
Analyzing Malicious SSH Login Attempts


While I was upgrading openssh to 5.x (to make it easier to set up chroot jails for users),
I came across the SSH login attempts from bots.

grep -ir 'invalid user' /var/log/*

Example output

/var/log/auth.log.0:Aug 15 18:14:40 sshd[20296]: Invalid user production from 85.214.40.85
/var/log/auth.log.0:Aug 15 18:14:42 sshd[20296]: Failed password for invalid user production from 85.214.40.85 port 54327 ssh2

That’s when I noticed usernames like

minecraft, eggbreaker2, batman, sir, queen, elmo, frenzy, christmas, idiot, birdseed, einstein123, breast, knight, cookie, eminem, asshole123, googol, denied

and decided to make some graphs with the data.
Using perl I extracted the information from the log files.
This is what I got from ~20,000 failed attempts (spread over a couple of days).
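As an added example (not the author's Perl script), here is a Python version of the extraction described above: it counts failed password attempts per username from auth.log lines, separates invalid from existing usernames, and works out the share taken by root. The log lines are constructed to match the format quoted above; the IP addresses other than 85.214.40.85 are made up.

```python
import re
from collections import Counter

# Constructed sample auth.log lines, modelled on the format quoted in the post.
SAMPLE_LOG = """\
Aug 15 18:14:40 sshd[20296]: Invalid user production from 85.214.40.85
Aug 15 18:14:42 sshd[20296]: Failed password for invalid user production from 85.214.40.85 port 54327 ssh2
Aug 15 18:14:50 sshd[20301]: Failed password for root from 85.214.40.85 port 54330 ssh2
Aug 15 18:14:55 sshd[20305]: Failed password for invalid user minecraft from 85.214.40.85 port 54333 ssh2
Aug 15 18:15:01 sshd[20309]: Failed password for root from 198.51.100.7 port 40000 ssh2
Aug 15 18:15:03 sshd[20312]: Failed password for michiel from 198.51.100.7 port 40001 ssh2
Aug 15 18:15:09 sshd[20315]: Failed password for invalid user minecraft from 198.51.100.7 port 40002 ssh2
Aug 15 18:15:12 sshd[20318]: Accepted publickey for michiel from 192.0.2.10 port 51000 ssh2
"""

# Only the "Failed password" lines are counted, so each attempt is counted once;
# the preceding "Invalid user ..." line announces the same attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failed_logins(text):
    """Return (existing_users, invalid_users, source_ips) as Counters of failed attempts."""
    existing, invalid, ips = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and other sshd messages are skipped
        (invalid if m.group("invalid") else existing)[m.group("user")] += 1
        ips[m.group("ip")] += 1
    return existing, invalid, ips

def summarize(text, top=5):
    existing, invalid, ips = parse_failed_logins(text)
    total = sum(existing.values()) + sum(invalid.values())
    root_share = 100.0 * existing["root"] / total if total else 0.0
    return {
        "total_failed": total,
        "existing_top": existing.most_common(top),
        "invalid_top": invalid.most_common(top),
        "distinct_invalid_users": len(invalid),
        "root_share_pct": round(root_share, 1),
        "top_sources": ips.most_common(top),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it on a real server, replace SAMPLE_LOG with the contents of /var/log/auth.log* (the rotated files included, as the grep above does).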

Popular usernames

[Graph: Existing usernames, top 20]

[Graph: Invalid usernames, top 50] Bots tried ~5500 invalid usernames in ~15500 attempts.

[Graph: Invalid vs. existing usernames]

Overall

It’s not surprising ‘root’ came out on top: it was used in 18.8% of all attempts.
That doesn’t sound like much, but it is, given how many different usernames the bots tried.

You can disable root login by opening sshd_config and changing the ‘PermitRootLogin’ setting to ‘no’.

# Authentication:
PermitRootLogin no


Don’t forget to restart the SSH daemon.

P.S. don’t lock yourself out by forgetting your other administrator users’ passwords ;)

SSH Recommendations

I found out that Symantec did the same thing a year ago; you can check their findings and recommendations if you want to protect against these attacks.

Set up a chroot jail

We have no FTP running on our server; users need to connect through SFTP.
Everyone gets a Unix user and a home folder on the server. To hide the server structure and
limit the users to their home folder, we had to set up chroot. It also blocks those users from logging in
with SSH; SFTP is the only allowed service.

Creating a chroot jail is fairly easy, provided you use openssh 5.x.
This explanation is only valid for those versions, and I assume openssh is correctly installed.
If you need to install openssh, I suggest you visit http://adamsworld.name/chrootjailv5.php

Modify sshd_config

Mine is located at /etc/ssh/sshd_config (this depends on your installation).
Comment out all lines starting with ‘Subsystem’ and add ‘Subsystem sftp internal-sftp’.
Add the 4 lines containing the Match block at the end of the file.

# Subsystem sftp /usr/lib/openssh/sftp-server
# Setting up chroot jail
Subsystem sftp internal-sftp

Match group users
       ChrootDirectory /home/%u
       ForceCommand internal-sftp
       AllowTcpForwarding no

This jails all users in the group ‘users’ to their home folder. You can also jail individuals with another match rule: ‘Match user username’.

Change ownership & rights

Create the group ‘users’ and add the people you want to jail to the group.
The jail needs to be owned by the root user and must not be writable by anyone else (sshd refuses the chroot otherwise), so let’s say you want to jail ‘john’ (home folder: /home/john.com):

chmod 755 /home/john.com
chown root:root /home/john.com

Restart SSH daemon

# Debian, Ubuntu
sudo /etc/init.d/ssh restart

# Fedora, CentOS
sudo /etc/init.d/sshd restart

And you’re done!
The files and directories inside the home folder can have whatever rights and owner you please.


Written by michiel

August 18th, 2011 at 12:37 am

Posted in Server,Ubuntu