I’m quite certain that I’m seeing a trend. I just don’t know what the trend means.
SSH password guessing attacks used to be almost constant. Any Internet-connected host running an SSH service would be probed frequently. But things have been changing over the past year.
I collect data on about ten publicly reachable Linux machines at a university, and a while back I analyzed the attack patterns over one year. You can read the full analysis here; some examples follow.
The guessing attacks took various forms: sometimes it was just a few guesses for each of a handful of accounts, almost always including root, which is pretty much guaranteed to exist on an SSH server, plus the usual suspects like webmaster, apache, and so on.
Other times the attack went on for a day or two, running through a long list of potential user names with two or three guesses for each, then hammering on root with hundreds of guesses.
Some attacks are aggressive, making two password guesses per second on each targeted host. Other attacks are extremely subtle, like one I observed coming out of the Danyang E-Education Center in Zhenjiang City, Jiangsu Province, China, where the guesses were made at a pace of just one every 6 to 11 hours. That completely disappeared into the clutter of all the other overlapping attacks, and only appeared when the vast log data collection was carefully analyzed.
Then there are the amusingly hapless ones, where the attacker mixed up their lists of passwords and target accounts. You find a long list of failed logins for bizarre account names which were intended to be the passwords. It is rather interesting to see their list of password guesses.
There is a way to observe the password guesses, and what you typically see for most of the guessed accounts is two guesses: the literal word password and the user name itself. A “Joe Account” is the term for an account where the password is the same as the user name.
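The patterns above (a fast burst, hundreds of guesses against root, and the slow drip of one guess every several hours that vanishes into the clutter) can all be pulled out of ordinary sshd "Failed password" log lines by grouping on source address and looking at the average gap between attempts rather than a per-minute rate. The script below is an added example, not part of the original post; the log lines are constructed, the year is assumed because syslog timestamps carry none, and the thresholds are assumptions to tune for your own hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log sample (not real data): 192.0.2.10 is a fast burst that
# also hammers root; 198.51.100.7 makes one guess every several hours.
SAMPLE_LOG = """\
Mar  1 10:00:00 host sshd[101]: Failed password for invalid user webmaster from 192.0.2.10 port 4001 ssh2
Mar  1 10:00:00 host sshd[102]: Failed password for root from 192.0.2.10 port 4002 ssh2
Mar  1 10:00:01 host sshd[103]: Failed password for root from 192.0.2.10 port 4003 ssh2
Mar  1 10:00:01 host sshd[104]: Failed password for root from 192.0.2.10 port 4004 ssh2
Mar  1 02:13:00 host sshd[201]: Failed password for invalid user oracle from 198.51.100.7 port 5001 ssh2
Mar  1 10:40:00 host sshd[202]: Failed password for invalid user test from 198.51.100.7 port 5002 ssh2
Mar  1 19:05:00 host sshd[203]: Failed password for root from 198.51.100.7 port 5003 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_failures(log_text, year=2013):
    """Yield (when, user, source_ip) per failed-password line; the year is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # 'Mar  1' -> 'Mar 1'
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), m.group(3)

def summarize(log_text, year=2013, fast_gap=1.0, slow_gap=3600.0, root_min=3):
    """Group failures by source IP and label each source's pattern. Assumed thresholds:
    avg gap <= fast_gap s is 'aggressive', >= slow_gap s is 'slow_drip' (3+ guesses)."""
    by_ip = defaultdict(list)
    for when, user, ip in parse_failures(log_text, year):
        by_ip[ip].append((when, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order, regardless of how lines were logged
        users = [u for _, u in events]
        span = (events[-1][0] - events[0][0]).total_seconds()
        avg_gap = span / (len(events) - 1) if len(events) > 1 else 0.0
        labels = set()
        if len(events) >= 3 and avg_gap <= fast_gap:
            labels.add("aggressive")
        if len(events) >= 3 and avg_gap >= slow_gap:
            labels.add("slow_drip")  # invisible to a per-minute rate alarm
        if users.count("root") >= root_min:
            labels.add("root_hammer")
        report[ip] = {"attempts": len(events), "avg_gap_s": round(avg_gap, 1),
                      "users": sorted(set(users)), "labels": labels}
    return report
```

Run it against a whole month of auth.log and the slow sources surface as entries with a handful of attempts spread over days, which a rate-based blocker keyed to attempts per minute never sees.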
Now, the correct way to configure the root account is to completely disable direct login. And the correct way to set up SSH is to disable password authentication and require cryptographic authentication using keys. In Learning Tree’s Cloud Security Essentials course we see that’s how the major cloud providers do it.
So, back to my question — what is going on with SSH password guessing attacks?
I have seen a constant decrease over the past year in password guessing attacks on those ten monitored machines. Well, maybe that’s just an isolated anomaly. But I’m seeing the same trend on my firewall machine at home, connected to a cable modem and exposed to the Internet. And on my web server.
As Mandiant made very clear in their detailed report on the APT1 multi-year cyber-espionage operation by the Chinese military, even at governmental levels there is continuing interest in intruding into servers.
I wonder — are we seeing much less SSH password guessing because the attackers have found more productive ways of breaking into random servers?