An analysis of ssh bruteforce attacks
I've been running my home server with fail2ban for quite some time, and it works great! So well that usually, there's no need to think about the fact that it's constantly under attack from around the globe (the internet is weird). Occasionally it's fun to take a peek at the logs and see what sorts of things the ssh bruteforce attackers are trying. It looks like they've picked up some new tricks since the last time I checked…
Weaker ciphers
Some connections are attempted using weak ciphers - specifically the "CBC" set:
Unable to negotiate with x.x.x.x: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
OWASP says this in their cheat sheet:
Favor GCM over CBC regardless of the cipher size.
So, either these attackers are using a really old SSH client, or they're trying to negotiate a weaker connection which can then be further exploited. Either way, my server is giving them a big old "nope".
key-based logins
This one did surprise me - I haven't seen bruteforce attacks using keys before. Apparently it's a new tactic in the past year or so, where they scan for compromised keys then use them to try logging in to other systems.
Unable to negotiate with x.x.x.x: no matching host key type found. Their offer: ssh-dss [preauth]
Additionally, these keys tend to be using older crypto schemes:
Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime due to their inherent weakness
Plain old password attempts
The bulk of the attacks are still plain old bruteforce login attempts. The top targets are common system accounts. This list tells me that there's a decent number of unsecured Raspberry Pis out there.
admin
pi
RPM
test
ubuntu
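To turn log lines like the ones quoted above into the counts this post is built from, here is a small analyser I'm adding as an illustration (it is not part of the original post and does not come from fail2ban or OpenSSH). It parses the two sshd message shapes shown so far, "Unable to negotiate ... Their offer: ..." and "Failed password for ...", flags the offered algorithms that are known-weak (CBC modes, arcfour, 3des, "none", ssh-dss, MD5 MACs), and tallies the usernames and source addresses behind the password guesses. The log text is constructed sample data with documentation-range placeholder addresses, not real attacker traffic.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the sshd messages quoted in the post.
# Addresses are RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
Unable to negotiate with 192.0.2.10 port 51822: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
Unable to negotiate with 192.0.2.11 port 40021: no matching host key type found. Their offer: ssh-dss [preauth]
Failed password for invalid user pi from 192.0.2.12 port 33333 ssh2
Failed password for invalid user admin from 192.0.2.12 port 33334 ssh2
Failed password for invalid user pi from 192.0.2.13 port 33335 ssh2
Failed password for root from 192.0.2.14 port 33336 ssh2
Accepted publickey for alice from 198.51.100.5 port 50000 ssh2: ED25519 SHA256:placeholder
"""

# Older sshd versions omit "port N" after the address, so it is optional here.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<ip>[^\s:]+)(?: port \d+)?: "
    r"no matching (?P<what>cipher|host key type|key exchange method|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)
# "invalid user" appears when the account does not exist; root above shows the other form.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def is_weak(alg):
    """True for algorithm names a modern sshd refuses by default (assumed list)."""
    a = alg.lower()
    return (
        a == "none"
        or "-cbc" in a            # also catches rijndael-cbc@lysator.liu.se
        or a.startswith("arcfour")
        or a.startswith("3des")
        or a == "ssh-dss"
        or "md5" in a
    )


def parse_negotiation_failures(lines):
    """Extract each rejected offer and the subset of it that is known-weak."""
    results = []
    for line in lines:
        m = NEGOTIATE_RE.search(line)
        if not m:
            continue
        offer = m.group("offer").split(",")
        results.append({
            "ip": m.group("ip"),
            "what": m.group("what"),
            "offer": offer,
            "weak": [alg for alg in offer if is_weak(alg)],
        })
    return results


def count_failed_logins(lines):
    """Tally guessed usernames and the addresses guessing them."""
    users, ips = Counter(), Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            users[m.group("user")] += 1
            ips[m.group("ip")] += 1
    return users, ips


def summarize(log_text):
    """Build the per-username table the post shows, plus the negotiation failures."""
    lines = log_text.splitlines()
    users, ips = count_failed_logins(lines)
    return {
        "negotiation_failures": parse_negotiation_failures(lines),
        "failed_users": users,
        "failed_ips": ips,
        "top_users": users.most_common(),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for f in summary["negotiation_failures"]:
        print(f"{f['ip']}: no matching {f['what']}; weak offers: {', '.join(f['weak'])}")
    for user, n in summary["top_users"]:
        print(f"{n} {user}")
```

Run it against a real file with `summarize(open("/var/log/auth.log").read())` (or the output of `journalctl -u ssh`); the expected result on a hardened host is that every rejected offer is made up entirely of "weak" entries, since `sshd -T` shows the effective `ciphers` and `hostkeyalgorithms` lists and anything outside them is exactly what gets the "nope".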
Service accounts
There's a smaller number of attempts on service accounts, but they're spread out over many different usernames.
postgres
mysql
oracle
PlcmSpIp
cron
ftp
media
nagios
scan
And so on.
Mis-targeted?
I'm not sure what's up with this one - it was tried repeatedly. It seems awfully specific.
7 rjconsultores
Game servers
It's not surprising that there would be poorly-secured game servers kicking around. Apparently enough to make these worthwhile:
1 csgoserver
1 minecraft
Bitcoin?
Either this is a one-off username from their lists, or some people out there are running unsecured bitcoin servers.
1 coinery
Obscurity
This set looks like some well-known "security through obscurity" usernames. I remember seeing this as actual advice, once upon a time.
1 r00t
They didn't try toor though - I guess that one's still safe (/sarcasm)
Way too obvious
Seriously? That would just be baby-town frolics.
1 guest
They may need better QA…
These look like bugs in their scripts/data. I could recommend some good testing tools. :laughing:
2 mailto
2 username
1 account
The rest
These are mainly people's names. I expect there would be a lot more in here, except that fail2ban prevents most of the attempts. Some of the more interesting ones:
butter
master
seller
shop
sierra
stacey
tech
techno
In Summary…
SSH bruteforce attacks have gotten somewhat more sophisticated, but the basic pattern is still the same, and running fail2ban is still critical.