It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations, and now it seems that attackers are moving on to some new tactics. The Internet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that the number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses.
Usernames are being brute-forced starting at “aaa” and incremented. This is being done in a distributed manner with almost perfect synchronization between the scanning hosts. Over the last 32 hours, the reporting admin's system received 216 login attempts, of which 138 were from unique IP addresses. Obviously, the attacker is trying to avoid the popular SSH banning scripts by staying under the banning thresholds of these programs. At peak, there were only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities. Perhaps that is a bug, perhaps it is by design. The last letter was not being exhaustively tested: only about 10 of 26 letters were tried in the last position, and they seemed to be randomly picked.
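A detection check a defender could run alongside a per-IP ban script, written here as an added example rather than anything from the ISC report or the banning tools it mentions: it aggregates failed logins across all source addresses and scores whether the usernames tried form an incrementing sequence, which is the signature described above. The sshd log lines, hostname, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter
# Constructed sshd "Invalid user" lines (not from the article): eight attempts in
# 23 minutes, usernames counted up from "aaa", spread over six source addresses.
SAMPLE_LOG = """\
Jan 14 03:02:11 bastion sshd[4101]: Invalid user aaa from 198.51.100.7 port 50112
Jan 14 03:05:40 bastion sshd[4108]: Invalid user aab from 203.0.113.22 port 41990
Jan 14 03:08:03 bastion sshd[4115]: Invalid user aac from 192.0.2.130 port 38871
Jan 14 03:11:27 bastion sshd[4121]: Invalid user aad from 198.51.100.7 port 50140
Jan 14 03:14:55 bastion sshd[4127]: Invalid user aae from 203.0.113.9 port 60222
Jan 14 03:18:19 bastion sshd[4133]: Invalid user aaf from 192.0.2.41 port 45001
Jan 14 03:21:44 bastion sshd[4140]: Invalid user aag from 198.51.100.88 port 50301
Jan 14 03:25:02 bastion sshd[4146]: Invalid user aah from 203.0.113.22 port 42010
"""
LINE_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")

def parse_invalid_users(log):
    """Return [(username, source_ip), ...] for each sshd 'Invalid user' line."""
    return [m.groups() for m in map(LINE_RE.search, log.splitlines()) if m]

def next_username(name):
    """Increment a lowercase a-z string the way the scanner does: aaz -> aba."""
    chars = list(name)
    i = len(chars) - 1
    while i >= 0 and chars[i] == "z":      # carry over trailing z's
        chars[i] = "a"
        i -= 1
    if i < 0:                              # zzz rolls over to aaaa
        return "a" * (len(chars) + 1)
    chars[i] = chr(ord(chars[i]) + 1)
    return "".join(chars)

def sequence_score(names):
    """Share of distinct usernames whose direct successor was also tried.
    Dictionary attacks score near 0; an aaa, aab, aac enumeration scores 1."""
    if len(names) < 2:
        return 0.0
    return sum(1 for n in names if next_username(n) in names) / (len(names) - 1)

def distributed_enum_alert(log, maxretry=5, min_names=6, min_score=0.6):
    """Aggregate over all sources: flag an incrementing-username enumeration
    even when no single IP reaches the per-source ban threshold (maxretry)."""
    events = parse_invalid_users(log)
    names = {user for user, _ in events}
    per_ip = Counter(ip for _, ip in events)
    banned = sorted(ip for ip, n in per_ip.items() if n >= maxretry)
    score = sequence_score(names)
    return {"attempts": len(events), "unique_ips": len(per_ip), "banned": banned,
            "sequence_score": round(score, 2),
            "alert": not banned and len(names) >= min_names and score >= min_score}
```

On the sample, no address reaches a per-IP threshold of five, so a ban script stays silent, while the aggregate view sees eight attempts from six addresses with a sequence score of 1.0 and raises the alert.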
The widespread problems that have plagued SSH in the last few months are making it an attractive target for the attackers just looking to rattle doorknobs and see which ones pop open. If you haven’t already, now would be a good time to check your SSH server and make sure the password isn’t “aaa.”