Distributed brute force attack against SSH
I guess everyone has heard about brute force attacks against different services. The target can be anything from SSH, Telnet and FTP to a web admin panel. Basically it is just a mathematical approach: try a large number of username and password combinations. There are two approaches to doing this. The first is to try every combination: you start with 0 as the username and 0 as the password, and then you just keep going. This will take a LONG time, but this way you will find a way in. In theory… The process is a lot easier if you already know the username, because then you only need to try different passwords. But even this method will take a long, long time if the password is subject to a security policy (e.g. a certain minimum length, and it must contain letters, numbers and symbols).
The other method is a dictionary attack. There are plenty of dictionaries out there that can be used, and these attacks are very common. The attacker takes some predefined usernames (e.g. root, admin, operator, etc.) and a dictionary of common passwords, then tries every combination. A lot of the time they get lucky.
The disadvantage, from a cracker's perspective, is that both methods above use only one source IP. That is easily detected, and can be prevented by e.g. using SSHGuard or any other program/script that logs invalid/failed logins and bans that IP, either with iptables/pf firewall rules or simply via the hosts.allow file. This is where distributed brute force comes into the picture.
A distributed brute force attack spreads the attack out. This means there are many IPs filling your log with invalid/failed logins, and because of this it is much harder to discover, especially if they use a slow distributed brute force principle. That means they will only make about 1-2 attempts a day from each IP, or even fewer.
I’m currently under such an attack. On a secure server with only trusted users and strong passwords, it is only considered background noise. To identify these attacks I’ve restricted SSH access to only some IP ranges. This way, all other attempts are logged as refused entries.
Yesterday I finally got around to parsing only the last 24 hours from my log files, and I can now create a nice graph of the current SSH traffic to my host. This gives a picture of the current traffic towards my host.
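As an added example (not the post's own script), here is one way to do that 24-hour parse in Python: it reads syslog-style sshd lines, keeps only tcp_wrappers refusals and failed password attempts inside the window, counts them per source IP, and reports how many sources stay at the 1-2 attempts typical of the slow distributed pattern. The log lines, the "now" timestamp and the year are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in syslog format (no year), not taken from the post.
SAMPLE_LOG = """\
Mar 10 02:11:03 host sshd[1201]: refused connect from 198.51.100.7 (198.51.100.7)
Mar 10 09:40:17 host sshd[1302]: refused connect from 203.0.113.20 (203.0.113.20)
Mar 10 15:02:44 host sshd[1400]: refused connect from 203.0.113.21 (203.0.113.21)
Mar 10 22:30:01 host sshd[1511]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar 11 01:15:09 host sshd[1600]: refused connect from 192.0.2.5 (192.0.2.5)
Mar 11 08:47:55 host sshd[1701]: refused connect from 192.0.2.5 (192.0.2.5)
Mar 11 09:00:00 host sshd[1702]: Accepted publickey for alice from 10.0.0.2 port 52100 ssh2
"""

# Matches tcp_wrappers refusals (hosts.allow) and failed password attempts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:refused connect from (?P<ip1>[\d.]+)"
    r"|Failed password for .* from (?P<ip2>[\d.]+) port)"
)

def syslog_time(stamp, year):
    """Syslog timestamps carry no year, so the caller supplies one
    (assumption: the 24-hour window does not cross a year boundary)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def parse_rejects(log_text, now_stamp, year):
    """Count refused/failed sshd attempts per source IP in the 24 hours
    before `now_stamp` (same syslog format as the log lines)."""
    now = syslog_time(now_stamp, year)
    window_start = now - timedelta(hours=24)
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        if window_start <= syslog_time(m.group("ts"), year) <= now:
            counts[m.group("ip1") or m.group("ip2")] += 1
    return counts

def summarize(counts, slow_threshold=2):
    """Totals for the graph, plus how many sources stay at or below
    `slow_threshold` attempts: the slow distributed pattern described above."""
    return {
        "attempts": sum(counts.values()),
        "sources": len(counts),
        "slow_sources": sum(1 for n in counts.values() if n <= slow_threshold),
    }

if __name__ == "__main__":
    print(summarize(parse_rejects(SAMPLE_LOG, "Mar 11 09:30:00", 2024)))
```

A high sources-to-attempts ratio with almost every source at the threshold or below is the signature the post describes; a single source with a large count is the classic single-IP attack that SSHGuard-style banning already handles.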
As you can see, I’ve refused 195 attempts in the last 24 hours. It also looks like the attempts are dropping a bit. I have no idea why, but I’ll keep tracking it and check how it progresses. Maybe they are giving up… After all, they have been going at it for over a month now….
For live stats -> SSH stats