Examining ssh login requests

2014-05-16

    I recently migrated to Digital Ocean and spent some time beefing up its security. One of the things I looked into was the various SSH attempts being made, to see if there was a pattern. Luckily, I’m running Ubuntu and every SSH attempt is logged by default to /var/log/auth.log, and all it required was a quick one-liner to see the failed attempts by username.

    grep "Invalid user " /var/log/auth.log | cut -d' ' -f8 | awk '{a[$0]++}END{for(i in a)print i,a[i]}' | sort -k 2 -n -r | head -n 100
    Username         Count
    test               141
    postgres           116
    oracle              88
    web                 75
    test2               74
    admin               59
    jboss               49
    ubuntu              45
    webmaster           43
    user                42
    tech                40
    debian              40
    testuser            39
    server              38
    penguin             38
    shoutcast           36
    rdp                 36
    www                 35
    radio               35
    ftp                 33
    test3               30
    student             29
    guest               29
    toor                21
    public              19
    testing             15
    tester              15
    students            15
    var                 13
    gov                  9
    adm                  9
    x                    8
    nagios               8
    zabbix               7
    z                    7
    y                    7
    w                    7
    vyatta               7
    u                    7
    t                    7
    shell                7
    s                    7
    r                    7
    q                    7
    p                    7
    o                    7
    n                    7
    michael              7
    m                    7
    l                    7
    k                    7
    j                    7
    i                    7
    h                    7
    g                    7
    f                    7
    e                    7
    dup                  7
    d                    7
    ch                   7
    c                    7
    b                    7
    a                    7
    sales                6
    office               6
    home                 6
    data                 6
    bash                 6
    apache               6
    administrator        6
    v                    5
    test1                5
    teamspeak            5
    ssh                  5
    plesk                5
    master               5
    linux                5
    ircd                 5
    http                 5
    walid                4
    vnc                  4
    ust                  4
    ts                   4
    temp                 4
    telnet               4
    smmsp                4
    smart                4
    samba                4
    org                  4
    operator             4
    net                  4
    named                4
    mike                 4
    library              4
    info                 4
    hacker               4
    git                  4
    ftpuser              4
    dan                  4
    cc                   4

    The usernames were all over the place - from generic ones (such as test, admin, ubuntu, guest) to the names used by various services (postgres, oracle, nagios) to letters of the alphabet. There was also a slew of common English first names. In total, there were ~1500 unique usernames that attempted to access my box.

    The auth.log file also records the source IP address of each attempt, so the same one-liner can summarize by that instead (the address is the tenth space-separated field of an "Invalid user" line). One caveat applies to both counts: "Invalid user" is only logged for accounts that do not exist on the box. A wrong password for an account that does exist, root above all, is logged as "Failed password for root from ..." and does not match this grep, so the most-targeted account of all never shows up in these tables.

    grep "Invalid user " /var/log/auth.log | cut -d' ' -f10 | awk '{a[$0]++}END{for(i in a)print i,a[i]}' | sort -k 2 -n -r | head -n 100
    IP                 Count
    162.13.41.12         874
    176.31.244.7         733
    216.127.160.146      572
    195.50.80.169        382
    66.219.106.164       359
    199.33.127.35        220
    112.167.161.194       98
    128.199.226.160       66
    198.50.120.178        60
    189.85.66.234         37
    14.18.145.82          29
    166.78.243.86         23
    222.190.114.98        22
    130.126.141.74        18
    178.208.77.133        17
    61.160.213.171         8
    49.213.20.249          8
    23.253.51.76           7
    178.254.8.177          7
    193.107.128.10         5
    121.167.232.196        2
    107.182.134.51         2
    82.221.106.233         1
    74.3.121.10            1
    72.225.239.90          1
    111.74.134.216         1

    In this case, the total number of IP addresses is significantly smaller with only 26 unique IP addresses trying to connect. I took a look at a few and some of them look to be legitimate sites that may have been compromised.
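The two tallies above, redone here as an added example (this is not the post's own command, and the log lines, host name and addresses below are constructed, not taken from any real server). It differs from the one-liners in two ways a practitioner will care about: it splits fields with awk instead of `cut -d' '`, because syslog pads single-digit days with a second space ("May  6") and that extra empty field shifts everything `cut` sees, so for a third of the month the one-liner counts the literal word "user" as a username; and it also tallies "Failed password for ..." lines, which is where guesses against accounts that do exist (root, mainly) end up.

```shell
#!/bin/sh
# Constructed sample of Ubuntu auth.log lines (not real log data).
# Note the double space in "May  6": syslog right-aligns the day of month,
# which shifts every field for `cut -d' '` on days 1-9.
SAMPLE_LOG='May 16 10:12:01 vps sshd[2231]: Invalid user test from 203.0.113.5
May 16 10:12:03 vps sshd[2231]: Failed password for invalid user test from 203.0.113.5 port 51123 ssh2
May 16 10:12:09 vps sshd[2240]: Invalid user postgres from 203.0.113.5
May 16 10:13:44 vps sshd[2251]: Failed password for root from 198.51.100.7 port 40012 ssh2
May  6 02:40:17 vps sshd[1187]: Invalid user test from 192.0.2.9
May  6 02:40:20 vps sshd[1190]: Invalid user oracle from 192.0.2.9
May 16 10:20:00 vps sshd[2270]: Accepted publickey for deploy from 198.51.100.20 port 51000 ssh2'

# The post's approach, kept for comparison: `cut -d' '` treats each space as
# a separator, so on "May  6" lines field 8 is the word "user", not the name.
count_with_cut() {
    grep "Invalid user " | cut -d' ' -f8 | sort | uniq -c | sort -rn
}

# "Invalid user" attempts by username. awk splits on runs of whitespace,
# so the padded single-digit day does not shift the fields.
count_invalid_users() {
    awk '/: Invalid user / { n[$8]++ }
         END { for (u in n) print n[u], u }' | sort -rn
}

# "Invalid user" attempts by source address: the field after "from".
count_invalid_sources() {
    awk '/: Invalid user / {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Password failures, including those against accounts that exist (root).
# Two shapes occur: "Failed password for root from ..." and
# "Failed password for invalid user test from ...".
count_failed_passwords() {
    awk '/: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "for") {
                 u = $(i+1)
                 if (u == "invalid") u = $(i+3)
                 break
             }
             n[u]++
         }
         END { for (u in n) print n[u], u }' | sort -rn
}

# Run against the constructed sample; swap in `cat /var/log/auth.log` for real use.
printf '%s\n' "$SAMPLE_LOG" | count_invalid_users
printf '%s\n' "$SAMPLE_LOG" | count_invalid_sources
printf '%s\n' "$SAMPLE_LOG" | count_failed_passwords
```

On a live host, feed the functions `cat /var/log/auth.log /var/log/auth.log.1` (and `zcat` the rotated `.gz` files) to cover more than the current week; the single file the one-liner reads is whatever logrotate has left since the last rotation.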

    If you have a box open to the world, you should make sure it’s secure. A small program that makes this easy is fail2ban: it scans log files such as auth.log and temporarily bans IPs that have had too many failed attempts, which cuts the volume of guessing from any single source. The fix that actually removes the risk is to disable password authentication entirely and rely solely on public key authentication; with no password prompt there is nothing for these scanners to guess. Moving SSH off port 22 is a third, cheaper step: it does not make the service any harder to break into, but most of this traffic comes from untargeted scanners that only try port 22, so it thins the log noise considerably. Together these should eliminate the bulk of the attempts and keep your box secure.
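A check on the "disable password authentication" step, added here as an example (not from the post, and the config text is constructed rather than copied from a real host). The pitfall it guards against is real: sshd uses the first value it finds for a keyword and ignores later ones, so appending `PasswordAuthentication no` to the bottom of a file that already says `PasswordAuthentication yes` higher up changes nothing, and passwords also stay reachable through keyboard-interactive login unless `ChallengeResponseAuthentication` is off as well. The function names and the drop-in file name are my own.

```shell
#!/bin/sh
# Constructed stand-in for /etc/ssh/sshd_config (not from any real host).
# The operator appended "PasswordAuthentication no" at the bottom, but sshd
# takes the FIRST value it sees for a keyword, so the earlier "yes" wins.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# added later, never takes effect:
PasswordAuthentication no'

# Corrected version: a single occurrence of each keyword, key-only login,
# keyboard-interactive (the other password path) off, root login off.
HARDENED_CONFIG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
UsePAM yes'

# Resolve a keyword the way sshd does for the global section: skip comments,
# match case-insensitively, and take the first hit. Reads config text on stdin.
# (Match blocks are not modelled here; see the note on `sshd -T` below.)
effective_value() {
    awk -v kw="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(kw) { print $2; exit }'
}

# Exit 0 only if both password paths are closed. sshd defaults both keywords
# to "yes", so an absent keyword counts as "yes".
password_auth_disabled() {
    cfg=$(cat)
    pa=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication)
    cr=$(printf '%s\n' "$cfg" | effective_value ChallengeResponseAuthentication)
    [ "${pa:-yes}" = "no" ] && [ "${cr:-yes}" = "no" ]
}

# Report on both constructed configs.
for name in WEAK_CONFIG HARDENED_CONFIG; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | password_auth_disabled; then
        echo "$name: password logins disabled"
    else
        echo "$name: password logins STILL ENABLED"
    fi
done
```

Static parsing like this is only a sanity check; the authoritative answer on a running host is `sudo sshd -T`, which prints every effective value after Match blocks and defaults are applied (`sudo sshd -T | grep -iE 'passwordauthentication|challengeresponseauthentication|permitrootlogin'`). Run it before restarting sshd, and keep an existing session open while you confirm key login works, so a typo cannot lock you out. On OpenSSH 8.7 and later the keyboard-interactive keyword is spelled `KbdInteractiveAuthentication`; the old name is still accepted as an alias.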