Originally published in late 2017
As publicly known, I have an active home server for a variety of purposes. I recently did something that could be said to be a major renovation; a big part of the internal software setups were replaced completely, and all of them were substantially updated or at least refactored to be better suitable for my current needs.
It is considered to be common knowledge that SSH bots are constantly on the hunt for vulnerable hosts. It is also an equally well known fact for me that my server was probed by these bots (as shown on firewall logs), but I had not systematically collected any statistical data about them.
So, for personal interest, I set up an automated statistical logger for SSH services. It observes SSH probing attempts, and jots down information in a easy-to-process format. The results were quite interesting indeed, in my personal opinion.
Note that all of these observations are about password-based login attempts. Even though my logging system would have logged failed public-key login attempts, absolutely zero of them occurred. This is an interesting observation in and of itself.
Obsevations detailed in this post span time from Friday 29th September, 17:08 thru Friday 6th October 20:30. This time is non-continuous, with periodic server shutdowns (it is quite noisy, after all..) leaving gaps in the logs. There were a total of 4237 attempts to log on.
Assuming the server was active around 16 hours a day, this comes to around 37 attempts a hour. This may seem small by the first glance, but considering the server is usually on for most of the day, this very quickly racks up to a rather substantial count. There were approximately 58.8 attacks per single IP address, with the standard deviation of the sample being 194.14.
Username | How many times this username was used |
---|---|
root | 2699 |
admin | 194 |
ubuntu | 41 |
oracle | 32 |
postgres | 31 |
user | 27 |
git | 25 |
nagios | 24 |
pi | 23 |
tomcat | 23 |
It is very obvious that these bots target the root account. Over 63% of tries were for the user root.
As a matter of policy among other security policies of mine, I have PermitRootLogin No on all of my SSH servers, so they would be intristically immune against this common attack attempt. The attacker would have to guess another username, before even getting on the topic of authenticating themselves.
Password | How many times this password was used |
---|---|
123456 | 183 |
password | 155 |
test | 114 |
123 | 113 |
test123 | 110 |
321 | 104 |
1234 | 48 |
admin | 39 |
12345 | 30 |
default | 29 |
root | 27 |
ubnt | 25 |
raspberry | 16 |
admin123 | 16 |
<blank> | 16 |
111111 | 14 |
000000 | 13 |
ubuntu | 12 |
welc0me | 12 |
qwerty | 12 |
support | 11 |
system | 11 |
0000 | 11 |
These most popular, and yet decisively weak passwords cover over a fourth (26.4%) of all attack attempts. If you use any of these passwords on a public-facing server, chances are, it will be pwned before the day is done.
Looking at the rest of the log, many passwords were based on common words and relatively short.
Country of origin for attack attempts | Count |
---|---|
China | 2332 |
United States | 919 |
India | 288 |
Russia | 132 |
France | 119 |
Indonesia | 109 |
Singapore | 88 |
Great Britain | 71 |
The Netherlands | 45 |
Brazil | 38 |
Italy | 28 |
South Korea | 17 |
Japan | 12 |
Ukraine | 10 |
Germany | 10 |
Belgium | 10 |
Canada | 5 |
Luxembourg | 1 |
Liberia | 1 |
Iran | 1 |
Romania | 1 |
China, solely, accounts for 54.8% of attempts - and the set of top 6 countries account for 92% of attacks. There is obviously some merit to the sometimes heard advice of simply blocking China - if I did that outright, half of the attacks from this sample would be gone instantly.
It is particularly interesting that there are many different intensities of attempts. From the bottom end, there were only a single or maybe a few attempts - and for the top contenders (including one IP from China with 1000+ attempts!), the attempts spanned several hours on end, sometimes even resuming after long shutdown times.
Here are a few particularly odd, weird and/or amusing snippets that were caught during the time period above.
Username : password | Reaction |
---|---|
HELLO : FIELD.SUPPORT | No, you are not! |
root : roooooooooooooooooooooooooooooooooooooooooooooooot | Kinda clever - try counting the O’s in that. Still, pretty guessable. |
root : diffie-hellman-group-exchange-sha1 | Uhh..? |
root : minecraft | This is a dreadful idea. DON’T! |
root : @@kukkerh4x0r@@ | Ooh, pfft. Who has that as their password? |
root : phpmyadminvictim | That must be a jab against something.. dunno what :D |
ec2-user : 321 | Do I look like an Amazon server to you? (╯°□°)╯︵ ┻━┻ |
root : arris | Ya know.. I’ve heard about this somewhere… |
butter : butt3r4ever | This ‘butter’ username makes several appearances. I wonder what it is..? |
Cheers, Arttu