Increasing SSH Brute Force Attempts

Since the 24 July, our HoneyNet has reveal increasing SSH brute force attempts. These scans are similar to the previous increasing SSH brute force attemps alert. The source IP addresses are only focusing on the root user.

1 week SIG 2001219 events activities
1 week SIG 2001219 events activities
1 Month TOP 10 source IPs for SIG 2001219
1 Month TOP 10 source IPs for SIG 2001219

You can follow the SSH Brute Force Attempts in our Use Case SUC015 with real time life data’s.

Increasing SSH Brute Force Attempts

As mentioned in my Tweet post, the 16 Jun, our HoneyNet has reveal increasing SSH Brute Force Attempts. These scans have been confirmed by Internet Storm Center (ISC), the 18 Jun from other sources. These scans made me remember last year and the incredible SSH 0Day rumor, and also the Zero For Owneds, Summer of Hax, also knows as ZF05. Maybe another try to own security experts infrastructures before DefCon & BlackHat ?

We have a clear difference with ISC alert around the increasing SSH Brute Force Attempts. On our HoneyNet all the source IP addresses have only focus on the root user and really try to password brute force the root account.

You follow the SSH Brute Force Attempts in our Use Case SUC015 with real time life data’s.

SUC015 : Potential SSH Scan

  • Use Case Reference : SUC015
  • Use Case Title : Potential SSH Scan
  • Use Case Detection : Firewall logs / IDS / SSH logs
  • Attacker Class : Opportunists / Targeting Opportunists
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : Most of time libssh based
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 22/TCP
Possible(s) correlation(s) :
  • SSH fingerprinting
  • SSH brute forcing

Source(s) :

We have compile a list of more of 5 000 user name how have been used to try to brute force login our HoneyNet servers. This list is updated every day.

Emerging Threats SIG 2001219 create an alert if we have 5 destination port 22/TCP connexions during the interval of 120 seconds. If we see, for example, 10 connexions during the interval of 120 seconds, 2 alerts will be triggered. This SIG could be used to detect SSH Brute Force Attack.

Emerging Threats SIG 2006546 create an alert if the content of the packet in destination of port 22/TCP contain “SSH-” and “libssh”. In addition the alert is triggered if we detect 5 connexions during the interval of 30 seconds. If we see, for example, 10 connexions during the interval of 30 seconds, only 1 alert will be triggered. This SIG could be used to detect SSH Brute Force Attack, but based on strict recognition of tools how are using “libssh”.

Emerging Threats SIG 2006345 create an alert if the content of the packet in destination of port 22/TCP contain “SSH-” and “libssh”. In addition the alert is triggered if we detect 1 connexion during the interval of 30 seconds. If we see, for example, 10 connexions during the interval of 30 seconds, only 1 alert will be triggered. This SIG could be used to detect SSH fingerprinting, but based on strict recognition of tools how are using “libssh”. This SIG is not useful for SSH Brute Force Attack recognition due to the limit type threshold.

In parallel you could correlate theses alerts with your firewall logs and / or SSH daemon logs, to create a real correlated alert. But still the attacker is not logged in your system, these alerts should not have a high priority level, cause most of time these scans are done by bots. Maybe you could add the attacker IP address in a “Suspicious Attacker” list for furthers trends and correlations activities.

Another operation you could do, is to compare the username provided from the SSH brute forcing dictionary with yours existing SSH usernames. If your username is present into the dictionary, we recommend you to change it.

24 hours SIG 2001219 events activities
24 hours SIG 2001219 events activities
1 week SIG 2001219 events activities
1 week SIG 2001219 events activities
1 Month SIG 2001219 events activities
1 Month SIG 2001219 events activities
One year SIG 2001219 events activities
One year SIG 2001219 events activities
1 Month TOP 10 source IPs for SIG 2001219
1 Month TOP 10 source IPs for SIG 2001219
TOP 20 source countries for SIG 2001219
TOP 20 source countries for SIG 2001219

Scan SSH en augmentation

Depuis environ une semaine, l’on peut voir une augmentation important des scan SSH et de tentatives de brutes force SSH.

Ces machines, sauf 189.121.4.150 et 174.36.210.138 (seraient aussi utilisées pour effectuer des attaques de SPAM), ne participent pas à d’autres tentatives de piratages, tels que RFI, etc. Ce sont des machines dédiées à cette activité de scan SSH.

IP : 122.41.71.143 – FQDN : 122.41.71.143 – City : Seoul – Country : Korea, Republic of
IP : 69.64.38.17 – FQDN : air627.startdedicated.com – City : Saint Louis – Country : United States
IP : 74.208.96.107 – FQDN : u15278563.onlinehome-server.com – City : Wayne – Country : United States
IP : 58.254.250.44 – FQDN : 58.254.250.44 – City : Guangzhou – Country : China
IP : 85.25.151.128 – FQDN : india598.server4you.de – Country : Germany
IP : 189.121.4.150 – FQDN : bd790496.virtua.com.br – City : São Paulo – Country : Brazil
IP : 174.36.210.138 – FQDN : 174.36.210.138-static.reverse.softlayer.com – City : Dallas – Country : United States
IP : 202.153.121.210 – FQDN : 202.153.121.210 – City : Central District – Country : Hong Kong
IP : 200.212.140.186 – FQDN : 200.212.140.186 – City : São Paulo – Country : Brazil