
Patch to Log SSH Passwords – One Year Results - w8rbt
http://w8rbt.org/patches/
======
ryan-c
So, some stats:

There's 350,032 unique passwords in there.

* 122,094 (~35%) are in the rockyou dump (which has 14,344,391 unique entries)
* 2898 passwords in my list of cracked linkedin passwords, excluding those in the rockyou dump (2,002,484 unique entries)
* 27,639 are in the phpbb dump i have (184,344 unique entries)

~~~
anonfunction
I also detected 1893 palindromes out of 350064 total lines. Finally a
(laughable) real-world use for my palindrome detection project[1].

[1] https://github.com/montanaflynn/palindromes/

Edit: I also pulled some more stats out of just the passwords:

    Total characters: 2938676
    Average character count: 8.39544955889747
    Median character count: 6
    Maximum character count: 294

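The overlap-with-dumps counting ryan-c describes (each dump excluding entries already counted in an earlier one) and the palindrome and character-count figures anonfunction posted are both straightforward to reproduce. The script below is an added example, not code from either commenter or from the w8rbt patch; the captured list and the three "dumps" are small constructed stand-ins, and `load_list` is a hypothetical helper for pointing it at a real one-password-per-line file.

```python
"""Password-list statistics of the kind discussed in the thread.

Added example; the lists below are constructed stand-ins, not the real
w8rbt capture or the rockyou/linkedin/phpbb dumps.
"""
from statistics import mean, median

# Constructed sample of captured passwords, one per login attempt
# (a real capture repeats entries, so overlap counts dedupe first).
CAPTURED = [
    "123456", "hunter2", "password", "abcba", "qwerty",
    "racecar", "admin", "letmein", "toor", "a" * 20, "123456",
]

# Constructed stand-ins for the breach dumps.  Insertion order matters:
# a later dump excludes entries already counted in an earlier one, as in
# the post ("excluding those in the rockyou dump").
DUMPS = {
    "rockyou": {"123456", "password", "qwerty", "letmein", "abc123"},
    "linkedin": {"password", "hunter2", "admin", "racecar"},
    "phpbb": {"admin", "toor", "123456"},
}


def load_list(path):
    """Hypothetical helper: one password per line from a file on disk."""
    with open(path, encoding="utf-8", errors="surrogateescape") as f:
        return [line.rstrip("\n") for line in f]


def overlap_stats(passwords, dumps):
    """Unique passwords found in each dump, excluding those already matched
    by an earlier dump, so no password is counted twice."""
    unique = set(passwords)
    counted = set()
    result = {"unique": len(unique)}
    for name, dump in dumps.items():
        hits = (unique & dump) - counted
        result[name] = len(hits)
        counted |= hits
    return result


def is_palindrome(s):
    """Reads the same backwards; single characters do not count."""
    return len(s) > 1 and s == s[::-1]


def palindrome_count(passwords):
    """Counted over all lines, not unique values, as in anonfunction's figure."""
    return sum(1 for p in passwords if is_palindrome(p))


def length_stats(passwords):
    """Total / average / median / maximum character count over all lines."""
    lengths = [len(p) for p in passwords]
    return {
        "total": sum(lengths),
        "mean": mean(lengths),
        "median": median(lengths),
        "max": max(lengths),
    }


if __name__ == "__main__":
    import sys
    passwords = load_list(sys.argv[1]) if len(sys.argv) > 1 else CAPTURED
    print(overlap_stats(passwords, DUMPS))
    print("palindromes:", palindrome_count(passwords))
    print(length_stats(passwords))
```

Run it with no argument to see the constructed sample, or with a path to a real list. Note that the overlap numbers depend on the order the dumps are given in, exactly as ryan-c's linkedin figure depends on rockyou having been subtracted first.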
------
machrider
If you're running an ssh server that allows password authentication, make sure
you're also running fail2ban.[1] Too many failed login attempts will block the
IP (at an iptables level) for a configurable time period.

[1]: http://www.fail2ban.org/wiki/index.php/Main_Page

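What fail2ban's sshd jail actually does is count `Failed password` lines per source address inside a sliding `findtime` window and fire a firewall ban once `maxretry` is reached, lifting it after `bantime`. The script below is an added example that mimics those semantics against constructed sshd log lines; it is not fail2ban's own code, the timestamps assume a fixed year (syslog lines carry none), and `ban_rule` returns a simplified DROP rule rather than the chain-based rule the real action inserts.

```python
"""fail2ban-style detection of SSH password guessing from sshd log lines.

Added example mimicking fail2ban's maxretry / findtime / bantime semantics;
not fail2ban's own code.  The log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt: one source hammering password auth,
# one legitimate user with a single typo.
AUTH_LOG = """\
Jun 14 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 14 10:00:03 vps sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jun 14 10:00:05 vps sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jun 14 10:00:09 vps sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jun 14 10:00:10 vps sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Jun 14 10:00:12 vps sshd[1211]: Failed password for invalid user pi from 203.0.113.5 port 51260 ssh2
Jun 14 10:00:20 vps sshd[1213]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Jun 14 10:00:30 vps sshd[1215]: Failed password for root from 203.0.113.5 port 51270 ssh2
Jun 14 10:30:00 vps sshd[1300]: Failed password for bob from 198.51.100.7 port 40020 ssh2
"""

# Classic syslog-format sshd failure line; the year is absent in this format.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[0-9.]+) port \d+"
)


def parse_ts(text, year=2015):
    """Syslog timestamps carry no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600, year=2015):
    """Return [(ip, ban_time)] for every source reaching `maxretry` failures
    inside a sliding `findtime` window (seconds).  While a ban is active the
    source's further lines are ignored, as the firewall would drop them."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside findtime
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and other noise
        ts, ip = parse_ts(m["ts"], year), m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue                # still banned
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()        # expire failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            window.clear()
    return bans


def ban_rule(ip, port=22):
    """Simplified DROP rule for a banned source (the real fail2ban action
    manages its own chain, but the effect on the source is the same)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(AUTH_LOG):
        print(when.isoformat(), ban_rule(ip))
```

With the defaults, the guessing source is banned at its fifth failure (10:00:12) and bob's two typos half an hour apart never add up, because the first has aged out of the 600-second window; widen `findtime` to an hour and bob would be banned too, which is the trade-off to keep in mind when tuning a jail on a box with real users.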
~~~
joshavant
If you're going for a security plan of obscurity (which, IMO, is what fail2ban
is), I'd just change the SSH port, instead.

~~~
darklajid
Now I'm confused. Why do you consider blocking someone that clearly is trying
to brute force his way in 'obscure'?

~~~
hoers
You're right, it's not.

------
dsl
I'll save you the time of downloading the full results.

'hunter2' is in the list.

~~~
VonGuard
How come when I type "hunter2" it comes up " __ __ __* "?

------
ryan-c
I wonder what's up with all the super long entries in there. Bugs in the bots?

~~~
pdoconnell
I'd guess that they're unique passwords taken from plain text password dumps
that ended up in dictionaries.

------
gburt
Wait, who is logging SSH passwords? Is this an intentional attack on OpenSSH
Portable or is it a honeypot?

~~~
wglb
Hang any SSHD on the internet, and within minutes you get these attempts. You
can choose to log the passwords if you like and this is what you would see.

~~~
xtrumanx
Wow you're right. I just set up my own VPS yesterday. Decided to check the auth
logs and the first invalid user attempt occurred less than 3 hours from my
first login.

The "POSSIBLE BREAK-IN ATTEMPT!" message worried me for a bit but a little
googling and the fact I've disabled password login calmed me down.

Presumably, changing my sshd port will drastically reduce these attempts
right? Or do attackers routinely port scan servers?

~~~
untrothy
I changed my port from 22 to a higher one and the user attempts are completely
gone.

Only nuisance is that the higher ports may be blocked, for example my uni
blocks my new ssh port so I can't connect to the vps when I'm on campus.

~~~
cheese1756
If you don't host any https websites on the VPS, using 443 will almost always
get past port blocking.

~~~
btgeekboy
Or just use both :) https://dgl.cx/2010/01/haproxy-ssh-and-ssl-on-same-port

------
jamiesonbecker
I just don't know why people still use passwords with SSH anyway! (i.e. userify
and stuff)

~~~
imron
Not sure why you're getting downvotes. I use key authentication for all my SSH
needs.

If it's important enough to still need a password on top of that, the password
can go on the key.

~~~
e12e
Huh? Always encrypt the ssh-key, and use ssh-agent for convenience. That said
it is now quite easy to set up proper two-factor authentication: eg key and
otp.

~~~
lobster_johnson
On OS X, the keychain app caches the private key password forever. Even after
a reboot. Any idea how to fix this? Ideally Keychain should ask me again (say)
an hour after my last login with the same key.

~~~
cflee
I don't think you can set this at a key-specific level, but in Keychain
Access, you can ctrl-click on the keychain and set it to lock after x min of
inactivity / when sleeping.

I'm not sure if you can put your ssh keys on a specific (non-login) keychain.

If you want those, you may want to go to Keychain Access > Preferences > First
Aid > uncheck "Keep login keychain unlocked".

~~~
rectang
You can drag-and-drop items between keychains -- you just need to enter the
passwords for both keychains when doing so.

This makes it possible to keep valuable items in one or more auxiliary
keychains set to always prompt (lock after 0 minutes). (This technique isn't a
panacea but it contributes to defense in depth.)

------
uzonite
https://home.regit.org/2014/06/pshitt-collect-passwords-used-in-ssh-bruteforce/

------
feld
Use 2 factor auth with ssh via Yubikey or TOTP and it doesn't matter if they
try to brute force you

~~~
mrsteveman1
I'm considering using those yubikey modes for ssh or local login on certain
servers and in certain situations, though it requires some changes on each
server to enable it.

I'm quite fond of the Yubikey NEO's openpgp applet paired with gpg-agent's
ability to act as a compatible ssh-agent, which allows standard SSH key login to
any server with no server changes at all. I love the idea of my GPG and SSH key
being truly portable in a very reasonably sized form factor as well.

------
peteretep
Really no passwords with spaces in them, or a data-preparation error?

~~~
peteretep
I would be curious to know why this got downvoted. I went looking for "correct
horse battery staple" and then realized that apparently the bots hadn't tried
any passwords with spaces in them, but also that the patch uses spaces as a
delimiter...

------
tedunangst
Damn! I was certain nobody would guess my password of eight commas.

~~~
byuu
Shit!! Someone guessed my password as well, on line 1120!

    000000.000000000**0000000000000000000ooooo000111222333000OOO00OO0O0O0011447700384zxh.007Martin00idc805188..e0102030114110123.01234.01234.*012345601234567.*0123456789!@0123lhb0123014785236901601hr0205\\023022-58810235025516700270301fjfzw1=-03110368350037804047

I thought for sure a 260-character password with 1,560 bits of entropy would
be sufficient. I better go change it right away :O

------
jijji
use ssh keys or use iptables whitelisting on all your boxes

~~~
byuu
Alternatively or in addition, add a firewall rule to permanently ban any IPs
after too many failed attempts or simultaneous connections, make sure root
login is disabled, and/or put sshd on a non-standard port (I find the last one
a bit of security theater, but it will reduce some wasted traffic if nothing
else.) Here's my pf rule for ssh (brute force filter):

    table <sshbans> persist
    block quick from <sshbans>
    pass quick proto tcp from any to any port ssh \
      flags S/SA keep state \
      (max-src-conn 15, max-src-conn-rate 5/3, \
      overload <sshbans> flush global)

Raise the values a bit if you have other SSH users on your box.

I get about 50 new bans a day. It's pretty much guaranteed if you have a
server on the web with port 22 open, that bots will be attempting to brute-
force it.

