cat /var/log/auth.log

A couple of days ago I was discussing with one of my coworkers whether we should expose SSH on our local development machines on the default port (22) or pick another random port. Why pick another port? In theory it could keep us a bit away from port-scanning bots that only look for the most common ports, but it won’t help against a bot that brute-force checks every port. I have an always-on Raspberry Pi hooked to my home network that exposes the default SSH port publicly, so I thought I would take a look at its SSH logs to see what I can expect.

On a quick look through the logs I found a couple of failed login attempts, and even though I had already disabled password logins and switched to keys, I freaked out a bit. I grepped all successful logins from public IPs and made sure they all made sense. Once I was sure that everything was OK, I started analysing the failed logins. I found 3298 failed login attempts since I brought up the Pi, which was about a month ago, and was curious what I could get out of this data.

Analysis

When?

Looking at this chart, the bots seemed to try for a day or two, then take a rest for another day, and so on.

I was also interested in when the scans peaked, and there seems to be some correlation between my internet usage times, especially my torrent download times, and the scan peaks. I would guess some websites and torrent trackers scan the IPs that reach them.

Where?

Then comes the time for pointing fingers. I grabbed the free GeoIP country database from MaxMind and analysed which countries had the most bots. Mother Russia took first place, followed by Murica, then China China China.

How?

But what were they trying in order to get in? Some bots tried popular usernames a couple of times each, probably with different passwords; others would only try each username once or twice; and some mixed the two methods. Looking at which usernames they were trying, admin takes first place, followed by user and test. I was expecting to find root at the top, but surprisingly no bot tried it; at least ubuntu took some credit.

What to learn?

I must never ever expose SSH or any other port without making sure it’s well secured. I will also probably stay away from using admin, user and test as usernames. I should also rate-limit connections to throttle brute-force scans from the same IP. I’m still not sure whether changing the port would be useful or not.
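As an added example (not the post’s own script, and not run over its log data), here is a small Python script that does the passes described in the When?, How? and What to learn? sections over auth.log: failures per day, the most-tried usernames, per source IP how many attempts and how many distinct usernames it tried (which separates the “same name, many passwords” bots from the “every name once or twice” bots), and finally the source IPs whose failures exceed a threshold inside a time window, which is exactly the condition a rate-limit or fail2ban-style rule acts on. The log lines, the year (syslog timestamps carry none), the hostname and the thresholds are constructed assumptions; the GeoIP lookup from the Where? section is left out because it needs the MaxMind database file.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# Constructed sample in Debian/Raspbian auth.log format; these are NOT the post's
# real entries. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jan 14 03:21:07 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 14 03:21:09 raspberrypi sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40118 ssh2
Jan 14 03:21:12 raspberrypi sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 40125 ssh2
Jan 14 03:21:15 raspberrypi sshd[1207]: Failed password for invalid user user from 203.0.113.5 port 40131 ssh2
Jan 14 03:22:01 raspberrypi sshd[1209]: Accepted publickey for pi from 192.0.2.10 port 52000 ssh2: RSA SHA256:AAAA
Jan 14 11:05:44 raspberrypi sshd[1301]: Failed password for invalid user test from 198.51.100.7 port 51234 ssh2
Jan 14 11:07:02 raspberrypi sshd[1303]: Failed password for invalid user user from 198.51.100.7 port 51240 ssh2
Jan 16 22:45:30 raspberrypi sshd[1402]: Failed password for ubuntu from 198.51.100.9 port 33000 ssh2
Jan 16 22:45:31 raspberrypi sshd[1404]: Failed password for ubuntu from 198.51.100.9 port 33001 ssh2
Jan 16 22:45:33 raspberrypi sshd[1406]: Failed password for invalid user admin from 198.51.100.9 port 33002 ssh2
"""

# "invalid user" is present when the account does not exist on the box at all.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FailedLogin = namedtuple("FailedLogin", "ts user ip invalid_user")


def parse_failed_logins(text, year):
    """Return one FailedLogin per 'Failed password' line; other lines are ignored.
    syslog timestamps have no year, so the caller supplies one (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append(FailedLogin(ts, m["user"], m["ip"], m["invalid"] is not None))
    return events


def failures_per_day(events):
    """When? Failed attempts per calendar day, keyed by ISO date."""
    return Counter(e.ts.date().isoformat() for e in events)


def top_usernames(events, n=5):
    """How? Most-tried usernames, most common first."""
    return Counter(e.user for e in events).most_common(n)


def strategy_per_ip(events):
    """How? For each source IP: (total attempts, distinct usernames tried).
    Many attempts on few names = password guessing; about one attempt per name = enumeration."""
    attempts, users = Counter(), defaultdict(set)
    for e in events:
        attempts[e.ip] += 1
        users[e.ip].add(e.user)
    return {ip: (attempts[ip], len(users[ip])) for ip in attempts}


def ips_to_throttle(events, max_failures=5, window_seconds=600):
    """What to learn? IPs with at least max_failures failures inside any interval of
    window_seconds: the trigger a rate-limit / fail2ban-style rule would fire on."""
    stamps_by_ip = defaultdict(list)
    for e in events:
        stamps_by_ip[e.ip].append(e.ts)
    flagged = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):
            # stamps[i:j] holds every failure within the window that starts at stamps[i]
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= max_failures:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG, year=2016)
    print(f"{len(events)} failed logins")
    print("per day:", dict(failures_per_day(events)))
    print("top usernames:", top_usernames(events))
    print("per IP (attempts, distinct users):", strategy_per_ip(events))
    print("throttle candidates:", ips_to_throttle(events, max_failures=3, window_seconds=60))
```

To run it on a real file, replace SAMPLE_LOG with the contents of /var/log/auth.log (the rotated .1 and .gz copies hold the older month). The thresholds in ips_to_throttle are deliberately low for the sample; pick them from the distribution in strategy_per_ip so that a coworker mistyping a passphrase twice is not treated like the four-attempts-in-eight-seconds pattern above.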

P.S. If you’re interested in having a look at the log data, you can view it here.