Security Bytes

Oct 22 2007   3:39PM GMT

Spike in failed SSH logins could be beginnings of a coordinated attack, ISC says



Posted by: Dennis Fisher
Information Security Threats

Networks around the country are seeing evidence of what may be a coordinated attack on SSH servers. The folks at the Internet Storm Center have gotten a number of reports of activity that looks like it may be distributed attempts to brute-force various accounts on SSH servers. The attacks appear to be coming from a large number of IP addresses and target one victim server, ISC’s report says.

“Today we had 4 separate reports of an increase in ssh bruteforce attacks. Two of those reports stated that they were seeing lots of source hosts against a single victim. The isc.sans.org port 22 graph supports this as there has been a large increase in the source hosts seen in ssh scans during this month.”

Port 22 on both TCP and UDP is the default port for the SSH remote login protocol. Attacks on SSH servers usually grab administrators’ attention right away, as the service is used by admins and other power users to log in securely to remote servers. So an attacker who succeeds in brute-forcing the login credentials on an SSH server would likely have high-level access to the other resources on the network. Some of the reports that the ISC is getting from its readers indicate that the machines attempting the logins may be compromised themselves, which could suggest that they are part of a botnet looking specifically for vulnerable SSH servers.
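
The pattern in the reports, many source hosts against a single victim, can slip past per-source failure counters because each host may stay under the limit. The following is an added example, not code from the original post or from the ISC, that flags such time windows in OpenSSH "Failed password" syslog lines on one server; the function names, thresholds, and sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failure line as written to syslog, for example:
# "Oct 22 03:10:00 gw sshd[400]: Failed password for root from 198.51.100.10 port 5022 ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failures(lines, year=2007):
    """Yield (timestamp, source_ip, user); syslog omits the year, so it is passed in."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def distributed_windows(lines, window=timedelta(minutes=10),
                        min_sources=5, per_ip_limit=5):
    """Return (window_start, quiet_sources, total_failures) for each window in
    which at least min_sources hosts failed logins while each stayed below
    per_ip_limit. Thresholds are illustrative assumptions, not ISC guidance."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, ip, _user in parse_failures(lines):
        # Align the timestamp to the start of its fixed-size window.
        start = datetime.min + ((ts - datetime.min) // window) * window
        buckets[start][ip] += 1
    alerts = []
    for start, per_ip in sorted(buckets.items()):
        quiet = [ip for ip, n in per_ip.items() if n < per_ip_limit]
        if len(quiet) >= min_sources:
            alerts.append((start, len(quiet), sum(per_ip.values())))
    return alerts

# Constructed sample: six hosts with two failures each, then one noisy host.
SAMPLE = [
    f"Oct 22 03:1{i}:0{j} gw sshd[4{i}{j}]: Failed password for root "
    f"from 198.51.100.{10 + i} port 5{i}22 ssh2"
    for i in range(6) for j in range(2)
] + [
    f"Oct 22 04:00:{s:02d} gw sshd[900]: Failed password for invalid user test "
    f"from 203.0.113.9 port 40000 ssh2"
    for s in range(8)
]

if __name__ == "__main__":
    for start, sources, total in distributed_windows(SAMPLE):
        print(f"{start}: {sources} low-rate sources, {total} failed logins")
```

The single noisy host in the 04:00 window is the case a per-source limit already catches, so it is not reported here; only the 03:10 window, with six low-rate sources, is flagged.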
