Friday, September 28, 2012

Login Attempts from the Wild 'Net

So, I've had a box with an ssh port exposed to the Internet for a month or two now. In that time, I've logged 15947 failed connection attempts to the server. Some of them are legitimate, just me mistyping a password (2 to my user, probably a couple of oopses from me on root).

Using lastb, I can see the last failed attempts to the host.

Looking at the list of users (and number of attempts) that people tried to log in as...

3544 r00t
3065 root
42 xbox
118 www
4 webadmin
44 sysadmin
286 admin
20 Admin
20 webmaster
108 webmail
50 web
2 vpnuser
4 nobody
32 apache

Those are some of the most interesting. The rest are random names of all ethnicities, random letters, assorted characters, etc. There may be a few other common logins, but I didn't do a full dive through the list.

The more interesting part is that most of these attempts seem to have come from about a dozen IPs.
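Here is how to pull the per-user and per-host counts above out of lastb output without reading the whole list by hand. This is an added example, not something from the original post; the lastb lines in it are constructed sample data (RFC 5737 test addresses), and on a real box you would replace the sample function's body with `sudo lastb`. The one gotcha it handles is lastb's trailing "btmp begins ..." line, which would otherwise show up as a user named "btmp".

```shell
#!/bin/sh
# Constructed sample of `lastb` output (btmp records); not real log data.
# On the real host, replace the body of this function with: sudo lastb
sample_lastb() {
cat <<'EOF'
root     ssh:notty    203.0.113.5      Fri Sep 28 10:01 - 10:01  (00:00)
r00t     ssh:notty    203.0.113.5      Fri Sep 28 10:01 - 10:01  (00:00)
root     ssh:notty    203.0.113.5      Fri Sep 28 10:02 - 10:02  (00:00)
admin    ssh:notty    203.0.113.5      Fri Sep 28 10:02 - 10:02  (00:00)
r00t     ssh:notty    203.0.113.5      Fri Sep 28 10:03 - 10:03  (00:00)
root     ssh:notty    203.0.113.5      Fri Sep 28 10:03 - 10:03  (00:00)
root     ssh:notty    198.51.100.7     Fri Sep 28 11:15 - 11:15  (00:00)
www      ssh:notty    198.51.100.7     Fri Sep 28 11:16 - 11:16  (00:00)
xbox     ssh:notty    192.0.2.9        Fri Sep 28 12:40 - 12:40  (00:00)

btmp begins Fri Sep 28 10:01:00 2012
EOF
}

# Keep only record lines: drop the blank line and the "btmp begins ..."
# trailer lastb prints at the end (it would otherwise count as user "btmp").
records() {
  sample_lastb | grep -v '^btmp begins' | awk 'NF >= 3'
}

# Total number of failed attempts.
total_failed() {
  records | awk 'END { print NR }'
}

# Failed attempts per login name, most frequent first: "<count> <user>".
failed_by_user() {
  records | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Failed attempts per source host (third column), most frequent first.
failed_by_host() {
  records | awk '{ print $3 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Hosts with at least THRESHOLD failures, one per line: the same candidates
# a tool like DenyHosts or fail2ban would end up blocking.
noisy_hosts() {
  threshold="${1:-5}"
  failed_by_host | awk -v t="$threshold" '$1 >= t { print $2 }'
}

echo "total failed logins: $(total_failed)"
echo "--- by user ---"; failed_by_user
echo "--- by host ---"; failed_by_host
echo "--- hosts with >= 3 failures ---"; noisy_hosts 3
```

The per-host count is usually the more useful view: a handful of addresses accounting for most of the noise is what makes a blocklist-style tool effective, whereas a long tail of single attempts from many hosts is what it cannot do much about.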

I use fairly strong passwords, some generated with mkpasswd (included when you install expect), some generated by the password generator in KeePassX. I also don't allow ssh logins as root to that machine.

Since I started paying attention to this, I've started running fail2ban and DenyHosts. I probably don't need both, but I'll see what they turn up. I started DenyHosts first, and it scraped the existing logs and blacklisted a dozen IPs.

I was looking into using iptables to rate-limit connections, but it requires a particular flag compiled into the kernel, which mine doesn't ship with enabled, and I really don't feel like recompiling a new kernel with every update. I may have to find another method of doing this, though I believe that fail2ban and DenyHosts will help with this.
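For anyone whose kernel does have the option, here is the usual shape of the iptables rate limit for new ssh connections. This is an added example, not from the original post. It assumes the "recent" match is what the kernel needs (the xt_recent module, CONFIG_NETFILTER_XT_MATCH_RECENT; that is my assumption about which flag is meant) and that sshd is on port 22. The check function looks for the module before you go near a kernel rebuild, and the rules are printed for review rather than applied, so the script itself needs no root.

```shell
#!/bin/sh
# Added example: rate-limit new ssh connections with the iptables "recent" match.
SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd on 22; set SSH_PORT if moved

# Is the xt_recent match available on this kernel, either built in (=y)
# or as a loadable module (=m)? Checks the running kernel's config first,
# then falls back to asking modinfo.
recent_match_available() {
  cfg="/boot/config-$(uname -r)"
  if [ -r "$cfg" ] && grep -q '^CONFIG_NETFILTER_XT_MATCH_RECENT=[ym]' "$cfg"; then
    return 0
  fi
  modinfo xt_recent >/dev/null 2>&1
}

# Print the two rules rather than applying them, so they can be reviewed;
# run the output through sh as root to apply. First rule records each new
# connection from a source in the "ssh" list; second drops a source that
# has opened HITS or more new connections within SECONDS.
ssh_ratelimit_rules() {
  seconds="${1:-60}"
  hits="${2:-4}"
  cat <<EOF
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --set
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --update --seconds $seconds --hitcount $hits -j DROP
EOF
}

if recent_match_available; then
  echo "xt_recent is available; proposed rules:"
else
  echo "xt_recent not found on this kernel; rules shown for reference only:"
fi
ssh_ratelimit_rules 60 4
```

The threshold of 4 new connections per 60 seconds is generous enough that a person retyping a password a couple of times is not locked out, while a scripted run through a username list trips it on the first few tries. Whatever you choose, whitelist the address you administer from ahead of these rules, or the limit will eventually catch you too.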

I guess the moral of the story is: use strong passwords, and avoid common login names if possible. By using something like DenyHosts, fail2ban, or sshguard, you can slow down attackers as well. I used to have ssh on a non-standard port, which might help to some degree - at least until someone scans for open ports.

I'm also considering picking up something cheap - a Raspberry Pi, SheevaPlug, or similar - and having it act as a border guard. I can connect to it and bounce into everything else in my network.