Researchers set up honeypots to learn how cybercriminals find and attack poorly protected Secure Shell (SSH)-enabled servers. Learn what the researchers found so you can protect your devices.

Companies often enable Secure Shell (SSH) in servers, network attached storage (NAS), and other devices so that users can remotely access them. Security experts highly recommend using public-key authentication with SSH-enabled devices. However, some businesses still use password-based authentication, which leaves these devices vulnerable, particularly if questionable credentials are used.

To see just how vulnerable, Sophos security researchers set up 10 decoy SSH-enabled servers (aka honeypots) to use password-based authentication. The honeypots were set up in Amazon Web Services (AWS) data centers around the world, including California, Ohio, and Sao Paulo, Brazil.

It took cybercriminals only 52 seconds to find and attack the honeypot in Sao Paulo. Hackers did not waste any time attacking the other honeypots either. It took them less than 5 minutes to find the one in Ohio and less than 15 minutes to find the decoy in California. Overall, cybercriminals made 5.4 million attempts to log in to the 10 honeypots over a 30-day period. On average, each server was attacked 757 times every hour.

What the Researchers Learned

The speed in which the honeypots were found and the sheer number of login attempts confirmed the general assumption that hackers take advantage of automated tools to carry out SSH attacks. First, they run scripts to locate servers connected to the Internet. Then, they try to access those machines by using brute-force credential-cracking tools, which systematically try username and password combinations.

The honeypots recorded the usernames and passwords tried in the login attempts. After combining the login details from all 10 honeypots, the researchers found that “root” and “admin” topped the list of most-tried usernames. This didn’t surprise the researchers because they are the default usernames for many different types of devices. For example, most Linux devices ship with the default username of “root”, while Seagate, Verbatim, and Lacie NAS devices ship with the default username of “admin”.

Similarly, default passwords were frequently used in the brute-force attacks. For instance, hackers often tried “password” (the default password of Digicom routers and Lacie NAS devices) and “ubnt” (the default password of Ubiquiti Networks devices). Many weak passwords were also tried, including those based on keyboard patterns like “1q2w3e4r”.

The bottom line is that cybercriminals know some businesses use password-based authentication with SSH devices. They also know it’s not uncommon for people to leave the default credentials or change the default password to a weak one. So, hackers use automated tools to continuously scan the Internet for SSH-enabled devices and then attempt to access them with brute-force attacks.

What Happens after the Credentials Are Cracked

Besides wanting to learn how vulnerable SSH-enabled devices are when password-based authentication is used, the researchers wanted to know what happens after a cybercriminal compromises a device. To find out, the researchers allowed the honeypot hackers to log in if they used one of the credentials in a designated set of usernames and passwords. Once the cybercriminals gained access, the honeypot stored the commands they attempted to use.

The researchers found that hackers often used the compromised honeypot to launch attacks on other devices. The cybercriminals first made sure the compromised device had a valid Internet connection. If so, they used it to connect to another device. They then exploited the device, using the honeypot as a proxy.

Secure Your SSH-Enabled Devices So They Don’t Suffer the Same Fate

Using scripts and brute-force credential-cracking tools, hackers are able to easily find and compromise SSH-enabled devices. That’s why it is best to use public-key authentication rather than password-based authentication.

If that is not possible, it is crucial that you change the default username and password when you are setting up the device. The password should be strong, and the username should not be easily guessable. Plus, if your device supports it, it is a good idea to limit the number of login attempts. For example, on Linux servers, you can install and use the Fail2Ban software for this purpose.

To find out additional ways to protect your business’s SSH-enabled devices, contact us.