I recently migrated to Digital Ocean and spent some time beefing up the box's security. One of the things I looked into was the stream of SSH login attempts being made against it, to see whether there was a pattern. Luckily, I'm running Ubuntu, where sshd logs every authentication attempt by default to /var/log/auth.log, so a quick one-liner is all it takes to see which usernames were being guessed. A guess against an account that does not exist is logged as "Invalid user NAME from IP", and that is the line the one-liner keys on.

# tr -s squeezes the space-padded day in single-digit dates ("Mar  5"), otherwise cut's field numbers shift by one on those days
grep "Invalid user " /var/log/auth.log | tr -s ' ' | cut -d' ' -f8 | awk '{a[$0]++}END{for(i in a)print i,a[i]}' | sort -k 2 -n -r | head -n 100
Username Count
test 141
postgres 116
oracle 88
web 75
test2 74
admin 59
jboss 49
ubuntu 45
webmaster 43
user 42
tech 40
debian 40
testuser 39
server 38
penguin 38
shoutcast 36
rdp 36
www 35
radio 35
ftp 33
test3 30
student 29
guest 29
toor 21
public 19
testing 15
tester 15
students 15
var 13
gov 9
adm 9
x 8
nagios 8
zabbix 7
z 7
y 7
w 7
vyatta 7
u 7
t 7
shell 7
s 7
r 7
q 7
p 7
o 7
n 7
michael 7
m 7
l 7
k 7
j 7
i 7
h 7
g 7
f 7
e 7
dup 7
d 7
ch 7
c 7
b 7
a 7
sales 6
office 6
home 6
data 6
bash 6
apache 6
administrator 6
v 5
test1 5
teamspeak 5
ssh 5
plesk 5
master 5
linux 5
ircd 5
http 5
walid 4
vnc 4
ust 4
ts 4
temp 4
telnet 4
smmsp 4
smart 4
samba 4
org 4
operator 4
net 4
named 4
mike 4
library 4
info 4
hacker 4
git 4
ftpuser 4
dan 4
cc 4

The usernames were all over the place: generic ones (test, admin, ubuntu, guest), the accounts created by various services (postgres, oracle, nagios, zabbix), single letters of the alphabet, and a slew of common English first names. In total, ~1500 unique usernames were tried against my box. Note what this list cannot show: a guess against an account that actually exists, root above all, is logged as "Failed password for root from ..." rather than "Invalid user", so grep for "Failed password for" to count those as well.

The same auth.log lines also carry the source IP address of each attempt, and we can summarize by that just as easily.

# same tr -s fix as above, otherwise field 10 is not the IP on single-digit days
grep "Invalid user " /var/log/auth.log | tr -s ' ' | cut -d' ' -f10 | awk '{a[$0]++}END{for(i in a)print i,a[i]}' | sort -k 2 -n -r | head -n 100
IP Count
162.13.41.12 874
176.31.244.7 733
216.127.160.146 572
195.50.80.169 382
66.219.106.164 359
199.33.127.35 220
112.167.161.194 98
128.199.226.160 66
198.50.120.178 60
189.85.66.234 37
14.18.145.82 29
166.78.243.86 23
222.190.114.98 22
130.126.141.74 18
178.208.77.133 17
61.160.213.171 8
49.213.20.249 8
23.253.51.76 7
178.254.8.177 7
193.107.128.10 5
121.167.232.196 2
107.182.134.51 2
82.221.106.233 1
74.3.121.10 1
72.225.239.90 1
111.74.134.216 1

In this case the number of IP addresses is much smaller, with only 26 unique addresses trying to connect, and the top six of them account for the large majority of the attempts. I took a look at a few and some of them look to be legitimate sites that may have been compromised.
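As an added example that is not part of the original post, here is a script that does the same two summaries more robustly and, going beyond the one-liners above, also counts the "Failed password for ..." lines that cover guesses against accounts that do exist. It runs against a constructed sample log embedded in the script (the hostname, users and addresses are made up); point the functions at /var/log/auth.log to use it for real. It lets awk split on runs of whitespace, so the space-padded day in "Mar  5" does not shift the fields, and cuts the username out of the message text rather than trusting a field number.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Summarises sshd failures
# from a syslog-format auth.log by username and by source address.
# Compared with the cut-based one-liners it (a) lets awk split on runs of
# whitespace, so "Mar  5 ..." and "Mar 12 ..." give the same field numbers,
# and (b) also counts "Failed password for ..." lines, which is how sshd
# logs guesses against accounts that DO exist (root above all) and which
# "Invalid user" alone never shows.
set -euo pipefail

# Constructed sample log: hostname, users and addresses are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  5 01:02:03 droplet sshd[1001]: Invalid user test from 203.0.113.10
Mar  5 01:02:05 droplet sshd[1001]: Failed password for invalid user test from 203.0.113.10 port 40001 ssh2
Mar  5 01:02:09 droplet sshd[1002]: Invalid user postgres from 203.0.113.10
Mar 12 03:04:05 droplet sshd[1003]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 12 03:04:08 droplet sshd[1004]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 12 03:04:11 droplet sshd[1005]: Invalid user admin from 198.51.100.7
Mar 12 03:05:00 droplet sshd[1006]: Accepted publickey for deploy from 192.0.2.1 port 50000 ssh2
EOF

# Most-tried first; ties broken by name so the output is stable.
by_count() { sort -k2,2nr -k1,1; }

# Names sshd rejected as nonexistent: the post's own metric. The name is
# cut out of the message text, so an empty username (sshd logs
# "Invalid user  from ..." for one) is still counted.
invalid_users() {
    awk '$5 ~ /^sshd\[/ && /: Invalid user / {
            sub(/.*: Invalid user /, ""); sub(/ from .*/, "")
            name = $0; if (name == "") name = "<empty>"
            count[name]++
         }
         END { for (u in count) print u, count[u] }' "$1" | by_count
}

# Every rejected password, whether or not the account exists.
failed_by_user() {
    awk '$5 ~ /^sshd\[/ && /: Failed password for / {
            sub(/.*: Failed password for (invalid user )?/, ""); sub(/ from .*/, "")
            count[$0]++
         }
         END { for (u in count) print u, count[u] }' "$1" | by_count
}

# Source address of every rejected password.
failed_by_ip() {
    awk '$5 ~ /^sshd\[/ && /: Failed password for / {
            sub(/.* from /, ""); sub(/ port .*/, "")
            count[$0]++
         }
         END { for (ip in count) print ip, count[ip] }' "$1" | by_count
}

printf '== invalid usernames ==\n';           invalid_users  "$SAMPLE_LOG"
printf '== password failures by user ==\n';   failed_by_user "$SAMPLE_LOG"
printf '== password failures by source ==\n'; failed_by_ip   "$SAMPLE_LOG"
```

On the sample the "invalid usernames" view lists test, postgres and admin, while the "by user" view shows root with two failures: the guesses against root never produce an "Invalid user" line, which is why the post's table cannot contain the single most-attacked account name.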

If you have a box open to the world, make sure it's secure. A small program that makes this easy is fail2ban: it scans the log files and temporarily bans, via the firewall, IPs that have had too many failed attempts. Two other quick fixes are to disable password authentication entirely and rely solely on public key authentication, which cannot be guessed the way a password can, and to move SSH from the default port 22 to something else. Moving the port only trims the noise from scanners that sweep port 22; key-only authentication is what actually defeats the guessing, since with PasswordAuthentication turned off sshd never compares a password at all. Confirm that your key login works in a second session before turning passwords off, or you will lock yourself out. Together these eliminate the bulk of the attempts and leave the rest as noise rather than risk.
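The three fixes above as an added example, not from the original post: a script that writes the sshd settings and a fail2ban jail as drop-in files and reads back the effective values. The port 2222, the file names and the scratch directory are my assumptions; by default it writes to a temporary directory so it can be dry-run, and it assumes an sshd new enough (8.2+) to honour the "Include /etc/ssh/sshd_config.d/*.conf" line that Ubuntu ships at the top of sshd_config (on older installs put the same lines in /etc/ssh/sshd_config itself).

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Writes the sshd hardening
# and the fail2ban jail described in the text as drop-in files and reads
# back the effective values. Defaults to a scratch directory (dry run); set
# SSHD_DROPIN_DIR=/etc/ssh/sshd_config.d and F2B_JAIL_DIR=/etc/fail2ban/jail.d
# (as root) to apply. Port and file names are assumptions.
set -euo pipefail

# sshd keeps the FIRST value it reads for each keyword. Ubuntu's stock
# sshd_config has "Include /etc/ssh/sshd_config.d/*.conf" at the top, so a
# drop-in there wins over anything further down; on an sshd without Include
# (pre-8.2) put these lines in /etc/ssh/sshd_config instead.
write_sshd_dropin() {   # $1 = file to write, $2 = port
    cat > "$1" <<EOF
# Key-only logins: nothing for a guesser to brute-force.
PasswordAuthentication no
# Named KbdInteractiveAuthentication in 8.7+, which still accepts this name.
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# root may still log in with a key, never with a password.
PermitRootLogin prohibit-password
# Non-default port: trims scanner noise, not a security control.
Port $2
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# fail2ban's stock jail.conf already defines [sshd] with the right filter
# and log path; the .local file just enables it and tells it the new port.
write_fail2ban_jail() {  # $1 = file to write, $2 = port
    cat > "$1" <<EOF
[sshd]
enabled  = true
port     = $2
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# First value for a keyword, the way sshd resolves it. Keywords are
# case-insensitive; comment lines never match because their first token
# starts with '#'.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

SSH_PORT=${SSH_PORT:-2222}
SCRATCH=$(mktemp -d)
SSHD_DROPIN_DIR=${SSHD_DROPIN_DIR:-$SCRATCH}
F2B_JAIL_DIR=${F2B_JAIL_DIR:-$SCRATCH}

write_sshd_dropin   "$SSHD_DROPIN_DIR/50-hardening.conf" "$SSH_PORT"
write_fail2ban_jail "$F2B_JAIL_DIR/sshd.local"           "$SSH_PORT"

for kw in PasswordAuthentication PubkeyAuthentication PermitRootLogin Port; do
    printf '%-24s %s\n' "$kw" "$(sshd_value "$SSHD_DROPIN_DIR/50-hardening.conf" "$kw")"
done
printf 'wrote %s and %s\n' "$SSHD_DROPIN_DIR/50-hardening.conf" "$F2B_JAIL_DIR/sshd.local"
```

After writing the real files, run `sshd -t` to check the syntax and `sshd -T | grep -i passwordauthentication` to see the value sshd will actually use once every Include is resolved, then restart sshd only while a working key-based session stays open. `fail2ban-client status sshd` confirms the jail is enabled and watching the new port.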
