Thursday, May 22, 2008

Anatomy of An SSH Brute Force Attempt (In Pictures)

Just for fun I decided to turn on SSH on the dirty interface on my highly secure Debian firewall to see what shows up in LCE.

First I filter on all TCP/22 activity:

I'm actually most concerned with the valid logins first, so I check them:

Whew. Only 2 logins; those are probably OK. I could check and see who they are, but I'm too lazy and I'm anxious to get to the invalid logins:

But I want to get a better sense of time. Big spike right as I was recovering from getting the kids ready for school.

I back up to look at the two types of events I'm seeing during this period of attack: failed passwords and invalid users. I actually discovered the other day that there is an SSH error message for failed login attempts where the username is valid but doesn't match the address in the AllowUsers option of sshd_config. I thought that was cool. Not sure why I'm not seeing those here.
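To make those event types concrete, here is an added example (not the post's code, and not anything LCE ships) that classifies sshd syslog lines into accepted logins, failed passwords, invalid users and the AllowUsers rejection mentioned above, then totals them per source address; the log excerpt is constructed and uses RFC 5737 test addresses.

```python
import re
from collections import Counter, defaultdict

# OpenSSH sshd message wording for the event types discussed in the post.
PATTERNS = {
    "accepted": re.compile(
        r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)"),
    "failed_password": re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    "invalid_user": re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    "not_in_allowusers": re.compile(
        r"User (?P<user>\S+) from (?P<ip>\S+) not allowed because not listed in AllowUsers"),
}

# Constructed auth.log excerpt (RFC 5737 test addresses); not the post's real data.
SAMPLE_LOG = """\
May 22 07:41:02 fw sshd[1201]: Invalid user admin from 203.0.113.7
May 22 07:41:02 fw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 22 07:41:05 fw sshd[1203]: Invalid user test from 203.0.113.7
May 22 07:41:05 fw sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
May 22 07:41:09 fw sshd[1205]: Failed password for root from 203.0.113.7 port 40141 ssh2
May 22 07:41:12 fw sshd[1207]: Failed password for root from 203.0.113.7 port 40150 ssh2
May 22 07:43:30 fw sshd[1210]: User matt from 198.51.100.4 not allowed because not listed in AllowUsers
May 22 07:50:01 fw sshd[1215]: Accepted publickey for matt from 192.0.2.20 port 51002 ssh2
May 22 07:50:01 fw cron[1216]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

def classify(line):
    """Return (kind, user, ip) for a recognised sshd line, else None."""
    for kind, rx in PATTERNS.items():
        if m := rx.search(line):
            return kind, m.group("user"), m.group("ip")
    return None

def summarize(lines):
    """Count each event kind per source IP (the per-address view the LCE graphs give)."""
    per_ip = defaultdict(Counter)
    for line in lines:
        if hit := classify(line):
            per_ip[hit[2]][hit[0]] += 1
    return per_ip

def brute_force_sources(lines, threshold=5):
    """Source IPs whose failed, invalid-user and AllowUsers-rejected events reach the threshold."""
    bad = ("failed_password", "invalid_user", "not_in_allowusers")
    return sorted(ip for ip, c in summarize(lines).items()
                  if sum(c[k] for k in bad) >= threshold)
```

One guess against a nonexistent account produces both an "Invalid user" line and a "Failed password for invalid user" line, so set the threshold with that doubling in mind.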


Yep, Italy again:

inetnum: -
netname: UNIPG-NET
descr: Universita' degli Studi di Perugia
descr: Centro Ateneo Servizi Informatici, CASI
country: IT
admin-c: OG6-RIPE
tech-c: FG757-RIPE
remarks: Perugia Academic and Research Network
mnt-by: GARR-LIR
source: RIPE # Filtered


Anonymous said...


Matt Franz said...

Cool, but that would be no fun and it wouldn't generate any logs :)