* 122,094 (~35%) are in the rockyou dump (which has 14,344,391 unique entries)
* 2898 passwords in my list of cracked linkedin passwords, excluding those in the rockyou dump (2,002,484 unique entries)
* 27,639 are in the phpbb dump I have (184,344 unique entries)
If you're running an ssh server that allows password authentication, make sure you're also running fail2ban.[1] Too many failed login attempts will block the IP (at an iptables level) for a configurable time period.
It looks like whoever wrote the scanner (that hit this honeypot) thought it would be a great idea to count on instances where the terminal becomes laggy/crashes during a password change.
The administrator would then set a new password by accident.
Hang any SSHD on the internet, and within minutes you get these attempts. You can choose to log the passwords if you like and this is what you would see.
At work we have to send data to a few third parties, it's pretty much up to them how they set up their end. I think everything is using SFTP at least, but a few still have passwords rather than keys. The accounts are restricted so you can't get a full shell though. My guess is these systems are designed by non-technical people who don't really understand the issues.
I'm considering using those yubikey modes for ssh or local login on certain servers and in certain situations, though it requires some changes on each server to enable it.
I'm quite fond of the Yubikey NEO's openpgp applet paired with gpg-agent's ability to act as a compatible ssh-agent; it allows standard SSH key login to any server with no server changes at all. I love the idea of my GPG and SSH key being truly portable in a very reasonably sized form factor as well.
I would be curious to know why this got downvoted. I went looking for "correct horse battery staple" and then realized that apparently the bots hadn't tried any passwords with spaces in them, but also that the patch uses spaces as a delimiter...
Alternatively or in addition, add a firewall rule to permanently ban any IPs after too many failed attempts or simultaneous connections, make sure root login is disabled, and/or put sshd on a non-standard port (I find the last one a bit of security theater, but it will reduce some wasted traffic if nothing else.) Here's my pf rule for ssh (brute force filter):
# persistent table holding the source addresses that have been banned
table <sshbans> persist
# drop traffic from banned addresses before any other rule is evaluated
block quick from <sshbans>
# allow new ssh connections (initial SYN only) and track state per source;
# more than 15 concurrent connections, or more than 5 new connections in 3
# seconds, adds the source to <sshbans> and flushes all of its existing states
pass quick proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <sshbans> flush global)
Raise the values a bit if you have other SSH users on your box.
I get about 50 new bans a day. It's pretty much guaranteed if you have a server on the web with port 22 open, that bots will be attempting to brute-force it.
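As an added illustration (not code from the thread), this is the counting that fail2ban and the pf overload rule above both do, run over constructed sshd auth.log lines with a 5-failures-in-10-minutes threshold; the log lines, the threshold and the helper names are my own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not taken from the honeypot in the thread).
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 10 03:14:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jan 10 03:14:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 10 03:14:03 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51125 ssh2
Jan 10 03:14:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 10 03:14:05 host sshd[1206]: Failed password for root from 203.0.113.7 port 51127 ssh2
Jan 10 03:14:09 host sshd[1207]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Jan 10 03:20:00 host sshd[1210]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Jan 10 03:31:00 host sshd[1211]: Failed password for bob from 198.51.100.9 port 40101 ssh2
"""

# syslog timestamp, then the standard OpenSSH "Failed password" message
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)

def parse_failed(line, year=2024):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def find_bans(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Map source IP -> time it crossed max_failures failures within the window."""
    recent = defaultdict(deque)   # per-IP sliding window of failure timestamps
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_failed(line)
        if parsed is None or parsed[2] in bans:
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            bans[ip] = ts
    return bans

def ban_command(ip):
    """The iptables drop rule a fail2ban-style action would install for one source."""
    return f"iptables -I INPUT -s {ip} -j DROP"
```

The second source makes only two attempts eleven minutes apart, so the window discards the first and it is never banned.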
ryan-c | 11 years ago
There's 350,032 unique passwords in there.
anonfunction | 11 years ago
[1] https://github.com/montanaflynn/palindromes/
Edit: I also pulled some more stats out of just the passwords:
ryan-c | 11 years ago
machrider | 11 years ago
[1]: http://www.fail2ban.org/wiki/index.php/Main_Page
jlgaddis | 11 years ago
ryan-c | 11 years ago
https://github.com/jtniehof/pam_shield
Back in the day, disabling password auth but leaving keyboard_interactive on would stop a lot of these things, but I don't think that's true any more.
trashcan | 11 years ago
Probably best to just whitelist SSH to known IPs.
joshavant | 11 years ago
hoers | 11 years ago
http://danielmiessler.com/blog/security-and-obscurity-does-c...
dsl | 11 years ago
'hunter2' is in the list.
VonGuard | 11 years ago
ryan-c | 11 years ago
pdoconnell | 11 years ago
korzun | 11 years ago
My theory anyways.
gburt | 11 years ago
wglb | 11 years ago
w8rbt | 11 years ago
unknown | 11 years ago
[deleted]
jamiesonbecker | 11 years ago
imron | 11 years ago
If it's important enough to still need a password on top of that, the password can go on the key.
lucaspiller | 11 years ago
sebastianavina | 11 years ago
ytch | 11 years ago
dmix | 11 years ago
uzonite | 11 years ago
feld | 11 years ago
mrsteveman1 | 11 years ago
peteretep | 11 years ago
peteretep | 11 years ago
Terretta | 11 years ago
tedunangst | 11 years ago
byuu | 11 years ago
jijji | 11 years ago
byuu | 11 years ago