Strong passwords no panacea as SSH brute-force attacks rise
With the end of term at many colleges and some K-12 schools, brute-force attacks against SSH servers surged sharply this past weekend, according to the SANS Internet Storm Center. The sudden jump in SSH attacks merits a re-examination of how such servers should be properly secured. Jim Owens and Jeanna Matthews of the Department of Computer Science at Clarkson University have published a paper on the methods that such attacks frequently employ and on the best ways to defeat them.
Linux systems may be secure against the viruses and trojans that can infect Windows, but running Linux, in and of itself, provides no protection against the type of brute-force assaults Owens and Matthews discuss. The two performed their experiment by setting up three honeypots in three separate locations, with one system located on a college campus, one in a small business, and one at a residence on a traditional DSL connection.
Data from the three systems suggests that brute-force attackers often attempt to log in as "root." Attacks with this username accounted for 25.7 percent of the total login attempts observed. The password chosen often matched the login (e.g., root/root or guest/guest), or was a simple derivative of the login (Michael/Mike or William/Bill). When put side by side, the lists of attempted passwords for the three honeypots show a surprising amount of correlation.
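To see whether your own server shows the same username pattern, the following added example (not code from the article or the paper) tallies failed password attempts in OpenSSH `sshd` log lines, reports the share aimed at root, and lists source addresses that tried several usernames. The sample log lines, the `summarize` function and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the OpenSSH sshd syslog format (not data from the study).
SAMPLE_LOG = """\
Jun  1 03:12:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun  1 03:12:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 40113 ssh2
Jun  1 03:12:05 host sshd[1003]: Failed password for invalid user guest from 203.0.113.7 port 40114 ssh2
Jun  1 03:12:09 host sshd[1004]: Failed password for invalid user michael from 203.0.113.7 port 40115 ssh2
Jun  1 03:15:40 host sshd[1005]: Accepted publickey for alice from 198.51.100.20 port 51022 ssh2
Jun  1 03:16:02 host sshd[1006]: Failed password for alice from 198.51.100.20 port 51030 ssh2
Jun  1 03:20:11 host sshd[1007]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jun  1 03:20:13 host sshd[1008]: Failed password for invalid user admin from 192.0.2.44 port 33002 ssh2
"""

# The username is attacker-controlled text. The greedy ".*" plus the end-of-line
# anchor makes the address come from sshd's own trailing "from <ip> port <n> ssh2".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2\s*$"
)

def summarize(log_text, threshold=3):
    """Count failed password logins per username and per source address."""
    users, sources, tried = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        users[m["user"]] += 1
        sources[m["ip"]] += 1
        tried.setdefault(m["ip"], set()).add(m["user"])
    total = sum(users.values())
    root_share = users["root"] / total if total else 0.0
    # Many failures across more than one username looks like guessing,
    # not a single user mistyping a password.
    flagged = sorted(ip for ip, n in sources.items()
                     if n >= threshold and len(tried[ip]) >= 2)
    return {"total": total, "root_share": root_share,
            "top_users": users.most_common(3), "flagged_sources": flagged}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} failed logins, {report['root_share']:.1%} as root")
    print("top usernames:", report["top_users"])
    print("sources to review:", report["flagged_sources"])
```

A high root share in your own logs is a direct argument for `PermitRootLogin no` and key-only authentication in `sshd_config`.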