Security Basics: Analysis of SSH-based malicious login attacks

Source: Internet
Author: User (compiled by atomic_age)
Tags: ssh, server

Introduction

In recent years, network logs have begun to show large numbers of SSH password-guessing attacks. This article uses a honeypot to capture and analyse such attacks: which account names and passwords are tried, and who is trying them. It closes with some suggestions on how to defend against them.

Research on the use of Honeypot

The New Zealand Honeynet Alliance, a regional chapter of the international Honeynet Project, uses honeypot technology to study attacker behaviour, attack methods and the tools attackers use, and applies what it learns to improve the security of networks and computer systems. A honeypot is itself a computer system, but unlike a production system its only purpose is to be attacked: it is deployed to look like a valuable target, attackers are allowed to break into it, and everything they do is recorded. Those records can then be analysed, and the honeypot also draws attacks away from the real systems it stands beside. In effect, attackers spend their effort on the honeypot rather than on a production machine, so the honeypot acts as a "shadow" of the real system.

To study such attacks in New Zealand, we installed a honeypot at Victoria University of Wellington. It is a high-interaction honeypot: it runs a real operating system and looks like any other machine on the network, so an attacker cannot tell whether they are attacking a honeypot or a production system. All inbound and outbound traffic for the host is monitored, and every system event is recorded in the system logs.

The honeypot is a RedHat 9 Linux machine running a standard SSH server that is reachable from the Internet. SSH provides encrypted remote login to another computer. We deployed the honeypot specifically to capture SSH password-guessing attacks, and configured it to record the username and password of every login attempt (a stock sshd does not log submitted passwords, so the honeypot's sshd was modified to emit the PW-ATTEMPT entries shown below). The system ran for 22 days, from 11 July to 1 August, and was attacked repeatedly during that time. The rest of this article analyses the captured attack records and recommends ways to improve SSH security.

SSH malicious login Analysis

We analyse the data captured by the honeypot between 11 July and 1 August. The data comes from the honeypot's system log. For every login request the log records the date and time, the source IP address, the result (success or failure), and the account name and password used. A short excerpt of the login log follows.

    Jul 13 09:37:59 basta sshd[22308]: PW-ATTEMPT: fritz
    Jul 13 09:37:59 basta sshd[22308]: Failed password for root from 10.0.160.14 port 39529 ssh2
    Jul 13 09:38:02 basta sshd[22310]: illegal user fatacunike from 10.0.160.14
    Jul 13 09:38:02 basta sshd[22310]: PW-ATTEMPT: fatacunike
    Jul 13 09:38:02 basta sshd[22310]: Failed password for illegal user fatacunike from 10.0.160.14 port 40444 ssh2

Each PW-ATTEMPT line records the password tried by one sshd child process (the number in square brackets is its pid); the result line with the same pid gives the account name, the source address and the outcome. Here the attacker tried the password "fritz" for root, then the password "fatacunike" for the non-existent account fatacunike.

We first look at the account names used. The excerpt above is a tiny fraction of the records: 2741 login attempts were made during the period. Attackers used common usernames, system usernames and alphabetically ordered lists of usernames, but 15 accounts were tried far more often than the rest (Table 1). Most of them exist on a typical system, such as root, admin and guest. Figure 1 shows the proportion of attempted account names that exist on the system versus those that do not.
    Account name    Number of login attempts
    root            1049
    admin             97
    test              87
    guest             40
    mysql             31
    info              30
    oracle            27
    postgres          27
    testing           27
    webmaster         27
    paul              25
    web               24
    user              23
    tester            22
    pgsql             21
Table 1: The 15 most frequently tried account names.

Figure 1: Proportion of attempted account names that exist on the system versus those that do not. [figure not reproduced in this copy]

Next we look at the passwords used. Most passwords are related to the account name. Attackers used 3649 different passwords in this data set, although not every password was tried against every account. Many are runs of sequential digits or letters, and some follow the keyboard layout (such as "asdfg"). There are also some more complex passwords, such as "r00t" or "c@t@lin". Table 2 shows the 15 most frequently used passwords.
    Password                                Number of times used
    123456                                  331
    password                                106
    admin                                    47
    test                                     46
    (password not recoverable from source)   36
    12345                                    34
    administrator                            28
    linux                                    23
    root                                     22
    test123                                  22
    1234                                     21
    123                                      20
    mysql                                    19
    apache                                   18
    master                                   18
Table 2: The 15 most frequently used passwords.

Next we look at who attacked the honeypot and how the attacks were distributed. 23 distinct IP addresses made malicious login attempts. Some of them tried only a handful of times and moved on; others kept going. Table 3 groups the 23 addresses by the number of attempts each made: 10 addresses made fewer than 50 attempts, 5 made about 170, and 8 made more than 1450. Figure 2 shows the distribution of attempts per IP address.
    Number of attempts    Number of IP addresses
    fewer than 50         10
    about 170              5
    more than 1450         8

Table 3: Source IP addresses grouped by the number of login attempts each made.
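To show how records like the log excerpt above are turned into Tables 1 to 3, here is an added example in Python, written for this page and not code from the New Zealand Honeynet Alliance. It parses syslog lines in the format shown above, pairs each PW-ATTEMPT line with the "Failed password" or "Accepted password" line logged by the same sshd child process (the pid in square brackets; that pairing is an assumption about the modified sshd, since a stock sshd never logs passwords), and then computes the most-tried usernames and passwords, the split between existing and non-existent accounts, attempts per source address, and the volume buckets used in Table 3. The log lines inside the block are constructed for the example, not the honeypot's real data.

```python
import re
from collections import Counter, namedtuple

# One login attempt, reconstructed from two log lines of the same sshd child.
Attempt = namedtuple("Attempt", "ts pid user password ip port result exists")

# "Jul 13 09:37:59 basta sshd[22308]: <message>"  (also tolerates "sshd [22308]")
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\s*\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PW_RE = re.compile(r"^PW-ATTEMPT: (?P<pw>.*)$")
RESULT_RE = re.compile(
    r"^(?P<result>Failed|Accepted) password for (?P<illegal>illegal user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Constructed sample in the honeypot's log format (not real captured data).
SAMPLE_LOG = """\
Jul 13 09:37:59 basta sshd[22308]: PW-ATTEMPT: fritz
Jul 13 09:37:59 basta sshd[22308]: Failed password for root from 10.0.160.14 port 39529 ssh2
Jul 13 09:38:02 basta sshd[22310]: illegal user fatacunike from 10.0.160.14
Jul 13 09:38:02 basta sshd[22310]: PW-ATTEMPT: fatacunike
Jul 13 09:38:02 basta sshd[22310]: Failed password for illegal user fatacunike from 10.0.160.14 port 40444 ssh2
Jul 13 09:38:05 basta sshd[22312]: PW-ATTEMPT: 123456
Jul 13 09:38:05 basta sshd[22314]: PW-ATTEMPT: test
Jul 13 09:38:05 basta sshd[22312]: Failed password for root from 10.0.160.14 port 40450 ssh2
Jul 13 09:38:06 basta sshd[22314]: Failed password for illegal user test from 10.0.23.7 port 51002 ssh2
Jul 14 02:11:40 basta sshd[23001]: PW-ATTEMPT: root
Jul 14 02:11:40 basta sshd[23001]: Failed password for root from 10.0.23.7 port 51010 ssh2
Jul 14 02:11:45 basta sshd[23002]: PW-ATTEMPT: 123456
Jul 14 02:11:45 basta sshd[23002]: Accepted password for root from 10.0.23.7 port 51012 ssh2
"""


def parse_attempts(log_text):
    """Pair each PW-ATTEMPT with the result line of the same sshd pid.

    sshd children interleave in the log, so the pending password is keyed
    by pid rather than taken from the previous line (assumed log behaviour).
    """
    pending = {}          # pid -> password from that child's last PW-ATTEMPT
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        pw = PW_RE.match(msg)
        if pw:
            pending[pid] = pw.group("pw")
            continue
        r = RESULT_RE.match(msg)
        if r:
            attempts.append(Attempt(
                ts=m.group("ts"), pid=pid, user=r.group("user"),
                password=pending.pop(pid, None),     # None if no PW-ATTEMPT was logged
                ip=r.group("ip"), port=int(r.group("port")),
                result=r.group("result").lower(),
                exists=r.group("illegal") is None,   # "illegal user" = no such account
            ))
    return attempts


def top_counts(attempts, field, n=15):
    """Most common values of one field ("user" or "password"), like Tables 1 and 2."""
    return Counter(getattr(a, field) for a in attempts).most_common(n)


def existing_vs_illegal(attempts):
    """(attempts against accounts that exist, attempts against accounts that do not)."""
    exists = sum(1 for a in attempts if a.exists)
    return exists, len(attempts) - exists


def password_equals_user(attempts):
    """Fraction of attempts whose password is simply the account name."""
    return sum(1 for a in attempts if a.password == a.user) / len(attempts)


def attempts_per_ip(attempts):
    return Counter(a.ip for a in attempts)


def volume_buckets(per_ip, low=50, high=1450):
    """Bin source addresses by attempt count the way Table 3 does."""
    keys = ("<%d" % low, "%d-%d" % (low, high), ">%d" % high)
    bins = dict.fromkeys(keys, 0)
    for n in per_ip.values():
        bins[keys[0] if n < low else keys[2] if n > high else keys[1]] += 1
    return bins


def successes(attempts):
    """Successful logins are the records an incident responder reads first."""
    return [(a.user, a.ip) for a in attempts if a.result == "accepted"]


if __name__ == "__main__":
    att = parse_attempts(SAMPLE_LOG)
    print("top users:", top_counts(att, "user", 3))
    print("top passwords:", top_counts(att, "password", 3))
    print("existing vs non-existent accounts:", existing_vs_illegal(att))
    print("password == username: %.0f%%" % (100 * password_equals_user(att)))
    print("buckets:", volume_buckets(attempts_per_ip(att)))
    print("successful logins:", successes(att))
```

Run it against a real /var/log/secure (or the honeypot's log) by passing the file contents to parse_attempts. The pid-keyed pairing matters in practice: the parallel attempts in the sample show a PW-ATTEMPT for one child landing between another child's PW-ATTEMPT and result line, which a line-by-line "previous line" approach would mis-attribute. The successes() check is the one to run first on a production host; the honeypot's value lies in the failed attempts.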
