The basics: we use usernames to identity a person to a computer system. A password is commonly required in order to ensure that only the proper person is using the username. Hackers know that at least some passwords for most systems are usually weak or easily guessed, and they will often attempt to access computers using password guessing programs. These attacks are often attempted to my systems on the Internet, which are accessible via ssh. Ssh allows for command line access to a remote system over the network, and is a very useful tool to administer systems remotely. Ssh allows an administrator to copy files up to a remote server and down from a remote server too.
Access to ssh is usually authenticated through a username and password, as is the case with most system access. (While authentication based upon a username and password is not great, it is the most scalable option available today.) Ssh, a widely available tool, is recommended for use since it encrypts traffic, which reduces the ability for hackers to sniff account passwords. (Password sniffing is a problem with http, ftp and telnet communications.)
As ssh has grown in popularity, hackers have needed to devise new methods for breaking into ssh protected systems. One class of ssh hacking tool is SSHater, a tool that will try to guess valid usernames and passwords via ssh. Back to my systems on the Internet. I have configured my ssh server to log all invalid username/password attempts to the audit log, along with the IP address where the attempt originated. Here is a sample from my audit log.
type=USER_LOGIN msg=audit(1291694386.586:32619): user pid=17683 uid=0 auid=4294967295 ses=4294967295 msg=’op=login acct=”root” exe=”/usr/sbin/sshd” hostname=? addr=22.214.171.124 terminal=sshd res=failed’
I have gone through my last year’s worth of audit logs to summarize the most oftenly guessed usernames and sources of hacking attempts. The most commonly guessed usernames are:
Runner-ups were; student, cyrus, mythtv, administrator, temp and apache.
And, here are the top IP addresses that have been trying to get in:
- 126.96.36.199 (dedserver.net, a dns name with no website!)
- 188.8.131.52 (korea)
- 184.108.40.206 (china)
- 220.127.116.11 (korea)
- 18.104.22.168 (turkey)
- 22.214.171.124 (korea)
- 126.96.36.199 (pakistan)
- 188.8.131.52 (ohio, USA)
- 184.108.40.206 (korea)
- 220.127.116.11 (turkey)
- 18.104.22.168 (china)
- 22.214.171.124 (mexico?)
- 126.96.36.199 (korea)
What can we learn from this? First, notice that the username “root” is one of the most popular usernames guessed. That is because many UNIX systems are configured with a “root” account, and that account usually has full privileges. It is the account a hacker would most like to obtain for a system. To protect against this, make sure that root logins are disabled via the Internet. It is preferable to have a system administrator log in with their own userid, then “su” to a root level account.
Three of the top 10 are accounts (oracle, postgres and mysql) are database accounts. So, if you have these databases and they need to be admininistered from the Internet, be sure that you have secured your database usernames.
Accounts such as admin and guest are typically generic accounts shared by many people. These accounts usually have weak passwords and should be avoided.
In summary, remember to:
- disable root level logins via ssh.
- change default passwords for any and all default accounts.
- review the audit log for login successes from unknown IP addresses.
- review the audit log for login failures to keep an eye on the latest accounts that are being guessed against your system.