Saturday, March 14, 2009

SSH brute force attack

Recently I bought a dedicated server. One of the provider's admins, who installed the system, added an account called "admin1". At first I wanted to remove it, but I thought it might be used for some checks, so I let it stay. One month later there was some activity on that account from an IP in a "strange" country, let's say. I asked the provider about it and they had no idea.
Luckily the box was not compromised, since the user didn't get any root access. I killed his processes and removed the account, but I still needed an answer for this mess.
And here it was: after some hundreds of "sshd[3157]: (pam_unix) authentication failure;" lines there was one "sshd[12358]: Accepted password for admin1 from X.X.X.X".

A classic brute-force attack on a weak password, so make sure you change every password (and remove every account you did not create yourself) when you buy a new dedicated server.
To be even safer, move sshd to another port and add iptables rules that deny SSH access from any IP other than yours. Note that the non-standard port only cuts the noise from mass scanners; the source-IP restriction is what actually keeps a guessed password from being usable, and disabling password authentication in sshd in favour of keys removes the weak password from the equation altogether.
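The pattern in the log above (a long run of PAM failures from one address, then a single "Accepted password" from the same address) is easy to spot mechanically. The script below is an added example, not from the original post: it runs that check over a few constructed log lines (hostname "box", PIDs and the addresses 198.51.100.7 / 203.0.113.x are made up, and the line format copies the post's "(pam_unix) authentication failure;" wording), and it prints the iptables rules suggested in the post for an assumed SSH port 2222 and admin address 203.0.113.5. Substitute your own port and address; the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not from the original post): detect the brute-force-then-
# success pattern in sshd/PAM log lines and print restrictive iptables rules.
set -e

# Constructed sample log. Host, PIDs and IPs are invented for this example;
# the line format follows the post's "(pam_unix) authentication failure;" style.
SAMPLE_AUTH_LOG='Mar 13 02:11:04 box sshd[3157]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin1
Mar 13 02:11:06 box sshd[3159]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin1
Mar 13 02:11:09 box sshd[3161]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin1
Mar 13 02:11:12 box sshd[3163]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin1
Mar 13 02:11:15 box sshd[3165]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin1
Mar 13 02:11:18 box sshd[12358]: Accepted password for admin1 from 198.51.100.7 port 41022 ssh2
Mar 13 09:30:00 box sshd[12400]: Accepted password for root from 203.0.113.5 port 50112 ssh2
Mar 13 09:31:00 box sshd[12401]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root'

# Read a log on stdin; print "<failures> <ip>" per source address, worst first.
failures_per_ip() {
    grep 'sshd\[[0-9]*\]: (pam_unix) authentication failure' \
        | sed -n 's/.*rhost=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Read a log on stdin; print "<user> <ip> <prior_failures>" for every
# password login accepted from an address that had already failed at least
# $1 times (default 5). A clean login from an address with no failures is
# not reported, so the root login from 203.0.113.5 above stays quiet.
suspicious_accepts() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /\(pam_unix\) authentication failure/ {
            if (match($0, /rhost=[0-9.]+/)) {
                ip = substr($0, RSTART + 6, RLENGTH - 6)   # strip "rhost="
                fail[ip]++
            }
            next
        }
        /Accepted password for/ {
            # fields: ... "Accepted" "password" "for" USER "from" IP "port" ...
            for (i = 1; i <= NF; i++) if ($i == "for") { user = $(i + 1); ip = $(i + 3) }
            if (fail[ip] >= t) print user, ip, fail[ip]
        }'
}

# Print (do not run) iptables rules allowing SSH on port $1 only from $2
# and dropping every other connection to that port. Both values are
# placeholders: pass your own sshd port and your own address.
ssh_firewall_rules() {
    port="${1:-2222}"
    admin_ip="${2:-203.0.113.5}"
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$admin_ip"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Stand-alone demo over the constructed log.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failures_per_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_accepts 5
ssh_firewall_rules 2222 203.0.113.5
```

Run it against the real file with `suspicious_accepts 20 < /var/log/auth.log` (or /var/log/secure on Red Hat style systems); the threshold is deliberately a parameter because a single mistyped password should not trip it. The firewall rules are ordered ACCEPT-then-DROP on purpose: append the ACCEPT for your address first, or the DROP will lock you out as well. Remember to change `Port` in sshd_config and restart sshd before switching the rules to the new port.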