Brute Force 900k + Attempts on a New Server

Brute Force Attack Report – This article is going to cover an attack we have had on a new network from the second it was connected to the internet.

Instantly we were collecting data showing the determination of people trying to gain “root” access to our Server.

Our data shows us that on the 21/August/2017 we had 150,000 failed logon attempts

We will start by describing the attack type and potential risk involved.

Attack TYPE

Brute force attack, SSH service authentic action attack

Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.

Attempts graph at the time of this report.

Failed Logins – Failed Logins. Last 150 Events

Attack Origins

As shown in the chart below 27.1% of the attacks including the 1^st IP to attempt SSH access was from China closely followed by Russia via a botnet attack.

Duration of The Attack

This attack started on 19/08/2017 and is still ongoing at over 20k attempts per day (Please note this attack is being monitored 24/7 by Frontline Cyber Security Ltd and is against one of our test servers using honey pots).

We are sharing this information we are gathering with Action Fraud to help people detect and defend against future attacks from the target IP addresses.

Further details on this attack can be found on our Open Threat Exchange profile via the link below.

https://otx.alienvault.com/pulse/5999a448c8f3d01e51964283/

Risk to Business Explained

If this attack was to target your company servers the risks are very high depending on your password strength and server security see below (with speed of 1,000,000,000 Passwords/sec, cracking an 8-character password composed using 96 characters takes 83.5 days. But a recent research presented at Password^12 in Norway, shows that 8-character passwords are no safer. They can be cracked in 6 hours)

If they crack your root – admin password they essentially control your server so please ensure you have protection in place for example:

Rate Limiting the Login Attempts

Hiding the login page

Using htaccess

Hardware Firewall / IP Tables

Two-factor authentication enabled.

Thank you for reading.

About the author: Frontline Cyber Security Ltd

Company Registration Number 10803746 Newark

Nottinghamshire – United Kingdom

contact@frontlinecybersecurity.com

https://frontlinecybersecurity.com

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Brute force attack, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.