Aaron Poffenberger

Anyone who knows me, reads this site or follows me on Twitter knows I have a thing for security. I'm not a member of the tin-foil-hat brigade, but I like to keep things locked down tight. A while back I posted a snapshot from my web-server log showing all the various URLs hackers were testing to find a vulnerability in my server. Following are some scary stats from my ssh authlog.

One of the keys to a secure server, in addition to running only the services you need, is limiting who can log in remotely. OpenSSH is the de facto standard for remote logins. I make sure OpenSSH is configured to disallow root logins; to require public-key authentication, which means turning password authentication off rather than merely turning public keys on, since PubkeyAuthentication is already enabled by default; and to permit logins only for the users named in the AllowUsers directive. Those three settings defeat password brute-forcing: with password authentication off there is no password to guess, and a user who isn't listed in AllowUsers is rejected before authentication even starts, which is exactly what the log lines below record.

In case you don't think your server is a target for brute-force login attempts, consider the following. Since February 18th, 2011 (roughly 10 days) there have been 7156 blocked login attempts on one of my servers. Of those, 6851 were attempts to log in as root; only 305 targeted other users. Who needs a remote exploit if you can gain root by trying to log in with an easy-to-guess password? At roughly 685 login attempts per day against the root account, an attacker can try 250,025 different passwords in a year. Are you sure your root password is unguessable?

If you're starting to feel a bit uneasy, here are the key lines you'll want to set in your sshd_config to tighten up your ssh login security:

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers loginid1 loginid… loginidn

Make sure also that any user who is authorized to log in remotely is not in the sudoers file. Make that user 'su -' to another account before sudo becomes available. Even with public keys required for login, don't make it any easier for an attacker who does get in to reach root: a user who can log in to a firewall or server remotely shouldn't have direct access to root privileges. One caveat on the settings above: PasswordAuthentication no does not turn off keyboard-interactive authentication, which can still prompt for a password through PAM on Linux or bsd_auth on OpenBSD. Set ChallengeResponseAuthentication no as well (KbdInteractiveAuthentication no on OpenSSH 8.7 and later), and confirm what sshd actually runs with by dumping the effective configuration with sshd -T rather than trusting the file alone.
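The check I would run after editing the file, as an added example that is not part of the original post: a small POSIX shell function that audits either an sshd_config or the output of sshd -T for the settings discussed above, including the keyboard-interactive caveat. The function name, the file paths in the usage comment and the two sample configurations are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the post: check an sshd configuration for the
# settings discussed above. Point it at the output of `sshd -T` (the
# effective configuration, defaults included, keys in lower case) or at a
# plain sshd_config; keys are lower-cased here so both forms work. A flat
# file is assumed: Match blocks are not evaluated, which is one more reason
# to prefer `sshd -T` on the real host.
#
# Usage (paths assumed):
#   sshd -T > /tmp/effective.conf && audit_sshd_config /tmp/effective.conf
#   audit_sshd_config /etc/ssh/sshd_config

# Prints one finding per line; exit status is 0 when nothing is flagged.
audit_sshd_config() {
    awk '
    BEGIN { bad = 0 }
    {
        sub(/#.*/, "")                  # drop comments
        gsub(/=/, " ")                  # accept "Key=value" as well as "Key value"
        if (NF < 2) next                # blank line or keyword without a value
        cfg[tolower($1)] = tolower($2)  # last occurrence wins for our purposes
        seen[tolower($1)] = 1
    }
    # Flag key unless it has exactly the wanted value (unset counts as wrong,
    # because the sshd default for these keys is the permissive one).
    function want(key, value, reason,    shown) {
        if (cfg[key] != value) {
            shown = (cfg[key] == "") ? "unset (sshd default)" : cfg[key]
            printf "%s is %s, want %s: %s\n", key, shown, value, reason
            bad = 1
        }
    }
    END {
        want("permitrootlogin", "no", "root must not be reachable directly")
        want("passwordauthentication", "no", "password guessing works while this is on")
        if (cfg["pubkeyauthentication"] == "no") {
            print "pubkeyauthentication is no: there is no way left to log in"
            bad = 1
        }
        # keyboard-interactive auth can still prompt for a password via PAM or
        # bsd_auth even when PasswordAuthentication is off; either spelling of
        # the directive set to "no" is enough
        if (cfg["kbdinteractiveauthentication"] != "no" &&
            cfg["challengeresponseauthentication"] != "no") {
            print "keyboard-interactive authentication is still enabled: set ChallengeResponseAuthentication no (KbdInteractiveAuthentication no on OpenSSH 8.7+)"
            bad = 1
        }
        if (!("allowusers" in seen) && !("allowgroups" in seen)) {
            print "no AllowUsers or AllowGroups: every account in passwd is a login target"
            bad = 1
        }
        exit bad
    }' "$1"
}
```

The exit status makes it usable from a deployment script: a non-zero return means at least one finding was printed. Because sshd -T prints defaults that the file leaves implicit, running the audit on its output is the only way to see that PasswordAuthentication and keyboard-interactive authentication really are off.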

Now for the data. Here's a small snapshot from the authlog. Notice the frequency of the attempts: typically one per second while the server is being probed. You can't see it from the sample, but each probe lasts for just a few minutes and then stops for anywhere from an hour to 14 hours. The IP address the probe originates from changes each time. Almost without exception, though, I've traced them back to APNIC (Asia-Pacific Network Information Centre) blocks.

They're not listed in the sample below, but login ids tested other than root include: bin operator www smmsp nobody sshd named daemon popa3d uucp proxy. You'll notice they're common system accounts found in passwd. The list also includes a few account names harvested from email addresses.

If you're running OpenBSD, or any other Unix-like operating system that uses pf(4) as its firewall, you can configure pf to add a source address to a block table when it opens too many connections, or opens them too quickly, in a given period. Rate limiting should catch many of these probe sources given how fast they connect: sshd logs the AllowUsers rejection at most once per connection, when the first authentication request names a user, so a run of one line per second in the log is a run of one new TCP connection per second from that source.
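The pf rules I would use for that, as an added example rather than a fragment from the post's own pf.conf. The table name <bruteforce>, the thresholds (10 simultaneous connections, or 5 new connections in 30 seconds) and the egress interface group are assumptions; egress is OpenBSD's group for interfaces carrying the default route, so substitute the external interface name elsewhere.

```pf
# Added example, not from the post: rate-limit ssh brute-forcing with pf.
# A source that holds more than 10 ssh connections at once, or opens more
# than 5 new ones within 30 seconds, is added to <bruteforce>; "flush global"
# then kills every state that source already holds, not only ssh ones.
table <bruteforce> persist

# Refuse everything from addresses already caught, on every port.
block in quick from <bruteforce>

# Accept ssh, but count connections per source and overload on abuse.
# max-src-conn and max-src-conn-rate apply to TCP only, which is fine here.
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)
```

Addresses never leave the table on their own. Inspect it with pfctl -t bruteforce -T show, and drop entries older than a day from cron with pfctl -t bruteforce -T expire 86400 so that a legitimate user who tripped the rate limit is not locked out forever. If you administer the box from a fixed address, put a pass quick rule for that address ahead of the rate-limited one so your own reconnects can never land in the table.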

authlog:Feb 28 04:38:45 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:38:47 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:38:47 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:38:49 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:21 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:23 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:24 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:25 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:26 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:27 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:28 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:29 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:30 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:39:32 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:09 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:10 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:10 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:11 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:11 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:12 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:13 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:13 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:14 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:14 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:15 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:15 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:16 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:16 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:17 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:17 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:18 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:18 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:19 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:19 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:20 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:21 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:21 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:22 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:22 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:23 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:23 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:24 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:24 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:25 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:25 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:26 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:26 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:27 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:27 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
authlog:Feb 28 22:21:28 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
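To turn a log like the one above into the per-user and per-source counts quoted earlier in the post, here is an added example, not part of the original page: two POSIX shell functions built on awk that read authlog lines on stdin. The function names, the handling of an optional "authlog:" grep prefix and the embedded sample (constructed in the same format as the snapshot, not the post's real data) are assumptions for this example; the span calculation also assumes the lines fall within one day.

```shell
#!/bin/sh
# Added example, not from the post: summarise AllowUsers rejections in an
# OpenBSD authlog like the snapshot above. Both functions read on stdin:
#   attempts_by_user   < /var/log/authlog
#   attempts_by_source < /var/log/authlog
# Assumed line format (syslog):
#   Mon DD HH:MM:SS host sshd[pid]: User NAME from ADDR not allowed because not listed in AllowUsers
# A "[pid]" suffix on sshd and a leading "authlog:" grep prefix are both
# tolerated. Field positions: $7 is the login id, $9 the source address.

# Strip a grep filename prefix and keep only the AllowUsers rejections.
rejections() {
    sed 's/^authlog://' |
    awk '/ sshd[^ ]*: User [^ ]+ from [^ ]+ not allowed because not listed in AllowUsers/'
}

# "user count", most-attempted login id first.
attempts_by_user() {
    rejections |
    awk '{ count[$7]++ }
         END { for (u in count) print u, count[u] }' |
    sort -k2,2nr -k1,1
}

# "source count span_seconds": attempts per source address and how long the
# probe lasted (last attempt minus first, same day assumed), so count/span
# gives the attempts-per-second rate described above.
attempts_by_source() {
    rejections |
    awk '{
             split($3, t, ":")
             s = t[1] * 3600 + t[2] * 60 + t[3]   # seconds since midnight
             ip = $9
             if (!(ip in count) || s < first[ip]) first[ip] = s
             if (!(ip in count) || s > last[ip])  last[ip]  = s
             count[ip]++
         }
         END { for (ip in count) print ip, count[ip], last[ip] - first[ip] }' |
    sort -k2,2nr -k1,1
}

# Constructed sample in the snapshot's format (not real log data): two probe
# sources, one non-root login id each, and an accepted login that must be
# ignored by the counters.
SAMPLE='authlog:Feb 28 04:38:45 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
authlog:Feb 28 04:38:47 home sshd: User root from 77.223.141.44 not allowed because not listed in AllowUsers
Feb 28 04:39:21 home sshd[1234]: User bin from 77.223.141.44 not allowed because not listed in AllowUsers
Feb 28 22:21:09 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
Feb 28 22:21:10 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
Feb 28 22:21:10 home sshd: User www from 69.198.225.208 not allowed because not listed in AllowUsers
Feb 28 22:21:11 home sshd: User root from 69.198.225.208 not allowed because not listed in AllowUsers
Feb 28 22:30:00 home sshd: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2'

# Demonstration run over the constructed sample.
printf '%s\n' "$SAMPLE" | attempts_by_user
printf '%s\n' "$SAMPLE" | attempts_by_source
```

On the sample this reports root 5, bin 1 and www 1, and two sources: 69.198.225.208 with 4 attempts in a 2 second span and 77.223.141.44 with 3 attempts over 36 seconds. Run against the full authlog, the first function reproduces the root-versus-other split, and the span column of the second shows the burst behaviour that justifies rate limiting in pf.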