SSH Authentication Attempt Analysis

Background

The purpose of this activity was to expose a virtual machine to password authentication attempts from the whole internet and analyse the patterns in source IP location, attack frequency, and usernames attempted. An Oracle Linux 7.9 virtual machine instance was temporarily provisioned, the sshd configuration altered to enable password authentication (PasswordAuthentication yes), and the security list updated to allow TCP traffic to port 22 from all IPs. Over a period of approximately 4 weeks, there were over 350K failed SSH authentication attempts.
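The per-IP and per-username counts reported in the results below come from the sshd entries in the system authentication log. The following is an added example, not code from the original write-up, of how such a tally can be produced: it parses a few constructed log lines in the format sshd writes to /var/log/secure on Oracle Linux 7, counts only the "Failed password" events, and writes the top source IPs in the space-delimited form that the scraper below reads as top100IPs.csv. The log path, the host name "vm", the sample lines and the addresses in them are assumptions for illustration.

```python
import csv
import re
from collections import Counter

# sshd writes one line per failed authentication. It records the username,
# source address and port, never the password that was tried.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>password|publickey|none) for "
    r"(?P<invalid>invalid user )?(?P<user>.+?) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample in /var/log/secure format (not real captured data).
# Lines deliberately NOT counted: the "Invalid user" line precedes the
# "Failed password for invalid user" line of the same attempt, and the
# "maximum authentication attempts exceeded" and "Connection closed" lines
# describe the connection, not an additional credential.
SAMPLE_LOG = """\
Jun  5 00:01:12 vm sshd[2102]: Failed password for root from 61.177.172.98 port 41812 ssh2
Jun  5 00:01:14 vm sshd[2102]: Failed password for root from 61.177.172.98 port 41812 ssh2
Jun  5 00:01:15 vm sshd[2102]: error: maximum authentication attempts exceeded for root from 61.177.172.98 port 41812 ssh2 [preauth]
Jun  5 00:02:30 vm sshd[2110]: Invalid user admin from 104.244.76.203 port 50210
Jun  5 00:02:30 vm sshd[2110]: Failed password for invalid user admin from 104.244.76.203 port 50210 ssh2
Jun  5 00:02:33 vm sshd[2110]: Connection closed by invalid user admin 104.244.76.203 port 50210 [preauth]
Jun  5 00:03:01 vm sshd[2115]: Failed password for root from 49.88.112.72 port 18892 ssh2
Jun  5 00:03:05 vm sshd[2118]: Failed password for invalid user oracle from 139.59.233.134 port 33100 ssh2
Jun  5 00:03:09 vm sshd[2120]: Accepted publickey for opc from 203.0.113.10 port 52000 ssh2
"""


def parse_failed_attempts(lines):
    """Yield (user, ip, method, is_invalid_user) for each failed authentication line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m["user"], m["ip"], m["method"], m["invalid"] is not None


def summarize(lines):
    """Tally failed attempts by source IP and by username."""
    by_ip, by_user, invalid_users, total = Counter(), Counter(), set(), 0
    for user, ip, _method, invalid in parse_failed_attempts(lines):
        total += 1
        by_ip[ip] += 1
        by_user[user] += 1
        if invalid:  # the username does not exist on the host
            invalid_users.add(user)
    return {"total": total, "by_ip": by_ip, "by_user": by_user,
            "invalid_users": invalid_users}


def percent(count, total):
    """Share of all attempts, rounded to one decimal (the 'root' figure in the results)."""
    return round(100.0 * count / total, 1) if total else 0.0


def write_top_ips(by_ip, path, n=100):
    """Write 'ip count' lines, space-delimited, in the top100IPs.csv layout the scraper expects."""
    with open(path, "w", newline="") as f:
        writer = csv.writer(f, delimiter=" ")
        for ip, count in by_ip.most_common(n):
            writer.writerow([ip, count])


def read_log(path="/var/log/secure"):
    """Stream a log file; errors='replace' tolerates non-UTF-8 bytes in attempted usernames."""
    with open(path, encoding="utf-8", errors="replace") as f:
        yield from f


if __name__ == "__main__":
    # On a real host: summary = summarize(read_log())
    summary = summarize(SAMPLE_LOG.splitlines())
    print("failed attempts:", summary["total"])
    for user, n in summary["by_user"].most_common(5):
        print(f"{user:12} {n:6} {percent(n, summary['total']):5.1f}%")
    for ip, n in summary["by_ip"].most_common(5):
        print(f"{ip:16} {n}")
    write_top_ips(summary["by_ip"], "top100IPs.csv")
```

One caveat when reading the totals: sshd's MaxAuthTries (default 6) caps the number of "Failed password" lines a single connection can produce, so the attempt count is bounded per connection and the attackers simply reconnect.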

The source IP address location and Internet Service Provider data was collected from whatismyipaddress.com with the web-scraping Python script below.

import csv
import time
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.options import Options

options = Options()
options.add_argument('--ignore-certificate-errors')
options.add_argument('--ignore-ssl-errors')
options.add_experimental_option('excludeSwitches', ['enable-logging'])

# Selenium 4 takes the Options object as 'options'; the old 'chrome_options'
# keyword has been removed
browser = webdriver.Chrome(options=options)

# open the target data csv file for recording IP details, and the source
# csv of IPs (space-delimited, IP in the first field, one IP per line)
with open('sshAttemptData.csv', 'w', encoding='UTF8', newline='') as f, \
     open('top100IPs.csv', newline='') as csvfile:
    writer = csv.writer(f)
    csvreader = csv.reader(csvfile, delimiter=' ', quotechar='|')
    for count, row in enumerate(csvreader, start=1):
        if not row:
            continue  # skip blank lines in the source file
        url = 'https://whatismyipaddress.com/ip/' + row[0]
        # navigate to the url for the specified IP
        browser.get(url)
        time.sleep(1)  # give the page a moment to render before scraping
        # collect relevant data about the IP; each element reads "Label: value"
        elements = browser.find_elements(By.CLASS_NAME, "information")
        datarow = []
        for i in elements:
            st = i.text
            # split on the first colon only, so values that themselves contain
            # ':' (e.g. IPv6 addresses) are kept whole; elements with no colon
            # are recorded as-is instead of raising IndexError
            datarow.append(st.split(':', 1)[1].lstrip() if ':' in st else st)
        print("Site num: " + str(count))
        for item in datarow:
            print(item)
        # write IP data to output csv (rows are in the same order as the input file)
        writer.writerow(datarow)

browser.quit()

Results

From June 5th through July 4th of 2022, a test virtual machine instance running on Oracle Cloud Infrastructure accepted SSH authentication attempts from any IP on the internet for any Linux username. A total of 353,033 failed authentication attempts were logged from 5,495 unique IP addresses. A total of 27,436 unique usernames were attempted, with about 57% of all attempts (201,174) targeting the 'root' user. The next most commonly attempted usernames were 'admin', 'test', 'user', 'ubuntu', and 'oracle'. The majority of the remaining usernames are other common account names and the default accounts of popular software packages and cloud images (for example 'postgres', 'jenkins', 'pi' and 'ec2-user').

52 of the top 100 IPs are located in China and accounted for 184,331 attempts, or about 52% of all attempts. 35 IPs fall within the 61.177.172.0/23 block (61.177.172.19 through 61.177.173.62 among those in the table below), and all appear to originate from a data center in Lianyungang, China, with a listed Internet Service Provider of ChinaNet Jiangsu Province Network. These IP addresses are publicly listed in multiple abuse-reporting forums as high-risk IPs known to carry out SSH, web, and mail attacks on target services, and they almost exclusively attempted to log in as 'root'. As the OpenSSH daemon on the target machine was not modified, the passwords that were tried were not logged: sshd records only the username, source address and port of a failed attempt. Presumably each IP in this range works through a portion of a shared password list, and the group as a whole continually cycles through publicly reachable compute instances.
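The concentration described above is easier to see when per-IP counts are rolled up by network prefix rather than read one address at a time. The following added example (not part of the original analysis) takes a constructed subset of the top-100 table, aggregates attempts into /24 prefixes, lists the prefixes with several distinct attacking hosts, finds the smallest CIDR block that covers the Lianyungang addresses, and emits a host-firewall rule for that block. The firewalld rich-rule syntax assumes the firewalld shipped with Oracle Linux 7; blocking the range is an assumption about what a practitioner would do with the list, not something the write-up did, and in OCI the security list remains the primary control.

```python
import ipaddress
from collections import Counter

# Constructed subset of the top-100 table: source IP -> failed attempts.
SAMPLE_COUNTS = {
    "49.88.112.72": 24443, "49.88.112.73": 13264, "49.88.112.118": 3531,
    "104.244.76.203": 14650, "219.138.76.105": 7890,
    "61.177.172.98": 3465, "61.177.172.108": 3007, "61.177.172.19": 2521,
    "61.177.172.114": 2510,
    "61.177.173.50": 3088, "61.177.173.36": 3015, "61.177.173.49": 2637,
    "61.177.173.47": 2534, "61.177.173.62": 168,
    "139.59.233.134": 1070,
}


def rollup(counts, prefixlen=24):
    """Aggregate per-IP counts into /prefixlen networks -> {network: (attempts, distinct hosts)}."""
    attempts, hosts = Counter(), Counter()
    for ip, n in counts.items():
        # strict=False lets a host address be widened to its containing network
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        attempts[net] += n
        hosts[net] += 1
    return {net: (attempts[net], hosts[net]) for net in attempts}


def clusters(counts, prefixlen=24, min_hosts=3):
    """Prefixes with at least min_hosts distinct attacking addresses, busiest first."""
    rolled = rollup(counts, prefixlen)
    found = [(net, a, h) for net, (a, h) in rolled.items() if h >= min_hosts]
    return sorted(found, key=lambda t: t[1], reverse=True)


def covering_network(ips):
    """Smallest single CIDR block that contains every address given."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    lo, hi = addrs[0], addrs[-1]
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")  # the lowest address as a host route
    while hi not in net:
        net = net.supernet()  # widen by one bit until the highest address fits
    return net


def firewalld_rich_rule(net, port=22):
    """firewall-cmd invocation rejecting TCP/port from the block (assumed host-level mitigation)."""
    return (f"firewall-cmd --permanent --add-rich-rule='rule family=\"ipv{net.version}\" "
            f"source address=\"{net}\" port port=\"{port}\" protocol=\"tcp\" reject'")


if __name__ == "__main__":
    total = sum(SAMPLE_COUNTS.values())
    for net, a, h in clusters(SAMPLE_COUNTS):
        print(f"{str(net):18} {a:6} attempts {100 * a / total:5.1f}%  {h} hosts")
    lianyungang = [ip for ip in SAMPLE_COUNTS if ip.startswith("61.177.17")]
    block = covering_network(lianyungang)
    print("covering block:", block)
    print(firewalld_rich_rule(block))
```

With the sample data the two Lianyungang /24s each show four or five distinct hosts and together collapse into 61.177.172.0/23, whereas the single heavy hitters (104.244.76.203, 219.138.76.105) stand alone in their prefixes; that distinction is what separates a dedicated scanning range from an individual compromised host.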

ChinaNet is part of China Telecom, a state-owned and state-operated entity. The Federal Communications Commission has designated China Telecom a national security threat.

The full CSV with all attempts can be downloaded here.

Top 100 IP Addresses By Authentication Attempts

# | IP Address | SSH Attempts | ISP | Country | City | Latitude | Longitude
0 | 49.88.112.72 | 24443 | ChinaNet Jiangsu Province Network | China | Nanjing | 32.061668 | 118.777779
1 | 104.244.76.203 | 14650 | BuyVM | Luxembourg | Luxembourg | 49.611671 | 6.130000
2 | 49.88.112.73 | 13264 | ChinaNet Jiangsu Province Network | China | Nanjing | 32.061668 | 118.777779
3 | 219.138.76.105 | 7890 | ChinaNet Hubei Province Network | China | Shiyan | 32.566669 | 110.783333
4 | 45.85.147.174 | 7704 | TT1 Datacenter UG (haftungsbeschraenkt) | United States | Los Angeles | 34.052860 | -118.243568
5 | 176.57.150.175 | 7699 | Ociris GmbH | Germany | Munich | 48.137428 | 11.575490
6 | 43.154.1.12 | 5910 | Aceville Pte.Ltd. | Hong Kong | Hong Kong | 22.285521 | 114.157692
7 | 14.21.88.127 | 4775 | ChinaNet Guangdong Province Network | China | Qingyuan | 23.700001 | 113.033333
8 | 62.171.186.8 | 3851 | Contabo GmbH | Germany | Munich | 48.137428 | 11.575490
9 | 49.88.112.118 | 3531 | ChinaNet Jiangsu Province Network | China | Nanjing | 32.061668 | 118.777779
10 | 61.177.172.98 | 3465 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
11 | 61.177.173.50 | 3088 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
12 | 49.88.112.68 | 3056 | ChinaNet Jiangsu Province Network | China | Nanjing | 32.061668 | 118.777779
13 | 61.177.173.36 | 3015 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
14 | 61.177.172.108 | 3007 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
15 | 167.250.76.161 | 3000 | IQCloud SA de CV | Mexico | Juarez | 25.650000 | -100.083328
16 | 61.177.173.49 | 2637 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
17 | 61.177.173.47 | 2534 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
18 | 61.177.172.19 | 2521 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
19 | 45.232.176.3 | 2514 | Makronet Consulting Tecnologia e Informatica Limitada | Chile | Santiago | -33.426281 | -70.566559
20 | 61.177.172.114 | 2510 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
21 | 61.177.173.39 | 2400 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
22 | 36.110.228.254 | 2367 | ChinaNet Zhejiang Province Network | China | Hangzhou | 30.293650 | 120.161423
23 | 61.177.173.53 | 2360 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
24 | 61.177.173.46 | 2356 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
25 | 61.177.173.35 | 2309 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
26 | 61.177.173.51 | 2285 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
27 | 122.228.116.116 | 2247 | ChinaNet Zhejiang Province Network | China | Wenzhou | 27.999420 | 120.666817
28 | 61.177.172.124 | 2180 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
29 | 49.88.112.117 | 2157 | ChinaNet Jiangsu Province Network | China | Nanjing | 32.061668 | 118.777779
30 | 61.177.173.48 | 2106 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
31 | 61.177.173.52 | 2030 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
32 | 218.92.0.221 | 1904 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
33 | 124.221.246.180 | 1887 | Tencent Cloud Computing (Beijing) Co. Ltd. | China | Beijing | 39.907501 | 116.397232
34 | 31.184.198.71 | 1612 | Petersburg Internet Network Ltd. | Russian Federation | Saint Petersburg | 59.894440 | 30.264170
35 | 61.177.172.76 | 1374 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
36 | 61.177.173.54 | 1358 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
37 | 106.13.19.59 | 1282 | Beijing Baidu Netcom Science and Technology Co. Ltd. | China | Beijing | 39.907501 | 116.397232
38 | 61.177.172.160 | 1230 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
39 | 61.177.172.174 | 1189 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
40 | 61.177.173.55 | 1186 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
41 | 61.177.173.40 | 1170 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
42 | 61.177.172.61 | 1142 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
43 | 61.177.173.41 | 1132 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
44 | 139.59.233.134 | 1070 | DigitalOcean LLC | Singapore | Singapore | 1.289670 | 103.850067
45 | 61.177.173.44 | 1017 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
46 | 61.177.173.56 | 964 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
47 | 61.177.173.61 | 930 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
48 | 209.141.51.29 | 869 | Frantech Solutions | United States | Las Vegas | 36.174969 | -115.137222
49 | 179.60.147.74 | 785 | Veraton Projects Ltd. | Venezuela (Bolivarian Republic of) | Caracas | 10.488010 | -66.879189
50 | 61.177.172.87 | 741 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
51 | 92.255.85.70 | 693 | Chang Way Technologies Co. Limited | Russian Federation | Saint Petersburg | 59.894440 | 30.264170
52 | 61.177.172.91 | 690 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
53 | 92.255.85.69 | 665 | Chang Way Technologies Co. Limited | Russian Federation | Saint Petersburg | 59.894440 | 30.264170
54 | 206.189.34.181 | 549 | DigitalOcean LLC | Singapore | Singapore | 1.289670 | 103.850067
55 | 121.5.229.47 | 544 | Tencent Cloud Computing (Beijing) Co. Ltd. | China | Beijing | 39.907501 | 116.397232
56 | 112.29.139.34 | 531 | China Mobile Communications Corporation | China | Chuzhou | 32.321941 | 118.297783
57 | 165.22.99.251 | 504 | DigitalOcean LLC | Singapore | Singapore | 1.289670 | 103.850067
58 | 152.89.198.17 | 490 | Telefonica LLC | Russian Federation | Moscow | 55.752220 | 37.615559
59 | 101.36.177.222 | 487 | Beijing Zhonglianlixin Technology Co. Ltd. | China | Beijing | 39.907501 | 116.397232
60 | 193.106.191.80 | 447 | Kanzas LLC | Russian Federation | Moscow | 55.752220 | 37.615559
61 | 121.62.22.124 | 404 | ChinaNet Hubei Province Network | China | Shiyan | 32.566669 | 110.783333
62 | 162.215.222.200 | 387 | Unified Layer | United States | Provo | 40.213909 | -111.634071
63 | 61.177.173.42 | 377 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
64 | 61.177.173.43 | 361 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
65 | 222.186.42.99 | 321 | ChinaNet Jiangsu Province Network | China | Zhenjiang | 32.209171 | 119.434174
66 | 104.236.122.193 | 315 | DigitalOcean LLC | United States | Clifton | 40.858429 | -74.163757
67 | 92.255.85.199 | 253 | Chang Way Technologies Co. Limited | Russian Federation | Saint Petersburg | 59.894440 | 30.264170
68 | 193.106.191.150 | 232 | Kanzas LLC | Russian Federation | Moscow | 55.752220 | 37.615559
69 | 190.153.222.250 | 220 | GTD Internet S.A. | Chile | Santiago | -33.426281 | -70.566559
70 | 190.146.13.180 | 209 | Telmex Colombia S.A. | Colombia | Cota | 4.809380 | -74.098000
71 | 20.237.195.48 | 204 | Microsoft Corporation | United States | San Francisco | 37.774929 | -122.419418
72 | 139.59.21.115 | 199 | DigitalOcean LLC | India | Bengaluru | 12.976230 | 77.603287
73 | 64.227.120.10 | 197 | DigitalOcean LLC | Germany | Frankfurt am Main | 50.110882 | 8.681996
74 | 61.177.172.59 | 193 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
75 | 188.219.220.114 | 181 | Vodafone Italia S.p.A. | Italy | Ivrea | 45.458061 | 7.871920
76 | 164.68.100.59 | 180 | Contabo GmbH | Germany | Munich | 48.137428 | 11.575490
77 | 70.160.93.216 | 178 | Cox Communications LLC | United States | Norfolk | 36.846809 | -76.285217
78 | 193.106.191.92 | 171 | Kanzas LLC | Russian Federation | Moscow | 55.752220 | 37.615559
79 | 162.243.172.239 | 169 | DigitalOcean LLC | United States | North Bergen | 40.804272 | -74.012077
80 | 24.245.227.211 | 168 | Westman Communications Group | Canada | Brandon | 49.835861 | -99.964622
81 | 61.177.173.62 | 168 | ChinaNet Jiangsu Province Network | China | Lianyungang | 34.599998 | 119.166664
82 | 103.92.101.115 | 159 | Lalitha Enterprises | India | Bengaluru | 12.976230 | 77.603287
83 | 196.223.151.194 | 159 | Insist Net Limited | Gambia | Banjul | 13.452740 | -16.578030
84 | 67.205.145.120 | 159 | DigitalOcean LLC | United States | North Bergen | 40.804272 | -74.012077
85 | 77.158.71.118 | 159 | Societe Francaise Du Radiotelephone - SFR SA | France | Paris | 48.858364 | 2.294532
86 | 180.76.135.84 | 155 | Beijing Baidu Netcom Science and Technology Co. Ltd. | China | Beijing | 39.907501 | 116.397232
87 | 120.48.19.210 | 150 | Beijing Baidu Netcom Science and Technology Co. Ltd. | China | Beijing | 39.907501 | 116.397232
88 | 60.241.81.42 | 150 | TPG Internet Pty Ltd. | Australia | Ryde | -33.816669 | 151.100006
89 | 157.52.184.32 | 149 | Root Networks | United States | Los Angeles | 34.060734 | -118.239738
90 | 161.18.251.118 | 149 | Colombia Telecomunicaciones S.A. ESP | Colombia | Bogota | 4.609710 | -74.081749
91 | 147.182.188.81 | 148 | DigitalOcean LLC | United States | North Bergen | 40.804272 | -74.012077
92 | 184.168.126.75 | 145 | GoDaddy.com LLC | Singapore | Singapore | 1.289670 | 103.850067
93 | 40.68.196.183 | 141 | Microsoft Corporation | Netherlands | Amsterdam | 52.378502 | 4.899980
94 | 104.131.12.184 | 140 | DigitalOcean LLC | United States | Clifton | 40.858429 | -74.163757
95 | 128.199.152.204 | 140 | DigitalOcean LLC | Singapore | Singapore | 1.289670 | 103.850067
96 | 137.184.130.78 | 140 | DigitalOcean LLC | United States | North Bergen | 40.804272 | -74.012077
97 | 187.102.174.154 | 140 | Mundivox Do Brasil Ltda | Brazil | Rio de Janeiro | -22.906759 | -43.172962
98 | 211.218.245.66 | 140 | KT Corporation | Korea (Republic of) | Seoul | 37.566311 | 126.977943
99 | 167.99.0.166 | 139 | DigitalOcean LLC | United States | North Bergen | 40.804272 | -74.012077

Top 100 Usernames By Authentication Attempts

# Username Attempts
0 root 201174
1 admin 12007
2 test 3159
3 user 2519
4 ubuntu 1962
5 oracle 1588
6 postgres 1331
7 ftpuser 1213
8 guest 1059
9 git 1017
10 mysql 841
11 deploy 737
12 support 714
13 minecraft 676
14 jenkins 637
15 test1 569
16 apache 492
17 usuario 468
18 test2 459
19 testuser 408
20 server 395
21 Debian 384
22 user2 382
23 teamspeak 381
24 demo 358
25 nagios 351
26 steam 350
27 user1 350
28 web 349
29 centos 341
30 pi 340
31 master 331
32 administrator 330
33 ubnt 329
34 backup 323
35 odoo 322
36 student 311
37 vbox 299
38 es 298
39 prueba 289
40 app 288
41 developer 285
42 ts 274
43 www 271
44 system 269
45 ts3 269
46 mc 260
47 dev 253
48 hadoop 252
49 kafka 248
50 vagrant 246
51 alex 238
52 cloud 238
53 nexus 233
54 username 229
55 radio 213
56 cron 212
57 client 209
58 sinus 207
59 code 205
60 factorio 205
61 informix 205
62 remote 204
63 ark 203
64 dspace 202
65 python 199
66 gmod 196
67 matrix 194
68 nominatim 194
69 gitlab 193
70 csgo 191
71 azure 190
72 dj 189
73 django 189
74 sandbox 189
75 pterodactyl 188
76 Default 185
77 fivem 184
78 vscode 182
79 damien 175
80 sysadmin 173
81 arma 167
82 xrdp 167
83 manager 166
84 ftptest 164
85 super 150
86 www-data 145
87 ec2-user 144
88 webmaster 143
89 temp 142
90 john 140
91 teste 139
92 zabbix 139
93 111111 137
94 info 136
95 deployer 132
96 tester 132
97 sammy 129
98 sinusbot 129
99 upload 129

Conclusion

The observed attempts to gain access to the publicly facing compute instance were not particularly advanced: they amounted to password guessing against 'root' and other common account names. However, the volume arriving from many IPs within a single address range suggests that a significant amount of infrastructure has been dedicated exclusively to this activity.

To further research the nature of the attempts to gain access to the compute instance, a true SSH honeypot could be used to capture the passwords tried alongside the usernames, which a stock sshd does not log. Additionally, if the honeypot's SSH daemon is run in a secure, containerized environment, it may be possible to allow the attacking machines pseudo-control of the honeypot server in order to better understand the intent behind the activity from these IPs.