Two previous rounds of analysis using IP geolocation with Whois (Part 1 and Part 2) revealed that 40% to 45% of network intrusion attempts arriving at my public-facing SSH port could be traced back to Chinese hackers, and 20% to 25% to attackers in Russia and Eastern Europe. The tally is now in from a third round of observations, boasting a significantly longer integration period (more than four months versus about six to seven weeks in the earlier rounds) and yielding plenty of interesting and even unexpected results.
First things first: logs do not lie, and SSH scan attacks are on the rise. Attacks occurred with an average frequency in round one of 0.583 per day; in round two there were 1.065 attacks seen per day; and in the round now closing, I logged 1.417 attacks per day on average. Considering the total span of time under view as just eight short months, I would describe this escalation in the rate of a rather specialized and esoteric attack as rapid and alarming, and carrying the implication that more commonplace network attacks are likewise intensifying.
On 180 occasions between October 10, 2009 and February 13, 2010, intruders from 154 different IP addresses in 37 different countries were caught trying to gain illicit access to my server by running dictionary attacks against the SSH service. Every one of these attackers was promptly blacklisted automatically by fail2ban. Sixteen repeat offenders came back for further punishment, none more frequently than our old friends at 61.129.60.23, “Shanghai Telecom Corporation EDI Branch” in Shanghai, China, familiar from being banned three times in round two – banned six times this round.
China maintained the dubious distinction of leadership position among all regions, chalking up 76 out of the 180 observed attacks, a 42% share, consistent with expectations from past rounds. In fact, as the chart below illustrates, all other attack origins besides China occurred at a fraction of that rate, suggesting a more or less uniform or “background” frequency for their regions and leaving China dominant alone over all the world. (Better get used to that.)
Meanwhile, Russia and Eastern Europe logged an unexpectedly low share of all attack activity in light of past rounds, picking up only 15 attacks or 8% share. The same chart in earlier rounds showed 20% to 25% aggregate representation from Russia, Poland, and other satellite states of the former USSR – less pronounced than China but significantly greater than other regions. What happened to all the ex-Soviet bloc hackers that were tripping over themselves to break into my unremarkable Linux server prior to October? To tell you the truth, I don’t know. Either some factor caused this region to be spuriously overrepresented in rounds one and two, or some factor caused it to be spuriously underrepresented in round three, or the falloff is real.
China’s continued domination within the network intrusion arena should come as no surprise amid last month’s highly publicized allegations of state-sponsored electronic espionage and cyberwarfare, delivered at the hands of victimized Google. Forensics investigators purport that valuable data was bounced back to attackers through command and control servers in Illinois, Texas, and Taiwan, while Texas-based Rackspace, Inc. – from whose IP block, by the way, we were surreptitiously scanned in both rounds two and three – was specifically implicated. A malicious agent (Chinese or otherwise) that wished to mount attacks against valuable targets and cover its tracks after the fact would need to amass networks of such intermediate relays. The wide-area network intrusion vector, unlike, say, web or file-packaged attack vectors that target the endpoint, conveniently selects for systems that already have a desirable open network posture and can act as relays once compromised.
For the record, here is the complete round three log detail:
2009-10-10 17:36:09,708 fail2ban.actions: WARNING [ssh] Ban 118.102.25.161
2009-10-11 08:25:28,208 fail2ban.actions: WARNING [ssh] Ban 218.206.243.243
2009-10-11 12:25:53,248 fail2ban.actions: WARNING [ssh] Ban 60.220.224.103
2009-10-11 13:59:52,288 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-10-12 04:46:43,358 fail2ban.actions: WARNING [ssh] Ban 82.118.208.167
2009-10-13 11:57:10,418 fail2ban.actions: WARNING [ssh] Ban 60.220.224.103
2009-10-13 18:26:40,478 fail2ban.actions: WARNING [ssh] Ban 217.8.80.220
2009-10-13 19:55:50,538 fail2ban.actions: WARNING [ssh] Ban 203.117.187.184
2009-10-14 22:34:40,608 fail2ban.actions: WARNING [ssh] Ban 62.173.39.252
2009-10-15 09:24:09,688 fail2ban.actions: WARNING [ssh] Ban 173.15.102.65
2009-10-15 16:39:16,738 fail2ban.actions: WARNING [ssh] Ban 94.137.254.29
2009-10-16 02:53:34,798 fail2ban.actions: WARNING [ssh] Ban 190.81.28.182
2009-10-16 09:01:21,868 fail2ban.actions: WARNING [ssh] Ban 84.204.138.52
2009-10-16 14:16:53,958 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-10-16 19:28:09,018 fail2ban.actions: WARNING [ssh] Ban 59.52.255.63
2009-10-16 22:20:14,188 fail2ban.actions: WARNING [ssh] Ban 66.152.190.219
2009-10-17 16:13:07,308 fail2ban.actions: WARNING [ssh] Ban 203.117.187.184
2009-10-18 09:58:48,758 fail2ban.actions: WARNING [ssh] Ban 77.247.212.56
2009-10-18 20:25:07,818 fail2ban.actions: WARNING [ssh] Ban 89.238.130.130
2009-10-19 03:53:36,858 fail2ban.actions: WARNING [ssh] Ban 118.129.166.120
2009-10-19 05:42:36,908 fail2ban.actions: WARNING [ssh] Ban 118.129.166.120
2009-10-20 10:28:29,068 fail2ban.actions: WARNING [ssh] Ban 117.21.241.10
2009-10-20 16:01:21,118 fail2ban.actions: WARNING [ssh] Ban 61.7.231.114
2009-10-21 07:34:29,188 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-10-25 13:04:55,820 fail2ban.actions: WARNING [ssh] Ban 89.171.125.198
2009-10-26 21:19:17,889 fail2ban.actions: WARNING [ssh] Ban 210.181.96.27
2009-10-28 17:14:32,199 fail2ban.actions: WARNING [ssh] Ban 202.107.209.33
2009-10-30 12:18:49,389 fail2ban.actions: WARNING [ssh] Ban 210.110.181.56
2009-10-30 14:59:54,429 fail2ban.actions: WARNING [ssh] Ban 125.206.243.126
2009-10-31 07:00:02,499 fail2ban.actions: WARNING [ssh] Ban 61.189.16.37
2009-10-31 10:28:25,539 fail2ban.actions: WARNING [ssh] Ban 203.117.187.184
2009-10-31 22:23:25,590 fail2ban.actions: WARNING [ssh] Ban 110.172.24.28
2009-11-01 05:30:23,639 fail2ban.actions: WARNING [ssh] Ban 202.70.83.100
2009-11-01 10:38:04,129 fail2ban.actions: WARNING [ssh] Ban 210.110.181.56
2009-11-03 17:51:51,289 fail2ban.actions: WARNING [ssh] Ban 121.14.38.200
2009-11-05 03:59:41,419 fail2ban.actions: WARNING [ssh] Ban 174.143.170.13
2009-11-06 07:38:13,519 fail2ban.actions: WARNING [ssh] Ban 74.205.222.26
2009-11-06 09:01:20,583 fail2ban.actions: WARNING [ssh] Ban 124.254.14.153
2009-11-07 09:50:34,689 fail2ban.actions: WARNING [ssh] Ban 87.118.90.17
2009-11-07 20:56:51,779 fail2ban.actions: WARNING [ssh] Ban 209.12.229.206
2009-11-08 21:58:55,190 fail2ban.actions: WARNING [ssh] Ban 72.55.143.45
2009-11-10 09:22:31,309 fail2ban.actions: WARNING [ssh] Ban 121.96.25.101
2009-11-12 08:23:42,439 fail2ban.actions: WARNING [ssh] Ban 78.32.130.35
2009-11-12 10:28:31,480 fail2ban.actions: WARNING [ssh] Ban 222.74.228.158
2009-11-12 19:13:48,539 fail2ban.actions: WARNING [ssh] Ban 67.225.232.40
2009-11-13 13:04:27,619 fail2ban.actions: WARNING [ssh] Ban 119.161.145.162
2009-11-14 05:45:33,690 fail2ban.actions: WARNING [ssh] Ban 210.192.123.204
2009-11-14 23:22:29,769 fail2ban.actions: WARNING [ssh] Ban 124.124.105.235
2009-11-16 03:23:52,249 fail2ban.actions: WARNING [ssh] Ban 58.218.250.111
2009-11-16 04:25:32,299 fail2ban.actions: WARNING [ssh] Ban 67.63.160.133
2009-11-16 23:48:03,369 fail2ban.actions: WARNING [ssh] Ban 202.73.10.176
2009-11-17 08:17:49,419 fail2ban.actions: WARNING [ssh] Ban 63.247.65.146
2009-11-21 06:36:19,900 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-11-22 12:18:36,329 fail2ban.actions: WARNING [ssh] Ban 123.129.212.212
2009-11-22 12:29:21,369 fail2ban.actions: WARNING [ssh] Ban 113.105.0.205
2009-11-22 12:47:04,410 fail2ban.actions: WARNING [ssh] Ban 219.117.253.94
2009-11-22 19:07:10,750 fail2ban.actions: WARNING [ssh] Ban 95.158.128.18
2009-11-23 04:18:06,799 fail2ban.actions: WARNING [ssh] Ban 125.248.158.236
2009-11-23 07:01:50,489 fail2ban.actions: WARNING [ssh] Ban 91.211.117.51
2009-11-23 17:22:21,559 fail2ban.actions: WARNING [ssh] Ban 211.99.150.154
2009-11-24 14:10:56,679 fail2ban.actions: WARNING [ssh] Ban 219.117.221.234
2009-11-24 18:17:00,729 fail2ban.actions: WARNING [ssh] Ban 59.3.239.114
2009-11-25 10:29:50,590 fail2ban.actions: WARNING [ssh] Ban 173.45.92.122
2009-11-25 22:42:42,659 fail2ban.actions: WARNING [ssh] Ban 38.101.67.253
2009-11-26 02:55:26,719 fail2ban.actions: WARNING [ssh] Ban 202.54.54.234
2009-11-27 07:52:13,889 fail2ban.actions: WARNING [ssh] Ban 83.41.203.67
2009-11-27 09:53:04,929 fail2ban.actions: WARNING [ssh] Ban 118.212.129.145
2009-11-27 23:12:00,790 fail2ban.actions: WARNING [ssh] Ban 78.110.167.178
2009-11-28 04:28:26,839 fail2ban.actions: WARNING [ssh] Ban 202.104.148.229
2009-11-29 09:34:55,619 fail2ban.actions: WARNING [ssh] Ban 75.127.173.222
2009-11-30 07:16:06,790 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-12-03 05:08:01,162 fail2ban.actions: WARNING [ssh] Ban 210.48.153.214
2009-12-04 04:42:49,252 fail2ban.actions: WARNING [ssh] Ban 59.3.239.114
2009-12-04 17:56:42,342 fail2ban.actions: WARNING [ssh] Ban 201.0.145.106
2009-12-05 11:35:18,432 fail2ban.actions: WARNING [ssh] Ban 83.83.106.128
2009-12-06 06:23:28,870 fail2ban.actions: WARNING [ssh] Ban 203.94.1.23
2009-12-07 00:48:35,190 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-12-08 22:59:35,280 fail2ban.actions: WARNING [ssh] Ban 121.10.141.118
2009-12-10 03:29:02,420 fail2ban.actions: WARNING [ssh] Ban 210.0.144.109
2009-12-11 21:37:14,490 fail2ban.actions: WARNING [ssh] Ban 218.206.243.243
2009-12-12 00:11:46,530 fail2ban.actions: WARNING [ssh] Ban 78.111.99.186
2009-12-12 02:03:41,570 fail2ban.actions: WARNING [ssh] Ban 78.111.99.186
2009-12-12 08:26:37,610 fail2ban.actions: WARNING [ssh] Ban 187.45.205.140
2009-12-12 10:26:32,660 fail2ban.actions: WARNING [ssh] Ban 148.235.76.114
2009-12-12 13:16:51,700 fail2ban.actions: WARNING [ssh] Ban 219.148.111.179
2009-12-12 15:00:02,740 fail2ban.actions: WARNING [ssh] Ban 212.30.22.69
2009-12-13 08:27:25,780 fail2ban.actions: WARNING [ssh] Ban 58.211.168.252
2009-12-13 14:27:42,850 fail2ban.actions: WARNING [ssh] Ban 116.28.64.181
2009-12-14 04:42:02,920 fail2ban.actions: WARNING [ssh] Ban 74.205.222.27
2009-12-14 14:10:39,960 fail2ban.actions: WARNING [ssh] Ban 221.122.41.60
2009-12-14 16:44:37,000 fail2ban.actions: WARNING [ssh] Ban 201.0.210.186
2009-12-15 08:09:33,070 fail2ban.actions: WARNING [ssh] Ban 202.69.103.98
2009-12-15 16:45:51,110 fail2ban.actions: WARNING [ssh] Ban 221.122.41.60
2009-12-16 17:34:06,180 fail2ban.actions: WARNING [ssh] Ban 202.95.230.4
2009-12-17 09:08:59,230 fail2ban.actions: WARNING [ssh] Ban 201.238.235.11
2009-12-17 15:18:55,280 fail2ban.actions: WARNING [ssh] Ban 121.207.251.81
2009-12-17 16:51:06,320 fail2ban.actions: WARNING [ssh] Ban 195.149.118.43
2009-12-20 09:45:10,750 fail2ban.actions: WARNING [ssh] Ban 62.181.56.206
2009-12-20 15:30:20,792 fail2ban.actions: WARNING [ssh] Ban 124.127.117.20
2009-12-21 08:08:01,850 fail2ban.actions: WARNING [ssh] Ban 208.70.160.43
2009-12-22 13:23:48,920 fail2ban.actions: WARNING [ssh] Ban 196.15.143.106
2009-12-24 23:13:51,130 fail2ban.actions: WARNING [ssh] Ban 212.18.195.102
2009-12-25 02:06:26,180 fail2ban.actions: WARNING [ssh] Ban 124.127.117.20
2009-12-25 04:36:57,220 fail2ban.actions: WARNING [ssh] Ban 122.160.65.107
2009-12-25 09:57:32,270 fail2ban.actions: WARNING [ssh] Ban 59.3.239.114
2009-12-25 16:01:32,330 fail2ban.actions: WARNING [ssh] Ban 81.236.152.229
2009-12-25 20:33:16,390 fail2ban.actions: WARNING [ssh] Ban 59.108.230.130
2009-12-27 00:43:14,470 fail2ban.actions: WARNING [ssh] Ban 117.135.138.183
2009-12-27 14:11:23,840 fail2ban.actions: WARNING [ssh] Ban 59.46.39.204
2009-12-27 15:51:28,920 fail2ban.actions: WARNING [ssh] Ban 212.18.195.102
2009-12-27 18:51:41,960 fail2ban.actions: WARNING [ssh] Ban 118.98.163.214
2009-12-27 22:00:33,010 fail2ban.actions: WARNING [ssh] Ban 212.18.195.102
2009-12-28 00:03:07,070 fail2ban.actions: WARNING [ssh] Ban 118.129.166.120
2009-12-29 05:56:58,230 fail2ban.actions: WARNING [ssh] Ban 195.189.140.82
2009-12-30 05:23:09,290 fail2ban.actions: WARNING [ssh] Ban 96.57.49.213
2009-12-30 12:29:49,360 fail2ban.actions: WARNING [ssh] Ban 200.169.98.50
2010-01-03 07:24:36,982 fail2ban.actions: WARNING [ssh] Ban 72.252.249.10
2010-01-04 04:31:14,050 fail2ban.actions: WARNING [ssh] Ban 222.124.195.2
2010-01-04 14:09:37,100 fail2ban.actions: WARNING [ssh] Ban 174.142.32.175
2010-01-05 16:54:06,150 fail2ban.actions: WARNING [ssh] Ban 201.38.138.2
2010-01-06 15:10:48,210 fail2ban.actions: WARNING [ssh] Ban 123.129.202.199
2010-01-07 03:20:17,270 fail2ban.actions: WARNING [ssh] Ban 89.140.94.122
2010-01-07 06:16:27,310 fail2ban.actions: WARNING [ssh] Ban 222.45.235.74
2010-01-08 21:30:04,440 fail2ban.actions: WARNING [ssh] Ban 60.212.42.11
2010-01-09 07:05:34,480 fail2ban.actions: WARNING [ssh] Ban 93.180.91.254
2010-01-09 08:21:17,520 fail2ban.actions: WARNING [ssh] Ban 222.73.68.164
2010-01-11 23:49:38,910 fail2ban.actions: WARNING [ssh] Ban 84.38.18.74
2010-01-12 07:08:27,950 fail2ban.actions: WARNING [ssh] Ban 58.22.102.169
2010-01-13 12:36:45,020 fail2ban.actions: WARNING [ssh] Ban 63.208.120.229
2010-01-15 08:22:30,220 fail2ban.actions: WARNING [ssh] Ban 119.161.144.182
2010-01-15 11:51:12,260 fail2ban.actions: WARNING [ssh] Ban 61.82.144.2
2010-01-15 19:21:04,340 fail2ban.actions: WARNING [ssh] Ban 62.101.89.125
2010-01-16 05:19:15,380 fail2ban.actions: WARNING [ssh] Ban 189.114.59.200
2010-01-16 22:46:29,450 fail2ban.actions: WARNING [ssh] Ban 222.73.68.164
2010-01-17 06:28:36,490 fail2ban.actions: WARNING [ssh] Ban 218.241.173.35
2010-01-17 15:13:26,110 fail2ban.actions: WARNING [ssh] Ban 203.240.201.98
2010-01-18 10:19:51,190 fail2ban.actions: WARNING [ssh] Ban 222.208.183.21
2010-01-19 06:55:38,270 fail2ban.actions: WARNING [ssh] Ban 212.13.197.42
2010-01-19 09:14:51,340 fail2ban.actions: WARNING [ssh] Ban 190.81.104.28
2010-01-19 10:21:33,390 fail2ban.actions: WARNING [ssh] Ban 59.37.54.48
2010-01-22 02:15:50,540 fail2ban.actions: WARNING [ssh] Ban 116.28.64.181
2010-01-22 21:30:19,662 fail2ban.actions: WARNING [ssh] Ban 81.10.208.178
2010-01-23 00:58:29,702 fail2ban.actions: WARNING [ssh] Ban 213.154.72.72
2010-01-23 03:52:43,742 fail2ban.actions: WARNING [ssh] Ban 77.92.148.23
2010-01-23 06:21:06,782 fail2ban.actions: WARNING [ssh] Ban 189.1.164.92
2010-01-23 14:13:19,822 fail2ban.actions: WARNING [ssh] Ban 59.108.53.212
2010-01-23 14:35:03,862 fail2ban.actions: WARNING [ssh] Ban 60.28.183.156
2010-01-24 05:49:56,932 fail2ban.actions: WARNING [ssh] Ban 60.217.32.137
2010-01-24 10:16:58,352 fail2ban.actions: WARNING [ssh] Ban 75.141.200.176
2010-01-24 11:33:19,392 fail2ban.actions: WARNING [ssh] Ban 119.6.126.2
2010-01-24 17:31:13,442 fail2ban.actions: WARNING [ssh] Ban 140.128.101.230
2010-01-25 07:03:13,492 fail2ban.actions: WARNING [ssh] Ban 210.175.111.28
2010-01-25 15:33:13,562 fail2ban.actions: WARNING [ssh] Ban 58.19.182.194
2010-01-26 20:07:46,702 fail2ban.actions: WARNING [ssh] Ban 124.30.230.147
2010-01-27 16:22:59,812 fail2ban.actions: WARNING [ssh] Ban 222.195.137.249
2010-01-28 01:56:26,862 fail2ban.actions: WARNING [ssh] Ban 125.210.34.228
2010-01-28 23:00:18,942 fail2ban.actions: WARNING [ssh] Ban 218.106.96.230
2010-01-31 05:46:58,522 fail2ban.actions: WARNING [ssh] Ban 84.235.124.106
2010-02-01 23:58:00,332 fail2ban.actions: WARNING [ssh] Ban 220.227.125.100
2010-02-02 13:05:46,423 fail2ban.actions: WARNING [ssh] Ban 219.153.34.206
2010-02-03 15:00:05,513 fail2ban.actions: WARNING [ssh] Ban 119.93.16.36
2010-02-05 02:46:58,261 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2010-02-07 04:34:23,998 fail2ban.actions: WARNING [ssh] Ban 121.37.58.49
2010-02-07 06:29:54,038 fail2ban.actions: WARNING [ssh] Ban 118.129.153.43
2010-02-07 06:38:07,398 fail2ban.actions: WARNING [ssh] Ban 118.129.153.43
2010-02-07 22:15:53,889 fail2ban.actions: WARNING [ssh] Ban 84.235.124.106
2010-02-08 06:07:42,929 fail2ban.actions: WARNING [ssh] Ban 111.73.45.211
2010-02-08 09:47:12,989 fail2ban.actions: WARNING [ssh] Ban 124.74.243.79
2010-02-08 18:52:28,039 fail2ban.actions: WARNING [ssh] Ban 222.124.195.2
2010-02-09 04:50:38,079 fail2ban.actions: WARNING [ssh] Ban 124.207.40.151
2010-02-10 04:13:38,149 fail2ban.actions: WARNING [ssh] Ban 221.195.68.74
2010-02-10 09:54:07,209 fail2ban.actions: WARNING [ssh] Ban 118.129.153.43
2010-02-10 14:55:55,259 fail2ban.actions: WARNING [ssh] Ban 98.117.120.78
2010-02-11 02:35:12,319 fail2ban.actions: WARNING [ssh] Ban 218.3.88.114
2010-02-11 08:59:15,361 fail2ban.actions: WARNING [ssh] Ban 58.216.152.134
2010-02-11 18:45:17,407 fail2ban.actions: WARNING [ssh] Ban 121.34.248.1
2010-02-11 21:37:00,447 fail2ban.actions: WARNING [ssh] Ban 193.192.238.10
2010-02-11 23:13:16,487 fail2ban.actions: WARNING [ssh] Ban 122.129.241.73
2010-02-12 03:25:44,537 fail2ban.actions: WARNING [ssh] Ban 220.90.134.2
2010-02-13 16:45:00,627 fail2ban.actions: WARNING [ssh] Ban 116.28.64.181
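The figures quoted above (total bans, distinct source addresses, repeat offenders, bans per day) all fall out of the fail2ban log with a few lines of parsing. The script below is an added example, not part of the original post: it assumes the fail2ban 0.8-era "fail2ban.actions: WARNING [jail] Ban <ip>" line format shown in the listing, its sample input is a handful of lines copied from that listing plus one constructed Unban line to show that non-Ban actions are skipped, and it counts days inclusively from the first to the last ban date, which is the convention under which the post's 180 bans between 2009-10-10 and 2010-02-13 (127 days) yield its 1.417 bans per day.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the "Ban" action lines fail2ban writes to its log, in the exact form
# shown in the post's round-three listing (timestamp, ms, jail name, IP).
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"fail2ban\.actions: WARNING \[(?P<jail>[^\]]+)\] Ban "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Sample input: lines copied from the post's log, plus one constructed
# "Unban" line (not in the post) to show that non-Ban actions are ignored.
SAMPLE_LOG = """\
2009-10-10 17:36:09,708 fail2ban.actions: WARNING [ssh] Ban 118.102.25.161
2009-10-11 12:25:53,248 fail2ban.actions: WARNING [ssh] Ban 60.220.224.103
2009-10-11 13:59:52,288 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-10-13 11:57:10,418 fail2ban.actions: WARNING [ssh] Ban 60.220.224.103
2009-10-21 07:34:29,188 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-10-21 07:44:29,188 fail2ban.actions: WARNING [ssh] Unban 61.129.60.23
2009-11-21 06:36:19,900 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2010-02-13 16:45:00,627 fail2ban.actions: WARNING [ssh] Ban 116.28.64.181
"""


def parse_bans(lines):
    """Return a list of (timestamp, jail, ip) tuples, one per Ban line.

    Lines that do not match (Unban actions, filter chatter, startup notices)
    are skipped rather than treated as errors.
    """
    bans = []
    for line in lines:
        m = BAN_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            bans.append((ts, m["jail"], m["ip"]))
    return bans


def summarize(lines):
    """Compute the figures the post reports from a fail2ban log.

    Days are counted inclusively from the first to the last ban date, so the
    post's 180 bans over 2009-10-10 .. 2010-02-13 give 180 / 127 = 1.417/day.
    """
    bans = parse_bans(lines)
    if not bans:
        return {"total": 0, "unique_ips": 0, "repeat_offenders": 0,
                "top": [], "days": 0, "per_day": 0.0}
    counts = Counter(ip for _, _, ip in bans)
    first = min(ts for ts, _, _ in bans).date()
    last = max(ts for ts, _, _ in bans).date()
    days = (last - first).days + 1
    return {
        "total": len(bans),
        "unique_ips": len(counts),
        "repeat_offenders": sum(1 for n in counts.values() if n > 1),
        "top": counts.most_common(3),
        "days": days,
        "per_day": len(bans) / days,
    }


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/fail2ban.log") for a real host.
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample the script reports 7 bans from 4 addresses, 2 repeat offenders with 61.129.60.23 on top at 3 bans, and 0.055 bans per day over the 127-day window; pointing it at a full fail2ban.log gives the round-three numbers directly.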
Who is at risk from this hacking activity? Service providers have the most direct exposure and should think long and hard about their perimeter defenses. Weak passwords on any WAN-facing service are an open invitation to compromise. The most diligently patched, up-to-date system will be taken down in an instant through bad password security (as in this example), though in that case the intruder probably won’t be able to gain root. Risk analysis used to be predicated upon the dollar value of data on the host – e.g., Ann’s knitting store site merited less intrusion protection than a large merchant site server or a banking web application. In the new threat environment where every shell compromise might well be one hop away from a national security breach, can system administrators continue to be so lax?
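The cheapest defense against the password guessing logged above is to make sure sshd does not accept passwords from the WAN at all. As an added example that is not from the post, the script below audits an sshd_config text for the settings that leave that door open, placing a permissive fragment beside a hardened one; both fragments are constructed, not taken from any real host. It follows the sshd_config(5) rules that matter here (keywords are case-insensitive and the first occurrence of a keyword wins) and, as a simplification, ignores everything after a Match line rather than modelling conditional blocks.

```python
import re

# Constructed sshd_config fragments for this example (not from the post).
WEAK_CONFIG = """\
# constructed: permissive settings that invite dictionary attacks
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
# constructed: key-only login, no root, no PAM password fallback
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return the effective global keyword -> value map for an sshd_config.

    Per sshd_config(5): keywords are case-insensitive, the first occurrence of
    a keyword wins, '#' starts a comment, and keyword and value may be
    separated by whitespace or '='. Directives after a Match line are
    conditional and are not treated as global (a simplification here).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def audit(text):
    """Return a list of findings for settings that expose password logins."""
    cfg = parse_sshd_config(text)
    findings = []

    password = cfg.get("passwordauthentication")
    if password != "no":
        findings.append(
            f"PasswordAuthentication is {password or 'unset (defaults to yes)'}: "
            "dictionary attacks can succeed; set it to 'no' and use keys"
        )

    root = cfg.get("permitrootlogin")
    if root != "no":
        findings.append(
            f"PermitRootLogin is {root or 'not set explicitly'}: "
            "a guessed root password gives full control; set it to 'no'"
        )

    if cfg.get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: passwordless accounts are reachable")

    # Even with PasswordAuthentication no, keyboard-interactive logins through
    # PAM still prompt for the account password unless challenge-response
    # authentication is disabled as well.
    if (cfg.get("usepam") == "yes"
            and cfg.get("challengeresponseauthentication", "yes") != "no"):
        findings.append(
            "UsePAM yes with ChallengeResponseAuthentication not 'no': "
            "PAM can still accept passwords via keyboard-interactive"
        )
    return findings


if __name__ == "__main__":
    # Replace the constants with open("/etc/ssh/sshd_config").read() on a real host.
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["no findings"])
```

The weak fragment produces three findings (password logins, root logins, and the PAM keyboard-interactive fallback), the hardened one none. The PAM check is the one most often missed: switching PasswordAuthentication to no alone does not stop password prompts when UsePAM is yes and ChallengeResponseAuthentication is left at its default.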
Resources
Wired: Threat Level – Google Attack Details
SecurityFocus Infocus: Responding to a Brute Force SSH Attack