Thursday, May 22, 2008

Anatomy of An SSH Brute Force Attempt (In Pictures)

Just for fun I decided to turn on SSH on the dirty interface on my highly secure Debian firewall to see what shows up in LCE.

First I filter on all TCP/22 activity



I'm actually most concerned with the valid logins first so I check them



Whew. Only 2 logins, those are probably OK. I could check and see who they are but I'm too lazy and I'm anxious to get to the invalid logins:



But I want to get a better sense of time. Big spike right as I was recovering from getting the kids ready for school.


I back up to look at the two types of events I'm seeing during this period of attack: failed passwords and invalid users. I actually discovered the other day that there is an SSH error message for failed login attempts where the username is valid but the source address doesn't match the one given for it in the AllowUsers option of sshd_config. I thought that was cool. Not sure why I'm not seeing these here.
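For anyone without LCE, the same three sshd message types (failed password, invalid user, and the AllowUsers refusal) can be pulled straight out of auth.log. The script below is an added example, not from this post; the log lines, hostnames, usernames and addresses in it are constructed (203.0.113.0/24 and 192.0.2.0/24 are documentation ranges), and the threshold in noisy_sources is an arbitrary illustration value.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in the format sshd writes; every host,
# user and address here is made up for the example.
SAMPLE_LOG = """\
May 22 07:12:01 fw sshd[1234]: Failed password for root from 203.0.113.5 port 4321 ssh2
May 22 07:12:03 fw sshd[1235]: Invalid user oracle from 203.0.113.5
May 22 07:12:05 fw sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 4322 ssh2
May 22 07:12:09 fw sshd[1237]: User matt from 203.0.113.7 not allowed because not listed in AllowUsers
May 22 07:12:11 fw sshd[1238]: Failed password for root from 203.0.113.5 port 4323 ssh2
May 22 07:13:00 fw sshd[1240]: Accepted password for matt from 192.0.2.10 port 50000 ssh2
"""

# One pattern per sshd message type the post talks about. Order matters: the
# "invalid user" form of "Failed password" must be tried before the plain one.
PATTERNS = [
    ("failed_password_invalid_user", re.compile(r"Failed password for invalid user (\S+) from (\S+) port")),
    ("failed_password", re.compile(r"Failed password for (\S+) from (\S+) port")),
    ("invalid_user", re.compile(r"Invalid user (\S+) from (\S+)")),
    ("not_in_allowusers", re.compile(r"User (\S+) from (\S+) not allowed because not listed in AllowUsers")),
    ("accepted", re.compile(r"Accepted \S+ for (\S+) from (\S+) port")),
]

def classify(line):
    """Return (event_type, user, source_ip) for a tracked sshd line, else None."""
    for event_type, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return event_type, m.group(1), m.group(2)
    return None

def summarize(log_text):
    """Count events by type and failures by source address, like the LCE filters above."""
    by_type = Counter()
    failures_by_source = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        event_type, user, src = result
        by_type[event_type] += 1
        if event_type != "accepted":
            failures_by_source[src] += 1
    return by_type, failures_by_source

def noisy_sources(failures_by_source, threshold=3):
    """Sources whose failure count reaches the threshold; a crude brute-force indicator."""
    return sorted(src for src, n in failures_by_source.items() if n >= threshold)
```

Running summarize(SAMPLE_LOG) on the constructed lines counts four failures from 203.0.113.5 and one AllowUsers refusal from 203.0.113.7, so noisy_sources flags only the first address.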



and





Yep, Italy again


inetnum: 141.250.0.0 - 141.250.255.255
netname: UNIPG-NET
descr: Universita' degli Studi di Perugia
descr: Centro Ateneo Servizi Informatici, CASI
country: IT
admin-c: OG6-RIPE
tech-c: FG757-RIPE
status: ASSIGNED PI
remarks: Perugia Academic and Research Network
mnt-by: GARR-LIR
source: RIPE # Filtered

2 comments:

Anonymous said...

use http://denyhosts.sourceforge.net/

Matt Franz said...

Cool, but that would be no fun and it wouldn't generate any logs :)