SSH Brute Force: The 10-Year-Old Attack That Still Persists
One of the first things you'll notice if you have ssh running and exposed to the outside world is that you'll probably log attempts by hackers to guess your username/password. Typically a hacker will scan for port 22 (the default port on which ssh listens) to find machines with ssh running, and then attempt a brute-force attack against it. With strong passwords in place, hopefully any attack will be logged and noticed before it can succeed.
Hopefully you already use strong passwords, but if you do not, try to choose passwords that contain:
- Minimum of 8 characters (we prefer 16)
- Mix of upper and lower case letters
- Mix of letters and numbers
- Non-alphanumeric characters (e.g. special characters such as ! "
Most attacks are done by robots looking for a weak password
Analysis of the Last 7 Days of Scans
Going back just 7 days in the logs of an open server that we use to collect attacking IPs, we can see 15,000 attacks against it. The top username is still root (with more than 50% of the scans):
#attempts #username
9012 root (58%)
179 test (1%)
116 oracles (< 1%)
87 admin
82 info
70 user
69 postgres
68 mysql
68 backup
55 guest
49 web
49 tomcat
46 michael
45 r00t
43 upload
42 alex
41 sales
40 linux
39 bin
38 ftp
35 support
34 temp
33 nagios
31 user1
30 www
30 test1
30 nobody
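A tally like the one above can be produced directly from sshd's authentication log. The following is an added example, not the script used for this article: the log lines are constructed sample data in OpenSSH's usual "Failed password" format, and the function names are hypothetical.

```python
import re
from collections import Counter

# OpenSSH logs a failed password attempt in one of two forms:
#   Failed password for root from 203.0.113.5 port 40112 ssh2
#   Failed password for invalid user test from 203.0.113.5 port 40112 ssh2
# The username is chosen by the client and may contain spaces or " from ",
# so match greedily and anchor on the last " from <ip> port <n>".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 04:12:03 host sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 04:12:09 host sshd[815]: Failed password for invalid user test from 198.51.100.7 port 51820 ssh2
Mar  3 04:12:15 host sshd[819]: Failed password for invalid user oracle from 198.51.100.7 port 51833 ssh2
Mar  3 04:13:40 host sshd[822]: Accepted publickey for deploy from 192.0.2.10 port 60022 ssh2
Mar  3 04:14:02 host sshd[830]: Failed password for root from 198.51.100.7 port 51901 ssh2
Mar  3 04:14:05 host sshd[831]: Failed password for invalid user a from b from 203.0.113.5 port 40200 ssh2
"""

def failed_attempts(log_text):
    """Yield (username, source_ip) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def top_usernames(log_text, n=10):
    """Return [(attempts, username, percent_of_total)], most tried first."""
    users = Counter(user for user, _ in failed_attempts(log_text))
    total = sum(users.values())
    return [(count, user, round(100 * count / total))
            for user, count in users.most_common(n)]

def top_sources(log_text, n=10):
    """Return [(source_ip, attempts)] so the noisiest scanners stand out."""
    return Counter(ip for _, ip in failed_attempts(log_text)).most_common(n)

if __name__ == "__main__":
    print("#attempts #username")
    for count, user, pct in top_usernames(SAMPLE_LOG):
        print(f"{count:>9} {user} ({pct}%)")
```

To run it against a real server, pass the contents of the sshd log (commonly /var/log/auth.log or /var/log/secure, depending on the distribution) instead of SAMPLE_LOG.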
By default, ssh listens for incoming connections on port 22. To determine whether ssh is running on your machine, a hacker will most likely scan port 22. An effective way to avoid these scans is to run ssh on a non-standard port. Any unused port will do, although one above 1024 is preferable. It's better to pick some random high port that's not used for any known services. To make the change, add a line like this to your /etc/ssh/sshd_config file: (if you do not know how to do this, we can set it up for you)