Ssh Login Attempts - Stats and Patterns
Pretty much as soon as you put a server on the internet, it starts getting attacked. My webservers are no different. A while back, I took a look at what sorts of ssh login attempts are being made against it; mostly for fun, but also to see what sorts of things we're up against.
This is a new analysis based on my mid-2023 auth logs.
Ssh Security Basics
I follow some best practices for running any public server:
- don't expose any ports/services that you don't need to
- disable remote root login
- disable password login entirely
- run a firewall, restrict as much traffic as you can
- run software like fail2ban, to limit the effectiveness of brute-force attacks
As this data will show, these are all very useful!
This isn't everything that I'm doing, and there's much more comprehensive lists out there - make sure you're using defense in depth!
Keeping in mind that I'm blocking bruteforce attackers, which greatly reduces the volume, here's what I saw in a 2 week period:
- 1700+ unique usernames attempted
- about 100 of those were tried more than 10 times
- (or allowed to be tried)
The login user that's attempted most often, by a wide margin, is
admin. This is because it's common, but also because it's near the start of bruteforce lists and fail2ban only kicks in after a few attempts. This was attempted thousands of times in a 2 week period.
I also see some distro default users (change that username/password before connecting to a network!!):
- ubnt (would work on a Unifi gateway console with a default password)
There's also a lot of service-specific users being attempted:
- oracle (or this might be because of an oracle distro?)
- and many more
It's fun to see some gaming host servers in the list:
I'm seeing a fair number of CI/CD related users too; seems like lots of folks not securing their CI properly!
There's also some default passwords assuming a particular cloud provider, but not google as far as I can tell:
And of course the usual suspects of likely-to-exist accounts:
Some usernames that seem like problems with the generation of the bruteforce lists:
Interestingly, the bruteforce list is a lot more multilingual these days:
Conclusion: Fail2ban and Key-only Auth Work
The bulk of the bruteforce users were only able to be tried a handful of times, because the attackers are mainly hitting from a small number of IP addresses, and fail2ban catches them fast. Using only ssh key auth makes sure that none of these attempts even have a chance of succeeding.