We are under attack
May 29, 2010
The heading may be alarmist, but there’s nothing to be alarmed about. I have been collecting IPs and user names from SSH attacks over the past few weeks. Initially I did not use throttling, so I got a whole bunch of names. Recently I have implemented iptables rules so that if a user enters a wrong password three times in one minute when attempting to connect via SSH, further connections are blocked for a few minutes. This change means that usually I see only three attempts in the logs and then nothing more. Unless, of course, the attacker is smart and retries after waiting a few minutes. There have been a handful of such smart attackers. Mostly I see just three attempts from an IP and then nothing more.
My interest lies in two statistics: (1) which user names are tried and how many times; and (2) which geographic locations are used for these attacks. I have compiled a list of unique user names with the counts of attempts. The top ten names and their counts are as below.
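One way to compile those counts from the sshd log itself. This is an added example, not the script used for the post: the log lines below are constructed in the syslog format Debian/Ubuntu write to /var/log/auth.log, with made-up hosts and addresses from the RFC 5737 documentation ranges, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): tally failed SSH logins by
# user name and by source IP from sshd log lines. SAMPLE_LOG is constructed;
# hosts and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG='May 28 03:14:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 51122 ssh2
May 28 03:14:03 host sshd[1201]: Failed password for root from 192.0.2.10 port 51122 ssh2
May 28 03:14:05 host sshd[1201]: Failed password for root from 192.0.2.10 port 51122 ssh2
May 28 04:02:17 host sshd[1340]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2
May 28 04:02:19 host sshd[1340]: Failed password for invalid user oracle from 198.51.100.7 port 40210 ssh2
May 28 05:11:40 host sshd[1502]: Failed password for invalid user admin from 203.0.113.9 port 38800 ssh2
May 28 05:11:42 host sshd[1502]: Failed password for root from 203.0.113.9 port 38801 ssh2
May 28 05:11:44 host sshd[1502]: Accepted publickey for fredinlondon from 192.0.2.200 port 50000 ssh2'

# Emit the constructed sample; on a real host feed /var/log/auth.log instead.
sample() { printf '%s\n' "$SAMPLE_LOG"; }

# Read log lines on stdin and print one "user ip" pair per failed password.
# sshd writes two shapes: "Failed password for root from IP" for existing
# accounts and "Failed password for invalid user NAME from IP" for unknown ones.
failed_attempts() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        u = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for" && u == "") u = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") ip = $(i+1)
        }
        if (u != "" && ip != "") print u, ip
    }'
}

# Number of failed attempts in the log on stdin.
count_failed() { failed_attempts | awk 'END { print NR }'; }

# "name count" lines, most-tried user names first (ties broken by name).
top_users() {
    failed_attempts | awk '{ print $1 }' | sort | uniq -c \
        | sort -k1,1nr -k2,2 | awk '{ print $2, $1 }'
}

# "ip count" lines, busiest source addresses first (ties broken by address).
top_ips() {
    failed_attempts | awk '{ print $2 }' | sort | uniq -c \
        | sort -k1,1nr -k2,2 | awk '{ print $2, $1 }'
}

# Print both tables for the sample; on a real host: top_users < /var/log/auth.log
sample | top_users
sample | top_ips
```

The "Accepted publickey" line is deliberately in the sample: the pattern matches only failed passwords, so successful key logins never inflate the counts. The secondary sort key keeps the ordering stable when two names or addresses have the same count.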
We could already have guessed that root would be at the top. So the first lesson here is to disable root login in SSH. The second lesson is to disable SSH access for all users except the few who really need to log in. The third lesson is to use an unconventional user name. So instead of, say, fred (your name), try to use your screen name, say fredinlondon. This reduces the chance of someone guessing both your user name and password. Of course, if you disable password login and only allow public key authentication, you don’t even have to worry about this.
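A quick way to check an sshd_config against those three lessons before restarting sshd. This is an added example, not part of the post: both configuration files are constructed (the weak one fails every check, the hardened one passes), the user name fredinlondon is borrowed from the post, and the audit function is my own.

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config for the
# three lessons: root login off, access limited to named users, password
# authentication off. Both configs below are constructed.

# Constructed: a stock-looking config that fails all three checks.
WEAK_CONFIG='Port 22
#PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no'

# Constructed: the same file after applying the three lessons.
HARDENED_CONFIG='Port 22
PermitRootLogin no
AllowUsers fredinlondon
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

# Read sshd_config on stdin, print one line per finding, exit with the number
# of findings. Mirrors how sshd reads the file: "#" starts a comment, keywords
# are case-insensitive, and the first occurrence of a keyword wins.
# (Match blocks are not modelled; check those separately.)
audit_sshd_config() {
    awk '
        { sub(/#.*/, ""); if (NF < 2) next
          k = tolower($1)
          if (!(k in val)) val[k] = tolower($2) }
        END {
            n = 0
            if (!("permitrootlogin" in val) || val["permitrootlogin"] != "no") {
                print "PermitRootLogin is not \"no\": root can be guessed at directly"; n++ }
            if (!("allowusers" in val) && !("allowgroups" in val)) {
                print "No AllowUsers/AllowGroups: every local account can be tried over SSH"; n++ }
            if (!("passwordauthentication" in val) || val["passwordauthentication"] != "no") {
                print "PasswordAuthentication is not \"no\": a guessed password still works"; n++ }
            exit n
        }'
}

# Number of findings for the two constructed files (0 means all lessons applied).
weak_findings() { printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config | awk 'END { print NR }'; }
hardened_findings() { printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config | awk 'END { print NR }'; }

# On a real host: audit_sshd_config < /etc/ssh/sshd_config (exit status = findings)
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "findings: $?"
```

The commented-out "#PermitRootLogin no" in the weak file is the classic trap: the line looks like a setting but sshd ignores it, so the check treats a missing keyword the same as a wrong value.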
Now come the geographic locations of the attackers. The top ten countries, after doing whois $IP on each address, were as below.
In these numbers, China is the location from which most attacks originated. The first lesson here is that if you don’t live in China, you can block all SSH traffic coming from there. Similarly, if you don’t live in Taiwan, India, Brazil, and so on, you can cut down on the number of attacks by blocking SSH access from those countries. A helpful resource is Country IP Blocks if you want to pursue this route. Of course, you could do the opposite and only allow traffic from the countries from which you expect to access your machine. This means that you can still be targeted, but only by machines with IPs from those countries.
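The whois tally and the country block, as an added example rather than the post's own commands. Everything in it is constructed: fake_whois stands in for whois $IP so the script runs offline, the addresses are RFC 5737 documentation ranges, the countries assigned to them are invented, and the CIDR list is a made-up stand-in for what a provider such as Country IP Blocks publishes. The ipset and iptables lines are printed for review, not executed.

```shell
#!/bin/sh
# Added example (not from the original post): map attacking IPs to countries
# from the country: field of whois output, tally them, and turn a chosen list
# of country CIDRs into ipset/iptables lines. All data below is constructed.

# Stand-in for: whois "$1". Shows the two common layouts, RIPE/APNIC-style
# "country:" and ARIN-style "Country:". Country assignments are invented.
fake_whois() {
    case "$1" in
        192.0.2.*)    printf 'inetnum:        192.0.2.0 - 192.0.2.255\ncountry:        CN\n' ;;
        198.51.100.*) printf 'NetRange:       198.51.100.0 - 198.51.100.255\nCountry:        US\n' ;;
        203.0.113.*)  printf 'inetnum:        203.0.113.0 - 203.0.113.255\ncountry:        BR\n' ;;
        *)            printf '%% No match found\n' ;;
    esac
}

# Country code for one IP. The first country line wins (RIPE records can carry
# several, e.g. one for the organisation); UNKNOWN when whois has no answer.
whois_country() {
    c=$(fake_whois "$1" | awk 'tolower($1) == "country:" { print toupper($2); exit }')
    printf '%s\n' "${c:-UNKNOWN}"
}

# IPs on stdin, one per line -> "CC count" lines: distinct attacking addresses
# per country, most first. sort -u first so each address is looked up once,
# since real whois servers rate-limit repeated queries.
tally_countries() {
    sort -u | while read -r ip; do whois_country "$ip"; done \
        | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $2, $1 }'
}

# Constructed CIDR list of the kind a country-block provider publishes.
BLOCK_CIDRS='192.0.2.0/24
203.0.113.0/24'

# Print ipset/iptables commands that drop SSH connections from the list.
# Printed, not executed: review them, then run as root. A hash:net ipset
# scales to the thousands of prefixes a whole country needs, where one
# iptables rule per prefix would not.
geoblock_rules() {
    set_name=${1:-ssh-geoblock}
    printf 'ipset create %s hash:net -exist\n' "$set_name"
    printf '%s\n' "$BLOCK_CIDRS" | while read -r cidr; do
        [ -n "$cidr" ] && printf 'ipset add %s %s -exist\n' "$set_name" "$cidr"
    done
    printf 'iptables -I INPUT -p tcp --dport 22 -m set --match-set %s src -j DROP\n' "$set_name"
}

# Sample run with constructed attacker addresses (one repeated, one unmatched).
printf '192.0.2.10\n192.0.2.10\n192.0.2.11\n198.51.100.7\n203.0.113.9\n10.0.0.1\n' | tally_countries
geoblock_rules
```

For the allow-list variant the post mentions, the same set is built from the CIDRs of the countries you connect from and the final rule becomes a DROP for addresses that are not in the set (iptables -m set ! --match-set), with your own management addresses checked first so a stale list cannot lock you out.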
In conclusion, this has been a fun exercise for me. There have been lessons learned that can help secure my machine against malicious would-be users. But more than that, I have learned how to use my Linux machine to gather this data. You should give it a try sometime.