
SSH Brute-Forcing

The Secure Shell protocol (SSH) is probably the most common way for Unix administrators to manage their servers remotely. Because nearly every SSH server implementation supports password authentication, and many ship with it enabled by default, brute-force password guessing has become a common attack vector for attackers harvesting hosts for botnets and DDoS attacks.

By propagating large lists of common username/password combinations, attackers use already compromised systems as a distributed network to try passwords against new IP addresses. Each compromised system then becomes another worker trying to compromise more servers.

We run SSH servers ourselves and see this activity very often. Below is a view of all sessions to server port 22 (SSH), with client IP addresses ranked by the number of sessions they initiated, regardless of session size. It quickly becomes clear that most of these attacks try up to about 1,500 passwords before giving up and moving on.

This is worrying activity: any host initiating more than a couple of SSH sessions per hour should be considered malicious unless its activity is known to be benign. To find out whether any of the password attempts succeeded, add another filter line. A failed login is a short exchange, whereas an authenticated session keeps the server talking, so filtering for SSH sessions in which the server returned 100 or more packets leaves only those where a login was most likely successful. A long session is evidence, not proof; confirm against the server's authentication logs before acting. See any suspicious addresses?

Most SSH brute-force malware installs a bot that tries to propagate by making many outbound SSH connections from your system. Filter on client IPs within your local (or internal NAT) CIDR block to find systems in your network that initiate a larger than usual number of SSH connections.
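The three checks described above (rank clients by SSH sessions initiated, keep only sessions where the server returned 100 or more packets, and look for internal hosts initiating many outbound SSH sessions) can be expressed directly over flow records. The script below is an added example, not FlowTraq's code or its query syntax; it runs over a constructed set of NetFlow-style records using documentation address ranges, and the field names, the 10.0.0.0/8 internal block, and the thresholds (3 sessions per hour, 100 server packets, 10 outbound sessions) are assumptions for the illustration.

```python
"""Hunting SSH brute-force activity in flow records (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

SSH_PORT = 22
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed local CIDR block


@dataclass(frozen=True)
class Flow:
    """One bidirectional session as a flow collector would summarise it (assumed fields)."""
    start: datetime     # session start time
    src: str            # client (initiator) address
    dst: str            # server address
    dport: int          # server port
    client_pkts: int    # packets sent by the client
    server_pkts: int    # packets returned by the server


def _ssh_flows(flows):
    return [f for f in flows if f.dport == SSH_PORT]


def rank_clients_by_sessions(flows):
    """Client IPs ranked by number of SSH sessions initiated, session size ignored."""
    return Counter(f.src for f in _ssh_flows(flows)).most_common()


def brute_force_suspects(flows, max_sessions_per_hour=3):
    """Clients that opened more than the threshold of SSH sessions in any clock hour."""
    per_hour = defaultdict(Counter)
    for f in _ssh_flows(flows):
        per_hour[f.start.replace(minute=0, second=0, microsecond=0)][f.src] += 1
    return sorted({ip for hour in per_hour.values()
                   for ip, n in hour.items() if n > max_sessions_per_hour})


def likely_successful_logins(flows, min_server_pkts=100):
    """SSH sessions long enough (by server packet count) to suggest authentication succeeded.
    Heuristic only: a failed attempt is a short exchange, a shell session is not."""
    return [(f.src, f.dst, f.server_pkts)
            for f in _ssh_flows(flows) if f.server_pkts >= min_server_pkts]


def suspects_with_success(flows, **kw):
    """Brute-force suspects that also had a long session: the hosts to investigate first."""
    long_sources = {src for src, _, _ in likely_successful_logins(flows)}
    return sorted(set(brute_force_suspects(flows, **kw)) & long_sources)


def outbound_ssh_from_internal(flows, internal=INTERNAL_NET, min_sessions=10):
    """Internal clients initiating an unusual number of SSH sessions to outside hosts."""
    c = Counter(f.src for f in _ssh_flows(flows)
                if ipaddress.ip_address(f.src) in internal
                and ipaddress.ip_address(f.dst) not in internal)
    return {ip: n for ip, n in c.items() if n >= min_sessions}


def constructed_flows():
    """Constructed sample records (not real traffic) covering the cases in the article."""
    t0 = datetime(2024, 5, 1, 9, 0)
    flows = []
    # External attacker: 40 short failed attempts, then one long (successful) session.
    for i in range(40):
        flows.append(Flow(t0 + timedelta(seconds=30 * i), "203.0.113.5", "198.51.100.10", 22, 14, 12))
    flows.append(Flow(t0 + timedelta(minutes=21), "203.0.113.5", "198.51.100.10", 22, 400, 340))
    # Legitimate admin: two long interactive sessions, hours apart.
    flows.append(Flow(t0 + timedelta(hours=1), "192.0.2.7", "198.51.100.10", 22, 900, 650))
    flows.append(Flow(t0 + timedelta(hours=3), "192.0.2.7", "198.51.100.10", 22, 300, 210))
    # Internal host behaving like a propagating bot: 25 outbound SSH sessions in an hour.
    for i in range(25):
        flows.append(Flow(t0 + timedelta(minutes=i), "10.0.0.15", f"198.51.100.{100 + i}", 22, 14, 12))
    # Internal host with one normal outbound admin session.
    flows.append(Flow(t0, "10.0.0.8", "192.0.2.50", 22, 500, 420))
    # Non-SSH noise that every filter must ignore.
    flows.append(Flow(t0, "203.0.113.5", "198.51.100.10", 443, 20, 30))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print("Sessions per client:", rank_clients_by_sessions(flows))
    print("Brute-force suspects:", brute_force_suspects(flows))
    print("Long SSH sessions:", likely_successful_logins(flows))
    print("Suspects with a long session (investigate):", suspects_with_success(flows))
    print("Internal hosts with many outbound SSH sessions:", outbound_ssh_from_internal(flows))
```

On the constructed data the external attacker and the internal bot both exceed the per-hour session threshold, but only the attacker also has a long session, which is exactly the intersection worth chasing first; the admin's two long sessions never trip the session-count filter, and the internal host making 25 outbound connections is caught by the outbound check even though it is a client rather than a server. Tune the thresholds to your own baseline: automation that legitimately opens many short SSH sessions (configuration management, backup jobs) will look like a brute-forcer under the raw session count and must be whitelisted.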
