The secure shell protocol (SSH) is probably the most common way for Unix administrators to perform remote administration of their servers. Since all SSH implementations support password authentication, brute-force password attempts have become a common attack vector for hackers attempting to harvest hosts for botnets and DDOS attacks.
By propagating large lists of common username/password combinations, hackers can use the already compromised systems as a distributed network to try passwords on new IP addresses. Each compromised system then becomes another worker that tries to compromise more servers.
We have SSH servers, and see this activity very often. Below is a view of all server port 22 (SSH) sessions, where IP addresses are ranked by sessions initiated (regardless of session size). It quickly becomes clear that most of these attacks try up to about 1,500 passwords before giving up and moving on.
This is scary activity, and any host trying more than a couple of SSH sessions per hour should most likely be considered malicious, unless its activity is known to be benign. To find out whether any of the password attempts were successful, simply add another filter line. By filtering on communications where the server returned at least 100 packets, we get only those SSH sessions where a login was successful. See any suspicious addresses?
Most brute-force password viruses will install a bot that tries to propagate itself by making many outbound SSH connections from your system. Filter on your client IP with your local (or internal NAT) CIDR block to find out whether any systems in your network initiate a larger than usual number of SSH connections:
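The three flow-based checks described above (rank clients by SSH sessions initiated, keep only sessions where the server returned at least 100 packets, and count outbound SSH sessions from your own CIDR block), as an added example run over constructed NetFlow-style records; this is not FlowTraq's own code, and the record layout and IP addresses are assumptions for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flows (not real traffic): one tuple per SSH session as a
# flow collector would record it: (client, server, server_port, pkts_from_server).
FLOWS = [
    # A scanner hammering one server with ~1,500 short password attempts...
    *[("203.0.113.9", "192.0.2.10", 22, 11)] * 1500,
    # ...followed by one long session, which is what a successful login looks like.
    ("203.0.113.9", "192.0.2.10", 22, 140),
    ("198.51.100.4", "192.0.2.10", 22, 9),        # a single failed attempt
    ("10.0.5.7", "192.0.2.10", 22, 250),          # internal admin session, benign
    ("10.0.5.7", "192.0.2.10", 443, 30),          # not SSH, must be ignored
    # An internal host fanning out to 40 external servers: bot propagation pattern.
    *[("10.0.5.23", "198.51.100.%d" % i, 22, 8) for i in range(1, 41)],
]


def sessions_per_client(flows, port=22):
    """Rank client IPs by number of sessions initiated to the given server port."""
    return Counter(client for client, _srv, dport, _pk in flows if dport == port)


def likely_successful_logins(flows, port=22, min_server_packets=100):
    """Sessions where the server sent at least min_server_packets back.

    A failed password exchange is short; a session carrying an interactive
    shell is not, so a high server packet count flags a probable success."""
    return [(c, s, p) for c, s, dport, p in flows
            if dport == port and p >= min_server_packets]


def outbound_ssh_fanout(flows, internal_cidr, max_sessions, port=22):
    """Internal hosts that initiated more than max_sessions SSH sessions.

    Only clients inside internal_cidr are counted, so this surfaces compromised
    systems on your own network rather than external scanners."""
    net = ip_network(internal_cidr)
    counts = Counter(c for c, _s, dport, _p in flows
                     if dport == port and ip_address(c) in net)
    return {c: n for c, n in counts.items() if n > max_sessions}


if __name__ == "__main__":
    print("top SSH clients:", sessions_per_client(FLOWS).most_common(3))
    print("probable successful logins:", likely_successful_logins(FLOWS))
    print("internal hosts fanning out:", outbound_ssh_fanout(FLOWS, "10.0.0.0/8", 10))
```

The same three functions work unchanged on real exported flows once each record is reduced to the four fields above; tune the packet and session thresholds to your own baseline before alerting on them.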