This post is a continuation of the topic presented in an earlier post of mine, Attack of the SSH bots.
As I took a data mining course for the spring semester, I had an opportunity to spend time furthering my research on SSH attack trends, and that’s what I indeed did.
This post is essentially a paraphrasing of the original slides as presented in the final seminar for the course; these slides and attached materials are linked at the end of this post.
As is publicly known, I have an active home server for a variety of purposes. I recently did something that could be called a major renovation; a big part of the internal software setups was replaced completely, and all of them were substantially updated or at least refactored to be better suited to my current needs.
It is considered common knowledge that SSH bots are constantly on the hunt for vulnerable hosts. It is an equally well-known fact to me that my server was probed by these bots (as shown in the firewall logs), but I had not systematically collected any statistical data about them.
So, out of personal interest, I set up an automated statistical logger for SSH services. It observes SSH probing attempts and jots down information in an easy-to-process format. The results were quite interesting indeed, in my personal opinion.
Note that all of these observations are about password-based login attempts. Even though my logging system would have logged failed public-key login attempts, absolutely zero of them occurred. This is an interesting observation in and of itself.