I recently migrated to Digital Ocean and spent some time beefing up the security of the new box. One of the things I looked into was the steady stream of SSH login attempts hitting it, to see whether there was a pattern. Luckily I'm running Ubuntu, where sshd's authentication messages land in /var/log/auth.log by default, so a quick one-liner was all it took to see the failed attempts by username.

# awk splits on runs of whitespace, so the space-padded day that syslog writes for days 1-9 ("Mar  1") cannot shift the username column the way cut -d' ' -f8 does; sudo because auth.log is readable only by root and the adm group
sudo grep "Invalid user " /var/log/auth.log | awk '{a[$8]++} END {for (i in a) print i, a[i]}' | sort -k 2 -n -r | head -n 100
Username        Count
test            141
postgres        116
oracle          88
web             75
test2           74
admin           59
jboss           49
ubuntu          45
webmaster       43
user            42
tech            40
debian          40
testuser        39
server          38
penguin         38
shoutcast       36
rdp             36
www             35
radio           35
ftp             33
test3           30
student         29
guest           29
toor            21
public          19
testing         15
tester          15
students        15
var             13
gov             9
adm             9
x               8
nagios          8
zabbix          7
z               7
y               7
w               7
vyatta          7
u               7
t               7
shell           7
s               7
r               7
q               7
p               7
o               7
n               7
michael         7
m               7
l               7
k               7
j               7
i               7
h               7
g               7
f               7
e               7
dup             7
d               7
ch              7
c               7
b               7
a               7
sales           6
office          6
home            6
data            6
bash            6
apache          6
administrator   6
v               5
test1           5
teamspeak       5
ssh             5
plesk           5
master          5
linux           5
ircd            5
http            5
walid           4
vnc             4
ust             4
ts              4
temp            4
telnet          4
smmsp           4
smart           4
samba           4
org             4
operator        4
net             4
named           4
mike            4
library         4
info            4
hacker          4
git             4
ftpuser         4
dan             4
cc              4

The usernames were all over the place: generic ones (test, admin, ubuntu, guest), the service accounts of software people commonly run (postgres, oracle, nagios, zabbix, jboss), single letters of the alphabet, and a slew of common English first names. In total, ~1500 unique usernames were tried against my box. One thing this list cannot show: sshd only logs "Invalid user" for names that do not exist on the system, so attempts against real accounts, root first among them, are recorded as "Failed password for <user>" lines instead and need a second grep.

The same auth.log lines also record the source IP address of each attempt, so we can summarize by that just as easily.

# same as above; field 10 is the source IP, and awk's whitespace splitting keeps it in place on days 1-9
sudo grep "Invalid user " /var/log/auth.log | awk '{a[$10]++} END {for (i in a) print i, a[i]}' | sort -k 2 -n -r | head -n 100
IP               Count
162.13.41.12     874
176.31.244.7     733
216.127.160.146  572
195.50.80.169    382
66.219.106.164   359
199.33.127.35    220
112.167.161.194  98
128.199.226.160  66
198.50.120.178   60
189.85.66.234    37
14.18.145.82     29
166.78.243.86    23
222.190.114.98   22
130.126.141.74   18
178.208.77.133   17
61.160.213.171   8
49.213.20.249    8
23.253.51.76     7
178.254.8.177    7
193.107.128.10   5
121.167.232.196  2
107.182.134.51   2
82.221.106.233   1
74.3.121.10      1
72.225.239.90    1
111.74.134.216   1

In this case the set of sources is much smaller: only 26 unique IP addresses were behind all of those attempts, and a handful of them did most of the work. I took a look at a few and some of them look to be legitimate sites that may have been compromised.
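Both one-liners above, plus the count they miss, as an added example (this is not code from the original post). It reads the same auth.log format but cuts the username out between the fixed "Invalid user " prefix and the trailing " from <ip>", so neither syslog's space-padded day nor the "port N" suffix that newer OpenSSH appends can shift it, and it adds a third function for "Failed password for <user>" lines, which is where attempts against existing accounts such as root end up. The log lines are constructed for the example and the addresses are documentation ranges, not real attackers.

```shell
#!/bin/sh
# Added example (not from the original post): the same two summaries as the
# one-liners above, plus the count the "Invalid user" grep misses.
# The auth.log lines below are constructed for the example; the IPs are
# documentation ranges, not real attackers.

SAMPLE_LOG='Mar  1 06:12:01 vps sshd[2231]: Invalid user test from 203.0.113.10
Mar  1 06:12:03 vps sshd[2233]: Invalid user test from 203.0.113.10
Mar  1 06:12:04 vps sshd[2235]: Invalid user postgres from 203.0.113.10 port 51622
Mar  1 06:12:05 vps sshd[2237]: Invalid user  from 203.0.113.10
Mar 10 07:30:11 vps sshd[2301]: Invalid user test from 198.51.100.7
Mar 10 07:30:12 vps sshd[2303]: Invalid user oracle from 198.51.100.7 port 40110
Mar 10 07:30:12 vps sshd[2303]: Failed password for invalid user oracle from 198.51.100.7 port 40110 ssh2
Mar 10 07:31:00 vps sshd[2305]: Failed password for root from 198.51.100.7 port 40112 ssh2
Mar 10 07:31:02 vps sshd[2305]: Failed password for root from 198.51.100.7 port 40112 ssh2
Mar 10 07:35:00 vps sshd[2310]: Accepted publickey for deploy from 192.0.2.5 port 50022 ssh2'

# Usernames from "Invalid user" lines. The name is cut out between the fixed
# "Invalid user " prefix and the trailing " from <ip>[ port N]", so neither
# the space-padded day ("Mar  1") nor the "port N" suffix can shift it.
# sshd logs a blank name as "Invalid user  from ..."; that is reported as <empty>.
count_invalid_users() {
  awk '/Invalid user / {
         name = $0
         sub(/^.*Invalid user /, "", name)
         sub(/ from [^ ]+( port [0-9]+)?$/, "", name)
         if (name == "") name = "<empty>"
         a[name]++
       }
       END { for (k in a) print k, a[k] }' | sort -k2,2nr -k1,1
}

# Source IPs from the same lines: the token after the last "from", which
# works whether or not "port N" follows the address.
count_invalid_user_ips() {
  awk '/Invalid user / {
         for (i = NF; i > 1; i--) if ($i == "from") { a[$(i+1)]++; break }
       }
       END { for (k in a) print k, a[k] }' | sort -k2,2nr -k1,1
}

# "Invalid user" is only logged for names that do not exist on the box.
# Bad passwords for real accounts (root above all) appear as
# "Failed password for <name>", so count those too, skipping the
# "for invalid user" variants already counted above.
count_failed_valid_users() {
  awk '/Failed password for / && !/Failed password for invalid user / {
         name = $0
         sub(/^.*Failed password for /, "", name)
         sub(/ from .*$/, "", name)
         a[name]++
       }
       END { for (k in a) print k, a[k] }' | sort -k2,2nr -k1,1
}

# On a real box, feed the live and rotated logs instead of the sample:
#   sudo zcat -f /var/log/auth.log* | count_invalid_users | head -n 100
printf '%s\n' "$SAMPLE_LOG" | count_invalid_users
printf '%s\n' "$SAMPLE_LOG" | count_invalid_user_ips
printf '%s\n' "$SAMPLE_LOG" | count_failed_valid_users
```

Note that auth.log is rotated weekly on Ubuntu and the older copies are gzipped, so a single grep of /var/log/auth.log only covers the most recent week or so; `zcat -f /var/log/auth.log*` pulls in the rotated files as well.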

If you have a box open to the world, you should make sure it's secure. A small program that makes this easy is fail2ban: it watches the log files and temporarily bans source IPs that rack up too many failed attempts, using the same "Invalid user" and "Failed password" lines counted above. Two other quick fixes are to disable password authentication entirely and rely on public key authentication, which takes a wordlist of usernames and passwords off the table altogether, and to move sshd from port 22 to another port, which silences the bulk of scanners that only probe the default port (that reduces noise rather than adding protection, so don't treat it as a substitute for the first two). Before turning passwords off, confirm in a second session that your key login works, or you will lock yourself out. These should be enough to eliminate the bulk of attempts and keep your box secure.
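The three fixes above, as an added example that is not the post's own configuration: a weak, stock-like set of sshd_config directives beside a hardened one, a fail2ban jail.local that reads the same auth.log, and a small audit function that checks a config the way sshd actually reads it, where the first value of a keyword wins and later lines for the same keyword are ignored. Port 2222, MaxAuthTries 3 and the jail thresholds are illustrative values chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the SSH hardening the post
# recommends as sshd_config fragments, a fail2ban jail, and an audit
# function. Port 2222, MaxAuthTries 3 and the jail numbers are illustrative.

# Roughly what a stock config permits: password logins, including for root.
WEAK_SSHD_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin yes'

# Hardened: keys only, no root, fewer tries per connection, non-default port.
# ChallengeResponseAuthentication (KbdInteractiveAuthentication in OpenSSH
# 8.7+) is switched off too, otherwise PAM can still prompt for a password
# even with PasswordAuthentication no.
HARDENED_SSHD_CONFIG='Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
MaxAuthTries 3'

# fail2ban: goes in /etc/fail2ban/jail.local. The sshd filter matches the
# same "Invalid user"/"Failed password" lines; port must match sshd.
FAIL2BAN_JAIL_LOCAL='[sshd]
enabled  = true
port     = 2222
logpath  = /var/log/auth.log
maxretry = 5
findtime = 10m
bantime  = 1h'

# Audit a config read from stdin. sshd keeps the FIRST value it sees for a
# keyword (and on Ubuntu the Include of sshd_config.d/*.conf comes first),
# so a hardened line appended at the bottom can be silently ignored; the
# audit mirrors that by keeping the first occurrence, case-insensitively.
# Unset keywords are compared against the sshd defaults. Match blocks and
# Include are not followed; "sshd -T" is the authoritative view.
# Prints each failing directive and returns 1 if any fails, 0 otherwise.
audit_sshd_config() {
  awk '
    { key = tolower($1) }
    key == "" || key ~ /^#/ { next }
    !(key in seen) { seen[key] = 1; val[key] = tolower($2) }
    END {
      dflt["passwordauthentication"] = "yes";          want["passwordauthentication"] = "no"
      dflt["challengeresponseauthentication"] = "yes"; want["challengeresponseauthentication"] = "no"
      dflt["pubkeyauthentication"] = "yes";            want["pubkeyauthentication"] = "yes"
      dflt["permitrootlogin"] = "prohibit-password";   want["permitrootlogin"] = "no|prohibit-password"
      bad = 0
      for (k in want) {
        v = (k in val) ? val[k] : dflt[k]
        if (v !~ "^(" want[k] ")$") {
          printf "FAIL %s is %s%s, want %s\n", k, v, (k in val) ? "" : " (default)", want[k]
          bad = 1
        }
      }
      p = ("port" in val) ? val["port"] : "22"
      if (p == "22") print "note: still on port 22 (moving it only cuts scanner noise, it is not a control)"
      exit bad
    }'
}

printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config || echo "weak config fails the audit"
printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config && echo "hardened config passes"
# To audit the live box instead: sudo sshd -T | audit_sshd_config
```

`sudo sshd -T` prints the effective settings after Include and Match are resolved, which is the right input for the audit on a real server. After editing the config, keep the current session open, run `sudo sshd -t` to syntax-check, restart the ssh service, and confirm a key login works in a second session before logging out.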
