An analysis of ssh bruteforce attacks

I've been running my home server with fail2ban for quite some time, and it works great! So well that usually, there's no need to think about the fact that it's constantly under attack from around the globe (the internet is weird). Occasionally it's fun to take a peek at the logs and see what sorts of things the ssh bruteforce attackers are trying. It looks like they've picked up some new tricks since the last time I checked…

Weaker ciphers

Some connections are attempted using weak cyphers - specifically the "CBC" set:

Unable to negotiate with x.x.x.x: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]

OWASP says this in their cheat sheet:

Favor GCM over CBC regardless of the cipher size.

So, either these attackers are using a really old SSH client, or they're trying to negotiate a weaker connection which can then be further exploited. Either way, my server is giving them a big old "nope".

key-based logins

This one did surprise me - I haven't seen bruteforce attacks using keys before. Apparently it's a new tactic in the past year or so, where they scan for compromised keys then use them to try logging in to other systems.

Unable to negotiate with x.x.x.x: no matching host key type found. Their offer: ssh-dss [preauth]

Additionally, these keys tend to be using older crypto schemes:

Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime due to their inherit weakness

Plain old password attempts

The bulk of the attacks are still plain old bruteforce login attempts. The top targets are common system accounts. This list tells me that there's a decent number of unsecured raspberry pis out there.

 admin
 pi
 RPM
 test
 ubuntu

Service accounts

There's a smaller number of attempts on service accounts, but they're spread out over many different usernames.

 postgres
 mysql
 oracle
 PlcmSpIp
 cron
 ftp
 media
 nagios
 scan

And so on.

Mis-targetted?

I'm not sure what's up with this one - it was tried repeatedly. It seems awfully specific.

  7 rjconsultores

Game servers

It's not surprising that there would be poorly-secured game servers kicking around. Apparently enough to make these worthwhile:

  1 csgoserver
  1 minecraft

Bitcoin?

Either this is a one-off username from their lists, or some people out there are running unsecured bitcoin servers.

  1 coinery

Obscurity

This set look like some well-known "security through obscurity" usernames. I remember seeing this as actual advice, once upon a time.

  1 r00t

They didn't try toor though - I guess that one's still safe (/sarcasm)

Way too obvious

Seriously? That would just be baby-town frolics.

  1 guest

They may need better QA…

These look like bugs in their scripts/data. I could recommend some good testing tools. :laughing:

  2 mailto
  2 username
  1 account

The rest

These are mainly people's names. I expect there would be a lot more in here, except that fail2ban prevents most of the attempts. Some of the more interesting ones:

  butter
  master
  seller
  shop
  sierra
  stacey
  tech
  techno

In Summary…

Ssh bruteforce attacks have gotten somewhat more sophisticated, but the basic pattern is still the same, and running fail2ban is still critical.

Related readings

• Ssh Brute Force - the 10 year old attack that still persists
• Ssh honeypot results