An analysis of ssh bruteforce attacks
I've been running my home server with fail2ban for quite some time, and it works great! So well that usually, there's no need to think about the fact that it's constantly under attack from around the globe (the internet is weird). Occasionally it's fun to take a peek at the logs and see what sorts of things the ssh bruteforce attackers are trying. It looks like they've picked up some new tricks since the last time I checked…
Some connections are attempted using weak cyphers - specifically the "CBC" set:
Unable to negotiate with x.x.x.x: no matching cipher found. Their offer: aes256-cbc,email@example.com,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
OWASP says this in their cheat sheet:
Favor GCM over CBC regardless of the cipher size.
So, either these attackers are using a really old SSH client, or they're trying to negotiate a weaker connection which can then be further exploited. Either way, my server is giving them a big old "nope".
This one did surprise me - I haven't seen bruteforce attacks using keys before. Apparently it's a new tactic in the past year or so, where they scan for compromised keys then use them to try logging in to other systems.
Unable to negotiate with x.x.x.x: no matching host key type found. Their offer: ssh-dss [preauth]
Additionally, these keys tend to be using older crypto schemes:
Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime due to their inherit weakness
Plain old password attempts
The bulk of the attacks are still plain old bruteforce login attempts. The top targets are common system accounts. This list tells me that there's a decent number of unsecured raspberry pis out there.
admin pi RPM test ubuntu
There's a smaller number of attempts on service accounts, but they're spread out over many different usernames.
postgres mysql oracle PlcmSpIp cron ftp media nagios scan
And so on.
I'm not sure what's up with this one - it was tried repeatedly. It seems awfully specific.
It's not surprising that there would be poorly-secured game servers kicking around. Apparently enough to make these worthwhile:
1 csgoserver 1 minecraft
Either this is a one-off username from their lists, or some people out there are running unsecured bitcoin servers.
This set look like some well-known "security through obscurity" usernames. I remember seeing this as actual advice, once upon a time.
They didn't try
toor though - I guess that one's still safe (/sarcasm)
Way too obvious
Seriously? That would just be baby-town frolics.
They may need better QA…
These look like bugs in their scripts/data. I could recommend some good testing tools. :laughing:
2 mailto 2 username 1 account
These are mainly people's names. I expect there would be a lot more in here, except that fail2ban prevents most of the attempts. Some of the more interesting ones:
butter master seller shop sierra stacey tech techno
Ssh bruteforce attacks have gotten somewhat more sophisticated, but the basic pattern is still the same, and running fail2ban is still critical.