SSH Brute Force Attempts
Quite a while ago I modified an instance of sshd to log the client version and password for every attempted login. I then set it listening on a separate interface that I never log into. I finally got a chance to parse the logs (3 grep lines to dump data from the auth logs and 27 lines of Python to generate a CSV to load in Excel). The result was 12,214 attempts from 27 different source addresses.
The top 10 offending IPs were:
| Source IP | Attempts |
| --- | --- |
| 209.160.20.243 | 2752 |
| 211.144.121.116 | 2153 |
| 89.33.253.232 | 1557 |
| 24.72.23.27 | 1522 |
| 203.185.29.143 | 848 |
| 63.219.16.13 | 689 |
| 79.190.88.34 | 606 |
| 212.2.125.67 | 543 |
| 82.207.66.14 | 357 |
| 61.221.41.96 | 328 |
| Grand Total | 11355 |
On the username side, root came in at number one (did anyone not see that coming?) and the top 10 usernames accounted for roughly 1/3 of the attempts:
| Username | Attempts |
| --- | --- |
| root | 3336 |
| test | 256 |
| admin | 165 |
| oracle | 123 |
| ts | 85 |
| tester | 79 |
| nagios | 78 |
| tss | 77 |
| ts2 | 75 |
| testing | 74 |
| Grand Total | 4348 |
I also don't think that there's much of a surprise with the top 10 passwords:
| Password | Attempts |
| --- | --- |
| 123456 | 604 |
| password | 369 |
| 12345 | 200 |
| test | 179 |
| test123 | 163 |
| passwd | 136 |
| 123 | 114 |
| 1234 | 87 |
| qwerty | 71 |
| abc123 | 59 |
| Grand Total | 1982 |
I will most likely post the file going forward or release additional numbers (I'll admit that I'm kinda curious to read through all the usernames used); either way, there will be more data.
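
The tally step described at the top of the post, as an added example that is not the author's script: it assumes a hypothetical log line format (`login attempt: ip=... user=... client=... pass=...`), since the post does not show what the modified sshd wrote. Because the passwords are attacker-supplied text headed for a spreadsheet, it also prefixes values that would otherwise be evaluated as formulas.

```python
import csv
import io
import re
from collections import Counter

# Hypothetical line format (the post does not show what its patched sshd wrote).
# The password is the last field so spaces or '=' inside it survive parsing.
ATTEMPT = re.compile(r"sshd\[\d+\]: login attempt: ip=(?P<ip>\S+) user=(?P<user>\S*) "
                     r"client=(?P<client>\S+) pass=(?P<password>.*)$")

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 trap sshd[2211]: login attempt: ip=203.0.113.5 user=root client=SSH-2.0-libssh-0.1 pass=123456
Jan 12 03:14:09 trap sshd[2213]: login attempt: ip=203.0.113.5 user=root client=SSH-2.0-libssh-0.1 pass=password
Jan 12 04:01:55 trap sshd[2301]: login attempt: ip=198.51.100.23 user=root client=SSH-2.0-PuTTY pass=123456
Jan 12 04:01:58 trap sshd[2303]: login attempt: ip=198.51.100.23 user=oracle client=SSH-2.0-PuTTY pass=my pass=word
Jan 12 04:02:10 trap sshd[2303]: Connection closed by 198.51.100.23
"""

def tally(lines):
    """Count attempts per source IP, username and password; skip other lines."""
    counts = {"ip": Counter(), "user": Counter(), "password": Counter()}
    for line in lines:
        m = ATTEMPT.search(line.rstrip("\n"))
        if m:
            for field in counts:
                counts[field][m.group(field)] += 1
    return counts

def safe_cell(value):
    """Neutralise values a spreadsheet would evaluate as a formula."""
    return "'" + value if value[:1] in ("=", "+", "-", "@") else value

def top_n_csv(counter, n=10):
    """CSV text: top n values, their subtotal, and its share of all attempts."""
    total = sum(counter.values())
    top = counter.most_common(n)
    subtotal = sum(count for _, count in top)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["value", "attempts"])
    writer.writerows((safe_cell(v), c) for v, c in top)
    writer.writerow(["Top %d total" % n, subtotal])
    writer.writerow(["Share of all", "%.1f%%" % (100.0 * subtotal / total if total else 0.0)])
    return out.getvalue()

if __name__ == "__main__":
    print(top_n_csv(tally(SAMPLE_LOG.splitlines())["user"]))
```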