I recently migrated to Digital Ocean and spent some time beefing up its security. One of the things I looked into was the various SSH attempts being made, to see if there was a pattern. Luckily, I’m running Ubuntu, where every SSH attempt is logged by default to /var/log/auth.log, and all it required was a quick one-liner to see the failed attempts by username.

```bash
# awk '{print $8}' rather than cut -d' ' -f8: syslog pads single-digit days with two
# spaces ("Mar  1"), which would shift cut's space-delimited field numbers by one.
grep "Invalid user " /var/log/auth.log | awk '{print $8}' | awk '{a[$0]++}END{for(i in a)print i,a[i]}' | sort -k 2 -n -r | head -n 100
```
Username | Count |
---|---|
test | 141 |
postgres | 116 |
oracle | 88 |
web | 75 |
test2 | 74 |
admin | 59 |
jboss | 49 |
ubuntu | 45 |
webmaster | 43 |
user | 42 |
tech | 40 |
debian | 40 |
testuser | 39 |
server | 38 |
penguin | 38 |
shoutcast | 36 |
rdp | 36 |
www | 35 |
radio | 35 |
ftp | 33 |
test3 | 30 |
student | 29 |
guest | 29 |
toor | 21 |
public | 19 |
testing | 15 |
tester | 15 |
students | 15 |
var | 13 |
gov | 9 |
adm | 9 |
x | 8 |
nagios | 8 |
zabbix | 7 |
z | 7 |
y | 7 |
w | 7 |
vyatta | 7 |
u | 7 |
t | 7 |
shell | 7 |
s | 7 |
r | 7 |
q | 7 |
p | 7 |
o | 7 |
n | 7 |
michael | 7 |
m | 7 |
l | 7 |
k | 7 |
j | 7 |
i | 7 |
h | 7 |
g | 7 |
f | 7 |
e | 7 |
dup | 7 |
d | 7 |
ch | 7 |
c | 7 |
b | 7 |
a | 7 |
sales | 6 |
office | 6 |
home | 6 |
data | 6 |
bash | 6 |
apache | 6 |
administrator | 6 |
v | 5 |
test1 | 5 |
teamspeak | 5 |
ssh | 5 |
plesk | 5 |
master | 5 |
linux | 5 |
ircd | 5 |
http | 5 |
walid | 4 |
vnc | 4 |
ust | 4 |
ts | 4 |
temp | 4 |
telnet | 4 |
smmsp | 4 |
smart | 4 |
samba | 4 |
org | 4 |
operator | 4 |
net | 4 |
named | 4 |
mike | 4 |
library | 4 |
info | 4 |
hacker | 4 |
git | 4 |
ftpuser | 4 |
dan | 4 |
cc | 4 |
The usernames were all over the place - from generic ones (such as test, admin, ubuntu, guest) to the names used by various services (postgres, oracle, nagios) to letters of the alphabet. There was also a slew of common English first names. In total, there were ~1500 unique usernames that attempted to access my box.
The auth.log file also contains the source IP address of each attempt, so we can summarize by that just as easily.

```bash
# Field 10 is the address after "from"; awk is used instead of cut for the same
# single-digit-day reason as above.
grep "Invalid user " /var/log/auth.log | awk '{print $10}' | awk '{a[$0]++}END{for(i in a)print i,a[i]}' | sort -k 2 -n -r | head -n 100
```
IP | Count |
---|---|
162.13.41.12 | 874 |
176.31.244.7 | 733 |
216.127.160.146 | 572 |
195.50.80.169 | 382 |
66.219.106.164 | 359 |
199.33.127.35 | 220 |
112.167.161.194 | 98 |
128.199.226.160 | 66 |
198.50.120.178 | 60 |
189.85.66.234 | 37 |
14.18.145.82 | 29 |
166.78.243.86 | 23 |
222.190.114.98 | 22 |
130.126.141.74 | 18 |
178.208.77.133 | 17 |
61.160.213.171 | 8 |
49.213.20.249 | 8 |
23.253.51.76 | 7 |
178.254.8.177 | 7 |
193.107.128.10 | 5 |
121.167.232.196 | 2 |
107.182.134.51 | 2 |
82.221.106.233 | 1 |
74.3.121.10 | 1 |
72.225.239.90 | 1 |
111.74.134.216 | 1 |
In this case, the total number of IP addresses is significantly smaller with only 26 unique IP addresses trying to connect. I took a look at a few and some of them look to be legitimate sites that may have been compromised.
If you have a box open to the world, you should make sure it’s secure. A small program that makes this easy is fail2ban: it scans log files and bans IPs that have had too many failed attempts. Two other quick fixes are to disable password authentication entirely and rely solely on public key authentication, which is significantly harder to brute force, and to change the default SSH port from 22 to something else. These should be enough to eliminate the bulk of attempts and keep your box secure.
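The same summaries as the two one-liners above, as an added Python example that is not part of the original post: it parses the "Invalid user" lines with a regex (so the two-space padding of single-digit days cannot shift columns), counts by username and by source IP, and flags sources that exceed a fail2ban-style retry threshold. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Matches the sshd line the post greps for, e.g.
# "Mar  1 06:12:09 host sshd[1234]: Invalid user test from 162.13.41.12"
# Anchoring on "sshd[...]: Invalid user" also skips the related
# "Failed password for invalid user ..." lines so nothing is double counted.
INVALID_USER_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>\S+)"
)

# Constructed sample of auth.log lines (hostnames and IPs are made up).
SAMPLE_LOG = """\
Mar  1 06:12:09 droplet sshd[2201]: Invalid user test from 192.0.2.10
Mar  1 06:12:11 droplet sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 41022 ssh2
Mar  1 06:12:14 droplet sshd[2205]: Invalid user postgres from 192.0.2.10
Mar 10 07:01:00 droplet sshd[2310]: Invalid user oracle from 198.51.100.7
Mar 10 07:01:03 droplet sshd[2312]: Invalid user test from 198.51.100.7
Mar 10 07:02:30 droplet sshd[2320]: Accepted publickey for deploy from 203.0.113.5 port 50022 ssh2
Mar 10 07:05:41 droplet sshd[2330]: Invalid user admin from 192.0.2.10
"""


def parse_invalid_users(text):
    """Yield (username, source_ip) for every 'Invalid user' line."""
    for line in text.splitlines():
        m = INVALID_USER_RE.match(line)
        if m:
            yield m.group("user"), m.group("ip")


def count_by_user(text):
    return Counter(user for user, _ in parse_invalid_users(text))


def count_by_ip(text):
    return Counter(ip for _, ip in parse_invalid_users(text))


def ips_over_threshold(text, maxretry=3):
    """Sources with at least `maxretry` invalid-user attempts: the same kind
    of rule a fail2ban sshd jail applies before banning an address."""
    return sorted(ip for ip, n in count_by_ip(text).items() if n >= maxretry)


if __name__ == "__main__":
    for name, n in count_by_user(SAMPLE_LOG).most_common():
        print(f"{name} {n}")
    print("would ban:", ips_over_threshold(SAMPLE_LOG))
```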