It's nothing new that there are several botnets scouring the Internet for poorly protected SSH servers. Their members are mostly compromised hosts, such as home computers hijacked with trojans and worms. Some "real" servers end up on these botnets as well. Sometimes hired for the purpose, sometimes cracked by the same backdoors as the home computers, or simply compromised via the services they run, usually vulnerable dynamic websites.
These botnets scan vast IP-address ranges trying to find hosts which are running SSH server software on the default port (tcp 22). When they find one, they start trying to log in using brute force. Usually the method of choice is to log in as root and use a dictionary for guessing the password. Sometimes they try to log in as other users, such as test or staff, or use someone's first name as the login.
I noticed these attacks were consuming lots of CPU resources on my server, as you can see on this graph:
You can also see this was quite some time ago. Since then, the hardware has been heavily upgraded, but I also took some measures to protect the server.
There are a number of ways to proceed in doing that, but I won't go into that now. I simply chose a dynamic blacklist using the standard iptables firewall and a script called sshblack to update it. Apparently the same goal can be reached using Fail2ban as well. It also provides some more advanced functionality out of the box.
Anyhow, the sshblack script has been running on my Linux box for almost two years now, and I'm quite happy with it. To end up on the list, at least 4 unsuccessful SSH login attempts have to take place within 5 minutes. The address is then released from the list after 4 days. I've usually seen around 20 to 30 entries on the list at all times, so the attacks are running at a pretty constant rate. I decided to make the list public on March 24th this year. The public version is generated from the iptables chain hourly and the most recent culprit is the first one in the output. You can see the list here: http://dx.fi/alt/shame.php.
Now, what prompted me into writing this entry is the fact that at the time of writing there are 129 entries on the list. This is 10 times the usual number and more than double the amount I remember as the previous record. This led me to wondering if I've managed to attract more probes by making the list public. Naturally, there is no sure way to answer this, but I'll be keeping a bit closer eye on the list. To help me with that, I wrote a simple munin plugin to graph the number of entries on the blacklist. You can find the plugin file here: http://dx.fi/alt/munin/sshblack
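To make the blacklisting rule and the entry count concrete, here is an added example (not the sshblack script or the munin plugin from this post) that applies the same policy, 4 failed logins within 5 minutes puts an address on the list and it is released 4 days later, to a few constructed OpenSSH "Failed password" syslog lines and then reports how many entries would be on the list at a given moment. The log format, the year used to complete the syslog timestamps, and the sample addresses (documentation ranges) are all assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy as described in the post: 4 failures within 5 minutes -> block,
# released again 4 days later.
MAX_FAILURES = 4
WINDOW = timedelta(minutes=5)
BLOCK_DURATION = timedelta(days=4)

# Matches the standard OpenSSH "Failed password" syslog line (assumed format).
# Classic syslog timestamps carry no year, so the caller supplies one.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines, not taken from the post. The first host fails
# four times in 13 seconds; the second fails four times but six minutes apart,
# so it never has four failures inside one five-minute window.
SAMPLE_LOG = """\
Mar 24 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar 24 10:00:05 host sshd[1002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar 24 10:00:09 host sshd[1003]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Mar 24 10:00:14 host sshd[1004]: Failed password for invalid user staff from 192.0.2.10 port 40004 ssh2
Mar 24 10:01:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar 24 10:07:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 50002 ssh2
Mar 24 10:13:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 50003 ssh2
Mar 24 10:19:00 host sshd[1008]: Failed password for root from 198.51.100.7 port 50004 ssh2
Mar 24 10:30:00 host sshd[1009]: Accepted password for alice from 203.0.113.5 port 60001 ssh2
"""


def parse_failures(text, year=2009):
    """Yield (timestamp, ip) for every failed-login line, in file order."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def find_offenders(text, year=2009):
    """Return {ip: (block_time, release_time)} for addresses that hit the threshold.

    Keeps a sliding window of recent failure times per address. When the
    window holds MAX_FAILURES entries, the address is blocked as of the last
    failure. Further failures from a blocked address are ignored until the
    block expires, which mirrors the firewall dropping its packets.
    """
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip in parse_failures(text, year):
        if ip in blocked and ts < blocked[ip][1]:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()  # drop failures older than the 5-minute window
        if len(window) >= MAX_FAILURES:
            blocked[ip] = (ts, ts + BLOCK_DURATION)
            window.clear()
    return blocked


def active_count(blocked, now):
    """Number of entries still on the list at 'now' (the value a graph would plot)."""
    return sum(1 for _, release in blocked.values() if release > now)


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip, (since, until) in offenders.items():
        print(f"{ip} blocked {since:%b %d %H:%M:%S} until {until:%b %d %H:%M:%S}")
    print("entries on the list right after the block:",
          active_count(offenders, datetime(2009, 3, 24, 10, 1)))
```

Run against the sample, only 192.0.2.10 ends up on the list; 198.51.100.7 is just as persistent but spreads its attempts out enough that the window never fills, which is the kind of slow probing a pure count-per-window rule does not catch.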