There's a Surge In Attempts to Compromise SSH Passwords

« An Interview With AOL's Chief Privacy Officer | Main | Shorter Charter: We'd Rather You Just Not Read the Privacy Advisory in the First Place »

May 13, 2008

There's a Surge In Attempts to Compromise SSH Passwords

Sounds like it’s time to review your password policy for accounts with ssh access.
From SANS, a rundown on a recent surge in brute-force attempts on ssh:

“From the most recent reports I have seen, the attackers have been using either ‘low and slow’ style attacks to avoid locking out accounts and/or being detected by IDS/IPS systems. Some attackers seem to be using botnets to do a distributed style attack which also is not likely to exceed thresholds common on the network.

“So be warned that there does appear to be a bit more activity involving SSH and weak or otherwise guessable passwords. This would be a great time to do some investigation on your local network to see what servers have SSH open to the world on the default port, and may need to have its security posture reassessed.”

(Link)

I ran an item by Paul Rubens on how to use Hydra just last week:

“Online attacks are more than just slow. There are many security hurdles to overcome. Many servers have security features which limit the number of failed password attempts that are allowed before the account is suspended, your IP address is blocked or the period before a new login attempt can be made is extended. They should also log where failed attempts are coming from and alert administrators.

“This makes it hard for a hacker to carry out an online attack on your systems. Which is good. The question is how hard? Do the systems work? Would you know if someone was carrying out an online attack, and what would you do about it?

“The best way to answer these questions is to carry out an online attack yourself, and see how far you get.”

Previously: