While I was upgrading openssh to 5.x (to make it easier to setup chroot jails for users),
I came across the ssh login attempts from bots.
grep -ir 'invalid user' /var/log/*
/var/log/auth.log.0:Aug 15 18:14:40 sshd: Invalid user production from 220.127.116.11
/var/log/auth.log.0:Aug 15 18:14:42 sshd: Failed password for invalid user production from 18.104.22.168 port 54327 ssh2
That’s when I noticed usernames like
minecraft, eggbreaker2, batman, sir, queen, elmo, frenzy, christmas, idiot, birdseed, einstein123, breast, knight, cookie, eminem, asshole123, googol, denied
and decided to make some graphs with the data.
Using Perl I extracted the information from the log files.
This is what I got from ~20.000 failed attempts (spread over a couple of days):
Bots tried ~5500 invalid usernames in ~15500 attempts
Invalid vs. existing usernames
It’s not surprising ‘root’ came out on top: it was used in 18.8% of all attempts.
That doesn’t seem like much, but it is, considering how many different usernames the bots tried.
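As an added example (not the author's Perl script), the following Python tallies failed logins from auth.log lines in the format quoted above, separating invalid from existing usernames and computing root's share of all attempts. The sample log lines are constructed and use documentation IP ranges.

```python
import re
from collections import Counter

# sshd writes one "Failed password" line per rejected login. The optional
# "invalid user " prefix tells an unknown account apart from an existing one.
# "Invalid user X from IP" lines are deliberately ignored: each is followed by a
# "Failed password for invalid user X" line, so counting both would double count.
FAILED = re.compile(
    r"sshd(?:\[\d+\])?: Failed password for (?P<inv>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(lines):
    """Count failed logins per username and split them into invalid/existing."""
    attempts = Counter()
    invalid_users = set()
    invalid_attempts = 0
    sources = set()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        attempts[m["user"]] += 1
        sources.add(m["ip"])
        if m["inv"]:
            invalid_users.add(m["user"])
            invalid_attempts += 1
    total = sum(attempts.values())
    return {
        "total": total,
        "invalid_attempts": invalid_attempts,
        "invalid_usernames": len(invalid_users),
        "root_share": round(100 * attempts["root"] / total, 1) if total else 0.0,
        "top": attempts.most_common(3),
        "sources": len(sources),
    }

# Constructed sample in the shape the post quotes (hostname and PID added, as
# most syslog setups include them; the regex accepts both forms).
SAMPLE_LOG = """\
Aug 15 18:14:40 host sshd[1234]: Invalid user production from 192.0.2.10
Aug 15 18:14:42 host sshd[1234]: Failed password for invalid user production from 192.0.2.10 port 54327 ssh2
Aug 15 18:14:50 host sshd[1240]: Failed password for root from 192.0.2.10 port 54330 ssh2
Aug 15 18:15:01 host sshd[1241]: Invalid user minecraft from 198.51.100.7
Aug 15 18:15:03 host sshd[1241]: Failed password for invalid user minecraft from 198.51.100.7 port 41022 ssh2
Aug 15 18:15:10 host sshd[1242]: Failed password for root from 198.51.100.7 port 41030 ssh2
Aug 15 18:15:20 host sshd[1243]: Invalid user batman from 198.51.100.7
Aug 15 18:15:22 host sshd[1243]: Failed password for invalid user batman from 198.51.100.7 port 41041 ssh2
Aug 15 18:15:30 host sshd[1244]: Invalid user minecraft from 203.0.113.5
Aug 15 18:15:32 host sshd[1244]: Failed password for invalid user minecraft from 203.0.113.5 port 50011 ssh2
Aug 15 18:15:40 host sshd[1245]: Accepted publickey for john from 203.0.113.9 port 50100 ssh2
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Feed it the real file with `summarize(open("/var/log/auth.log"))` to reproduce the post's numbers for your own host.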
You can disable root login by opening sshd_config and changing the ‘PermitRootLogin’ setting to ‘no’.
# Authentication:
PermitRootLogin no
Don’t forget to restart the SSH daemon.
P.S. Don’t lock yourself out by forgetting your other administrator users’ passwords 😉
I found out Symantec did the same thing a year ago; you can check their findings and recommendations if you want to protect against these attacks.
Set up a chroot jail
We have no FTP running on our server; users need to connect through SFTP.
Everyone gets a Unix user and home folder on the server. To hide the server structure and
limit the users to their home folder we had to set up chroot. It also blocks those users from logging in
with SSH; SFTP is the only allowed service.
Creating a chroot jail is fairly easy provided you use openssh 5.x.
This explanation is only valid for those versions, and I assume openssh is correctly installed.
If you need to install openssh I suggest you visit http://adamsworld.name/chrootjailv5.php
Open sshd_config; mine is located at /etc/ssh/sshd_config (the path depends on your installation).
Comment out all lines starting with ‘Subsystem’ and add ‘Subsystem sftp internal-sftp’.
Add the 4 lines containing the Match block at the end of the file.
# Subsystem sftp /usr/lib/openssh/sftp-server
# Setting up chroot jail
Subsystem sftp internal-sftp
Match group users
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
This jails all users in the group ‘users’ to their home folder. You can also jail individuals with another Match rule: ‘Match user username’.
Change ownership & rights
Create the group ‘users’, and add the persons you want to jail to the group.
The jail needs to be owned by the root user, so let’s say you want to jail ‘john’ (home folder: /home/john.com):
chmod 755 /home/john.com
chown root:root /home/john.com
Restart SSH daemon
# Debian, Ubuntu
sudo /etc/init.d/ssh restart
# Fedora, CentOS
sudo /etc/init.d/sshd restart
And you’re done!
The files and directories inside the home folder can have whatever rights and owner you please.