SSH Attacks

When you run a UNIX-based system on the internet you will see many login attempts. You will quickly find out that these are not mistakes but real attacks when you accidentally connect a test system with a weak root password. Attackers are constantly trying to guess the passwords of various accounts on your systems in order to gain access.

This type of attack is pretty simple, but it still raises some questions. Which tools are used? How do the attackers proceed, and where do they come from? And most interestingly: what will they do with my system once they get access?

The use of honeypots

Bears can be attracted with honey; hackers can be studied with so-called honeypots, systems that pretend to be vulnerable to specific attacks. To find out more about the attackers and what they actually do, Torsten Voss and Andreas Bunten used several types of honeypots to study them.

Different types of honeypots let us extract different kinds of information:

During our investigation we quickly realised that most attacks originate from compromised systems. These results were first published at LinuxTag 2012 in Berlin [1]; further information can be found in an Uptimes article [2]. In most cases the attacking systems run an SSH server themselves and can be recognised by their hostkey even when their IP addresses change. We compared different ways of recognising attacking systems and found SSH hostkeys to be more stable than the source IP. The statistical data was published in the proceedings of the 20th DFN Workshop in Hamburg [4], and further information was presented at the Frühjahrsfachgespräche 2013 of the German UNIX User Group (GUUG) in Frankfurt [6]. A closer look at the SSH hostkeys revealed more mysteries: for example, a few keys are present on hundreds of systems that seem unrelated to one another (Secure Linux Administration Conference (SLAC) 2013 in Berlin [8], Uptimes 3/2013 [9]).
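One way to apply the hostkey comparison described above, as an added example and not code from the study itself: it takes ssh-keyscan style output collected for attacking addresses (a constructed sample here, with placeholder key blobs rather than real keys), computes OpenSSH-style SHA256 fingerprints and groups addresses by key, so a system that returns under a new IP, or a key shared by many hosts, shows up as one key with several addresses.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format ("host keytype base64-blob"),
# as if collected on several days from addresses that attacked a honeypot.
# The key blobs are placeholders of the right shape, not real keys.
SAMPLE_KEYSCAN = """\
198.51.100.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY0001
198.51.100.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY0001
203.0.113.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY0002
203.0.113.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY0002
192.0.2.77 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY0003
192.0.2.77 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY0004
"""


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(decoded blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_hostkey(keyscan_text: str):
    """Return (ips_by_key, keys_by_ip) built from ssh-keyscan style lines.

    Comment lines and lines without the three fields host, keytype, blob are skipped.
    """
    ips_by_key = defaultdict(set)
    keys_by_ip = defaultdict(set)
    for line in keyscan_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        ip, keytype, blob = parts[:3]
        key = (keytype, fingerprint(blob))
        ips_by_key[key].add(ip)
        keys_by_ip[ip].add(key)
    return dict(ips_by_key), dict(keys_by_ip)


def keys_seen_from_several_ips(ips_by_key):
    """Keys presented by more than one address: candidates for the same
    compromised system showing up again after its IP changed (or, at high
    counts, a key shared across many seemingly unrelated hosts)."""
    return {k: sorted(v) for k, v in ips_by_key.items() if len(v) > 1}


def ips_that_changed_key(keys_by_ip):
    """Addresses that presented different hostkeys over time, e.g. because
    the machine behind them was reinstalled or the address was reassigned."""
    return sorted(ip for ip, keys in keys_by_ip.items() if len(keys) > 1)
```

Real input would come from running ssh-keyscan against the source addresses logged by the honeypot and appending each day's output to one file.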

Recording of the talk "Dr Bruteforce - Oder wie ich lernte SSH-Angriffe zu lieben" at SLAC 2013 in Berlin [8]

Honeypots can be used for more than investigating SSH attacks. An article in the information security magazine <kes> presented various ways of using honeypots in commercial environments [7]. Building on the SSH honeypot data, Denise Muth created an abstract model of server compromises (20th DFN Workshop in Hamburg [5]).

We received a lot of support from people hosting ARM-based low-interaction honeypot systems. We would like to thank Guido, Barbara, Sabine, Agnes, Josef, Eve and Christel for their help!


[1] Andreas Bunten and Torsten Voss: Wie man SSH-Angreifern mit Linux Honeypots nachstellt, talk at the 18th LinuxTag in Berlin, May 2012 (local copy)

[2] Andreas Bunten and Torsten Voss: Stille Beobachter, Uptimes - Mitgliederzeitschrift der German Unix User Group, issue 2 - 2012, pp. 13ff (local copy)

[3] Homepage of the DenyHosts project: http://denyhosts.sourceforge.net

[4] Andreas Bunten and Torsten Voss: SSH-Honeypots und neue Schutzmaßnahmen gegen Brute Force Angriffe, in the proceedings of the 20th DFN Workshop, February 2013 (local copy)

[5] Denise Muth: Generischer Ablauf von Serversystemeinbrüchen - Analyse und Konzeption, 20th DFN Workshop, February 2013

[6] Andreas Bunten and Torsten Voss: Die Admins schlagen zurück: SSH-Angreifern mit Honeypots über die Schulter schauen, GUUG Frühjahrsfachgespräch, February 2013 (local copy)

[7] Andreas Bunten: Honeypots im Unternehmen, <kes> – Die Fachzeitschrift für Informations-Sicherheit, issue 2 - 2013, pp. 66ff

[8] Andreas Bunten and Torsten Voss: Dr Bruteforce - Oder wie ich lernte SSH-Angriffe zu lieben, 6th Secure Linux Administration Conference (SLAC), Berlin, June 2013 (local copy)

[9] Andreas Bunten and Torsten Voss: Winterkrimi 2013: Die rätselhaften SSH-Hostkeys, Uptimes - Mitgliederzeitschrift der German Unix User Group, issue 3 - 2013, pp. 9ff (local copy)