May 16, 2008
According to the SANS Internet Storm Center, in the last few weeks, brute-force attacks against Linux
SSH servers have increased sharply, especially since May 10.
Most experts agree that Linux servers are more secure against the viruses and trojans that can severely
infect a Windows system, but running Linux still provides little or no protection against the type of
brute force assaults that were analyzed by SANS in the past week alone.
The Internet Storm Center experimented by setting up three 'Linux honeypots' in three separate locations,
with one server located on a college campus, one in a small business and one at a residence on a DSL Internet
connection. A 'honeypot' is a term used by Internet security experts
to describe a server set up specifically to 'trap' potential attackers and analyze their actions.
Honeypots can be set up on Linux servers as well as on those
running Windows.
The sudden jump in SSH attacks merits a re-examination of how Linux servers should be properly secured.
Jim Owens and Jeanna Matthews of the Department of Computer Science at Clarkson University have published a
paper on the various methods that such attacks frequently employ and on the best ways to defeat them.
Overall data from the three Linux servers used in these tests suggests that brute-force attackers often
attempt to authenticate as "root." Attacks with this username accounted for over 25.6 percent of the total login
The password chosen often matched the login, or was a simple derivative of the login. When put side by
side, the list of attempted passwords for each of the three honeypots shows a surprising amount of correlation.
On average, 12 of the top 20 password attempts were shared between all three servers, while a further 5 were
shared between 2 servers.
The very high prevalence of shared passwords led the two computer scientists to conclude that the attacks
were launched using a common set of at least 5 attack dictionaries. Some of these dictionaries include strong
passwords, and the authors recommend actively considering the listings of popular attack dictionaries when
If you or your company own and manage a Linux SSH server that you want to secure from potential brute-force
attacks, Owens and Matthews recommend taking several steps. First, all passwords should be strong, usernames
should be non-obvious, and SSH logins for the root account should be completely disabled.
Owens and Matthews also recommend running the SSH server on a non-standard high port, though they recognize
that this could be called a security-through-obscurity measure, and they advocate the use of software capable
of parsing log files and flagging multiple failed login attempts.
Taken in aggregate, such security measures should usually be sufficient to protect a Linux server, even if
the number of attacks continues to rise in the coming weeks.
In just the past year alone, brute force attacks on Web servers have evolved considerably, and the trend
seems to be accelerating. The very words "brute force" may conjure an image of a dangerous barbarian hacking
away with an axe, but modern Internet assaults more closely resemble the careful actions of a thief attempting
to avoid detection while picking a door lock.
Recent evidence suggests that some would-be hackers are now attacking via botnets, as they launch just a
handful of login attacks per IP address in order to avoid triggering intrusion-detection software. This new
attack variant is referred to as a slow-motion brute-force attack, and researchers expect to see more of them
as hackers refine the process.
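The log-parsing software Owens and Matthews recommend, and the slow-motion variant described above, can both be illustrated with a small detector run over sshd log lines. The following Python script is an added example written for this article; it is not code from SANS, the Clarkson paper, or any named tool. The log lines are constructed samples that mirror OpenSSH's "Failed password for ... from ... port ... ssh2" message, and the thresholds (5 failures per IP for a classic brute force, at most 3 per IP from at least 4 sources for a slow-motion one) are assumptions chosen for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt (not taken from the article or from any real host).
# One address hammers root (classic brute force); five addresses each try "admin"
# once or twice (slow-motion, per-IP counts stay under a typical lockout threshold);
# one ordinary user mistypes a password once and then logs in.
SAMPLE_LOG = """\
May 10 03:12:01 host sshd[2101]: Failed password for root from 203.0.113.9 port 40122 ssh2
May 10 03:12:03 host sshd[2101]: Failed password for root from 203.0.113.9 port 40123 ssh2
May 10 03:12:05 host sshd[2102]: Failed password for root from 203.0.113.9 port 40124 ssh2
May 10 03:12:07 host sshd[2103]: Failed password for root from 203.0.113.9 port 40125 ssh2
May 10 03:12:09 host sshd[2104]: Failed password for root from 203.0.113.9 port 40126 ssh2
May 10 03:12:11 host sshd[2105]: Failed password for root from 203.0.113.9 port 40127 ssh2
May 10 04:01:22 host sshd[2230]: Failed password for invalid user admin from 198.51.100.11 port 51000 ssh2
May 10 04:07:40 host sshd[2231]: Failed password for invalid user admin from 198.51.100.12 port 51001 ssh2
May 10 04:14:05 host sshd[2232]: Failed password for invalid user admin from 198.51.100.13 port 51002 ssh2
May 10 04:14:09 host sshd[2232]: Failed password for invalid user admin from 198.51.100.13 port 51003 ssh2
May 10 04:20:33 host sshd[2233]: Failed password for invalid user admin from 198.51.100.14 port 51004 ssh2
May 10 04:26:58 host sshd[2234]: Failed password for invalid user admin from 198.51.100.15 port 51005 ssh2
May 10 05:00:00 host sshd[2300]: Failed password for alice from 192.0.2.50 port 60000 ssh2
May 10 05:00:10 host sshd[2300]: Accepted password for alice from 192.0.2.50 port 60000 ssh2
"""

# OpenSSH reports "invalid user" when the username does not exist; the optional
# group absorbs that prefix so both forms yield the attempted username.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)


def parse_failures(log_text):
    """Return a list of (username, source_ip) tuples, one per failed login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def root_share(failures):
    """Fraction of failed attempts that targeted root (the statistic the article cites)."""
    if not failures:
        return 0.0
    return sum(1 for user, _ in failures if user == "root") / len(failures)


def fast_brute_force(failures, threshold=5):
    """Classic brute force: any single IP with at least `threshold` failures.

    This is the per-source counting that log-watching tools rely on to
    block an address after repeated failures.
    """
    counts = Counter(ip for _, ip in failures)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def slow_brute_force(failures, per_ip_max=3, min_sources=4):
    """Slow-motion brute force: a username probed from many IPs that each stay
    at or below `per_ip_max` failures, so no single source trips the fast rule.

    Keying on the targeted username rather than the source lets the distributed
    attempts add up even though each bot only sends a handful of tries.
    """
    per_user = defaultdict(Counter)  # username -> Counter(ip -> failures)
    for user, ip in failures:
        per_user[user][ip] += 1
    findings = {}
    for user, ips in per_user.items():
        quiet_sources = [ip for ip, n in ips.items() if n <= per_ip_max]
        if len(quiet_sources) >= min_sources:
            findings[user] = sorted(quiet_sources)
    return findings


def analyze(log_text):
    """Run both detectors over a log excerpt and return a summary dict."""
    failures = parse_failures(log_text)
    return {
        "failed_attempts": len(failures),
        "root_share": root_share(failures),
        "fast": fast_brute_force(failures),
        "slow": slow_brute_force(failures),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The per-IP rule alone catches only the first attacker; the second is visible only when failures are grouped by the account being targeted across sources, which is the gap the slow-motion variant is designed to exploit. On a real host the thresholds should be tuned against normal failure rates for the site, since a handful of mistyped passwords from a few legitimate users will otherwise look like a small distributed attack.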
Source: The SANS Internet Storm Center.