Security Hell — my name is “admin” and “password” is my password
A typical brute force attack involves trying multiple “common” logins and passwords. Logins such as Admin, Administrator, Bob, guest, user, or test and passwords such as ‘password’, or ‘12345678’ are asking to be pwned.
Hey, Gizmodo.com swiped the list of worst passwords of 2014 from SplashData.com. SplashData sells a password management thingie which can really help if you use a random and different password for every web site you need. Stricture Group has a similar list. Can’t memorize them all! According to SplashData.com the top 25 terrible passwords for year 2014 are:
Rank  Password    Change from 2013
1     123456      No Change
2     password    No Change
3     12345       Up 17
4     12345678    Down 1
5     qwerty      Down 1
6     123456789   No Change
7     1234        Up 9
8     baseball    New
9     dragon      New
10    football    New
11    1234567     Down 4
12    monkey      Up 5
13    letmein     Up 1
14    abc123      Down 9
15    111111      Down 8
16    mustang     New
17    access      New
18    shadow      Unchanged
19    master      New
20    michael     New
21    superman    New
22    696969      New
23    123123      Down 12
24    batman      New
25    trustno1    Down 1
SplashData recommends three steps to be safer from hackers online:
1. Use passwords of eight characters or more with mixed types of characters.
2. Avoid using the same username/password combination for multiple websites.
3. Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites.
The list by Stricture Group of 100 most common passwords used on Adobe includes:
Rank  Count     Password
1     1911938   123456
2     446162    123456789
3     345834    password
4     211659    adobe123
5     201580    12345678
6     130832    qwerty
7     124253    1234567
8     113884    111111
9     83411     photoshop
10    82694     123123
11    76910     1234567890
12    76186     0
13    70791     abc123
14    61453     1234
15    56744     adobe1
16    54651     macromedia
17    48850     azerty
18    47142     iloveyou
19    44281     aaaaaa
20    43670     654321
21    43497     12345
22    37407     666666
23    35325     sunshine
24    34963     123321
25    33452     letmein
26    32549     monkey
27    31554     asdfgh
The horror of this: 1,911,938 people actually used 123456 for a password. I don’t know how they get this data — I suppose they work out a deal with Sony and sponsor Celine Dion music CDs to distribute RootKits to secret secure government agencies.
A better way for SSH
Wise it is to install something like fail2ban to defeat SSH attackers. The modern watchdogs, such as fail2ban or (old) DenyHosts read the log files and notice when someone is repeatedly trying to guess a login / password combination that will work. Logs look like this sample below from just one attack today: attacks are normally continuous and amount to several thousand every morning.
By the way, owner of IP 188.8.131.52, you might want to run a virus scan on your machine. Someone is using it to crack systems. I suggest you poke around in /etc and see if there is a file in there which is “immutable” – that is how they hacked the last server I personally de-bugged. Be sure to publish their plain-text email addy in the script before you delete it so we can all see who it is.
Lines containing IP:184.108.40.206.
Jun 10 21:49:57 pookie sshd: Did not receive identification string from 220.127.116.11
Jun 10 21:49:59 pookie sshd: Invalid user admin from 18.104.22.168
Jun 10 21:49:59 pookie sshd: error: Received disconnect from 22.214.171.124: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:02 pookie sshd: error: Received disconnect from 126.96.36.199: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:10 pookie sshd: Invalid user guest from 188.8.131.52
Jun 10 21:50:10 pookie sshd: error: Received disconnect from 184.108.40.206: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:12 pookie sshd: Invalid user ubnt from 220.127.116.11
Jun 10 21:50:12 pookie sshd: error: Received disconnect from 18.104.22.168: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:19 pookie sshd: Invalid user support from 22.214.171.124
Jun 10 21:50:19 pookie sshd: error: Received disconnect from 126.96.36.199: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:27 pookie sshd: Invalid user test from 188.8.131.52
Jun 10 21:50:28 pookie sshd: error: Received disconnect from 184.108.40.206: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:37 pookie sshd: Invalid user user from 220.127.116.11
fail2ban is easily available from the Mint (Ubuntu / Debian) repositories:
apt-get install fail2ban
SSH protection is enabled out of the box, and if someone tries to guess their way into your system, it sees the log entries and temporarily blocks SSH access attempts from that IP address. Read the instructions for details on more elaborate configurations.
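What a log watchdog does with lines like the ones above, as an added example that is not part of the original post and not fail2ban's own code: count failed sshd attempts per source address and list the addresses over a threshold. The log lines are constructed with documentation-range addresses, the function names are made up for this sketch, and it counts over the whole input rather than over a time window.

```shell
#!/bin/sh
# Added example: per-address count of failed SSH logins from syslog lines.

# Constructed sample log; addresses come from the documentation ranges.
sample_log() {
cat <<'EOF'
Jun 10 21:49:57 pookie sshd: Did not receive identification string from 203.0.113.7
Jun 10 21:49:59 pookie sshd: Invalid user admin from 203.0.113.7
Jun 10 21:50:10 pookie sshd: Invalid user guest from 203.0.113.7
Jun 10 21:50:12 pookie sshd: Invalid user ubnt from 203.0.113.7
Jun 10 21:50:19 pookie sshd[4242]: Failed password for root from 198.51.100.9 port 50122 ssh2
Jun 10 21:50:27 pookie sshd: Invalid user x from 192.0.2.1 from 203.0.113.7
Jun 10 21:50:30 pookie sshd[4250]: Accepted publickey for bubba from 192.0.2.44 port 40000 ssh2
EOF
}

# failed_by_ip: read syslog lines on stdin, print "count address" for every
# source that produced sshd "Invalid user" or "Failed password" events.
failed_by_ip() {
  awk '
    / sshd(\[[0-9]+\])?: (Invalid user|Failed password) / {
      # The user name is chosen by the client and may itself contain
      # "from 192.0.2.1", so scan from the end and keep the last "from".
      for (i = NF - 1; i >= 1; i--)
        if ($i == "from" && $(i + 1) ~ /^[0-9A-Fa-f:.]+$/) { n[$(i + 1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# offenders MIN: print addresses with at least MIN failures (ban candidates).
offenders() {
  failed_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

sample_log | offenders 3
```

The sixth sample line carries a user name that itself contains "from 192.0.2.1"; taking the last "from" keeps the count on the real source address instead of one the client typed.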
A really good approach to SSH specifically is to use the “key” authentication method instead of passwords. To do this you merely use the OpenSSH-server routine “ssh-keygen” to make yourself a key pair, then use the OpenSSH-server routine “ssh-copy-id” to install your public key on the remote server. After that you can disable ssh password authentication on the server and actually you connect quicker than before. Only a computer which has your private key can connect as you.
ssh-keygen -t rsa
Of course you already realize bubba is your login on the remote server pookie.edu. Once it is all working you can connect to the remote server with “ssh bubba@pookie.edu”. To copy the public key up to the server you just type:
It will ask you for what it needs as it needs it: the passphrase if you put one on your key when you made the keys with ssh-keygen and the password to log into the server. It only needs the password once so it can install your key. If you want to use more than one remote account, rinse, repeat, for each account. You’ll be asked the password for each account in turn. DO NOT repeat the ssh-keygen part!!!! That will trash your existing keys and make new ones.
You can also request a bigger key: the command “ssh-keygen -t rsa” gives you a 2048 bit key. If you want a bigger key, say 4096 bits, you can use a more elaborate command:
ssh-keygen -t rsa -b 4096
On my Mint 17.1 (Ubuntu) systems this automagically put everything right where it belongs. There are many interesting optional things related to this. I recommend a fast read through of the ubuntu.com community help on OpenSSH. If you still get prompted for a password after installing your key on the remote server, then look in that link also for how to fix it.
After verifying that when you connect to the server it just connects you and does not ask for a password, you can turn off the password authentication in your server’s /etc/ssh/sshd_config file:
I also recommend that you deny root logins, period. Just login with another account and shell up to root when needed.
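A check for the two settings just described (PasswordAuthentication no and PermitRootLogin no), as an added example that is not from the original post. It reads one sshd_config file and reports what sshd would use globally; the function names and sample configs are constructed, the fallback values are the defaults of current OpenSSH releases (an assumption for older systems), and Include directives are not followed.

```shell
#!/bin/sh
# Added example: audit one sshd_config file for the two hardening settings.

# effective_value FILE KEYWORD DEFAULT: print the globally effective value.
# Keywords are case-insensitive, the first occurrence wins, and lines after
# a "Match" line apply only conditionally, so parsing stops there.
effective_value() {
  awk -v key="$2" -v def="$3" '
    /^[ \t]*(#|$)/              { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { v = tolower($2); gsub(/"/, "", v)
                                  print v; found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# audit_sshd FILE: print one line per weak setting; return 1 if any is found.
audit_sshd() {
  rc=0
  pa=$(effective_value "$1" PasswordAuthentication yes)
  rl=$(effective_value "$1" PermitRootLogin prohibit-password)
  [ "$pa" = "no" ] || { echo "WEAK PasswordAuthentication=$pa"; rc=1; }
  [ "$rl" = "no" ] || { echo "WEAK PermitRootLogin=$rl"; rc=1; }
  return $rc
}

# Constructed sample: looks hardened at a glance, but the first (lowercase)
# line wins and the PermitRootLogin line only applies inside the Match block.
write_weak() {
cat > "$1" <<'EOF'
# constructed sample
passwordauthentication yes
PasswordAuthentication no
Match User bubba
    PermitRootLogin no
EOF
}

# Constructed sample: both settings as the text recommends.
write_hardened() {
  printf 'PasswordAuthentication no\nPermitRootLogin no\n' > "$1"
}

tmp=$(mktemp); write_weak "$tmp"; audit_sshd "$tmp" || true; rm -f "$tmp"
```

On the server itself, `sudo sshd -T` prints the effective configuration with includes and defaults resolved, which is the authoritative answer.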
After that, restart SSH on the server and verify that it works. If you’re smart, you don’t close the terminal with which you are already connected to the remote server, you test it by opening a new terminal window, so if it’s not working you can fix it. 8)
sudo service ssh restart
If you get a “Permission denied (publickey).” error then you probably need to change the permissions on the .ssh folder in your home folder and on the .ssh/authorized_keys file in it:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
There are more details in https://help.ubuntu.com/community/SSH/OpenSSH/Keys#Generating_RSA_Keys.
I also recommend that you peruse the link I provided in a previous post on configuring SSH.