SSH hacking. Amazed at the number of SSH attackers. It's common to see people trying to break into your root account. The internet is an amazing thing, allowing us to learn a vast amount of information and content. It is also the biggest distraction ever made, with YouTube, chat rooms and general black holes. And the internet allows us to hack the hell out of each other. An internet-connected device will constantly be attacked, almost no matter what IP address you have!

You will constantly see it in the logs. You see ‘Failed password for root from 103.152.242.19 port 40834 ssh2’ entries. This happens on every host. It happens on hosts that have little valuable information. I found this information on a person's cloud host that they use to host a personal site... nothing of value at ALL, yet it gets hacked all the time.

What else?

The attackers also use usernames that are common in software found on systems, like admin, test, and other default accounts. And they do this 24 hours a day, every day of the week, never ending. You can block them with IP address blocking, IP geo-blocking, or by simply not letting anyone connect except valid users.

How? Allow only certain IP addresses to connect to your host: only the vendor's IP or your own gets into the server. A great method.

How else? You can limit when people connect and WHO can connect, as well.

To prevent anyone on the internet from connecting, you can limit the times at which connections are allowed. This is similar to a ‘time lock’ on a bank safe.

A time lock prevents anyone from trying to get into the safe, except during business hours.

Using the same concept as a time lock, you can restrict when your machine accepts connections at all.

Use a ‘just in time’ authentication method so that the device accepts connections to your host only when you need them.

On Microsoft Azure, look up ‘just in time’ authentication for this service.

Here is some data I found in the auth.log file. This file shows valid and invalid connection attempts. I sorted this file using several unix commands. It was found with unix commands looking at the auth.log file. The command was as follows:

grep 'invalid user' auth.log.1 | awk '{print $13}' | sort -n -r | uniq -c > out19_cc.txt
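To make this kind of count less dependent on awk field positions, and to show what the IP allowlist and time-lock ideas described above would do to such traffic, here is an added example that is not code from the original post. It parses constructed auth.log lines with a regex keyed on the phrase "Failed password for", computes the same kind of per-username and per-IP statistics, and replays every attempt against a source-network allowlist plus a business-hours window. The log lines, addresses, networks and hours are all invented for the example.

```python
"""Count failed SSH logins per username and source IP, then replay them
against an allowlist + time-lock policy. Added example; sample data and
policy values are constructed, not taken from the post's host."""
import re
from collections import Counter
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/auth.log lines (documentation-range IPs).
# sshd logs "Invalid user X from IP" (capital I) when the account does not
# exist, then "Failed password for invalid user X from IP" for the guess
# itself; grepping the lowercase phrase counts each guess exactly once.
SAMPLE_LOG = """\
Mar 10 01:00:02 vps sshd[2011]: Invalid user admin from 203.0.113.7 port 40834
Mar 10 01:00:04 vps sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 40834 ssh2
Mar 10 01:00:24 vps sshd[2014]: Failed password for invalid user test from 203.0.113.7 port 40912 ssh2
Mar 10 01:00:44 vps sshd[2019]: Failed password for root from 198.51.100.23 port 51200 ssh2
Mar 10 01:01:04 vps sshd[2022]: Failed password for invalid user admin from 198.51.100.23 port 51233 ssh2
Mar 10 01:01:24 vps sshd[2025]: Failed password for invalid user oracle from 192.0.2.99 port 60001 ssh2
Mar 10 01:01:44 vps sshd[2030]: Failed password for invalid user  from 192.0.2.99 port 60002 ssh2
Mar 10 01:02:04 vps sshd[2033]: Failed password for invalid user admin from 192.0.2.99 port 60003 ssh2
Mar 10 09:15:00 vps sshd[2040]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
"""

# Match on keywords, not on awk field numbers: an empty username
# ("invalid user  from") shifts every later field by one; a regex does not care.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S*) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, invalid_only=True):
    """Return (timestamp, username, ip) for each failed password attempt.
    syslog timestamps carry no year, so datetime fills in 1900; differences
    within one file are still right unless the file spans New Year."""
    records = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or (invalid_only and not m["invalid"]):
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        records.append((ts, m["user"] or "<empty>", m["ip"]))
    return records


def summarize(log_text, invalid_only=True):
    """Per-host statistics: totals, unique IPs/usernames, attempt interval."""
    records = parse_failures(log_text, invalid_only)
    by_user = Counter(user for _, user, _ in records)
    by_ip = Counter(ip for _, _, ip in records)
    n = len(records)
    stamps = [ts for ts, _, _ in records]
    span = (max(stamps) - min(stamps)).total_seconds() if n > 1 else 0.0
    return {
        "attempts": n,
        "unique_ips": len(by_ip),
        "tries_per_ip": n / len(by_ip) if by_ip else 0.0,
        "unique_users": len(by_user),
        "users_seen_more_than_once": sum(1 for c in by_user.values() if c > 1),
        "seconds_between_attempts": span / (n - 1) if n > 1 else 0.0,
        "by_user": by_user,
        "by_ip": by_ip,
    }


def top_usernames(by_user, min_count=1):
    """(count, username) rows: count ascending, name descending within a count."""
    rows = [(c, u) for u, c in by_user.items() if c >= min_count]
    return sorted(rows, key=lambda r: (-r[0], r[1]), reverse=True)


# Constructed policy: only the owner's and the vendor's networks, and only
# during business hours. Everything else is dropped before authentication.
ALLOWED_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/28")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def connection_allowed(ip, ts, networks=ALLOWED_NETWORKS, hours=BUSINESS_HOURS):
    """Allowlist plus time lock: both conditions must hold."""
    src = ip_address(ip)
    in_allowlist = any(src in net for net in networks)
    in_window = hours[0] <= ts.time() < hours[1]
    return in_allowlist and in_window


def replay_policy(log_text):
    """How many logged failed attempts the policy would have rejected."""
    records = parse_failures(log_text, invalid_only=False)
    rejected = sum(1 for ts, _, ip in records if not connection_allowed(ip, ts))
    return {"attempts": len(records), "rejected": rejected}


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for key in ("attempts", "unique_ips", "tries_per_ip", "unique_users",
                "users_seen_more_than_once", "seconds_between_attempts"):
        print(f"{key}: {stats[key]}")
    for count, user in top_usernames(stats["by_user"]):
        print(f"{count:>6} {user}")          # same shape as uniq -c output
    print(replay_policy(SAMPLE_LOG))
```

Run it against a real file with `summarize(open("/var/log/auth.log").read())`. Note that grep's 'invalid user' is case-sensitive, so it skips sshd's "Invalid user ... from" announcement lines and counts only the "Failed password for invalid user" lines, which is what you want; root and other existing accounts are excluded by that filter, so pass `invalid_only=False` to count them too. In the replay, every sample attempt is rejected: the addresses outside the allowlist fail the first check, and the ones inside it arrive outside business hours.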

Here is the attack data. In a little less than a week (six days), some statistics on this host:

20 seconds. The host was attacked about every 20 seconds.

25,375 connections. A total of 25,375 connection requests in this period.

2023 different and unique IP addresses tried to connect.

38 tries. Each IP address tried an average of 38 times to connect (usually using different passwords).

5014 different usernames. The system was given 5014 different, invalid usernames.

2663 usernames were used more than once.

738 usernames were used more than ten (10) times. The list of those usernames (not including ROOT) that tried to SSH to this machine is below:

Two columns. The first is the number of times that username was tried; the second is the username attempted.

10 zb

10 yw

10 yo

10 wx

10 wc

10 wb

10 vg

10 vf

10 ue

10 ts3server

10 testftp

10 te

10 students

10 storm

10 service

10 sd

10 rw

10 ru

10 ro

10 rl

10 rj

10 qt

10 qr

10 qa

10 ov

10 nginx

10 ng

10 nf

10 nexus

10 na

10 mh

10 lm

10 le

10 kv

10 ku

10 kf

10 kevin

10 kafka

10 jz

10 jt

10 jk

10 jd

10 jboss

10 iq

10 ih

10 hp

10 hl

10 fn

10 ez

10 et

10 ek

10 ei

10 dw

10 da

10 cy

10 cr

10 cl

10 chris

10 cg

10 ce

10 br

10 aw

11 zu

11 zg

11 zc

11 ys

11 ye

11 yc

11 xx

11 xm

11 xi

11 xc

11 wpyan

11 wj

11 vt

11 vk

11 vh

11 tu

11 tc

11 sk

11 sf

11 rt

11 rq

11 qm

11 qi

11 qg

11 qd

11 px

11 pu

11 po

11 pl

11 pe

11 pb

11 ox

11 oq

11 on

11 ob

11 node

11 ly

11 lq

11 ll

11 kt

11 kh

11 jv

11 jg

11 ir

11 ia

11 hk

11 he

11 hd

11 gz

11 gmodserver

11 gk

11 gi

11 gd

11 fu

11 eu

11 er

11 ep

11 dy

11 df

11 deployer

11 cz

11 cx

11 cp

11 confluence

11 cj

11 au

11 asterisk

11 aq

11 ad

12 yy

12 yg

12 xz

12 xp

12 xh

12 xe

12 xbmc

12 xb

12 wv

12 wt

12 wd

12 vyatta

12 vy

12 vv

12 vmail

12 vm

12 vb

12 ut

12 ui

12 tz

12 tx

12 tk

12 td

12 sz

12 st

12 ss

12 sr

12 speech-dispatcher

12 rp

12 robert

12 qw

12 qv

12 qs

12 qo

12 qn

12 py

12 ps

12 ph

12 pf

12 pd

12 oj

12 oi

12 nh

12 nc

12 ls

12 lc

12 kp

12 kl

12 kj

12 ki

12 jo

12 jj

12 is

12 il

12 hv

12 hu

12 hj

12 gx

12 go

12 ey

12 ex

12 eq

12 ec2-user

12 ea

12 dx

12 dh

12 dg

12 ct

12 csgoserver

12 by

12 bn

12 aj

12 ah

12 adm

12 ab

13 zw

13 zr

13 yq

13 ym

13 xy

13 xo

13 xl

13 wr

13 ve

13 vd

13 ux

13 uv

13 tr

13 th

13 temp

13 sx

13 sv

13 sq

13 so

13 rs

13 qu

13 pz

13 pv

13 pt

13 pp

13 oo

13 og

13 oe

13 od

13 ny

13 nb

13 mv

13 mk

13 mb

13 m

13 lw

13 lu

13 kz

13 kr

13 kq

13 jx

13 jh

13 ja

13 im

13 ik

13 ie

13 hh

13 hb

13 fv

13 ft

13 fq

13 fd

13 fb

13 eb

13 dt

13 ds

13 dn

13 dl

13 dk

13 dj

13 de

13 dc

13 cpanelphpmyadmin

13 cc

13 bu

13 bo

13 bl

13 bg

13 al

13 ag

14 zy

14 zs

14 zl

14 zj

14 yh

14 xk

14 xd

14 wi

14 vi

14 uy

14 um

14 uj

14 uc

14 ty

14 tv

14 tt

14 toor

14 tn

14 stackato

14 sinusbot

14 si

14 sconsole

14 sb

14 sansforensics

14 sans

14 samurai

14 rh

14 ra

14 qj

14 qh

14 qe

14 qc

14 pyimagesearch

14 pq

14 pn

14 plexuser

14 pk

14 oy

14 ow

14 osboxes

14 osbash

14 openhabian

14 om

14 nv

14 nq

14 nexthink

14 netscreen

14 NetLinx

14 nao

14 myshake

14 my

14 mt

14 misp

14 maint

14 mailman

14 m202

14 lt

14 localadmin

14 lg

14 ld

14 la

14 kx

14 kw

14 ju

14 js

14 jr

14 if

14 id

14 hz

14 hy

14 hxeadm

14 hq

14 ho

14 hg

14 hduser

14 hacker

14 gu

14 gh

14 fw

14 fl

14 fe

14 daniel

14 cw

14 cu

14 cq

14 cirros

14 bi

14 bb

14 ax

14 as

15 zi

15 yl

15 xv

15 wy

15 wk

15 wf

15 vs

15 vo

15 ts3bot

15 sl

15 se

15 rz

15 redmine

15 ql

15 qk

15 pc

15 ou

15 of

15 oc

15 nt

15 mr

15 michael

15 mg

15 ma

15 lx

15 lb

15 ks

15 kc

15 ka

15 jw

15 iy

15 iw

15 informix

15 info

15 hunter

15 ht

15 hn

15 hf

15 gn

15 ethos

15 eh

15 ed

15 dz

15 dr

15 do

15 device

15 dd

15 david

15 cloudera

15 ch

15 bw

15 bs

15 bj

15 ay

15 ao

15 ac

15 aa

16 zp

16 ze

16 za

16 yt

16 yd

16 xa

16 ww

16 wg

16 vx

16 vq

16 vps

16 vl

16 va

16 uu

16 uploader

16 uk

16 uf

16 tm

16 tg

16 ta

16 sh

16 sg

16 s

16 ry

16 rk

16 rg

16 re

16 q

16 pm

16 or

16 nn

16 nj

16 ms

16 mo

16 mn

16 mm

16 kn

16 k

16 jf

16 hs

16 gm

16 fa

16 ec

16 docker

16 ci

16 bv

16 bf

16 be

16 ba

16 am

16 ai

17 zd

17 yx

17 yv

17 yf

17 xu

17 wl

17 wh

17 vr

17 uz

17 up

17 uh

17 ub

17 tl

17 system

17 sw

17 su

17 steam

17 solr

17 sc

17 rf

17 qx

17 ok

17 oh

17 no

17 nl

17 nk

17 mi

17 me

17 jb

17 j

17 gl

17 gb

17 el

17 ef

17 dp

17 cs

17 cm

17 cd

17 cb

17 ca

17 c

17 bt

17 bm

17 ak

18 zx

18 yj

18 wu

18 we

18 vw

18 vu

18 vc

18 v

18 uw

18 un

18 ti

18 tf

18 telecomadmin

18 rx

18 rv

18 qy

18 qf

18 qb

18 pa

18 oz

18 os

18 nx

18 nw

18 mx

18 mu

18 lo

18 lj

18 ko

18 km

18 ii

18 hr

18 gitlab-runner

18 fy

18 ftp

18 es

18 eo

18 contador

18 bd

19 zk

19 zf

19 yb

19 y

19 xf

19 ws

19 uq

19 to

19 teste

19 redhat

19 r

19 prueba

19 leo

19 jq

19 jm

19 ix

19 iv

19 ic

19 gw

19 fk

19 fh

19 ff

19 ew

20 zv

20 zq

20 xt

20 xg

20 wq

20 wp

20 us

20 ri

20 redis

20 profile1

20 pj

20 p

20 MikroTik

20 jp

20 jn

20 fr

20 fj

20 en

20 em

20 d

20 cisco

20 bx

21 ya

21 x

21 testing

21 qp

21 o

21 n

21 mp

21 minecraft

21 lk

21 li

21 kb

21 f

21 e

21 dq

21 developer

21 bq

21 bp

21 an

21 a

22 yn

22 yi

22 vnc

22 vn

22 vj

22 user3

22 stack

22 rd

22 rb

22 md

22 ip

22 gv

22 g

22 eg

22 bk

22 at

22 alex

23 yp

23 upload

23 ul

23 t

23 sm

23 rm

23 operator

23 oa

23 mw

23 mq

23 ml

23 iz

23 gq

23 gp

23 fc

23 ck

23 centos

23 bh

23 b

24 web1

24 wa

24 w

24 user01

24 tom

24 tech

24 rabbitmq

24 mc

24 h

24 ej

24 cv

24 ar

24 ap

24 admin1

25 z

25 uftp

25 tester

25 pr

25 john

26 user2

26 u

26 apache

27 svn

27 rr

27 public

27 ga

27 du

27 cssserver

28 user0

29 ts

29 teamspeak3

29 l

29 elastic

29 db2inst1

29 Administrator

30 xn

30 ftptest

31 webadmin

31 ftpadmin

31 elasticsearch

33 testuser

34 zabbix

34 vagrant

35 odoo

35 i

35 db

37 webmaster

39 dev

40 spark

41 weblogic

41 jira

44 web

48 tomcat

48 teamspeak

49 student

50 default

52 ts3

52 server

56 www

57 mysql

60 demo

67 jenkins

69 administrator

72 nagios

85 user1

85 support

85 debian

93 ubnt

100 pi

106 hadoop

110 guest

114 deploy

143 test2

144 for

156 usuario

164 git

172 test1

231 ftpuser

424 oracle

700 postgres

725 ubuntu

852 user

938 test

1276 admin