{"title":"Who is Trying to Compromise Your SSH Server ? An Analysis of Authentication Logs and Detection of Bruteforce Attacks","authors":"Pratibha Khandait, Namrata Tiwari, N. Hubballi","doi":"10.1145/3427477.3429772","DOIUrl":null,"url":null,"abstract":"Secure Socket Shell (SSH) allows users to connect and access the system remotely through a publicly exposed interface. These systems often become the target of attacks where an intruder attempts to break into a system by guessing login credentials. These login attempts are generally recorded into a log file by the server. Our contribution in this paper is twofold. First we report on a case study using logs of an SSH server deployed in a production environment. Using a dataset collected over a span of one month with more than one hundred thousand connection records, we study various types of failed login attempts, common usernames being attempted, recurrence of attack sources over time and geographical location of attackers. Our case study reveals that attackers attempt various methods to break into the system, there are few common usernames which were tried persistently, origin of attacks are well spread and more than a handful number of sources make repeated attempts to break into the system spanning weeks. As a second contribution, we propose a method to differentiate failed and successful login attempts using network flow level statistics and subsequently use them to detect attacks. We experiment with flow records labelled with ground truth and show that proposed method is able to identify logins which are failed as well as successful.","PeriodicalId":435827,"journal":{"name":"Adjunct Proceedings of the 2021 International Conference on Distributed Computing and Networking","volume":"39 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-12-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Adjunct Proceedings of the 2021 International Conference on Distributed Computing and Networking","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3427477.3429772","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 3
Abstract
Secure Socket Shell (SSH) allows users to connect to and access a system remotely through a publicly exposed interface. These systems often become the target of attacks in which an intruder attempts to break into the system by guessing login credentials. These login attempts are generally recorded in a log file by the server. Our contribution in this paper is twofold. First, we report on a case study using the logs of an SSH server deployed in a production environment. Using a dataset collected over a span of one month with more than one hundred thousand connection records, we study the various types of failed login attempts, the common usernames being attempted, the recurrence of attack sources over time and the geographical location of attackers. Our case study reveals that attackers attempt various methods to break into the system, that there are a few common usernames that were tried persistently, that the origins of attacks are widely spread, and that more than a handful of sources make repeated attempts to break into the system spanning weeks. As a second contribution, we propose a method to differentiate failed and successful login attempts using network flow-level statistics, and subsequently use them to detect attacks. We experiment with flow records labelled with ground truth and show that the proposed method is able to identify both failed and successful logins.