Attack of the SSH Bots - observations on SSH brute-forcing attempts

Introduction

As publicly known, I have an active home server for a variety of purposes. I recently did something that could be said to be a major renovation; a big part of the internal software setups were replaced completely, and all of them were substantially updated or at least refactored to be better suitable for my current needs.

It is considered to be common knowledge that SSH bots are constantly on the hunt for vulnerable hosts. It is also an equally well known fact for me that my server was probed by these bots (as shown on firewall logs), but I had not systematically collected any statistical data about them.

So, for personal interest, I set up an automated statistical logger for SSH services. It observes SSH probing attempts, and jots down information in a easy-to-process format. The results were quite interesting indeed, in my personal opinion.

Note that all of these observations are about password-based login attempts. Even though my logging system would have logged failed public-key login attempts, absolutely zero of them occurred. This is an interesting observation in and of itself.

Observations

General statistics

Obsevations detailed in this post span time from Friday 29th September, 17:08 thru Friday 6th October 20:30. This time is non-continuous, with periodic server shutdowns (it is quite noisy, after all..) leaving gaps in the logs. There were a total of 4237 attempts to log on.

Assuming the server was active around 16 hours a day, this comes to around 37 attempts a hour. This may seem small by the first glance, but considering the server is usually on for most of the day, this very quickly racks up to a rather substantial count. There were approximately 58.8 attacks per single IP address, with the standard deviation of the sample being 194.14.

Root is the king

Username How many times this username was used
root 2699
admin 194
ubuntu 41
oracle 32
postgres 31
user 27
git 25
nagios 24
pi 23
tomcat 23

It is very obvious that these bots target the root account. Over 63% of tries were for the user root.

As a matter of policy among other security policies of mine, I have PermitRootLogin No on all of my SSH servers, so they would be intristically immune against this common attack attempt. The attacker would have to guess another username, before even getting on the topic of authenticating themselves.

Weak passwords mean open doors

Password How many times this password was used
123456 183
password 155
test 114
123 113
test123  110
321 104
1234 48
admin 39
12345 30
default 29
root 27
ubnt 25
raspberry 16
admin123 16
<blank> 16
111111 14
000000 13
ubuntu 12
welc0me 12
qwerty 12
support 11
system 11
0000 11

These most popular, and yet decisively weak passwords cover over a fourth (26.4%) of all attack attempts. If you use any of these passwords on a public-facing server, chances are, it will be pwned before the day is done.

Looking at the rest of the log, many passwords were based on common words and relatively short.

Strong tendency for offenses from a few countries

Country of origin for attack attempts Count
China 2332
United States 919
India 288
Russia 132
France 119
Indonesia 109
Singapore 88
Great Britain 71
The Netherlands 45
Brazil 38
Italy 28
South Korea 17
Japan 12
Ukraine 10
Germany 10
Belgium 10
Canada 5
Luxembourg 1
Liberia 1
Iran 1
Romania 1

China, solely, accounts for 54.8% of attempts - and the set of top 6 countries account for 92% of attacks. There is obviously some merit to the sometimes heard advice of simply blocking China - if I did that outright, half of the attacks from this sample would be gone instantly.

It is particularly interesting that there are many different intensities of attempts. From the bottom end, there were only a single or maybe a few attempts - and for the top contenders (including one IP from China with 1000+ attempts!), the attempts spanned several hours on end, sometimes even resuming after long shutdown times.

What to take away from this text?

Particular captures from the logs

Here are a few particularly odd, weird and/or amusing snippets that were caught during the time period above.

Username : password Reaction
HELLO : FIELD.SUPPORT No, you are not!
root : roooooooooooooooooooooooooooooooooooooooooooooooot Kinda clever - try counting the O’s in that. Still, pretty guessable.
root : diffie-hellman-group-exchange-sha1 Uhh..?
root : minecraft This is a dreadful idea. DON’T!
root : @@kukkerh4x0r@@ Ooh, pfft. Who has that as their password?
root : phpmyadminvictim That must be a jab against something.. dunno what :D
ec2-user : 321 Do I look like an Amazon server to you? (╯°□°)╯︵ ┻━┻
root : arris Ya know.. I’ve heard about this somewhere…
butter : butt3r4ever This ‘butter’ username makes several appearances. I wonder what it is..?