Researchers from the Internet Storm Center alert for a possible increase in the number of bruteforce attacks on root accounts via ssh. Since mid-november there would be a clear increase in the number of attacks on port 22.
“We have messages about the ongoing bruteforce attacks on the root-account via ssh,” said Guy Bruneau of ISC in a blogposting. “This is all about a week to the course from different ip addresses. I also have the similar activities seen on any of my servers since mid-november.”
From data of Dshield.org it appears that there has been, since november 15, a significant increase in the number of attack attempts on port 22 is reported. Dshield is a system that is fed by firewall logs by administrators voluntarily shared. On the basis of the data that is submitted can attack patterns to be recognized.
The peak was on november 15, with almost 130,000 reported attack attempts. Since then, the number of attempts dropped and rocked it in recent days around 100,000. Also Tweakers.net is an increased level of activity. Since 6 november, there are on one of the servers already 11.100 attempts to log in as root, coming from 141 different ip addresses. Also, we noticed a lot of bruteforce attacks with usernames. In the month of november were more than 57.500 attempts.
Although in the past there are periods with significantly more attack attempts on port 22, the increase for the ISC apparently remarkable enough to pay attention to it. The security researchers advise managers to not using the default port for a server to ssh and never as root, log in to a system, but as a regular user to login and, if necessary, to sudo.
