Analysis on Malicious SSH Login Attempts
Last week, when I tried to log in to a remote test server, SSH timeout exceptions occurred quite frequently. I didn't pay much attention until an internal monitoring system detected potential malicious activity on that server.
I noticed that when I logged in to the server, SSH told me that there had been about 2k failed SSH login attempts before this successful one.
Someone is hacking the server.
I went to /var/log and checked the login history:
grep -i fail /var/log/secure | less
Holy, there were about 40k failed attempts within the last two days. To get more details, I needed to figure out where these requests came from and what they did.
# This script generates the list of users
Here is a list of top users,
As with these strange usernames, I cannot get any useful information from the IP distribution; most of them point to proxy servers. The only thing I can do is block these frequent IPs to reduce resource cost by using
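The two questions raised above (where the requests come from, and which usernames they try) can be answered by parsing the sshd "Failed password" lines directly. The following is an added example, not the script from the original post; it embeds a few constructed /var/log/secure-style lines (documentation-range addresses, not real attackers) and counts top usernames, top source IPs, and the IPs that cross a block threshold. It also separates "invalid user" failures (the account does not exist) from failures against accounts that do exist, which is the stronger signal a defender should watch.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure (RHEL/CentOS sshd) lines. The IPs are
# from RFC 5737 documentation ranges; nothing here is a real log or attacker.
SAMPLE_LOG = """\
Mar  3 10:01:12 testsrv sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  3 10:01:15 testsrv sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 41030 ssh2
Mar  3 10:01:19 testsrv sshd[2214]: Failed password for root from 198.51.100.7 port 50012 ssh2
Mar  3 10:01:22 testsrv sshd[2216]: Failed password for invalid user admin from 198.51.100.7 port 50020 ssh2
Mar  3 10:01:30 testsrv sshd[2218]: Failed password for root from 203.0.113.5 port 41044 ssh2
Mar  3 10:01:41 testsrv sshd[2219]: Failed password for invalid user test from 203.0.113.5 port 41050 ssh2
Mar  3 10:02:01 testsrv sshd[2220]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2: RSA SHA256:EXAMPLE
Mar  3 10:02:44 testsrv sshd[2222]: Failed password for deploy from 198.51.100.7 port 50033 ssh2
"""

# sshd prefixes "invalid user " when the account does not exist locally;
# its absence means the username is a real account on this host.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return a list of (user, ip, is_invalid_user) tuples, one per failed login."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip"), m.group("invalid") is not None))
    return failures


def top_users(failures, n=10):
    """Most frequently tried usernames, as (user, count) pairs."""
    return Counter(user for user, _, _ in failures).most_common(n)


def top_ips(failures, n=10):
    """Most active source addresses, as (ip, count) pairs."""
    return Counter(ip for _, ip, _ in failures).most_common(n)


def failures_against_valid_accounts(failures):
    """Failures where sshd did NOT say 'invalid user': the account exists here,
    so a later 'Accepted' line for that user from an unfamiliar IP is the thing
    to investigate, not just the noise of admin/oracle/test guesses."""
    return Counter(user for user, _, invalid in failures if not invalid)


def ips_over_threshold(failures, threshold):
    """Source IPs with at least `threshold` failures: the candidate deny list."""
    counts = Counter(ip for _, ip, _ in failures)
    return sorted(ip for ip, c in counts.items() if c >= threshold)


def summarize(log_text, n=10, threshold=4):
    failures = parse_failures(log_text)
    return {
        "total_failed": len(failures),
        "top_users": top_users(failures, n),
        "top_ips": top_ips(failures, n),
        "valid_account_failures": failures_against_valid_accounts(failures),
        "block_candidates": ips_over_threshold(failures, threshold),
    }


if __name__ == "__main__":
    # For a real run, replace SAMPLE_LOG with open("/var/log/secure").read().
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a live box the same parser works on the output of the grep shown earlier; the threshold for `block_candidates` is a local choice (the example uses 4 so that one of the constructed IPs qualifies), and the `valid_account_failures` counter is the part worth alerting on, since guesses against non-existent users cost only CPU while guesses against real accounts can succeed.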