Top ten SSH login attempts
With all the fuss over NSA intrusion into encrypted data streams, I thought I'd take a look at the security situation on my own website. To that end, I wrote some Perl to fondle the log files and keep a record of who's logging in and who's getting kept out.
Top 10 users accepted:
Only one user is accepted at all, and that user is me. As I normally ssh in with a public key, I think this is pretty secure. I'm not giving usernames, just because. Also, all IP addresses accepted are either local addresses or the remote address I was at recently.
Top 20 usernames rejected:
Here's where it gets interesting: there are hundreds of attempted logins per day via ssh. I keep a year's worth of logs, so over the last year the top 20 usernames someone has tried to log in with are:
- USER_REJ: testing rejected 438 times.
- USER_REJ: tester rejected 447 times.
- USER_REJ: temp rejected 505 times.
- USER_REJ: www rejected 536 times.
- USER_REJ: testuser rejected 541 times.
- USER_REJ: web rejected 545 times.
- USER_REJ: test1 rejected 545 times.
- USER_REJ: alex rejected 592 times.
- USER_REJ: backup rejected 671 times.
- USER_REJ: ftpuser rejected 758 times.
- USER_REJ: tomcat rejected 767 times.
- USER_REJ: info rejected 777 times.
- USER_REJ: git rejected 890 times.
- USER_REJ: postgres rejected 1351 times.
- USER_REJ: user rejected 1520 times.
- USER_REJ: a rejected 1559 times.
- USER_REJ: nagios rejected 2181 times.
- USER_REJ: admin rejected 2295 times.
- USER_REJ: test rejected 4052 times.
- USER_REJ: oracle rejected 4088 times.
What's interesting here is the huge spread within the top 20: the most-tried name (oracle) was rejected almost 10 times as often as the twentieth (testing). Also notable is how many of the attempts use the standard account names for services (postgres, tomcat, nagios, oracle, git). If you allow SSH logins under the standard account names for popular services, you are an idiot and asking for trouble.
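The point about service-account names comes down to sshd configuration. The following is an added example, not the post's code: it holds a constructed permissive sshd_config beside a constructed hardened one and audits both for the settings that matter here (password logins, root login, keyboard-interactive auth, and whether an AllowUsers/AllowGroups list limits which accounts are valid login names at all). The parser models the rule from sshd_config(5) that, for each keyword, the first value sshd reads wins, so a hardened line appended below a permissive one changes nothing. The account name alice is a placeholder.

```python
"""Audit an sshd_config text for the permissive settings discussed in the post.

Added example, not the author's code. sshd resolves each keyword to the FIRST
value it encounters (sshd_config(5)); the parser below keeps that semantics.
Both configuration texts are constructed for illustration.
"""
import re

# Constructed permissive config: any local account, password logins allowed.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# sshd ignores this later line: the first PasswordAuthentication value wins
PasswordAuthentication no
"""

# Constructed hardened config: key-only, named human accounts only.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Only listed accounts may log in; postgres, tomcat, oracle and friends are
# never valid ssh login names even if they have a shell. 'alice' is a placeholder.
AllowUsers alice
MaxAuthTries 3
LoginGraceTime 20
"""

# keyword, then either optional-whitespace '=' optional-whitespace, or whitespace
_DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Map lowercased keyword -> the first value seen, as sshd itself resolves it.

    Comments and blank lines are skipped, both 'Key value' and 'Key=value' forms
    are accepted, and parsing stops at the first Match block because directives
    inside one are conditional and do not describe the global policy.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return settings


def audit(text):
    """Return (keyword, finding) pairs for settings that leave brute-forcing worthwhile."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes") != "no":  # sshd default is yes
        findings.append(("passwordauthentication",
                         "password logins accepted: every guess in the log is a real chance"))
    # sshd's default is prohibit-password on current OpenSSH and yes on old releases;
    # the audit requires an explicit no either way.
    if s.get("permitrootlogin", "yes") != "no":
        findings.append(("permitrootlogin", "root may log in over ssh"))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("allowusers",
                         "no AllowUsers/AllowGroups: every local account, service accounts included, is a valid login name"))
    # Newer OpenSSH spells this KbdInteractiveAuthentication; both default to yes, and
    # with PAM it can still accept a password when PasswordAuthentication is no.
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append(("challengeresponseauthentication",
                         "keyboard-interactive auth is on; with PAM it can accept passwords anyway"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

With AllowUsers in place a probe for postgres or oracle is refused before the password is even checked, which is the cheap fix for the pattern in the list above; the same audit run on the weak text reports four findings, including the password setting whose "no" on the last line never takes effect.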
Top 20 rejected IP addresses
So where am I being hacked from the most? Over the last year, the logs tell the following story.
- IP_REJ: 126.96.36.199 probed 1825 times. iWeb Technologies Inc. IWEB-BLK-04 (NET-67-205-64-0-1) 188.8.131.52 - 184.108.40.206
- IP_REJ: 220.127.116.11 probed 1869 times. CNC Group CHINA169 Shandong Province Network
- IP_REJ: 18.104.22.168 probed 1931 times. Indonesia
- IP_REJ: 22.214.171.124 probed 2245 times. h1762348.stratoserver.net, Berlin.
- IP_REJ: 126.96.36.199 probed 2366 times. CHINANET-ZJ Hangzhou node network
- IP_REJ: 188.8.131.52 probed 2542 times. HZDTV-IDC, China Zhejiang Province.
- IP_REJ: 184.108.40.206 probed 2546 times. CHINANET liaoning province network
- IP_REJ: 220.127.116.11 probed 2585 times. Hangzhou, Zhejiang, P.R.China
- IP_REJ: 18.104.22.168 probed 2594 times. Hyundai HCN Dongjak Systems Co., Ltd, Korea
- IP_REJ: 22.214.171.124 probed 2698 times. 2F Bundang Center, Onse IDC, 235-230, Korea
- IP_REJ: 126.96.36.199 probed 2947 times. vps2.barnes-open.net
- IP_REJ: 188.8.131.52 probed 3194 times. Chulalongkorn University, Thailand
- IP_REJ: 184.108.40.206 probed 3321 times. CHINANET Guizhou province network
- IP_REJ: 220.127.116.11 probed 4199 times. Hangzhou Alibaba Advertising Co.,Ltd, China
- IP_REJ: 18.104.22.168 probed 4768 times. Starhub internet, Singapore
- IP_REJ: 22.214.171.124 probed 5218 times. China Mobile Communications Corporation - liaoning
- IP_REJ: 126.96.36.199 probed 5704 times. Beijing Bitone United Networks Technology Service Co.,Ltd, China
- IP_REJ: 188.8.131.52 probed 8212 times. Hangzhou NEWGRAND Software Co., Ltd, China
- IP_REJ: 184.108.40.206 probed 12834 times. FIT Center, Tsinghua University, Beijing China
- IP_REJ: 220.127.116.11 probed 16360 times. WASU TV & Communication Holding Co.,Ltd. 6/F, Jian Gong Building, NO.20 Wen San Road, Hangzhou, Zhejiang province, P.R.China 310012
That's a heck of a lot of illegal access attempts from China... Remember, these are not website accesses; these are attempted logins over ssh. There is no way any of this is mistaken SSH, as only I have login access to this box. All of these login attempts are malicious. If you are operating a commercial SSH service and you have no customers in China, you should block the whole damn country.
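For anyone who wants to produce the two tables above from their own logs, here is an added example in Python (not the author's Perl script) of the tally described at the top of the post. It parses OpenSSH's "Accepted ... for ..." and "Failed ... for ..." sshd messages, counts accepted and rejected usernames and source addresses in the same USER_REJ / IP_REJ shape as the lists above, records which authentication method each accepted login used, and lists addresses over a rejection threshold as block-list candidates. The log lines and IP addresses in the block are constructed and taken from documentation ranges, not from the post.

```python
"""Tally sshd accepts and rejects from auth.log-style lines.

Added example, not the author's Perl script. Line formats are OpenSSH's own
sshd messages; the sample below is constructed and uses documentation IP
ranges, not addresses from the post.
"""
import re
from collections import Counter

# Constructed sample auth.log excerpt (not the post's real logs).
SAMPLE_LOG = """\
Apr 12 03:14:07 host sshd[2231]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:c0ffee
Apr 12 03:15:11 host sshd[2240]: Failed password for invalid user oracle from 198.51.100.7 port 40122 ssh2
Apr 12 03:15:13 host sshd[2240]: Failed password for invalid user oracle from 198.51.100.7 port 40122 ssh2
Apr 12 03:15:15 host sshd[2242]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Apr 12 03:16:02 host sshd[2250]: Failed password for root from 203.0.113.5 port 33010 ssh2
Apr 12 03:16:05 host sshd[2251]: Failed password for invalid user admin from 203.0.113.5 port 33012 ssh2
Apr 12 03:17:40 host sshd[2260]: Invalid user nagios from 198.51.100.7 port 40140
Apr 12 03:18:00 host sshd[2261]: Accepted password for alice from 10.0.0.4 port 50000 ssh2
"""

# groups: auth method, username, source address
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (.*?) from (\S+) port \d+")
# "invalid user" is prefixed when the account does not exist locally; the non-greedy
# username group also copes with the odd names probes send (empty, with spaces).
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(.*?) from (\S+) port \d+")


def tally(lines):
    """Count users, addresses and methods for accepted logins and users/addresses for rejects.

    Only 'Failed ...' lines count as rejections: sshd also logs a separate
    'Invalid user X from IP' line for unknown accounts, and counting both
    would record one attempt twice.
    """
    result = {
        "accepted_users": Counter(),
        "accepted_ips": Counter(),
        "accepted_methods": Counter(),
        "rejected_users": Counter(),
        "rejected_ips": Counter(),
    }
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            result["accepted_users"][user] += 1
            result["accepted_ips"][ip] += 1
            result["accepted_methods"][method] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            _method, user, ip = m.groups()
            result["rejected_users"][user] += 1
            result["rejected_ips"][ip] += 1
    return result


def top(counter, n=10):
    """Top-n (name, count) pairs, highest count first; ties broken by name for stable output."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def report(lines, n=10):
    """Render the tallies in the same shape as the post's USER_REJ / IP_REJ lines."""
    counts = tally(lines)
    out = [f"USER_REJ: {user} rejected {c} times." for user, c in top(counts["rejected_users"], n)]
    out += [f"IP_REJ: {ip} probed {c} times." for ip, c in top(counts["rejected_ips"], n)]
    return out


def flag_ips(rejected_ips, threshold):
    """Block-list candidates: addresses at or above the rejection threshold, busiest first."""
    return [ip for ip, c in top(rejected_ips, len(rejected_ips)) if c >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for row in report(lines):
        print(row)
    counts = tally(lines)
    print("accepted by method:", dict(counts["accepted_methods"]))
    print("block candidates (>=3 rejects):", flag_ips(counts["rejected_ips"], 3))
```

On a box like the author's, the accepted_methods counter deserves a look alongside the rejects: if logins are supposed to be key-only, a "password" entry in it is the first thing to chase. The threshold in flag_ips is a starting point for a firewall deny list or a fail2ban-style rule; the post's numbers suggest that anything in the thousands per year is never a typo.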
But who is vps2.barnes-open.net? It's almost the only non-Asian attacker in the whole list. Whois returns:
Registrant Name: Steve Barnes
Registrant Organization: BarnesSteve
Registrant Street: Shop1, 676 Wynnum Road,
Registrant City: Morningside, Brisbane Queensland
Why is this guy, or someone using his services, trying to log in to my ssh server? (Or was; the entries are from April 2013.) And why is he trying to log in as user admin? He's also tried dictionary attacks using a variety of first names and service names. Nearly 3,000 attempts? That's no accident: this site was clearly either compromised or is black hat.