SSH brute force attacks

I run my weblog on my server, both out of  hobby and because it gives me complete control over the underlying operating system, available software and security mechanisms. As a result, I see all that goes on with this machine, both good and bad.

Since October 24th, the server has been on the receiving end of repeated SSH brute force attacks, meaning an automated process attempting to guess the password of often existing user accounts on servers. Think accounts like “staff”, “root”, or “postmaster”.

Since none of the mentioned accounts exist and/or are not able to login through SSH, these attacks are doomed to fail. The attacks are also rather noisy, meaning they are easy to detect and ward off. They fill up the logs rather quickly with lines like this:

Oct 28 10:10:58 beris sshd[22575]: Failed password for invalid user soporte from port 28568 ssh2

The server is set up to detect and automatically drop connections from hosts after a series of failed logins so SSH brute force attacks are not a cause of much concern. Since the hosts seem to come from a fairly limited set of networks, I got tired of seeing them though. I’ve added the following repeat offenders to the site-wide blacklist, meaning all connection attempts coming from these networks will be unsuccessful:

I apologize to legitimate users of these networks who may wish to use resources on this server but please do not complain to me, complain to your ISP so they get their act together and tackle the people abusing their infrastructure.

As always, the full blacklist, compiled from various sources and updated every 24 hours, can be downloaded here. Using the list in your firewall or other defence mechanism can help you defend against various attacks, not just SSH brute force attacks but also spam runs, etc.

Any thoughts about this? Please leave a comment!

This site uses Akismet to reduce spam. Learn how your comment data is processed.