Security experts are warning about a fresh round of attacks against SSH servers. The attacks are brute-force attempts to authenticate to remote SSH servers, a tactic that has been used often in the past in distributed attacks.
The attacks, which the handlers at the SANS Internet Storm Center have been following, are simple and have a simple goal: gain access to the remote SSH server. The attacks often come from a slew of different IP addresses and may come one right after another, with a number of attempts within a few minutes.
The source IP addresses vary with each new attempted username in the wordlist, which would indicate that the attempts are distributed through botnet(s). It only takes a single user with a weak password for a breach to occur; with that foothold, escalation and further attacks are likely next.
A further analysis of the attacks by Tom Liston at the SANS ISC found that the attackers are attempting to authenticate to the SSH servers using the keyboard-interactive authentication method rather than plain password authentication. In the past, many of the large, distributed SSH attacks have used the simpler password authentication method and just run through a given set of potential passwords on a target server hoping to get lucky. Keyboard-interactive is a separate SSH authentication method (on most Linux servers it is backed by PAM), so it accepts the same weak passwords and is not switched off by disabling password authentication alone; it also shows up in sshd logs as a distinct method name, which is useful when hunting for this campaign.
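The two traits described above, one attempt per username with a different source IP each time, and the keyboard-interactive method rather than password, can be hunted for directly in OpenSSH authentication logs. The following detector is an added example written for this page, not code from the SANS ISC or from the article; the log lines, the 5-minute window and the thresholds (at least five distinct source IPs, no IP making more than two attempts) are constructed assumptions chosen to match the pattern the ISC describes, and should be tuned to a real server's baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not taken from the article or
# from the SANS ISC diary). One attempt per username, each from a different
# source IP, most via keyboard-interactive/pam, plus two unrelated lines.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[2101]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.10 port 51022 ssh2
Mar  3 10:01:09 host sshd[2104]: Failed keyboard-interactive/pam for invalid user oracle from 198.51.100.7 port 40211 ssh2
Mar  3 10:01:15 host sshd[2107]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.44 port 33019 ssh2
Mar  3 10:01:21 host sshd[2110]: Failed password for root from 203.0.113.77 port 60188 ssh2
Mar  3 10:01:28 host sshd[2113]: Failed keyboard-interactive/pam for root from 198.51.100.250 port 42005 ssh2
Mar  3 10:01:34 host sshd[2116]: Failed keyboard-interactive/pam for invalid user guest from 192.0.2.9 port 38800 ssh2
Mar  3 10:03:40 host sshd[2120]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2: ED25519 SHA256:abc
Mar  3 11:30:00 host sshd[2200]: Failed password for bob from 10.0.0.6 port 50001 ssh2
"""

# Matches sshd "Failed <method> for [invalid user] <name> from <ip> port <n>" lines.
# Accepted logins and other sshd messages deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>password|keyboard-interactive(?:/pam)?) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return failed-login events as (timestamp, username, source_ip, method).

    Syslog timestamps carry no year, so the parsed year is 1900; that is fine
    for computing intervals within one log file that does not cross a year.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            method = m["method"].split("/")[0]  # "keyboard-interactive/pam" -> "keyboard-interactive"
            events.append((ts, m["user"], m["ip"], method))
    return events


def find_distributed_bruteforce(events, window_seconds=300, min_ips=5, max_attempts_per_ip=2):
    """Slide a window over failures and flag bursts in which many distinct
    source IPs each make only a few attempts: the per-username IP rotation
    that distinguishes a botnet-driven campaign from a single noisy host.
    """
    events = sorted(events)
    alerts = []
    i = 0
    while i < len(events):
        start = events[i][0]
        window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
        per_ip = defaultdict(int)
        per_method = defaultdict(int)
        users = set()
        for _, user, ip, method in window:
            per_ip[ip] += 1
            per_method[method] += 1
            users.add(user)
        if len(per_ip) >= min_ips and max(per_ip.values()) <= max_attempts_per_ip:
            alerts.append({
                "start": start.strftime("%b %d %H:%M:%S"),
                "attempts": len(window),
                "distinct_ips": len(per_ip),
                "distinct_users": len(users),
                "methods": dict(per_method),
            })
            i += len(window)  # skip the burst we just reported
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_distributed_bruteforce(parse_failures(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the constructed sample the detector reports a single burst of 6 attempts from 6 distinct IPs against 5 usernames, with the method breakdown showing keyboard-interactive dominating, while the lone 11:30 failure for bob from one IP is ignored. A per-IP rate limit such as fail2ban would never fire on this traffic, since no single address exceeds two attempts; that is the point of counting across sources.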
The SANS ISC recommends that organizations deploy their SSH servers on a port other than TCP 22 and disallow remote root logins as preventive measures. Moving the port mainly cuts the noise from opportunistic scanners; it does not stop an attacker who has already found the service, and neither measure protects a non-root account with a weak password. SSH, the popular tool for establishing a secure connection to a remote machine over an insecure network, has been the target of other coordinated attacks such as this one in the last few years.
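The ISC's two recommendations expressed as OpenSSH server settings, with the defaults they replace shown first. This is an added example for this page, not configuration published by the ISC or the article; the port number is an arbitrary assumption, and the last three directives go beyond the ISC's advice by also closing the keyboard-interactive path the attackers were using, which a server that only sets `PasswordAuthentication no` would leave open.

```sshd_config
# --- Weak: the settings the attacks described above rely on ---
Port 22
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes

# --- Hardened ---
# Assumption: 2222 is just an unused high port; pick any, and update firewall rules.
Port 2222
# ISC recommendation: root must log in as a named user and elevate afterwards.
PermitRootLogin no
# Added here beyond the ISC advice: remove the guessable-credential paths entirely.
# Disabling password authentication alone does NOT disable keyboard-interactive
# (PAM-backed) logins, which is the method this campaign used.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# Cap guesses per connection so each botnet node gets fewer tries.
MaxAuthTries 3
```

On OpenSSH releases before 8.7 the keyboard-interactive switch is spelled `ChallengeResponseAuthentication no`; the old name is still accepted as an alias on newer versions. Validate the file with `sshd -t` before restarting, and confirm the effective values with `sshd -T | grep -i -e port -e rootlogin -e authentication` from a session you keep open until a fresh key-based login on the new port succeeds.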