Localized SSH bruteforce attempts

Lately, my honeypot has seen an upsurge in SSH bruteforce login attempts. Among quite a few attackers, one particular IP address in Italy – 79.0.43.89 – is seen more often than the others. I’m seeing login attempts from this IP on other systems as well, so this is a busy one.

What’s funny about this round is that the attackers seem to use localized name lists, as I’ve registered a lot of Norwegian-looking names. The attacker/botnet script tests SSH logins with login name and the number 1 appended to it as a password (e.g. adam / adam1), so if your password is your login name + 1 you should change it ASAP 🙂

It’s also worth noting that there are only boys’ names on the list…

This is the most recent extract:

adam
aleksander
anders
andre
andreas
arne
aslak
bendik
bjorn
christian
daniel
eirik
erik
feliks
gabriel
geir
gunnar
henrik
henry
inge
isak
jacob
jason
jo
johan
jonas
junior
knut
konrad
kristian
lars
lasse
magnus
marius
markus
martin
ole
pal
peter
philip
runar
sander
sigve
simen
sindre
snorre
stian
sveinung
thor
thorbjorn
tom