Ongoing large-scale distributed SSH brute-force attack

Jonathan Kamens jik at kamens.us
Sat Dec 3 21:23:21 PST 2011


In the past, securing SSH on the public Internet has been pretty much as
easy as (a) keep your OS patched, (b) don't let root log in with a password,
and (c) run fail2ban to stop brute-force attacks.

Unfortunately, it looks like the bad guys have finally figured out how to
put their bots to work running distributed SSH brute-force attacks.  If so,
then fail2ban is no longer going to be good enough, and more sophisticated
(and inconvenient) measures are going to be needed.

Prior to 1 Dec, the five machines I maintain with SSH servers accessible to
the public have been probed by an average of 13 different IP addresses per
day.  On 1 Dec, they were probed by 109 different IP addresses, a 738%
increase over the prior average. On 2 and 3 Dec, they were probed by 79 and
72 different IP addresses. Not as high as the first day, but still quite a
jump!

I saw this increase across the board on five different machines on four
distinct networks run by four different network service providers. I've been
in correspondence with someone at the SANS Internet Storm Center who says
he's seen a similar spike on machines he maintains.

It seems clear to me that someone is engaging in a distributed brute-force
attack trying to break into servers as root via ssh.

Since this particular attack is targeted at the root user, you're safe for
the time being as long as you don't allow root to log in with a
password. But it's only a matter of time before they start attempting
distributed brute-force attacks of non-root accounts. When that happens,
blocking individual IP addresses with a series of failed login attempts is
no longer going to be sufficient.

If you maintain a server whose SSH port is open to the public, please let me
know the details if you're seeing a similar attack on your server (you can
post a comment on my blog
<http://blog.kamens.us/2011/12/04/ongoing-large-scale-distributed-ssh-brute-force-attack/>
or email me <mailto:jik at kamens.us>. In case it is useful, here
<http://stuff.mit.edu/%7Ejik/software/ssh-logs.pl.txt> is the script I have
been using to collect and display data from the machines I maintain.
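As an added example (not the author's ssh-logs.pl script), the detection logic this post implies, in Python: count distinct probing source IPs per day from sshd "Failed password" lines and flag a day as a distributed attack when that count jumps against the baseline while no single source reaches the per-IP failure count a fail2ban-style ban needs. The log lines, the baseline and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample sshd log lines (not real data); syslog timestamps carry no year.
SAMPLE_LOG = """\
Dec  1 00:12:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 5001 ssh2
Dec  1 00:12:03 host sshd[1002]: Failed password for root from 198.51.100.7 port 5002 ssh2
Dec  1 01:30:44 host sshd[1010]: Failed password for root from 203.0.113.9 port 4412 ssh2
Dec  1 02:05:10 host sshd[1021]: Failed password for invalid user admin from 192.0.2.55 port 3322 ssh2
Dec  1 03:48:59 host sshd[1031]: Failed password for root from 203.0.113.77 port 1212 ssh2
Dec  2 10:00:00 host sshd[2001]: Failed password for root from 198.51.100.7 port 5003 ssh2
Dec  2 10:00:02 host sshd[2002]: Failed password for root from 198.51.100.7 port 5004 ssh2
Dec  2 10:00:04 host sshd[2003]: Failed password for root from 198.51.100.7 port 5005 ssh2
Dec  2 10:00:06 host sshd[2004]: Failed password for root from 198.51.100.7 port 5006 ssh2
Dec  2 10:00:08 host sshd[2005]: Failed password for root from 198.51.100.7 port 5007 ssh2
"""
# Matches sshd "Failed password" lines and captures day, target user and source IP.
FAILED_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text):
    """Return (day, user, ip) for every failed-password line in the text."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            day = " ".join(m.group("day").split())  # collapse "Dec  1" to "Dec 1"
            out.append((day, m.group("user"), m.group("ip")))
    return out

def flag_distributed(records, baseline_ips, ratio=3.0, per_ip_limit=5):
    """Flag days whose distinct-IP count reaches ratio x baseline while every
    source stays below the per-IP failure count a fail2ban-style ban needs."""
    per_day = defaultdict(lambda: {"ips": Counter(), "root": 0, "total": 0})
    for day, user, ip in records:
        d = per_day[day]
        d["ips"][ip] += 1
        d["total"] += 1
        d["root"] += 1 if user == "root" else 0
    flagged = {}
    for day, d in per_day.items():
        distinct = len(d["ips"])
        low_and_slow = all(n < per_ip_limit for n in d["ips"].values())
        if distinct >= ratio * baseline_ips and low_and_slow:
            flagged[day] = {"distinct_ips": distinct,
                            "pct_increase": round(100.0 * (distinct - baseline_ips) / baseline_ips),
                            "root_share": round(d["root"] / d["total"], 2)}
    return flagged
```

In the sample, 2 Dec is a single source hammering one account, which a per-IP ban handles; 1 Dec is many sources with one or two tries each, which only the aggregate view catches.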

More information about the cypherpunks-legacy mailing list