LinuxQuestions.org

Linux - Security forum: Why do most SSH attacks seem to come from Asian countries? (http://www.linuxquestions.org/questions/linux-security-4/why-do-most-ssh-attacks-seem-to-come-from-asian-countries-640111/)

SlowCoder 05-05-2008 03:42 PM

Why do most SSH attacks seem to come from Asian countries?
 
... at least in my experience.

Whenever I watch my ssh logs and whois the violator's IPs, they are from China or Korea, etc.

Assuming (maybe bad judgment on my part) that the violating IP is probably from a victimized machine itself, why the prevalence?
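
The log review described in the post (watch the sshd log, then whois the offending addresses), written out as an added example that is not part of the original thread. It parses the "Failed ..." and "Accepted ..." lines OpenSSH writes to auth.log, counts failures per source address and per network prefix (the prefix is what you would feed to whois), lists the usernames being guessed, and flags the one event worth an alert in a brute-force run: a successful login from an address that had already been failing. The log lines are constructed with RFC 5737/3849 documentation addresses, not real data; `events`, `report` and the other function names are the example's own. One caveat the code states in its comments: the address it counts is the host that connected, which in practice is usually a compromised intermediary, so the counts say where the scanning hosts are, not who operates them.

```python
"""Summarise sshd authentication failures from syslog-style auth.log lines.

Added example for this thread; SAMPLE_LOG is constructed (RFC 5737/3849
documentation addresses), not real log data.
"""
import ipaddress
import re
from collections import Counter

# OpenSSH wording for failed and accepted authentications. Lines that match
# neither (e.g. the "Invalid user X from IP" line that precedes the failure
# for the same attempt) are ignored so that one attempt is counted once.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
May  5 14:02:11 gw sshd[2311]: Invalid user admin from 203.0.113.7
May  5 14:02:11 gw sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
May  5 14:02:13 gw sshd[2312]: Failed password for root from 203.0.113.7 port 41236 ssh2
May  5 14:02:15 gw sshd[2313]: Failed password for invalid user test from 203.0.113.7 port 41240 ssh2
May  5 14:02:18 gw sshd[2314]: Failed password for invalid user oracle from 203.0.113.7 port 41244 ssh2
May  5 14:02:20 gw sshd[2320]: Failed password for root from 198.51.100.22 port 3322 ssh2
May  5 14:02:25 gw sshd[2321]: Failed password for invalid user postgres from 198.51.100.22 port 3330 ssh2
May  5 14:02:40 gw sshd[2330]: Failed password for invalid user admin from 2001:db8::15 port 2222 ssh2
May  5 14:03:02 gw sshd[2340]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
May  5 14:03:10 gw sshd[2350]: Failed password for root from 203.0.113.9 port 4010 ssh2
May  5 14:03:12 gw sshd[2351]: Accepted password for root from 203.0.113.9 port 4012 ssh2
"""


def events(lines):
    """Yield (kind, method, user, ip) for each authentication outcome, in log order."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield ("failed", m["method"], m["user"], m["ip"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            yield ("accepted", m["method"], m["user"], m["ip"])


def failures_by_ip(lines):
    """Failed attempts per source address. The address is the host that connected,
    which is usually a compromised intermediary rather than the operator."""
    return Counter(ip for kind, _, _, ip in events(lines) if kind == "failed")


def failures_by_prefix(lines, v4_prefixlen=16, v6_prefixlen=32):
    """Failed attempts aggregated per network prefix; the prefixes are what you
    would look up in whois instead of every single address."""
    counts = Counter()
    for ip, n in failures_by_ip(lines).items():
        addr = ipaddress.ip_address(ip)
        plen = v4_prefixlen if addr.version == 4 else v6_prefixlen
        counts[str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))] += n
    return counts


def usernames_tried(lines):
    """Which accounts the scanners are guessing (root and service accounts dominate)."""
    return Counter(user for kind, _, user, _ in events(lines) if kind == "failed")


def brute_force_sources(lines, threshold=3):
    """Addresses with at least `threshold` failures, busiest first."""
    return [ip for ip, n in failures_by_ip(lines).most_common() if n >= threshold]


def accepted_after_failures(lines):
    """Successful logins from an address that had already failed earlier in the
    same log: the event in a brute-force run that needs immediate attention."""
    seen_failing = set()
    hits = []
    for kind, method, user, ip in events(lines):
        if kind == "failed":
            seen_failing.add(ip)
        elif ip in seen_failing:
            hits.append((ip, user, method))
    return hits


def report(lines):
    """Human-readable summary of the above for a quick morning log check."""
    out = ["Failures per source:"]
    for ip, n in failures_by_ip(lines).most_common():
        out.append(f"  {ip:>20}  {n}")
    out.append("Failures per prefix:")
    for net, n in failures_by_prefix(lines).most_common():
        out.append(f"  {net:>20}  {n}")
    out.append("Usernames tried: " + ", ".join(
        f"{u}({n})" for u, n in usernames_tried(lines).most_common()))
    for ip, user, method in accepted_after_failures(lines):
        out.append(f"ALERT: {method} login for {user} from {ip} after earlier failures")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run against a real file with `report(open("/var/log/auth.log").read().splitlines())`; the prefix table is the list to pass to whois, and a non-empty ALERT line means a guessed password actually worked and the host should be treated as compromised rather than merely scanned.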

Emerson 05-05-2008 04:27 PM

Pirated Windows, no updates from MS?

SlowCoder 05-05-2008 04:38 PM

Quote:

Originally Posted by Emerson (Post 3143782)
Pirated Windows, no updates from MS?

That's a pretty good point.

sundialsvcs 05-05-2008 11:05 PM

Realistically speaking, it's hard to be sure where an attack is coming "from."

What you need to do, if you must run an "ssh" daemon, is to review the security options that it supports. The configuration is slightly stilted ... a few more options than it really needs to have, and maybe not the best descriptions for them ... but there's a lot there. You can, for example, use digital certificates.

Also consider using the VPN capability of even a run-of-the-mill office router. Once again, if you get beyond the stupidly-simple "shared secret" authentication methods that the quickstart guides tend to offer you, it's actually quite simple to put a nearly-impregnable barrier between you and the Internet ... yet it is one that you (alone) can pass through as if by magic.

Remember: it should be quite difficult for an outsider to reach "a password prompt" on your systems, by any means whatever.

What do they check, every morning as you walk into the building on the way to your (locked) office? Your badge. If you don't have that, your door-key is quite useless because you won't even make it that far.

SlowCoder 05-06-2008 09:30 AM

sundialsvcs,

I appreciate your response. However, I am not trying to start a new "how to secure SSH" thread. I'm just curious why it appears that all of the IPs are registered in the East. Wondering if there's an agenda, political or philosophical, etc. Possibly that it's simply easier to victimize those machines due to their pirated status, as Emerson offered.

Just curiosity taking hold ...

unSpawn 05-06-2008 11:07 AM

Quote:

Originally Posted by SlowCoder (Post 3143740)
Why do most SSH attacks seem to come from Asian countries?

Looking at http://www.internetworldstats.com/stats.htm you see that right now Asia has the most netizens, followed by Europe and Northern America in third place. So by total amount of users the chance it's a scan from Asia should be much higher, and your experience correlates (for now) with http://www.mynetwatchman.com/LIS.asp?Queue=HBRD (select incident reports, "Largest Incidents 7 Days").

Changing scope, however, a different spread is shown in the historical view of http://www.incidents.org/country.html (select all countries, port 22, date 2004), http://www.shadowserver.org/wiki/pmw...cations#tables and Honeynets in other locations like http://www.honeypots-alliance.org.br/stats/flows/cc/ (Top Source Country Codes) and http://www.honeynet.cz/?mmenu=statis...ang=en&vmetr=1 (top 10 countries with the biggest number of attacks). While it is third in the internetworldstats, you see that Northern America appears to be responsible for a large, and in some places the largest, portion of scans. BTW you should also notice that for instance http://www.juniper.net/security/honeypot/ doesn't even mark TCP/22 as the most scanned port anymore. Most previously mentioned sources agree.

While there are people who scan whole class A networks from their own machines, I doubt most (semi-)professional teams do that. And since obviously the most common practice is to use subverted machines as gateways, you cannot determine who's behind it unless the scanner makes a mistake or gets trapped in a honeypot. Even then chances are you only have the puppet and not the master (http://ddanchev.blogspot.com/, anything RBN-related or botnet stats on shadowserver.org). After all the 'net is a twenty-four-slash-seven business and you could well field any number of teams across TZs to do the work for you.

I would dig the ClippyOS remark if it made sense in terms of power, efficiency (automated activity) or monetary value, but I think a large portion of scanners are not ClippyOS-based but using GNU/Linux ("follow the money", virus activity, malware; next to ddanchev also see http://honeynet.org.au/?q=node/16 and http://www.honeynet.org.cn/index.php...d=80&Itemid=33). GNU/Linux usage would be easier to explain since, next to open proxies and full-out frontal compromises, there's a lot of misconfiguration that causes easy entry. If you wade through lists of IPs from Asia you should frequently find ISP, university and company MTAs, DNSes, gateways and whatnot. While misconfiguration is not typically something only Asia suffers from, it's clear they continue to suffer from structural problems throughout their whole chain, ranging from APNIC being in constant upheaval, CERTs being powerless and ISPs not caring or being impossible to communicate with, to ISPs, institutes, companies and home users using outdated software and not adhering to any best practices.


So, in kinda "executive overview"-stylee that would be IMHO:
Q: TCP/22?
A: Depending on view not even in the top-10.
Q: Asia only?
A: No. Stats show it depends on location.
Q: Asia "more evil" or active compared to say Northern America?
A: No. Stats show definitely not.


@ECHO OFF
REM Anyone seeing anything to correct: BMG.

SlowCoder 05-07-2008 12:53 PM

Wow! Thanks for all the links! I'll have to review as I have time.

unSpawn 05-08-2008 07:32 AM

You're welcome. It is nice to try and get a macro view of things once in a while...


All times are GMT -5.