We’ve got an ongoing brute force attack on our SFTP server and would like some advice to understand the logs.
Please, see two examples below:
[20220523 15:03:55] [195.3.147.60] connecting
[20220523 15:03:55] [195.3.147.60] connected
[20220523 15:03:55] [195.3.147.60] SSH-2.0-PuTTY_Release_0.67
[20220523 15:03:55] [195.3.147.60] dh/kex diffie-hellman-group-exchange-sha256 ssh-rsa
[20220523 15:03:55] [195.3.147.60] client aes128-ctr hmac-sha2-256
[20220523 15:03:55] [195.3.147.60] server aes128-ctr hmac-sha2-256
[20220523 15:03:55] [195.3.147.60] [] user '' sent
[20220523 15:03:55] [195.3.147.60] [] password sent, failed...
[20220523 15:03:55] [195.3.147.60] Winsock error - 10054
[20220523 15:03:55] [195.3.147.60] [] disconnected ()
------------------------------------------------------------------------
[20220523 15:01:51] [157.230.249.70] connecting
[20220523 15:01:51] [157.230.249.70] connected
[20220523 15:01:51] [157.230.249.70] SSH-2.0-Go
[20220523 15:01:51] [157.230.249.70] dh/kex diffie-hellman-group14-sha1 ssh-rsa
[20220523 15:01:51] [157.230.249.70] client aes128-ctr hmac-sha2-256-etm@openssh.com
[20220523 15:01:51] [157.230.249.70] server aes128-ctr hmac-sha2-256-etm@openssh.com
[20220523 15:01:52] [157.230.249.70] [azroot] user 'azroot' sent
[20220523 15:01:53] [157.230.249.70] [azroot] password sent, failed...
[20220523 15:01:53] [157.230.249.70] [azroot] disconnected (azroot)
[20220523 15:01:53] [157.230.249.70] connecting
[20220523 15:01:53] [157.230.249.70] connected
[20220523 15:01:53] [157.230.249.70] SSH-2.0-Go
[20220523 15:01:53] [157.230.249.70] dh/kex diffie-hellman-group14-sha1 ssh-rsa
[20220523 15:01:53] [157.230.249.70] client aes128-ctr hmac-sha2-256-etm@openssh.com
[20220523 15:01:53] [157.230.249.70] server aes128-ctr hmac-sha2-256-etm@openssh.com
[20220523 15:01:55] [157.230.249.70] [azroot] user 'azroot' sent
[20220523 15:01:55] [157.230.249.70] [azroot] password sent, failed...
[20220523 15:01:55] [157.230.249.70] [azroot] ip is temporarily banned...
[20220523 15:01:55] [157.230.249.70] [azroot] disconnected (azroot)
[20220523 15:01:55] [157.230.249.70] connecting
[20220523 15:01:55] [157.230.249.70] denied
Why, at some points, does it show as “connected” even with a nonexistent username?
Are those ssh-rsa lines regarding the fingerprint, or are they attempting to use a certificate?
I know the CORE FTP server temporarily bans the IPs; is it possible to customize this for longer periods or even permanently after X number of attempts? [I have figured this one out already]
Thanks in advance.
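As an added example (not from the original post and not Core FTP's own code), a small Python parser for the log format quoted above that tallies failed password attempts, usernames tried and ban/deny events per source IP, so that "connected" (the transport-level event before any username is sent) is not mistaken for a successful login. The sample lines are constructed in the same shape as the post's log.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Core FTP log lines quoted in the post.
SAMPLE_LOG = """\
[20220523 15:03:55] [195.3.147.60] connected
[20220523 15:03:55] [195.3.147.60] SSH-2.0-PuTTY_Release_0.67
[20220523 15:03:55] [195.3.147.60] [] user '' sent
[20220523 15:03:55] [195.3.147.60] [] password sent, failed...
[20220523 15:01:51] [157.230.249.70] SSH-2.0-Go
[20220523 15:01:52] [157.230.249.70] [azroot] user 'azroot' sent
[20220523 15:01:53] [157.230.249.70] [azroot] password sent, failed...
[20220523 15:01:55] [157.230.249.70] [azroot] password sent, failed...
[20220523 15:01:55] [157.230.249.70] [azroot] ip is temporarily banned...
[20220523 15:01:55] [157.230.249.70] denied
"""

# [timestamp] [ip] [optional user] message; the user bracket only appears once auth starts.
LINE_RE = re.compile(r"^\[(\d{8} \d\d:\d\d:\d\d)\] \[([^\]]+)\] (?:\[([^\]]*)\] )?(.*)$")

def parse_line(line):
    """Return (timestamp, ip, user_or_None, message), or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def summarize(log_text):
    """Per source IP: client banner, failed-password count, usernames tried, ban/deny events."""
    stats = defaultdict(lambda: {"banner": None, "failures": 0, "users": set(), "banned": False, "denied": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, ip, user, msg = parsed
        entry = stats[ip]
        if msg.startswith("SSH-2.0-"):          # client version banner, sent before any auth
            entry["banner"] = msg
        elif msg.startswith("password sent, failed"):
            entry["failures"] += 1              # one failed password attempt
            entry["users"].add(user)            # '' means an empty username was tried
        elif "temporarily banned" in msg:
            entry["banned"] = True
        elif msg == "denied":                   # connection refused while the ban is active
            entry["denied"] += 1
    return dict(stats)

def brute_force_sources(stats, threshold=2):
    """IPs with at least `threshold` failures, or that the server already banned."""
    return sorted(ip for ip, e in stats.items() if e["failures"] >= threshold or e["banned"])
```

Lines such as "connecting", "connected" and the kex/cipher negotiation carry no username and are deliberately ignored, since they happen before authentication for every client, legitimate or not.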