Sunday, 8 July 2018

Who's that knocking? SSH connection attempts...

I have a dedicated server overseas that I use for hosting various things. It's handy to have something that lives in a remote data centre, separate from all the local goings-on. It is, however, a LAMP-stack server out there on the internet, and folks do "knock on the door" frequently.

I've disabled password logins, changed the default SSH port (I know that in and of itself it's not a solution, but it does reduce a lot of the brain-dead noise) and firewalled off all but the services that must be accessible externally for the server to function.

I still get hits to the OpenSSH server.

Of those that get through to specifying a remote username, I see:
   1640 root
    374 oracle
    182 admin
     28 guest
     10 postgres
     10 mysql
     10 info
      8 server
      8 rootalias
      8 nagios
      6 redhat
      6 minecraft
      6 debian
      4 r00t
      4 plex
      4 pgsql
      4 nexus
      4 news
      4 musicbot
      4 mc
      4 jenkins
      4 grid
      4 gmodserver
      4 git
      4 ftpuser
      4 ftp
      4 firefart
      4 default
      4 cyrus
      4 botmaster
      4 bot
      4 alias
      4 admissions
      4 adm
      2 shop
      2 shell
      2 share
      2 sgi
      2 servercsgo
      2 send
      2 securityagent
      2 secret
      2 sebastian
      2 search
      2 scanner
      2 sb
      2 sara
      2 sandbox
      2 samba
      2 sales
      2 rsync
      2 rpm
      2 rpcuser
      2 rpc
      2 root4
      2 root3
      2 root2
      2 root1
      2 root0
      2 rodrigo
      2 robert
      2 richard
      2 redmine
      2 recruit
      2 rdp
      2 radiomail
      2 quality
      2 qtss
      2 putty
      2 pussy
      2 public
      2 prueba
      2 proxy
      2 projects
      2 ppldtepe
      2 postpone
      2 postmaster
      2 postfix
      2 popa3d
      2 pop
      2 poney
      2 polycom
      2 plexuser
      2 PlcmSpIp
      2 play
      2 phpmyadmin
      2 php
      2 pentaho
      2 paul
      2 party
      2 ovhuser
      2 osmc
      2 operator
      2 operations
      2 operador
      2 openvpn
      2 opensuse
      2 openerp
      2 op
      2 office
      2 odoo
      2 nodeserver
      2 nodejs
      2 nodeclient
      2 node
      2 nobody
      2 nginx
      2 nfsnobody
      2 newsletter
      2 newadmin
      2 neil
      2 nat
      2 named
      2 nagiosuser
      2 musikbot
      2 mongodb
      2 module
      2 mine
      2 miller
      2 mike
      2 michael
      2 media
      2 mcserver
      2 master
      2 mario
      2 marco
      2 manager
      2 mailnull
      2 mailman
      2 mail
      2 lp
      2 log
      2 list
      2 linux
      2 library
      2 kodi
      2 karaf
      2 jsserver
      2 jsclient
      2 js
      2 john
      2 joel
      2 jesus
      2 jerry
      2 jeff
      2 jboss
      2 jay
      2 james
      2 jack
      2 jabber
      2 irc
      2 invitado
      2 intel
      2 install
      2 informix
      2 import
      2 identd
      2 ident
      2 hugo
      2 httpd
      2 http
      2 home
      2 hlds
      2 hduser
      2 hdfs
      2 harrypotter
      2 halt
      2 hadoop
      2 gpadmin
      2 gopher
      2 gnats
      2 glassfish
      2 gituser
      2 github
      2 git3
      2 git2
      2 git1
      2 ghost
      2 george
      2 games
      2 ftpusr
      2 ftptest
      2 ftpadmin
      2 frontrow
      2 frank
      2 fld
      2 faxadmin
      2 fax
      2 eppc
      2 emily
      2 eleve
      2 dstat
      2 dspace
      2 dream
      2 download
      2 D-Link
      2 divine
      2 devuser
      2 devil
      2 developer
      2 dev
      2 desktop
      2 deployer
      2 deploy
      2 demo1
      2 demo
      2 debug
      2 dean
      2 db2inst1
      2 david
      2 dataentry1
      2 database
      2 data
      2 dasusr1
      2 danny
      2 dan
      2 dale
      2 daemon
      2 cyrusimap
      2 csserver
      2 csgoserver
      2 csgo
      2 cpanel
      2 core
      2 control
      2 content
      2 console
      2 confluence
      2 clamav
      2 cisco
      2 christian
      2 chris
      2 charleene
      2 centos
      2 bwadmin
      2 butter
      2 build
      2 brett
      2 bob
      2 biz
      2 bitrix
      2 bin
      2 backuppc
      2 backup
      2 asterisk
      2 arkserver
      2 aptproxy
      2 appserver
      2 appowner
      2 api
      2 apagar
      2 apache
      2 angel
      2 amavisd
      2 amanda
      2 alex
      2 alan
      2 agent
      2 admins
... if you're running an SSH server on the internet, and you have a root account accessible using a password, change that now!

Where's all this sh** coming from? Well, if you trust MaxMind's free GeoIP Country database:
   1400 KR, Korea, Republic of
    265 US, United States
    201 FR, France
    130 CN, China
     84 RU, Russian Federation
     63 HK, Hong Kong
     56 UA, Ukraine
     52 IT, Italy
     51 NL, Netherlands
     50 ES, Spain
     48 TW, Taiwan
     46 SE, Sweden
     45 BG, Bulgaria
     35 GB, United Kingdom
     35 CA, Canada
     34 BR, Brazil
     29 PL, Poland
     27 DE, Germany
     23 JP, Japan
     22 RO, Romania
     22 BE, Belgium
     20 PE, Peru
     20 CH, Switzerland
     16 AU, Australia
      9 SI, Slovenia
      9 IE, Ireland
      9 CO, Colombia
      8 IN, India
      7 EE, Estonia
      7 BY, Belarus
      4 RS, Serbia
      3 PA, Panama
... I was initially surprised to see ROK (as opposed to DPRK) beat out other places, but I guess it makes sense given that they have very fast internet.
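The two tallies above (usernames attempted, then countries of origin) are what you get from pulling the rejected usernames and source addresses out of sshd's auth log and resolving the addresses against the MaxMind database. The script below is an added example, not the author's own tooling: it parses a handful of constructed sshd log lines (documentation-range addresses, not real attackers), collapses the several lines sshd writes for one connection into a single attempt, and counts usernames and countries in the same `uniq -c` style. The country resolver is a constructed dictionary standing in for the MaxMind GeoLite2 query; the comment shows where the real `geoip2` call would plug in.

```python
import re
from collections import Counter
from typing import Callable, Iterable, List, Tuple

# Constructed sshd log excerpt (documentation-range addresses, not real traffic).
# For a username that does not exist locally sshd logs "Invalid user"; for one
# that does (root here) it logs "Failed password for" or, with password
# authentication disabled, "Connection closed by authenticating user".
SAMPLE_LOG = """\
Jul  8 03:12:01 host sshd[21544]: Invalid user oracle from 203.0.113.10 port 51234
Jul  8 03:12:01 host sshd[21544]: input_userauth_request: invalid user oracle [preauth]
Jul  8 03:12:02 host sshd[21544]: Connection closed by 203.0.113.10 port 51234 [preauth]
Jul  8 03:12:05 host sshd[21548]: Connection closed by authenticating user root 203.0.113.10 port 51240 [preauth]
Jul  8 03:12:09 host sshd[21551]: Invalid user admin from 198.51.100.7 port 40022
Jul  8 03:12:09 host sshd[21551]: input_userauth_request: invalid user admin [preauth]
Jul  8 03:12:15 host sshd[21560]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jul  8 03:12:17 host sshd[21560]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jul  8 03:12:20 host sshd[21563]: Invalid user oracle from 192.0.2.44 port 33010
Jul  8 03:12:20 host sshd[21563]: Failed password for invalid user oracle from 192.0.2.44 port 33010 ssh2
Jul  8 03:12:25 host sshd[21570]: Accepted publickey for deploy from 198.51.100.20 port 60001 ssh2: ED25519 SHA256:constructed
"""

# One regex for the three line shapes that carry a username and a source
# address. The lowercase "invalid user ... [preauth]" line deliberately does
# not match, so it cannot double-count an attempt.
ATTEMPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:"
    r"Invalid user (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\S+)"
    r"|(?:Connection closed by|Disconnected from) authenticating user (?P<u3>\S+) (?P<ip3>\S+)"
    r")"
)

Attempt = Tuple[str, str]  # (username, source_ip)


def parse_attempts(lines: Iterable[str]) -> List[Attempt]:
    """Return one (username, ip) record per connection that presented a username.

    sshd forks a child per connection and logs several lines under that child's
    PID, so (pid, user, ip) is used to collapse them into a single attempt.
    """
    seen = {}  # insertion-ordered dict used as an ordered set
    for line in lines:
        m = ATTEMPT_RE.search(line)
        if not m:
            continue
        user = m.group("u1") or m.group("u2") or m.group("u3")
        ip = m.group("ip1") or m.group("ip2") or m.group("ip3")
        seen.setdefault((m.group("pid"), user, ip), None)
    return [(user, ip) for _, user, ip in seen]


def count_usernames(attempts: Iterable[Attempt]) -> Counter:
    return Counter(user for user, _ in attempts)


def count_countries(attempts: Iterable[Attempt], lookup: Callable[[str], str]) -> Counter:
    """Tally attempts by country, using an injectable ip -> ISO code resolver."""
    return Counter(lookup(ip) for _, ip in attempts)


# Constructed stand-in for the MaxMind lookup. With the geoip2 package and a
# downloaded GeoLite2-Country.mmdb the resolver would instead be:
#   reader = geoip2.database.Reader("GeoLite2-Country.mmdb")
#   lookup = lambda ip: reader.country(ip).country.iso_code or "??"
CONSTRUCTED_GEO = {"203.0.113.10": "KR", "198.51.100.7": "US", "192.0.2.44": "FR"}


def constructed_lookup(ip: str) -> str:
    return CONSTRUCTED_GEO.get(ip, "??")


def format_counts(counts: Counter) -> str:
    """Render like `sort | uniq -c | sort -rn`: count right-aligned, then key."""
    return "\n".join(f"{n:7d} {key}" for key, n in counts.most_common())


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG.splitlines())
    print(format_counts(count_usernames(attempts)))
    print()
    print(format_counts(count_countries(attempts, constructed_lookup)))
```

Counting per connection rather than per log line matters: a single probe against a valid account such as root can produce two or three lines, and counting lines inflates the numbers for exactly the usernames you care about most. Feed it `/var/log/auth.log` (or `journalctl -u ssh --no-pager`) instead of `SAMPLE_LOG` to run it against a real server.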

Is there a point to this? Well...
  • Use key-based and/or multi-factor authentication where you can
  • No matter what port number you use, folks will knock on your door
  • Expect any username that even vaguely resembles a default, or a service name, to be attempted
  • Never use default passwords, or easily guessed passwords. If you must use a secret you have to remember, make it a passphrase, not just a word
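The first bullet, together with the "change that now!" warning under the username list, comes down to three sshd_config directives. The following is an added example, not the author's configuration: a constructed sshd_config carrying the weak settings, a parser that resolves it the way sshd does (for each keyword the first value wins, so a `PasswordAuthentication no` appended below an earlier `yes` is silently ignored), an audit that reports what is still weak, and a rewrite that pins the hardened values at the top of the file. Multi-factor setups (`AuthenticationMethods publickey,keyboard-interactive` plus a PAM module) need more than this file and are not covered here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sshd_config excerpt with the weak settings; not the author's file.
WEAK_CONFIG = """\
# constructed example
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
# a later "fix" that sshd ignores: the first value for a keyword wins
PasswordAuthentication no
"""

# What sshd assumes when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
}

# Values acceptable on a key-only server, and the one to write when fixing.
ACCEPTED = {
    "PermitRootLogin": {"no", "prohibit-password"},
    "PasswordAuthentication": {"no"},
    "PubkeyAuthentication": {"yes"},
}
PREFERRED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s*[= ]\s*(.+?)\s*$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Resolve keyword -> effective value the way sshd does: comments skipped,
    keywords lower-cased, the FIRST value for a keyword kept, and parsing
    stopped at the first Match block, whose settings are conditional."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        effective.setdefault(keyword, value)
    return effective


def audit(config: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (keyword, effective value, recommended value) for each directive
    that still permits password or root-password logins."""
    findings = []
    for keyword, good in PREFERRED.items():
        current = config.get(keyword.lower(), DEFAULTS[keyword])
        if current.lower() not in ACCEPTED[keyword]:
            findings.append((keyword, current, good))
    return findings


def harden(text: str) -> str:
    """Pin the hardened values at the top of the file and drop every global
    copy of those keywords, so the first-value-wins rule works for us rather
    than against us. Lines inside Match blocks are left alone."""
    pinned = {k.lower() for k in PREFERRED}
    out = [f"{k} {v}" for k, v in PREFERRED.items()]
    in_match = False
    for raw in text.splitlines():
        m = DIRECTIVE_RE.match(raw.strip())
        if m and m.group(1).lower() == "match":
            in_match = True
        if m and not in_match and m.group(1).lower() in pinned:
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, current, good in audit(parse_sshd_config(WEAK_CONFIG)):
        print(f"{keyword}: effective '{current}', should be '{good}'")
    print(harden(WEAK_CONFIG))
```

After editing the real file, `sshd -t` checks the syntax and `sshd -T` prints the effective values, which is the authoritative version of what `parse_sshd_config` approximates; keep an existing session open while you restart sshd so a typo cannot lock you out.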
