As many of you are aware, HexHound recently moved to new hosting. It comes as no surprise that there are bad actors out there with nothing better to do than attempt to compromise the server; what is surprising to me is the frequency of the malicious login attempts, especially considering a warning banner is posted. Thankfully I did harden this server prior to publishing it to the web and the banner doesn’t lie – logging is setup and I do report malicious IPs.
One step I didn’t take while hardening the server is moving SSH to an alternate port. I have several reasons for this –
- I don’t believe in security through obscurity.
- There are security risks to moving a service to a high port as ports >1023 are not privileged in Linux.
- Applications sometimes misbehave when a service is running on an unexpected port.
- It is hard to remember the port number.
Nevertheless, I have addressed the situation as the activity I have observed is simply obnoxious. The results below, in some ways, are due to this system functioning as an unintentional honey pot and were largely collected during the period of 2/15/2015-2/24/2015.
The Top 15 Observed Account Names
|Place||Account Name||Number of Login Attempts|
|13||ts / tomcat||201 (tie)|
Clearly root is by far and away the winner here. What’s really interesting is how this compares to the results compiled by Symantec.
Here’s Symantec’s list, with my place numbers listed next to theirs’. I have extended the places to beyond 15 for more insight.
|Place||Account Name||Number of Login Attempts||HexHound Place|
Again, it is no surprise that “root” is number one on both lists. Always, ALWAYS disable root login over SSH. If an adversary gets root access, it is gameover as root is the all-powerful user on *nix based systems. Even worse, actions taken by root are often not logged. This is one of the reasons to evoke “sudo” for privilege escalation – all those commands are logged! If possible, logs should be forwarded to another protected server so that even if the target server were compromised, you will know exactly what commands were run.
Default and developer test accounts should also be closely monitored. It is no accident that “user” and “test” (along with every variation you can think of) appear on both lists. While these accounts are not likely to be privileged accounts, gaining access is an important step towards compromise and should be taken seriously. It is also clear that the adversaries are searching for default accounts associated with common services, such as “oracle”, “mysql”, “pgsql”, and “postgres” which are all common databases; my server in particular appears to have a lot of attackers looking for gaming services such as “teamspeak” and “minecraft”. The internet is a dangerous place, be careful!