On the number of attempts on brute-force login attacks

Submitted by gwolf on Fri, 02/06/2015 - 12:51

I would expect brute-force login attacks to be more common. And yes, at some point I got tired of ssh scans, and added rate-limiting firewall rules, even switched the daemon to a nonstandard port... But I have very seldom received an IMAP brute-force attack. I have received countless phishing scams on my users, and I know some of them have bitten because the scammers then use their passwords on my servers to send tons of spam. Activity is clearly atypical.

Anyway, yesterday we got a brute-force attack on IMAP. A very childish atack, attempted from an IP in the largest ISP in Mexico, but using only usernames that would not belong in our culture (mosty English firstnames and some usual service account names).

What I find interesting to see is that each login was attempted a limited (and different) amount of times: Four account names were attempted only once, eight were attempted twice, and so on — following this pattern:

 1 •
 2 ••
 3 ••
 4 •••••
 5 •••••••
 6 ••••••
 7 •••••
 8 ••••••••
 9 •••••••••
10 ••••••••
11 ••••••••
12 ••••••••••
13 •••••••
14 ••••••••••
15 •••••••••
16 ••••••••••••
17 •••••••••••
18 ••••••••••••••
19 •••••••••••••••
20 ••••••••••••
21 ••••••••••••
22 ••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

(each dot represents four attempts)

So... What's significant in all this? Very little, if anything at all. But for such a naïve login attack, it's interesting to see the number of attempted passwords per login varies so much. Yes, 273 (over ¼ of the total) did 22 requests, and another 200 were 18 and more. The rest... Fell quite shorter.

In case you want to play with the data, you can grab the list of attempts with the number of requests. I filtered out all other data, as i was basically meaningless. This file is the result of:

  1. $ grep LOGIN /var/log/syslog.1 |
  2. grep FAILED.*|
  3. awk '{print $7 " " $8}'|
  4. sort|uniq -c

logins.txt27.97 KB
Craig's picture

Password scanning

I wonder if they're trying to get email or just accounts using the idea that if a user uses a password for their mail account then it is the same for other more interesting things.

My IMAP account (on both my own server and ISP) use different passwords for that reason, if they somehow guess it, its only that component that is lost.

I was a bit confused, before your chart you said "four account names were attempted only once, eight attempted twice" so I assume thats the 1 with the one dot and the 2 with the 2 dots (each dot being four accounts) but below it you say "each dot represents four attempts", but isnt the number on the left the attempt count?

gwolf's picture

Password scanning

From my limited experience, they are trying to access our webmail application to use it for sending spammy mail.

As for my pseudochart: The number on the left is the amount of attempts, and the bar length is (¼ of) the number of accounts that were attempted this amount of times.

Timothy Henry's picture

It's a serious issue for the

It's a serious issue for the security. actually being safe for our data and the privacy is a must while working in as web environment.

Marcus's picture

issue of the day

I own several sites on WordPress management system. For me, hacking and spamming has become a real problem. And all from what I didn't thought about security. Now gather information. Thank you

Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account associated with the e-mail address you provide, it will be used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <br> <b> <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote> <img> <h1> <h2> <h3> <tt> <pre> <strike> <table> <tr> <th> <td>
  • Lines and paragraphs break automatically.
  • Use <bib>citekey</bib> or [bib]citekey[/bib] to insert automatically numbered references.
  • Use [fn]...[/fn] (or <fn>...</fn>) to insert automatically numbered footnotes.
  • You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>. The supported tag styles are: <foo>, [foo].

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Keep in mind that all comments will also have to be administrator-moderated. Don't waste your time writing a spam that no one will read.
Enter the code without spaces and pay attention to upper/lower case.