SSH brute force

I decided to investigate how dangerous brute forcing is today when simple passwords are used. For five days, a test SSH server with the login and password root was exposed to the Internet. As a result, after just three hours of operation the service was found, scanned with password guessing, and a successful login took place:

May 8 00:56:17 brootforce-ssh: Accepted password for root from 116.10.191.171 port 14551 ssh2

May 8 00:56:17 brootforce-ssh: pam_unix(sshd:session): session opened for user root by (uid=0)

May 8 00:56:18 brootforce-ssh: subsystem request for sftp by user root

In effect, had this not been a test resource, it would have been compromised. What happens next depends on the bot's "program" and the attacker's "mood".


Listing of successful logins on the test SSH server over the five days:

May 8 08:40:11 brootforce-ssh: Accepted password for root from 116.10.191.190 port 26727 ssh2

May 8 08:42:46 brootforce-ssh: Accepted password for root from 116.10.191.190 port 43585 ssh2

May 8 09:15:45 brootforce-ssh: Accepted password for root from 61.174.51.219 port 51273 ssh2

May 8 09:20:35 brootforce-ssh: Accepted password for root from 61.174.51.219 port 33878 ssh2

May 8 15:03:22 brootforce-ssh: Accepted password for root from 116.10.191.173 port 29660 ssh2

May 8 15:05:53 brootforce-ssh: Accepted password for root from 116.10.191.173 port 8129 ssh2

May 8 15:06:34 brootforce-ssh: Accepted password for root from 116.27.0.85 port 60026 ssh2

May 8 16:30:41 brootforce-ssh: Accepted password for root from 58.222.1.154 port 3807 ssh2

May 8 18:27:33 brootforce-ssh: Accepted password for root from 61.174.51.224 port 2604 ssh2

May 8 18:31:13 brootforce-ssh: Accepted password for root from 61.174.51.224 port 4870 ssh2

May 8 20:22:00 brootforce-ssh: Accepted password for root from 116.10.191.175 port 17176 ssh2

May 8 20:23:24 brootforce-ssh: Accepted password for root from 116.10.191.175 port 5028 ssh2

May 9 01:39:00 brootforce-ssh: Accepted password for root from 61.174.51.199 port 8960 ssh2

May 9 01:44:50 brootforce-ssh: Accepted password for root from 61.174.51.199 port 1668 ssh2

May 9 02:25:21 brootforce-ssh: Accepted password for root from 1.93.34.238 port 37325 ssh2

May 9 02:56:55 brootforce-ssh: Accepted password for root from 116.10.191.174 port 18596 ssh2

May 9 02:59:47 brootforce-ssh: Accepted password for root from 116.10.191.174 port 44819 ssh2

May 9 06:20:12 brootforce-ssh: Accepted password for root from 116.10.191.168 port 37633 ssh2

May 9 06:23:36 brootforce-ssh: Accepted password for root from 116.10.191.168 port 23437 ssh2

May 9 06:44:39 brootforce-ssh: Accepted password for root from 116.10.191.180 port 52928 ssh2

May 9 06:47:59 brootforce-ssh: Accepted password for root from 116.10.191.180 port 15986 ssh2

May 9 07:43:28 brootforce-ssh: Accepted password for root from 116.10.191.185 port 36811 ssh2

May 9 07:46:03 brootforce-ssh: Accepted password for root from 116.10.191.185 port 40684 ssh2

May 9 08:49:04 brootforce-ssh: Accepted password for root from 122.154.162.3 port 60155 ssh2

May 9 10:06:51 brootforce-ssh: Accepted password for root from 116.10.191.189 port 45622 ssh2

May 9 10:08:45 brootforce-ssh: Accepted password for root from 116.10.191.189 port 42548 ssh2

May 9 13:26:13 brootforce-ssh: Accepted password for root from 1.93.32.212 port 45143 ssh2

May 9 14:09:30 brootforce-ssh: Accepted password for root from 144.0.0.61 port 33511 ssh2

May 9 14:09:31 brootforce-ssh: Accepted password for root from 144.0.0.22 port 40688 ssh2

May 9 15:01:44 brootforce-ssh: Accepted password for root from 14.208.51.173 port 63377 ssh2

May 9 21:07:59 brootforce-ssh: Accepted password for root from 113.142.37.114 port 41598 ssh2

May 9 21:12:08 brootforce-ssh: Accepted password for root from 113.142.37.114 port 41711 ssh2

May 9 22:09:56 brootforce-ssh: Accepted password for root from 113.142.37.114 port 42244 ssh2

May 9 22:10:02 brootforce-ssh: Accepted password for root from 113.142.37.114 port 42455 ssh2

May 9 23:17:05 brootforce-ssh: Accepted password for root from 113.142.37.114 port 42763 ssh2

May 9 23:22:04 brootforce-ssh: Accepted password for root from 113.142.37.114 port 43031 ssh2

May 9 23:41:44 brootforce-ssh: Accepted password for root from 113.142.37.114 port 43438 ssh2

May 9 23:41:50 brootforce-ssh: Accepted password for root from 113.142.37.114 port 43651 ssh2

May 9 23:49:44 brootforce-ssh: Accepted password for root from 113.142.37.114 port 43969 ssh2

May 9 23:49:49 brootforce-ssh: Accepted password for root from 113.142.37.114 port 44181 ssh2

May 9 23:55:29 brootforce-ssh: Accepted password for root from 113.142.37.114 port 44494 ssh2

May 9 23:55:35 brootforce-ssh: Accepted password for root from 113.142.37.114 port 44706 ssh2

May 10 05:23:39 brootforce-ssh: Accepted password for root from 116.10.191.173 port 8906 ssh2

May 10 05:26:07 brootforce-ssh: Accepted password for root from 116.10.191.173 port 28954 ssh2

May 10 11:21:13 brootforce-ssh: Accepted password for root from 61.174.51.221 port 37871 ssh2

May 10 11:26:09 brootforce-ssh: Accepted password for root from 61.174.51.221 port 18401 ssh2

May 10 11:48:38 brootforce-ssh: Accepted password for root from 193.107.16.206 port 48706 ssh2

May 10 12:03:38 brootforce-ssh: Accepted password for root from 65.23.154.117 port 36319 ssh2

May 10 12:49:49 brootforce-ssh: Accepted password for root from 221.194.44.141 port 2990 ssh2

May 10 13:31:18 brootforce-ssh: Accepted password for root from 61.174.51.210 port 36138 ssh2

May 10 13:33:14 brootforce-ssh: Accepted password for root from 61.174.51.210 port 1382 ssh2

May 10 13:46:40 brootforce-ssh: Accepted password for root from 14.208.51.173 port 62076 ssh2

May 10 14:00:54 brootforce-ssh: Accepted password for root from 195.54.166.10 port 53030 ssh2

May 10 14:05:47 brootforce-ssh: Accepted password for root from 116.10.191.175 port 57506 ssh2

May 10 14:06:56 brootforce-ssh: Accepted password for root from 116.10.191.175 port 35224 ssh2

May 10 14:51:06 brootforce-ssh: Accepted password for root from 14.208.51.173 port 56004 ssh2

May 10 15:43:22 brootforce-ssh: Accepted password for root from 116.10.191.169 port 1670 ssh2

May 10 15:46:30 brootforce-ssh: Accepted password for root from 116.10.191.169 port 13156 ssh2

May 10 15:56:18 brootforce-ssh: Accepted password for root from 14.208.51.173 port 55905 ssh2

May 10 18:51:40 brootforce-ssh: Accepted password for root from 1.93.29.133 port 39658 ssh2

May 11 06:04:11 brootforce-ssh: Accepted password for root from 65.23.154.117 port 44982 ssh2

May 11 09:22:28 brootforce-ssh: Accepted password for root from 116.10.191.179 port 53557 ssh2

May 11 09:26:01 brootforce-ssh: Accepted password for root from 116.10.191.179 port 14802 ssh2

May 11 13:38:28 brootforce-ssh: Accepted password for root from 14.208.44.238 port 52283 ssh2

May 11 15:15:07 brootforce-ssh: Accepted password for root from 116.10.191.180 port 14822 ssh2

May 11 15:15:56 brootforce-ssh: Accepted password for root from 116.10.191.180 port 39814 ssh2

May 11 15:44:03 brootforce-ssh: Accepted password for root from 14.208.46.230 port 63691 ssh2

May 11 17:21:22 brootforce-ssh: Accepted password for root from 116.10.191.170 port 33617 ssh2

May 11 17:24:59 brootforce-ssh: Accepted password for root from 116.10.191.170 port 8542 ssh2

May 11 17:33:56 brootforce-ssh: Accepted password for root from 116.10.191.170 port 14437 ssh2

May 11 17:37:32 brootforce-ssh: Accepted password for root from 116.10.191.170 port 58597 ssh2

May 11 22:07:28 brootforce-ssh: Accepted password for root from 113.142.37.114 port 53710 ssh2

May 11 22:48:09 brootforce-ssh: Accepted password for root from 113.142.37.114 port 54311 ssh2

May 11 23:36:31 brootforce-ssh: Accepted password for root from 113.142.37.114 port 54985 ssh2

May 11 23:37:44 brootforce-ssh: Accepted password for root from 113.142.37.114 port 55577 ssh2

May 11 23:42:21 brootforce-ssh: Accepted password for root from 113.142.37.114 port 56176 ssh2

May 12 00:35:06 brootforce-ssh: Accepted password for root from 65.23.154.117 port 36749 ssh2

May 12 07:30:23 brootforce-ssh: Accepted password for root from 61.174.51.198 port 30083 ssh2

May 12 07:34:54 brootforce-ssh: Accepted password for root from 61.174.51.198 port 45232 ssh2

May 12 11:18:45 brootforce-ssh: Accepted password for root from 61.160.213.171 port 2881 ssh2

May 12 15:04:35 brootforce-ssh: Accepted password for root from 14.208.46.230 port 65025 ssh2

May 12 15:54:26 brootforce-ssh: Accepted password for root from 195.54.166.10 port 49914 ssh2

May 12 17:03:26 brootforce-ssh: Accepted password for root from 61.174.51.219 port 34729 ssh2

May 12 17:05:03 brootforce-ssh: Accepted password for root from 14.208.46.230 port 53180 ssh2

May 12 17:05:19 brootforce-ssh: Accepted password for root from 61.174.51.219 port 46475 ssh2


According to WHOIS data, the brute-force programs connected mainly from subnets in China. Login attempts from America and Russia were also observed. Increased activity was observed on May 9. I was amused by a failed request from Ukraine to one of Yandex's servers:

May 12 15:54:26 brootforce-ssh: Accepted password for root from 195.54.166.10 port 49914 ssh2

May 12 15:54:26 brootforce-ssh: pam_unix(sshd:session): session opened for user root by (uid=0)

May 12 15:54:26 brootforce-ssh: Received request to connect to host 93.158.134.198 port 80, but the request was denied.

May 12 15:54:27 brootforce-ssh: pam_unix(sshd:session): session closed for user root
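
One way to summarise such listings from the defender's side, as an added example that is not part of the original article: the script counts accepted root password logins per day and per /24 source network, and pairs each denied port-forwarding request with the most recent login. The sample lines are copied from the listings on this page; attributing a forwarding request to the latest login is a heuristic assumed here, because these log lines carry no process ID.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Sample lines copied from the listings on this page.
SAMPLE = """\
May 8 00:56:17 brootforce-ssh: Accepted password for root from 116.10.191.171 port 14551 ssh2
May 8 08:40:11 brootforce-ssh: Accepted password for root from 116.10.191.190 port 26727 ssh2
May 9 23:55:29 brootforce-ssh: Accepted password for root from 113.142.37.114 port 44494 ssh2
May 9 23:55:35 brootforce-ssh: Accepted password for root from 113.142.37.114 port 44706 ssh2
May 12 15:54:26 brootforce-ssh: Accepted password for root from 195.54.166.10 port 49914 ssh2
May 12 15:54:26 brootforce-ssh: pam_unix(sshd:session): session opened for user root by (uid=0)
May 12 15:54:26 brootforce-ssh: Received request to connect to host 93.158.134.198 port 80, but the request was denied.
May 12 15:54:27 brootforce-ssh: pam_unix(sshd:session): session closed for user root
"""

# Prefix of every line in this page's format: "Mon D HH:MM:SS host: message"
PREFIX = r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>[\d:]{8}) (?P<host>\S+): "
ACCEPT = re.compile(
    PREFIX + r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
FORWARD = re.compile(
    PREFIX + r"Received request to connect to host (?P<dst>\S+) port (?P<dport>\d+), "
             r"but the request was denied")


def analyse(text):
    """Return (logins per day, logins per /24, denied forwarding attempts)."""
    per_day, per_net, forwards = Counter(), Counter(), []
    last_ip = None  # source address of the most recent accepted login
    for line in text.splitlines():
        if m := ACCEPT.match(line):
            last_ip = m["ip"]
            per_day[f'{m["mon"]} {m["day"]}'] += 1
            # Group by /24 so neighbouring scanner addresses show up together.
            per_net[str(ip_network(f"{last_ip}/24", strict=False))] += 1
        elif m := FORWARD.match(line):
            # Heuristic: attribute the request to the latest accepted login.
            forwards.append((last_ip, m["dst"], int(m["dport"])))
    return per_day, per_net, forwards


if __name__ == "__main__":
    days, nets, fwd = analyse(SAMPLE)
    print(days.most_common(), nets.most_common(), fwd, sep="\n")
```
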


The conclusion from this: if you use passwords for administration, set strong ones right away. And it does not matter whether it is e-mail, an admin panel for managing a site/server, or remote access to a small organization you support. Programs do not care what they scan.

Published on 12 May 2014

in the section: "Articles".



PERMSITE Team
© 2009-2017, author: Yuri Tokarev.