The SSH protocol is ubiquitous on today’s Internet and is mainly used for remote administration of servers. Usernames and associated passwords (or keys) are typically used to access SSH servers. The combination of a common username and a password that is difficult to guess provides extensive access to the systems and is therefore an attractive target for attackers. As real quantum computers approach in time, post-quantum cryptography also becomes more relevant alongside existing password attacks. In this work, we logged SSH brute-force attempts over a period of 7 months using a honeypot in the US to analyze the current attack behavior. Our results show that SSH attackers do not use PQC algorithms and prefer traditional cryptography. Furthermore, we confirm typical attack patterns from previous work, but also show relevant attack days of the year, mainly during holidays, and identify regional irregularities in the origin of IP addresses. In addition, we analyze the attack behavior of the 2024 discovered xz-Utils backdoor.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Unmasking SSH Attackers: A Study on Brute-Force Attempts and Cryptographic Usage

  • Bastian Buck,
  • Tobias Heer

摘要

The SSH protocol is ubiquitous on today’s Internet and is mainly used for remote administration of servers. Usernames and associated passwords (or keys) are typically used to access SSH servers. The combination of a common username and a password that is difficult to guess provides extensive access to the systems and is therefore an attractive target for attackers. As real quantum computers approach in time, post-quantum cryptography also becomes more relevant alongside existing password attacks. In this work, we logged SSH brute-force attempts over a period of 7 months using a honeypot in the US to analyze the current attack behavior. Our results show that SSH attackers do not use PQC algorithms and prefer traditional cryptography. Furthermore, we confirm typical attack patterns from previous work, but also show relevant attack days of the year, mainly during holidays, and identify regional irregularities in the origin of IP addresses. In addition, we analyze the attack behavior of the 2024 discovered xz-Utils backdoor.