Analysis of attacker activity related to SSH password guessing

The results of an analysis of password-guessing attacks against servers over SSH have been published. For the experiment, several honeypots posing as reachable OpenSSH servers were deployed on the networks of various cloud providers, including Google Cloud, DigitalOcean and NameCheap. Over three months, 929554 connection attempts to these servers were recorded.

In 78% of cases the attack targeted the password of the root user. The most frequently tried passwords were "123456" and "password", but the top ten also included the password "J5cmmu=Kyf0-br8CsW", probably a default password shipped by some manufacturer.

The most popular logins and passwords (an empty password field means the attacker submitted an empty password):

Login       Attempts    Password    Attempts
root        729108      (empty)     40556
admin       23302       123456      14542
user        8420        admin       7757
test        7547        123         7355
oracle      6211        1234        7099
ftpuser     4012        root        6999
ubuntu      3657        Password    6118
guest       3606        test        5671
postgres    3455        12345       5223
user        2876        guest       4423

Among the analyzed attempts, 128588 unique login-password pairs were identified, of which 38112 were tried 5 or more times. The 25 most frequently tried pairs:

Login       Password      Attempts
root        (empty)       37580
root        root          4213
user        user          2794
root        123456        2569
test        test          2532
admin       admin         2531
root        admin         2185
guest       guest         2143
root        Password      2128
oracle      oracle        1869
ubuntu      ubuntu        1811
root        1234          1681
root        123           1658
postgres    postgres      1594
support     support       1535
jenkins     jenkins       1360
admin       Password      1241
root        12345         1177
pi          r             1160
root        12345678      1126
root        123456789     1069
ubnt        ubnt          1069
admin       1234          1012
root        1234567890    967
ec2 user    ec2 user      963

Distribution of guessing attempts by day of the week and by hour of the day:

[Charts: attempts by day of the week; attempts by hour of the day]

A total of 27448 unique IP addresses were recorded.
The largest number of attempts from a single IP address was 64969. Only 0.8% of attempts arrived via Tor. 62.2% of the IP addresses involved in the guessing belonged to Chinese subnets:

[Chart: geographic distribution of source IP addresses]

Source: opennet.ru
