Dealing with SSH Attacks

Security Hell — my name is “admin” and “password” is my password

A typical brute force attack involves trying multiple “common” logins and passwords. Logins such as Admin, Administrator, Bob, guest, user, or test, and passwords such as ‘password’ or ‘12345678’, are asking to be pwned.

Gizmodo.com picked up SplashData.com’s list of the worst passwords of 2014. SplashData sells a password manager, which really helps if you use a random, different password for every web site you need (you can’t memorize them all!). Stricture Group has a similar list. According to SplashData.com, the top 25 terrible passwords for the year 2014 are:

Rank  Password   Change from 2013
   1  123456     No Change
   2  password   No Change
   3  12345      Up 17
   4  12345678   Down 1
   5  qwerty     Down 1
   6  123456789  No Change
   7  1234       Up 9
   8  baseball   New
   9  dragon     New
  10  football   New
  11  1234567    Down 4
  12  monkey     Up 5
  13  letmein    Up 1
  14  abc123     Down 9
  15  111111     Down 8
  16  mustang    New
  17  access     New
  18  shadow     Unchanged
  19  master     New
  20  michael    New
  21  superman   New
  22  696969     New
  23  123123     Down 12
  24  batman     New
  25  trustno1   Down 1

SplashData recommends three steps to be safer from hackers online:
1. Use passwords of eight characters or more with mixed types of characters.
2. Avoid using the same username/password combination for multiple websites.
3. Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites.

Stricture Group’s list of the 100 most common passwords used at Adobe begins with:

Rank    Count  Password
   1  1911938  123456
   2   446162  123456789
   3   345834  password
   4   211659  adobe123
   5   201580  12345678
   6   130832  qwerty
   7   124253  1234567
   8   113884  111111
   9    83411  photoshop
  10    82694  123123
  11    76910  1234567890
  12    76186  0
  13    70791  abc123
  14    61453  1234
  15    56744  adobe1
  16    54651  macromedia
  17    48850  azerty
  18    47142  iloveyou
  19    44281  aaaaaa
  20    43670  654321
  21    43497  12345
  22    37407  666666
  23    35325  sunshine
  24    34963  123321
  25    33452  letmein
  26    32549  monkey
  27    31554  asdfgh

The horror of this: 1,911,938 people actually used 123456 for a password. I don’t know how they get this data — I suppose they work out a deal with Sony and sponsor Celine Dion music CDs to distribute RootKits to secret secure government agencies.

A better way for SSH

It is wise to install something like fail2ban to defeat SSH attackers. Modern watchdogs such as fail2ban, or the older DenyHosts, read the log files and notice when someone is repeatedly trying to guess a login/password combination that will work. The logs look like the sample below, from just one attack today; attacks are normally continuous and amount to several thousand every morning.

By the way, owner of IP 212.83.139.68, you might want to run a virus scan on your machine. Someone is using it to crack systems. I suggest you poke around in /etc and see if there is a file in there which is “immutable” – that is how they hacked the last server I personally de-bugged. Be sure to publish their plain-text email addy in the script before you delete it so we can all see who it is.

Lines containing IP 212.83.139.68:

Jun 10 21:49:57 pookie sshd[2689]: Did not receive identification string from 212.83.139.68
Jun 10 21:49:59 pookie sshd[2690]: Invalid user admin from 212.83.139.68
Jun 10 21:49:59 pookie sshd[2690]: error: Received disconnect from 212.83.139.68: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:02 pookie sshd[2692]: error: Received disconnect from 212.83.139.68: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:10 pookie sshd[2694]: Invalid user guest from 212.83.139.68
Jun 10 21:50:10 pookie sshd[2694]: error: Received disconnect from 212.83.139.68: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:12 pookie sshd[2696]: Invalid user ubnt from 212.83.139.68
Jun 10 21:50:12 pookie sshd[2696]: error: Received disconnect from 212.83.139.68: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:19 pookie sshd[2698]: Invalid user support from 212.83.139.68
Jun 10 21:50:19 pookie sshd[2698]: error: Received disconnect from 212.83.139.68: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:27 pookie sshd[2700]: Invalid user test from 212.83.139.68
Jun 10 21:50:28 pookie sshd[2700]: error: Received disconnect from 212.83.139.68: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 10 21:50:37 pookie sshd[2702]: Invalid user user from 212.83.139.68

The program fail2ban is readily available from the Mint (Ubuntu / Debian) repositories:

apt-get install fail2ban

SSH protection is enabled out of the box: if someone tries to guess their way into your system, fail2ban sees the log entries and temporarily blocks SSH access attempts from that IP address. Read the instructions for details on more elaborate configurations.
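To make concrete what a watchdog like fail2ban does with log lines like the ones above, here is an added example (my own POSIX sh/awk script, not fail2ban’s code and not from the original post). It applies fail2ban’s two knobs, maxretry and findtime, to a syslog-style sshd log: a source IP that produces maxretry failures inside a sliding findtime-second window is reported at the moment the threshold is crossed, which is when fail2ban would insert its firewall rule. The sample log is constructed for this example, modelled on the excerpt above, with a second source 192.0.2.10 that stays below the threshold and a legitimate key login that must not count. The script assumes all lines fall on one day and that “Invalid user” and “Failed password” are the failure signatures.

```sh
#!/bin/sh
# Added example: a minimal stand-in for fail2ban's sshd filter plus its
# maxretry/findtime logic. Not fail2ban's code.
# Assumptions: syslog-style lines as in /var/log/auth.log, all on the same day.

# Constructed sample log, modelled on the post's excerpt.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 10 21:49:57 pookie sshd[2689]: Did not receive identification string from 212.83.139.68
Jun 10 21:49:59 pookie sshd[2690]: Invalid user admin from 212.83.139.68
Jun 10 21:50:10 pookie sshd[2694]: Invalid user guest from 212.83.139.68
Jun 10 21:50:12 pookie sshd[2696]: Invalid user ubnt from 212.83.139.68
Jun 10 21:50:19 pookie sshd[2698]: Invalid user support from 212.83.139.68
Jun 10 21:50:27 pookie sshd[2700]: Invalid user test from 212.83.139.68
Jun 10 21:50:37 pookie sshd[2702]: Invalid user user from 212.83.139.68
Jun 10 21:51:03 pookie sshd[2710]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jun 10 21:52:40 pookie sshd[2720]: Accepted publickey for bubba from 198.51.100.7 port 40022 ssh2
EOF

# suspect_ips LOGFILE MAXRETRY FINDTIME
# Prints "IP Mon DD HH:MM:SS" once per source IP, at the moment its MAXRETRY-th
# failure inside a sliding FINDTIME-second window is seen (where a ban starts).
suspect_ips() {
    awk -v maxretry="$2" -v findtime="$3" '
        /Invalid user|Failed password/ {
            split($3, hms, ":")                        # $3 is HH:MM:SS
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]   # seconds since midnight
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            n[ip]++                                    # append this timestamp
            ts[ip, n[ip]] = t
            if (!(ip in head)) head[ip] = 1
            # slide the window: forget attempts older than FINDTIME seconds
            while (ts[ip, head[ip]] < t - findtime) head[ip]++
            inwin = n[ip] - head[ip] + 1
            if (inwin >= maxretry && !(ip in flagged)) {
                flagged[ip] = 1
                print ip, $1, $2, $3
            }
        }' "$1"
}

# is_banned LOGFILE MAXRETRY FINDTIME IP -> exit status 0 if IP would be banned
is_banned() {
    suspect_ips "$1" "$2" "$3" | awk -v ip="$4" '$1 == ip { found = 1 } END { exit !found }'
}

# fail2ban ships with maxretry = 5 within findtime = 10 minutes (600 s)
echo "would ban (maxretry=5, findtime=600):"
suspect_ips "$SAMPLE_LOG" 5 600
```

Run against the real file with `suspect_ips /var/log/auth.log 5 600` to see which addresses fail2ban would have banned under its shipped defaults; lowering findtime shows how a slow, patient guesser can stay under the threshold, which is why tightening maxretry alone is not a complete answer.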

A really good approach for SSH specifically is to use the “key” authentication method instead of passwords. To do this you merely use the OpenSSH utility “ssh-keygen” to make yourself a key pair, then use “ssh-copy-id” to install your public key on the remote server. After that you can disable SSH password authentication on the server, and you actually connect more quickly than before. Only a computer which has your private key can connect as you.

ssh-keygen -t rsa
ssh-copy-id bubba@pookie.edu

Of course you already realize bubba is your login on the remote server pookie.edu. Once it is all working you can connect to the remote server with “ssh bubba@pookie.edu”. To copy the public key up to the server you just type:

ssh-copy-id bubba@pookie.edu

It will ask you for what it needs as it needs it: the passphrase, if you put one on your key when you made the keys with ssh-keygen, and the password to log into the server. It only needs the password once, so it can install your key. If you want to use more than one remote account, rinse and repeat for each account; you’ll be asked the password for each account in turn. DO NOT repeat the ssh-keygen part!!!! That will trash your existing keys and make new ones.

ssh-copy-id morigan@pookie.edu
ssh-copy-id lalala@pookie.edu

You can also request a bigger key: the command “ssh-keygen -t rsa” gives you a 2048-bit key. If you want a bigger key, say 4096 bits, you can use a more elaborate command:

ssh-keygen -t rsa -b 4096

On my Mint 17.1 (Ubuntu) systems this automagically put everything right where it belongs. There are many interesting optional things related to this. I recommend a fast read through the Ubuntu community help page on OpenSSH keys (the link is at the end of this post). If you still get prompted for a password after installing your key on the remote server, look in that page also for how to fix it.

After verifying that connecting to the server just connects you and does not ask for a password, you can turn off password authentication in your server’s /etc/ssh/sshd_config file:

RSAAuthentication yes
PubkeyAuthentication yes

PasswordAuthentication no

I also recommend that you deny root logins, period. Just log in with another account and shell up to root when needed.

PermitRootLogin no

After that, restart SSH on the server and verify that it works. If you’re smart, you don’t close the terminal with which you are already connected to the remote server; you test by opening a new terminal window, so if it’s not working you can still fix it. 8)

sudo service ssh restart

If you get a “Permission denied (publickey).” error, then you probably need to change the permissions on the .ssh directory and the authorized_keys file in your home folder on the server:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
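Here is an added example (my own script, not from the post or from OpenSSH) that carries out the server-side steps above against a given sshd_config path. It backs the file up, puts PubkeyAuthentication yes, PasswordAuthentication no and PermitRootLogin no at the top so they win (sshd honours the first occurrence of a directive, and anything above a Match block is global), removes the commented and uncommented duplicates that would otherwise confuse the next reader, checks the result, and fixes the .ssh permissions. It also sets ChallengeResponseAuthentication no, which the post does not mention; without it, PAM keyboard-interactive prompts can still accept a password on some systems. The config file and home directory it runs against are constructed temporary files, so it can be tried without touching a real server.

```sh
#!/bin/sh
# Added example: apply the post's sshd_config hardening to a file and verify it.
# Not OpenSSH's or the post's own code; try it on a copy before /etc/ssh/sshd_config.

# set_directive FILE KEY VALUE
# Drop every existing line for KEY (commented or not, any case) and put
# "KEY VALUE" at the top of FILE: sshd honours the first occurrence of a
# directive, and a line above any Match block is a global setting.
set_directive() {
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$2" "$3"
        awk -v key="$2" '
            { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t=]+/) }
            tolower(f[1]) != tolower(key)
        ' "$1"
    } > "$tmp"
    cat "$tmp" > "$1"      # overwrite in place so the file's owner and mode survive
    rm -f "$tmp"
}

# sshd_setting FILE KEY -> prints the effective global value of KEY ("" if unset)
sshd_setting() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        tolower(line) ~ /^match[ \t]/ { exit }         # global section ends here
        { split(line, f, /[ \t=]+/) }
        tolower(f[1]) == tolower(key) { print f[2]; exit }
    ' "$1"
}

# harden_sshd_config FILE: backup, then the post's settings plus
# ChallengeResponseAuthentication no (an addition; otherwise PAM
# keyboard-interactive can still take a password on some systems).
harden_sshd_config() {
    cp -p "$1" "$1.bak" || return 1
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PubkeyAuthentication yes
}

# sshd_syntax_ok FILE: the check to run before "service ssh restart"
# (needs the sshd binary and its host keys, so it is not part of the demo below)
sshd_syntax_ok() {
    command -v sshd >/dev/null 2>&1 && sshd -t -f "$1"
}

# check_hardened FILE -> exit status 0 only if every setting is in force
check_hardened() {
    [ "$(sshd_setting "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_setting "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(sshd_setting "$1" PermitRootLogin)" = no ] &&
    [ "$(sshd_setting "$1" PubkeyAuthentication)" = yes ]
}

# fix_key_perms HOMEDIR: the permissions behind "Permission denied (publickey)"
fix_key_perms() {
    chmod 700 "$1/.ssh" &&
    { [ ! -f "$1/.ssh/authorized_keys" ] || chmod 600 "$1/.ssh/authorized_keys"; }
}

# --- demo on constructed files (not a real server's config or home) ---
SAMPLE_CFG=$(mktemp)
SAMPLE_HOME=$(mktemp -d)
trap 'rm -rf "$SAMPLE_CFG" "$SAMPLE_CFG.bak" "$SAMPLE_HOME"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config, modelled on a Debian-style default
Port 22
#PasswordAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
#PubkeyAuthentication yes
UsePAM yes
EOF
mkdir -p "$SAMPLE_HOME/.ssh" && : > "$SAMPLE_HOME/.ssh/authorized_keys"
chmod 777 "$SAMPLE_HOME/.ssh" "$SAMPLE_HOME/.ssh/authorized_keys"   # deliberately too open

check_hardened "$SAMPLE_CFG" && echo "already hardened" || echo "needs hardening"
harden_sshd_config "$SAMPLE_CFG"
fix_key_perms "$SAMPLE_HOME"
check_hardened "$SAMPLE_CFG" && echo "hardened: $(head -4 "$SAMPLE_CFG" | tr '\n' ';')"
```

On a real server the sequence is `harden_sshd_config /etc/ssh/sshd_config`, then `sshd_syntax_ok /etc/ssh/sshd_config` and only then `sudo service ssh restart`, all from a terminal that stays connected so the .bak file can be copied back if the new terminal window cannot log in.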

There are more details in https://help.ubuntu.com/community/SSH/OpenSSH/Keys#Generating_RSA_Keys.

I also recommend that you peruse the link I provided in a previous post on configuring SSH.
