Brute-force SSH attacks surge

By

An incident handler from SANS' Internet Storm Center has warned businesses to ensure their servers are secure as SSH attacks rose five-fold early this week


An SSH attack is a type of dictionary attack which aims to guess secure shell client usernames and passwords.

Writing in the ISC's website diary, incident handler Scott Fendley warned security professionals to be aware of what he called a "significant new trend".

He linked to statistics produced by denyhosts.net, a site which offers a script to defend against SSH hacking attempts, which showed a huge spike in SSH attacks on Monday.

In total, the site found nearly 10,000 SSH attacks on that one day: the daily norm is roughly 2,000. He added that anecdotal evidence from mailing lists confirmed the trend.

"This does appear to be a significant new trend of which we all should be aware," wrote Fendlay, who is also a security analyst at the University of Arkansas.

He suggested businesses should check which of their servers have SSH open to outsiders on the default port. He also suggested:

- Using host-based tools such as DenyHosts, fail2ban or BlockHosts in conjunction with TCP-Wrappers to block access to servers;
- Disabling access to the root account;
- Making sure usernames were not easily guessable;
- Using multiple factors of authentication or public keys if possible;
- Generally reducing the number of publicly accessible services through iptables or similar host-based security measures, in addition to using network firewalls.

Fendley said that hackers were trying to avoid detection by launching 'low and slow' attacks which avoid locking out accounts and being detected by intrusion detection systems. Some attackers were using botnets to perform distributed attacks to keep under detection thresholds, he said.

Fendley linked to a whitepaper from New York's Clarkson University which investigated methods used in brute-force SSH attacks.

SANS last year noted the widespread nature of brute-force password-guessing attacks. It said such attacks against SSH, FTP and Telnet servers were "the most common form of attack to compromise servers facing the internet."
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
attacksbruteforcesecuritysshsurge

Sponsored Whitepapers

Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra

Events

Most Read Articles

NSW Police to embark on $126m IT overhaul

NSW Police to embark on $126m IT overhaul
CBA looks to GenAI to assist 1200 'security champions'

CBA looks to GenAI to assist 1200 'security champions'
Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls
WestJet probes cyber security incident

WestJet probes cyber security incident
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?