Thanks to the end of term at many colleges and some K-12 schools, brute-force attacks against SSH servers surged sharply this past weekend, according to the SANS Internet Storm Center. The sudden jump in SSH attacks merits a re-examination of how such servers should be properly secured. Jim Owens and Jeanna Matthews of the Department of Computer Science at Clarkson University have published a paper on the methods these attacks frequently employ and on the best ways to defeat them.

Linux systems may be immune to the viruses and trojans written for Windows, but running Linux, in and of itself, provides no protection against the type of brute-force assault Owens and Matthews discuss. The two performed their experiment by setting up three honeypots in three separate locations: one system on a college campus, one in a small business, and one at a residence on a traditional DSL connection.

Data from the three systems suggests that brute-force attackers most often attempt to authenticate as "root." Attempts with this username accounted for 25.7 percent of the total login attempts observed. The password tried often matched the login (i.e., root/root or guest/guest) or was a simple derivative of it (Michael/Mike or William/Bill). Put side by side, the lists of attempted passwords for the three honeypots show a surprising amount of correlation.

Twelve of the top twenty password attempts were shared between all three servers, while a further five were shared between two of them. The high prevalence of shared passwords led the two computer scientists to conclude that the attacks were launched using a common set of at least five attack dictionaries. As shown in the table above, some of these dictionaries include passwords that would otherwise count as strong, so the authors recommend checking candidate passwords against the published attack dictionaries and rejecting any that appear there, rather than relying on length or character mix alone.
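The recommendation above translates into a simple pre-commit check on new passwords: reject anything that matches the login name, is a common derivative of it (the Michael/Mike, William/Bill pattern the honeypots saw), or appears in a known attack dictionary once the usual leetspeak substitutions and trailing digits are stripped. The following is an added example, not code from the paper or the article; the dictionary and nickname table are constructed stand-ins for the real attack lists, and the 12-character minimum is an assumed local policy, not one the paper states.

```python
import re

# Constructed stand-in for an SSH attack dictionary. The real lists the paper
# discusses are much longer; load them from disk in practice (assumption).
ATTACK_DICTIONARY = {
    "root", "toor", "password", "123456", "12345678", "admin", "test",
    "guest", "qwerty", "letmein", "oracle", "user", "changeme", "abc123",
}

# Constructed nickname table for the "simple derivative of the login" case.
NICKNAMES = {
    "michael": {"mike", "mick"},
    "william": {"bill", "will", "billy"},
    "robert": {"bob", "rob"},
    "richard": {"rick", "dick"},
}

# Undo the common substitutions attackers already account for: 0->o, 1->l,
# 3->e, 4->a, 5->s, @->a, $->s.  Both strings must be the same length.
LEET = str.maketrans("01345@$", "oleasas")

MIN_LENGTH = 12  # assumed local policy, not from the paper


def normalized_forms(password):
    """Return the set of 'shapes' a password collapses to once trivial
    decoration is removed: lowercased, de-leeted, and with trailing
    digits/symbols stripped (e.g. 'Mike2008' -> 'mike')."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {lowered, lowered.translate(LEET), stripped, stripped.translate(LEET)}


def weak_password_reasons(username, password):
    """Return a list of reasons the password should be rejected for this
    username; an empty list means it passed every check here."""
    reasons = []
    user = username.lower()
    forms = normalized_forms(password)

    if user in forms:
        reasons.append("matches username")
    elif len(user) >= 3 and any(user in f for f in forms):
        reasons.append("contains username")

    if forms & NICKNAMES.get(user, set()):
        reasons.append("derivative of username")

    if forms & ATTACK_DICTIONARY:
        reasons.append("in attack dictionary")

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    return reasons


if __name__ == "__main__":
    for u, p in [("root", "root"), ("michael", "Mike2008"),
                 ("deploy", "P@ssw0rd"), ("deploy", "correct horse battery staple")]:
        print(f"{u}/{p!r}: {weak_password_reasons(u, p) or 'ok'}")
```

Note that `P@ssw0rd` is rejected even though it mixes case, digits and symbols: the de-leeted form is `password`, which is exactly the kind of entry the attack dictionaries carry.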

SSH brute-force attacks themselves have evolved considerably. The very words "brute force" may conjure an image of a mightily thewed barbarian hacking away with an axe, but modern assaults more closely resemble a thief picking a lock carefully enough to avoid notice. Evidence suggests that some attackers now drive the attempts from botnets, launching only a handful of login attempts from each IP address so that no single source trips the threshold of log-monitoring or intrusion-detection software. This variant is referred to as a slow-motion brute-force attack, and the researchers expect to see more of them as attackers refine the technique.

If you run an SSH server that you want to protect from brute-force attack, Owens and Matthews recommend several steps. First, all passwords should be strong, usernames should be non-obvious, and SSH login to the root account should be disabled. The two also recommend running the SSH server on a non-standard high port, while acknowledging that this is a "security through obscurity" tactic, and they advocate software that parses the logs and acts on repeated failed logins. Taken together, these steps should go a long way toward protecting an SSH server even if the number of attacks keeps rising, with one caveat that follows from the slow-motion attacks described above: a tool that only counts failures per source address will never see a botnet that spends two or three guesses per host, so the same logs need to be read per target account as well.
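To show why the per-account view matters, here is an added example (not code from the paper or from any existing log-monitoring tool) that parses OpenSSH "Failed password" lines and applies two detectors: the classic per-IP threshold that fail2ban-style tools use, and a per-username count of distinct quiet sources that catches the slow-motion pattern. The log lines are constructed for the example, using documentation address ranges; the thresholds of 5 failures per IP and 8 distinct sources per account are assumptions you would tune to your own traffic.

```python
import re
from collections import Counter, defaultdict

# OpenSSH logs failures for unknown accounts with an extra "invalid user"
# marker; the optional group absorbs it so both forms parse the same way.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def _line(sec, user, ip, port, invalid=False):
    """Build one constructed sshd auth.log line in OpenSSH's format."""
    who = f"invalid user {user}" if invalid else user
    return (f"Jan 14 02:13:{sec:02d} bastion sshd[4242]: "
            f"Failed password for {who} from {ip} port {port} ssh2")


# Constructed sample: one noisy host hammering 'admin', a 12-host botnet
# trying 'root' twice each, and a single typo from a legitimate user.
SAMPLE_LOG = (
    [_line(s, "admin", "203.0.113.5", 51000 + s, invalid=True) for s in range(6)]
    + [_line(10 + i, "root", f"198.51.100.{i + 1}", 40000 + i)
       for i in range(12) for _ in range(2)]
    + [_line(59, "alice", "192.0.2.9", 60001)]
)


def parse_failures(lines):
    """Return (user, ip) pairs for every failed-password line."""
    out = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            out.append((m.group("user"), m.group("ip")))
    return out


def analyze(lines, per_ip_threshold=5, distinct_ip_threshold=8):
    """Run both detectors over the log.

    noisy_ips    : sources with >= per_ip_threshold failures (what a
                   per-IP blocker would catch).
    low_and_slow : accounts attacked from >= distinct_ip_threshold sources
                   that each stayed *below* the per-IP threshold, i.e. the
                   botnet pattern the per-IP rule misses.
    """
    failures = parse_failures(lines)
    per_ip = Counter(ip for _, ip in failures)
    noisy_ips = {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold}

    ips_by_user = defaultdict(set)
    for user, ip in failures:
        ips_by_user[user].add(ip)

    low_and_slow = {}
    for user, ips in ips_by_user.items():
        quiet_sources = [ip for ip in ips if ip not in noisy_ips]
        if len(quiet_sources) >= distinct_ip_threshold:
            low_and_slow[user] = len(quiet_sources)

    return {"failures": len(failures),
            "noisy_ips": noisy_ips,
            "low_and_slow": low_and_slow}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{report['failures']} failed logins")
    print("per-IP threshold caught:", report["noisy_ips"])
    print("slow-motion targets    :", report["low_and_slow"])
```

Against the sample, the per-IP rule flags only `203.0.113.5`; the twenty-four root attempts from the botnet never exceed two per address and are visible only in the `low_and_slow` result. Whether the right response is to lock the account, require key-based login for it, or just alert is a local decision; the point is that the signal exists in the same log the per-IP tools already read.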