Wednesday, September 13, 2017

Brute Force 900k + Attempts on a New Server

Instantly we were collecting data showing the determination of people trying to gain “root” access to our Server.
Our data shows us that on the 21/August/2017 we had 150,000 failed logon attempts
We will start by describing the attack type and potential risk involved.

Attack TYPE

Brute force attack, SSH service authentic action attack
Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.
Attempts graph at the time of this report.
Brute force attack 1
Failed Logins – Failed Logins. Last 150 Events

Attack Origins

As shown in the chart below 27.1% of the attacks including the 1st IP to attempt SSH access was from China closely followed by Russia via a botnet attack.
Brute force attack 2

Duration of The Attack

This attack started on 19/08/2017 and is still ongoing at over 20k attempts per day (Please note this attack is being monitored 24/7 by Frontline Cyber Security Ltd and is against one of our test servers using honey pots).
We are sharing this information we are gathering with Action Fraud to help people detect and defend against future attacks from the target IP addresses.
Further details on this attack can be found on our Open Threat Exchange profile via the link below.

Risk to Business Explained

If this attack was to target your company servers the risks are very high depending on your password strength and server security see below (with speed of 1,000,000,000 Passwords/sec, cracking an 8-character password composed using 96 characters takes 83.5 days. But a recent research presented at Password^12 in Norway, shows that 8-character passwords are no safer. They can be cracked in 6 hours)
If they crack your root – admin password they essentially control your server so please ensure you have protection in place for example:
Rate Limiting the Login Attempts
Hiding the login page
Using htaccess
Hardware Firewall / IP Tables
Two-factor authentication enabled.
Thank you for reading.

0 comments:

Post a Comment