Tag Archives: secure

Random ssh attacks

Somewhere on the internet there’s a machine I have access to, which is running an ssh daemon.  That machine has a public internet address.  Between the 26th of April 2009 at 8:55am and the 19th of July 2009 at 1:37pm there have been 105,043 failed ssh login attempts.  That’s over 84 days (roughly).  So that works out at 1250’ish failed login attempts per day.  Which is about 52 per hour which isn’t a million miles away from 1 failed login attempt every minute on that server (it’s actually 0.86 attempts per minute).

The attempts come in batches, so every few hours there’ll be a few hundred from the same source.  Sometimes they try hundreds of passwords against root and othertimes they’ll try hundreds of different user ID’s.

In those 84 days there have been attacks from around 259 different source IP addresses.  As for usernames attacked, there are 17,532 different ones attempted in that period.

The most popular day was the 2nd July with 7387 attacks in one day, from 8 different sources.  Two specific IP addresses accounted for 3173 and 2826 of those attacks.  One source tried 728 user ID’s in 2826 attempts and the other 1615 different user ID’s in 3173 attempts.

The root user ID has been attacked 27,210 time throughout the whole period.  The most popular non-root user ID to be attacked is admin with 2392 attempts, then test with 1330 attempts and in the next slot is guest at 627 attempts.  Application based ID’s were popular with oracle (623), mysql (399), postgres (311), ftp (251) and teamspeak (165).  Amusingly, the most popular regular names attempted were paul (211) then john (201) and michael (180).

There doesn’t seem to be a preferred hour to attack servers, here’s the breakdown by hour,

  • 01 – 5696
  • 02 – 6249
  • 03 – 7387
  • 04 – 4127
  • 05 – 4388
  • 06 – 3457
  • 07 – 4809
  • 08 – 3920
  • 09 – 3481
  • 10 – 4708
  • 11 – 3894
  • 12 – 3062
  • 13 – 3542
  • 14 – 2805
  • 15 – 4481
  • 16 – 5823
  • 17 – 4198
  • 18 – 2160
  • 19 – 2496
  • 20 – 3949
  • 21 – 7980
  • 22 – 4823
  • 23 – 3418
  • 00 – 4187

I could do some analysis of the source addresses, but I’m not really sure how useful it would be, many of them are likely to be compromised workstations or forged address.