Analysis on Malicious SSH Login Attempts
Last week when I tried to log in to a remote test server, SSH timeout exceptions occurred quite frequently. I didn't pay much attention until an internal monitoring system detected some potential malicious activity on that server.
I noticed that when I logged into the server, SSH told me that there had been about 2k failed SSH login attempts before this successful one.
Someone is hacking the server.
I went to /var/log and checked the login history:

```bash
grep -i fail /var/log/secure | less
```
Holy, there were about 40k failed attempts within the last two days. To get more details, I needed to figure out where these requests came from and what they did.

```bash
# This script generates the list of users
```

Here is the list of top usernames and source IPs:
Attempts | Username | Attempts | Source IP |
---|---|---|---|
75381 | 1 | 2913 | 59.56.110.209 |
53914 | user | 2501 | 59.14.66.191 |
12097 | log | 383 | 82.235.192.233 |
2313 | unknown | 198 | 61.188.189.7 |
1156 | service | 163 | 123.31.34.215 |
570 | admin | 122 | 123.16.141.221 |
289 | linux | 115 | 198.167.140.168 |
235 | test | 91 | 202.96.30.210 |
232 | app | 90 | 91.224.160.184 |
205 | oracle | 77 | 222.215.118.68 |
179 | ubnt | 72 | 195.225.58.195 |
166 | pos | 64 | 179.43.141.216 |
153 | postgres | 57 | 179.43.141.225 |
148 | temp | 50 | 123.31.34.44 |
146 | monitor | 39 | 183.131.83.224 |
146 | cisco | 37 | 185.128.41.117 |
143 | ziyuan | 20 | 163.172.16.102 |
143 | superman | 14 | 171.251.76.109 |
143 | sever | 10 | 45.63.61.171 |
143 | root123dmk.com | 10 | 202.196.0.243 |
143 | linuxer | 4 | 118.193.214.29 |
Like the strange usernames, the IP distribution gave me no useful information; most of them point to proxy servers. The only thing I could do was block these frequent IPs with fail2ban to reduce the resource cost.
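To make the aggregation step above reproducible, here is an added Python example (not the author's script) that parses sshd lines in the default rsyslog format of /var/log/secure, counts failures per username and per source IP, and flags the IPs that reach a fail2ban-style retry threshold. The log lines are constructed for the example, not taken from the server in the post.

```python
import re
from collections import Counter

# Constructed sample in the default rsyslog/sshd format of /var/log/secure
# (not copied from the author's server).
SAMPLE_LOG = """\
Mar  3 10:01:02 test sshd[2201]: Failed password for root from 59.56.110.209 port 40122 ssh2
Mar  3 10:01:05 test sshd[2203]: Failed password for invalid user admin from 59.56.110.209 port 40130 ssh2
Mar  3 10:01:07 test sshd[2205]: Failed password for invalid user pos from 59.56.110.209 port 40141 ssh2
Mar  3 10:01:09 test sshd[2207]: Failed password for invalid user oracle from 59.14.66.191 port 51002 ssh2
Mar  3 10:01:11 test sshd[2209]: Failed password for user from 59.14.66.191 port 51010 ssh2
Mar  3 10:01:15 test sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 53110 ssh2
Mar  3 10:01:20 test sshd[2213]: Failed password for invalid user test from 82.235.192.233 port 33001 ssh2
Mar  3 10:01:21 test sshd[2213]: Connection closed by 82.235.192.233 port 33001 [preauth]
"""

# sshd logs "Failed password for <user> from <ip>" for existing accounts and
# "Failed password for invalid user <user> from <ip>" for unknown ones; the
# optional group covers both, so a username that is literally "user" still parses.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(log_text):
    """Count failed password attempts per username and per source IP."""
    users, ips = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # accepted logins and disconnect lines are ignored
            users[m["user"]] += 1
            ips[m["ip"]] += 1
    return users, ips

def noisy_sources(ips, maxretry=3):
    """Source IPs at or above the retry threshold (same idea as fail2ban's maxretry)."""
    return sorted(ip for ip, n in ips.items() if n >= maxretry)

if __name__ == "__main__":
    users, ips = parse_failures(SAMPLE_LOG)
    print("Attempts | Username")
    for user, n in users.most_common():
        print(f"{n:8d} | {user}")
    print("Attempts | Source IP")
    for ip, n in ips.most_common():
        print(f"{n:8d} | {ip}")
    print("Candidates for blocking:", noisy_sources(ips))
```

Running it against the real file (`parse_failures(open("/var/log/secure").read())`) reproduces the two tables above and gives a first cut at the fail2ban candidate list.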