Muppet SSH brute-forcer

More and more muppets seem to think brute-forcing account passwords over SSH is the way to go. I have no idea what tool they use, but all of the recent brute-force attempts were marked by the tool disconnecting with 'Bye Bye'.

The "Failed password" log messages used to puzzle me, as the particular sshd in the following example only allows key authentication. It turns out that the records are caused by a modified ssh client which is hard-coded to always attempt password authentication, even when the sshd does not offer that method.

You have little reason to worry about this. Do not move your sshd to a different port to avoid the noise in the log messages; instead, allow only key-based authentication (rationale: Why the World Needs Strong Authentication). Configure your log analyser not to alert you about these entries and get on with your life. If you disable password authentication in your sshd, connecting clients are told that password authentication is not supported. Any client that still attempts password authentication at that point is hard-coded to violate the SSH protocol, and you may safely assume it to be malicious.

Normally it is considered bad practice to log the actual password with the failed password attempt. However, when your sshd disallows password authentication and you know your authorized users won't get their password stored in plain text by accident, it might be fun to see what passwords these guys are trying.

For the most part, the passwords are probably default passwords for MySQL installs and so on (default passwords are evil!) yet 'john', 'william' and 'administrator' are hardly accounts often found on random UNIX systems.

If you cannot get rid of password authentication, try again. If that fails, use a packet filter to limit the IP addresses that can connect to your sshd.

Googling for 'sshd "bye bye"' reveals recent posts to the Incidents list, but no real usable information. The sources of these silly attacks all appear to be Linux machines.

sshd[20178]: Illegal user test from 210.127.243.85
sshd[20558]: input_userauth_request: illegal user test
sshd[20558]: Failed password for illegal user test from 210.127.243.85 port 45024 ssh2
sshd[20558]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[22571]: Illegal user guest from 210.127.243.85
sshd[2814]: input_userauth_request: illegal user guest
sshd[2814]: Failed password for illegal user guest from 210.127.243.85 port 45048 ssh2
sshd[2814]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[23756]: Illegal user admin from 210.127.243.85
sshd[27715]: input_userauth_request: illegal user admin
sshd[27715]: Failed password for illegal user admin from 210.127.243.85 port 45084 ssh2
sshd[27715]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[17588]: Illegal user admin from 210.127.243.85
sshd[30925]: input_userauth_request: illegal user admin
sshd[30925]: Failed password for illegal user admin from 210.127.243.85 port 45131 ssh2
sshd[30925]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[17911]: Illegal user user from 210.127.243.85
sshd[20421]: input_userauth_request: illegal user user
sshd[20421]: Failed password for illegal user user from 210.127.243.85 port 45173 ssh2
sshd[20421]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[7859]: Failed password for root from 210.127.243.85 port 45209 ssh2
sshd[7859]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[28190]: Failed password for root from 210.127.243.85 port 45246 ssh2
sshd[28190]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[16380]: Failed password for root from 210.127.243.85 port 45280 ssh2
sshd[16380]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[14223]: Illegal user test from 210.127.243.85
sshd[11124]: input_userauth_request: illegal user test
sshd[11124]: Failed password for illegal user test from 210.127.243.85 port 45315 ssh2
sshd[11124]: Received disconnect from 210.127.243.85: 11: Bye Bye
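As an added example (not code from this post, and not the tool the attackers use), here is a small Python script that does what the advice above asks of a log analyser: it reads an sshd_config fragment to decide whether password authentication is switched off, then walks the log lines quoted above (reproduced here as constructed sample data, with one constructed successful public-key login added) and labels each source IP. On a key-only sshd every "Failed password" entry is by definition a client ignoring the server's advertised methods, so those sources are labelled malicious and the rest can be filtered out of your alerts. The config fragments, the extra log line and the function names are assumptions of this example; the log format itself is OpenSSH's.

```python
import re
from collections import defaultdict

# Constructed sshd_config fragments (hypothetical): one key-only, one left at defaults.
HARDENED_CONFIG = """\
# key-only sshd: clients are told password auth is unavailable
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

DEFAULT_CONFIG = """\
# PasswordAuthentication not set, so OpenSSH's default (yes) applies
PubkeyAuthentication yes
"""

# Constructed sample: a subset of the sshd lines quoted in the post plus one
# constructed legitimate public-key login from a different address.
SAMPLE_LOG = """\
sshd[20178]: Illegal user test from 210.127.243.85
sshd[20558]: input_userauth_request: illegal user test
sshd[20558]: Failed password for illegal user test from 210.127.243.85 port 45024 ssh2
sshd[20558]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[2814]: Failed password for illegal user guest from 210.127.243.85 port 45048 ssh2
sshd[2814]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[7859]: Failed password for root from 210.127.243.85 port 45209 ssh2
sshd[7859]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[28190]: Failed password for root from 210.127.243.85 port 45246 ssh2
sshd[28190]: Received disconnect from 210.127.243.85: 11: Bye Bye
sshd[4242]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
DISCONNECT_RE = re.compile(
    r"sshd\[\d+\]: Received disconnect from (?P<ip>[\d.]+): \d+: (?P<msg>.*)$"
)


def password_auth_disabled(config_text):
    """True if this sshd_config turns off both password-style methods.

    sshd honours the first occurrence of a keyword and keywords are
    case-insensitive; an unset keyword falls back to the OpenSSH default,
    which is 'yes' for both. Match blocks are ignored (assumption: none).
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return (seen.get("passwordauthentication", "yes") == "no"
            and seen.get("challengeresponseauthentication", "yes") == "no")


def summarize(log_text, password_auth_off):
    """Group password failures and 'Bye Bye' disconnects by source IP and
    attach a verdict to each source."""
    sources = defaultdict(lambda: {"users": [], "failures": 0, "bye_bye": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            src = sources[m.group("ip")]
            src["failures"] += 1
            if m.group("user") not in src["users"]:
                src["users"].append(m.group("user"))
            continue
        m = DISCONNECT_RE.search(line)
        if m and m.group("msg").strip() == "Bye Bye":
            sources[m.group("ip")]["bye_bye"] += 1
    for src in sources.values():
        if password_auth_off and src["failures"]:
            # The server never offered password auth, so the client is
            # violating the protocol on purpose: filter, do not alert.
            src["verdict"] = "malicious client: password auth attempted although sshd refuses it"
        elif src["failures"] >= 3:
            src["verdict"] = "possible brute force: review"
        else:
            src["verdict"] = "ignore"
    return dict(sources)


if __name__ == "__main__":
    key_only = password_auth_disabled(HARDENED_CONFIG)
    for ip, info in summarize(SAMPLE_LOG, key_only).items():
        print(ip, info)
```

The successful public-key login never appears in the summary because only password failures and the "Bye Bye" disconnects are counted; with the default config the same source would instead be reported as a possible brute force for a human to look at.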