analyses the patterns in recent SSH login attacks.

Most of the results of this analysis were fairly unsurprising to anyone who runs a public-facing SSH server. root and various other system-level accounts are prime targets for attack, despite the fact that any competent sysadmin will have disabled remote logins for these accounts. I personally have seen repeated attacks looking for account names like lpd and harrypotter.

The analysis of passwords used is also not surprising, with simple strings of numbers ("123456" or "11111") or letters ("password" or "admin") being common. I remember one NT system I was called to work on had a very weak password, "xxxxx". After one nasty break-in, I recommended changes, but was vetoed. Apparently, even a weak alphanumeric password would have been "too difficult" to remember. Thankfully, it wasn't my (or my employer's) system, but it was still quite disturbing.

Perhaps the most interesting news, if still mildly unsurprising, was the widespread use of IRC for remote control. IRC is often used for controlling compromised Windows systems, so it isn't a great logical leap. However, many sysadmins could easily block outgoing IRC requests at the firewall — a tactic that would make it much more difficult to use even an exploited system. Of course, that still doesn't truly mitigate the fact that your system has been compromised.

The sheer potential of these attacks is staggering, however:

Combined with an army of IRC bots, an attacker only needs 525 Zombies to scan the entire IP4 of today's public Internet in just one day. If you have a publicly accessible SSH server, you are very likely to be targeted by one of these attacks.

I find this assertion to be true. Not a single day goes by that one of my SSH servers hasn't received an attack from at least one source. I'm currently using DenyHosts to mitigate this problem, but the occasional attack still sneaks through. I'm just thankful that these guys attack invalid accounts.
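The kind of per-source counting that tools like DenyHosts do on sshd's log can be seen in a few lines of code. The example below is added here and is not part of the original post, nor DenyHosts' own code: it parses OpenSSH "Failed password" syslog lines, counts failures per source address, lists which usernames each source tried (including the "invalid user" probes for accounts like lpd and harrypotter mentioned above), and emits hosts.deny entries for sources over a threshold. The log lines are constructed for illustration (addresses come from the RFC 5737 documentation ranges), and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Matches OpenSSH password-auth failures as written to syslog, e.g.
#   sshd[2341]: Failed password for invalid user lpd from 203.0.113.5 port 51234 ssh2
#   sshd[2343]: Failed password for root from 203.0.113.5 port 51236 ssh2
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log (not captured from a real host); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, so nothing here points at a real machine.
SAMPLE_LOG = """\
Mar 12 03:14:07 bastion sshd[2341]: Failed password for invalid user lpd from 203.0.113.5 port 51234 ssh2
Mar 12 03:14:09 bastion sshd[2343]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 12 03:14:11 bastion sshd[2345]: Failed password for invalid user harrypotter from 203.0.113.5 port 51238 ssh2
Mar 12 03:14:13 bastion sshd[2347]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 12 03:14:15 bastion sshd[2349]: Failed password for invalid user admin from 203.0.113.5 port 51242 ssh2
Mar 12 03:15:01 bastion sshd[2350]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar 12 03:16:22 bastion sshd[2352]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar 12 03:17:30 bastion sshd[2355]: Failed password for invalid user oracle from 203.0.113.77 port 33001 ssh2
"""


def parse_failures(log_text):
    """Yield (source_ip, username, is_invalid_user) for each failed-password line.

    Successful logins and unrelated lines are ignored.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def summarize(log_text, threshold=3):
    """Aggregate failures per source and per username.

    threshold: number of failures at which a source is flagged (assumed value).
    """
    per_ip = Counter()
    users_by_ip = defaultdict(Counter)
    invalid_users = Counter()  # names that do not exist on the host at all
    for ip, user, invalid in parse_failures(log_text):
        per_ip[ip] += 1
        users_by_ip[ip][user] += 1
        if invalid:
            invalid_users[user] += 1
    offenders = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return {
        "failures_per_ip": dict(per_ip),
        "offenders": offenders,
        "users_by_ip": {ip: dict(c) for ip, c in users_by_ip.items()},
        "invalid_users": dict(invalid_users),
    }


def deny_list(log_text, threshold=3):
    """Source addresses over the threshold, worst offender first (ties by address)."""
    offenders = summarize(log_text, threshold)["offenders"]
    return sorted(offenders, key=lambda ip: (-offenders[ip], ip))


def hosts_deny_lines(ips):
    """Render TCP-wrapper style /etc/hosts.deny entries for the given sources."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in sorted(report["failures_per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} failures, users tried: {report['users_by_ip'][ip]}")
    print("invalid usernames probed:", report["invalid_users"])
    print("hosts.deny additions:")
    for line in hosts_deny_lines(deny_list(SAMPLE_LOG)):
        print("  " + line)
```

Two things worth noting when running this against a real auth log. A per-source threshold is exactly what lets the "occasional attack sneak through": a campaign spread across many zombies, each making only one or two attempts, never trips it, which is why the summary also keeps a cross-source tally of probed usernames. And the output is only as trustworthy as the log format; sshd wording varies between versions, so check the regex against a few of your own lines before acting on its counts.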