Introduction
If you have an SSH server running on a public interface, you probably know that failed login attempts happen all the time. There are bots scanning whole internet subnets looking for an open TCP port 22 and trying all sorts of popular logins and weak passwords. I wanted to know what passwords and logins they are actually using. Logins are no problem – audit.log should show them. It's a different story with passwords. They are not logged even if you configure the maximum possible debugging level in the OpenSSH server. There is a good reason for that – logging them might violate privacy and pose a security threat.
How did I do that?
The cleanest way to do this is to modify the OpenSSH source code. I used OpenSSH version 6.4p1.
You only need to insert one line calling the logit() function in auth-passwd.c:
[root@krupa src]# diff -r openssh-6.4p1 openssh-6.4p1_mod diff -r openssh-6.4p1/auth-passwd.c openssh-6.4p1_mod/auth-passwd.c 82a83 > logit("Password, username is: %s-----%s",authctxt->user,password);
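Review bot: the logit() call added as line 83 of auth-passwd.c writes every submitted password in plaintext to syslog before auth_password() has decided anything, so it also captures the real passwords (and typos) of any legitimate password-authenticated user and ships them wherever sshd's syslog facility goes, including remote log collectors; this patch should only run on a host with no real password-based accounts and with the log destination locked down. A smaller point: the statement is inserted before the `struct passwd * pw` declaration, so the file now relies on C99 mixed declarations and code; placing the call after the declarations keeps it portable to stricter compilers.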
/*
 * Tries to authenticate the user using password. Returns true if
 * authentication succeeds.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
    /* Line added by the patch: log the attempted user name and password. */
    logit("Password, username is: %s-----%s", authctxt->user, password);
    struct passwd * pw = authctxt->pw;
    int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
    static int expire_checked = 0;
#endif

#ifndef HAVE_CYGWIN
    if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
        ok = 0;
#endif
    if (*password == '\0' && options.permit_empty_passwd == 0)
        return 0;

#ifdef KRB5
    if (options.kerberos_authentication == 1) {
        int ret = auth_krb5_password(authctxt, password);
        if (ret == 1 || ret == 0)
            return ret && ok;
        /* Fall back to ordinary passwd authentication. */
    }
#endif
#ifdef HAVE_CYGWIN
    {
        HANDLE hToken = cygwin_logon_user(pw, password);

        if (hToken == INVALID_HANDLE_VALUE)
            return 0;
        cygwin_set_impersonation_token(hToken);
        return ok;
    }
#endif
#ifdef USE_PAM
    if (options.use_pam)
        return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
    if (!expire_checked) {
        expire_checked = 1;
        if (auth_shadow_pwexpired(authctxt))
            authctxt->force_pwchange = 1;
    }
#endif
    result = sys_auth_passwd(authctxt, password);
    if (authctxt->force_pwchange)
        disable_forwarding();
    return (result && ok);
}
The results
Over the course of approximately 10 months I gathered 1315543 attempts, which is about 3 per minute!
There were only 172304 unique combinations.
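To turn the logged lines into the counts shown in this section, here is an added example (not the author's own tooling) that parses the message format the patched logit() call emits and aggregates total attempts, unique combinations and the top users, passwords and login+password pairs. The log lines are constructed; the hostname krupa is taken from the shell prompt above, and the `-----` separator is the one hard-coded in the patch.

```python
import re
from collections import Counter

# Matches the message the patched logit() call emits; the syslog prefix
# (timestamp, host, "sshd[pid]:") is ignored so any syslog layout works.
LINE_RE = re.compile(r"Password, username is: (?P<rest>.*)$")
SEP = "-----"  # separator used in the patched auth-passwd.c


def parse_line(line):
    """Return (user, password) for a patched-sshd log line, else None."""
    m = LINE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    # Split on the FIRST separator: the user name comes first and is very
    # unlikely to contain '-----', while a password may (it stays intact).
    user, sep, password = m.group("rest").partition(SEP)
    if not sep:
        return None  # separator missing: not a line produced by the patch
    return user, password


def aggregate(lines):
    """Count attempts, distinct pairs, and rank users/passwords/pairs."""
    pairs = Counter(p for p in map(parse_line, lines) if p is not None)
    users, passwords = Counter(), Counter()
    for (user, password), n in pairs.items():
        users[user] += n
        passwords[password] += n
    return {
        "attempts": sum(pairs.values()),
        "unique_pairs": len(pairs),
        "top_pairs": pairs.most_common(),
        "top_users": users.most_common(),
        "top_passwords": passwords.most_common(),
    }


# Constructed sample in syslog style (not real captured data).
SAMPLE_LOG = """\
Jan 10 03:14:15 krupa sshd[4242]: Password, username is: root-----admin
Jan 10 03:14:16 krupa sshd[4242]: Password, username is: root-----123456
Jan 10 03:14:18 krupa sshd[4243]: Password, username is: admin-----admin
Jan 10 03:14:19 krupa sshd[4243]: Password, username is: root-----admin
Jan 10 03:14:20 krupa sshd[4244]: Accepted publickey for alice from 192.0.2.10 port 5022 ssh2
Jan 10 03:14:21 krupa sshd[4245]: Password, username is: root-----a-----b
"""

if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG.splitlines())
    print(stats["attempts"], "attempts,", stats["unique_pairs"], "unique combinations")
    for (user, password), n in stats["top_pairs"][:100]:
        print(n, user, password)
```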
Top 100 login+password combinations
count  login  password
5493   root   admin
2883   root   123456
2505   root   password
2439   root   root
2423   root   root123
2376   root   \001
2336   root   1234
2330   root   1qaz2wsx
2274   root   redhat
2252   root   passw0rd
2217   root   12345678
2178   root   123123
2177   root   admin123
2130   root   1q2w3e4r
2113   root   P@ssw0rd
2097   root   qwe123
2086   root   12345
1995   root   abc123
1985   root   1234567890
1958   root   123
1925   root   1q2w3e
1877   root   123456789
1834   root   root@123
1815   root   111111
1794   root   Passw0rd
1751   root   toor
1748   root   123qwe!@#
1745   root   qweasd
1743   root   2wsx3edc
1731   root   root1234
1720   root   rootroot
1711   root   master
1710   root   rootme
1709   root   zaq12wsx
1696   root   123qwe
1694   root   142536
1693   root   112233
1687   root   abcd1234
1660   root   123.com
1657   root   manager
1656   root   654321
1641   root   data
1636   root   123abc
1633   root   cisco
1629   root   welcome
1622   root   q1w2e3r4t5
1612   root   123qweasd
1601   root   qazxsw
1600   root   q1w2e3r4
1598   root   test
1562   root   1234567
1560   root   1qaz@WSX
1557   root   qwer1234
1554   root   test123
1552   root   1q2w3e4r5t
1539   root   oracle
1539   root   1qazxsw2
1526   root   admin@123
1505   root   qwerty
1502   root   8812345
1501   root   letmein
1474   root   master123
1471   root   225588
1454   root   administrator
1453   root   temporal
1450   root   666666
1448   root   p@ssw0rd
1447   root   123qwe123
1441   root   123!@#
1441   root   11111111
1426   root   123465
1424   root   changeme
1422   root   123321
1418   root   r00t
1411   root   123.321
1404   root   qazwsx
1404   root   monitor
1392   root   default
1387   root   firewall
1373   root   888888
1372   root   huawei
1364   root   samsung
1360   root   pass123
1357   root   qwe123!@#
1356   root   asdf
1355   root   !QAZ2wsx
1355   root   power
1355   root   1212
1354   root   pass
1352   root   P@$$w0rd
1347   root   password1
1345   root   Password
1343   root   65432!
1341   root   P@ssword
1341   root   88888888
1340   root   Admin@123
1328   root   a123456
1321   root   system
1313   root   Abc123
1311   root   789789
Top 100 users
count    user
1106979  root
94632    admin
3140     test
2917     oracle
2063     postgres
2029     nagios
1793     krupa
1785     pw
1685     bin
1642     user
1539     guest
1527     ftpuser
1296     mysql
1024     testuser
950      info
927      ftp
820      backup
815      support
774      webmaster
705      git
605      teamspeak
560      web
555      usuario
548      www
511      tomcat
509      postmaster
502      suporte
461      teste
423      deploy
400      www-data
380      zabbix
356      webadmin
353      ubuntu
348      test2
331      svn
331      alex
316      apache
309      test1
304      ftptest
291      student
289      minecraft
275      ts
274      jboss
245      jenkins
242      master
228      redmine
218      test3
217      ts3
216      cyrus
213      jira
205      testftp
205      cacti
203      teamspeak3
201      nobody
199      user1
188      hadoop
181      webuser
175      news
174      adm
170      a
168      sales
162      db2inst1
159      prueba
159      john
157      testing
156      office
156      mythtv
150      temp
148      demo
145      weblogic
141      tom
141      david
139      cron
138      tester
137      mail
132      vyatta
131      postfix
129      gitosis
124      service
121      bash
118      server
115      michael
114      gitolite
113      linux
113      daemon
113      ben
110      ivan
109      operator
108      public
108      mike
108      jack
106      http
105      upload
105      rsync
105      daniel
105      anna
104      informix
104      ghost
102      pi
102      deployer
There are quite a lot of attempts using my domain name as the login, which means those bots have some ability to adapt to the target they are hitting.
Top 100 passwords
count  password
9747   123456
6759   admin
5863   password
4362   1234
3826   12345
3530   123
3490   root
3475   1qaz2wsx
3414   test
3339   123123
3259   abc123
3258   root123
3121   12345678
3085   qwe123
3073   admin123
3069   passw0rd
3053   P@ssw0rd
3037   redhat
3007   1q2w3e4r
2745   1234567890
2617   test123
2610   Passw0rd
2609   111111
2604   zaq12wsx
2587   123qwe
2580   root@123
2520   qweasd
2494   112233
2484   oracle
2464   2wsx3edc
2428   master
2424   142536
2422   toor
2420   123qwe!@#
2410   rootme
2376   123456789
2376   \001
2366   data
2338   manager
2332   qwerty
2323   root1234
2316   welcome
2293   rootroot
2288   cisco
2281   qazxsw
2275   q1w2e3r4t5
2258   123.com
2216   1q2w3e
2216   123abc
2195   123qweasd
2163   abcd1234
2152   1234567
2133   letmein
2115   8812345
2103   1qazxsw2
2089   123!@#
2085   225588
2082   123465
2078   master123
2073   q1w2e3r4
2073   admin@123
2065   qwer1234
2053   temporal
2050   123.321
2044   123qwe123
2029   1qaz@WSX
2025   654321
2008   changeme
1988   pass
1979   monitor
1966   666666
1934   1212
1929   1
1919   firewall
1887   qwe123!@#
1874   r00t
1871   qazwsx
1869   1q2w3e4r5t
1851   65432!
1840   p@ssw0rd
1834   administrator
1831   default
1827   Admin@123
1825   pass123
1810   P@$$w0rd
1803   789789
1793   Abc123
1776   123321
1772   root123!@#
1765   aa123456
1765   147147
1763   11111111
1754   password1
1752   q123456
1723   tang
1717   admin123#
1717   888888
1715   huawei
1709   system
1701   adminadmin
Conclusion
Is it a problem? It should not be, unless you use one of those passwords. Otherwise it only creates unnecessary noise in the log files.
If you are concerned about someone guessing your password you can change the port SSH listens on, but there are good reasons not to. I would recommend reading that article, even though the author goes to the extreme of saying it is absolutely a bad idea. Moving the SSH port to some unpredictable value will not protect you from a targeted attack, but it will buy you more time to patch your system in case there is a 0-day attack on the OpenSSH server and the bots rush to compromise as many systems as possible as fast as possible – they will scan port 22 only, to speed up the process.