Detection with the help of SSH hostkeys

SSH account probes are normally originate from hacked systems which have been compromised the same way. That's why we mostly identify UNIX or Linux systems with active SSH service as the attacking system. Some projects collect the IP addresses of attacking systems to identify them before they are able to do harm (e.g. DenyH0st [3]). Instead of using IP addresses, one could use the hostkeys of attacking hosts to identify them. There are several advantages:

Several methods of detection were evaluated using 12858 attacks against SSH honeypots between Februar 15 and November 15, 2012. The results were first published in the proceedings of the 20. DFN Workshop in Hamburg [4] and at the Frühjahrsfachgespräche of the German UNIX User Group (GUUG) in Frankfurt [5]. Further analysis has been presented at the 6th Secure Linux Administration Conference (SLAC) in Berlin [7] (e.g. the mystery of the ubiquitous hostkeys). All in all, the data shows a slightly higher detection rate using SSH hostkeys instead of source IP addresses.

We invite interested system administrators to verify our results. The following table holds the hostkeys of all attacking systems seen in the last two, four, or eight weeks. The lists are created each day. The data is recorded by SSH honeypots and can be used with our without the timestamp of the last seen attack.

  2 weeks 4 weeks 8 weeks
hostkey fingerprints fp-2w.txt fp-4w.txt fp-8w.txt
hostkey fingerprints with timestamps fp-ts-2w.txt fp-ts-4w.txt fp-ts-8w.txt

The process of data collection is automated and was thoroughly tested. Nevertheless, errors are still possible and we cannot guarantee the correctness of the data. Specifically, the data might contain false positives: legitimate systems on the black list.

The lists can be used in several ways. E.g. a script could parse the logfile of the SSH server. When a user tries to logon, the hostkey of the source IP is determined. This can be done with the tool nmap:

nmap -PN -n --script=ssh-hostkey -p 22 <IP-von-der-Login-erfolgte>
The hostkey can now be checked against the above lists. If it matches, an alert should be generated. Please give us feedback if you are using the lists in this or any other way.