Researchers at Rapid7 have looked at the security of admin passwords used to protect the two main protocols for remotely accessing corporate networks – and the results aren't great.
The two protocols – Remote Desktop Protocol (RDP) and Secure Shell (SSH) – are widely used for managing virtual machines in the cloud. With the growing popularity of both cloud deployments and remote work, the researchers said it's important to know how opportunistic attackers are targeting these systems.
According to its Password Research Report, the three most popular usernames tried against SSH are "root", "admin", and "nproc". The most popular passwords tried against both SSH and RDP include "admin", "password", and "123456".
To conduct its study, Rapid7 looked at credentials used by online attackers to compromise its network of RDP and SSH honeypots in the year to September 9, 2022.
These honeypots are part of the company's Project Heisenberg, which allows bot and human attackers to make connections to its network. Over that time, it observed tens of millions of connection attempts to its honeypots and half a million unique passwords.
The firm then compared its honeypot dataset with the 'rockyou' password list, a collection of roughly eight billion entries used by pen-testers and attackers alike. Lists like this feed password-spraying attacks, where the attacker tries a small number of common passwords against many accounts whose usernames are known (staying under lockout thresholds), as well as conventional brute-force attacks. Rapid7 found that the passwords used against its honeypots almost perfectly matched the rockyou set.
"Notably, we found that of the nearly 500,000 unique passwords observed in our honeypots, this 'rockyou set' contained practically all of them (99.997%). We conclude from this observation that online credential attackers are not generating truly random passwords, but are instead working entirely off of lists of guessable passwords."
The honeypot data also shows that passwords used by attackers are by and large the most popular ones, such as "admin", "password", and "123456".
Rapid7 believes attackers are opportunistically trying a small handful of usernames and passwords and then moving on. It also frequently sees a single IP address try a single username and password pair, such as "root:root" or "admin:admin", which points to an automated process and possibly a botnet.
Rapid7 found the distribution of both usernames and passwords is "approximately exponential": a small number of very common values account for the bulk of attempts, and frequency falls off steeply further down the ranking.
The most common usernames tried by attackers for RDP are "Administrator" and "administrator". This is likely because RDP typically runs on Windows, where the built-in admin account is called "Administrator"; Windows usernames are case-insensitive, so both spellings target the same account.
For SSH, the two standout usernames are "root" and "admin", which attackers choose because most Linux distributions ship with a user named "root" while "admin" is a common default username on routers and IoT devices. That is why IoT malware like Mirai tries to authenticate using a device's default credentials, and why the NSA recommends admins change default credentials on network devices.
Rapid7's SSH honeypots picked up 497,848 passwords. By far the two most common attempts were "123456" and "password".
When Rapid7 removed the rockyou data set from the list of passwords seen in its honeypots, only 14 of the 497,848 remained.
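The analysis described above (wordlist coverage of observed passwords, the most-tried username:password pairs, and the "one IP, one credential, then move on" pattern) is simple to reproduce on honeypot data. The following is an added example, not Rapid7's code: the login attempts are a constructed sample in the shape a credential honeypot such as Cowrie records (source IP, username, password), and the wordlist is a tiny stand-in for rockyou2021.

```python
"""Replay of the honeypot-credential analysis described in the article.
Added example, not Rapid7's code. ATTEMPTS and WORDLIST are constructed."""
from collections import Counter, defaultdict

# Constructed sample of attempts: (source_ip, username, password).
ATTEMPTS = [
    ("203.0.113.5", "root", "root"),
    ("203.0.113.5", "root", "root"),
    ("203.0.113.9", "admin", "admin"),
    ("198.51.100.4", "root", "123456"),
    ("198.51.100.4", "root", "password"),
    ("198.51.100.4", "admin", "123456"),
    ("198.51.100.4", "nproc", "nproc"),
    ("198.51.100.4", "Administrator", "Password1"),
    ("192.0.2.77", "root", "123456"),
    ("192.0.2.77", "root", "xK9#qLm2vT"),   # an outlier no list contains
]

# Tiny stand-in for rockyou2021 (the real list has billions of entries).
WORDLIST = {"123456", "password", "root", "admin", "nproc", "Password1", "qwerty"}


def wordlist_coverage(attempts, wordlist):
    """Share of the distinct passwords seen that appear in the wordlist.
    The article's 99.997% figure is this ratio over Rapid7's data."""
    unique = {pw for _, _, pw in attempts}
    leftovers = sorted(pw for pw in unique if pw not in wordlist)
    covered = len(unique) - len(leftovers)
    return {
        "unique": len(unique),
        "covered": covered,
        "fraction": covered / len(unique) if unique else 0.0,
        "leftovers": leftovers,
    }


def top_credentials(attempts, n=5):
    """Most frequently tried username:password pairs, ties in first-seen order."""
    return Counter((user, pw) for _, user, pw in attempts).most_common(n)


def single_credential_sources(attempts):
    """Source IPs that tried exactly one distinct credential pair: the
    'root:root then move on' pattern the article attributes to bots."""
    creds_by_ip = defaultdict(set)
    for ip, user, pw in attempts:
        creds_by_ip[ip].add((user, pw))
    return sorted(ip for ip, creds in creds_by_ip.items() if len(creds) == 1)


if __name__ == "__main__":
    cov = wordlist_coverage(ATTEMPTS, WORDLIST)
    print(f"{cov['covered']}/{cov['unique']} unique passwords in wordlist "
          f"({cov['fraction']:.1%}); not in list: {cov['leftovers']}")
    for (user, pw), count in top_credentials(ATTEMPTS, 3):
        print(f"{count:3d}  {user}:{pw}")
    print("single-credential sources:", single_credential_sources(ATTEMPTS))
```

On real data the wordlist is far too large to hold as a Python set; stream it into a Bloom filter or a sorted on-disk index instead. The leftovers list is the interesting output: on Rapid7's data it held just 14 passwords, and anything that lands there is a candidate for a targeted rather than opportunistic attempt.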
Rapid7's main advice is to change default credentials and disable local administrator and guest accounts when possible. This won't stop targeted attacks but will address opportunistic ones. Also, use a password manager.
To protect RDP and SSH, organizations should use a corporate VPN and restrict remote connections so they only work through VPN-authenticated hosts. Moving the services off their default ports (3389 for RDP, 22 for SSH) can also cut down on opportunistic brute-force traffic, although the firm notes this falls under "security through obscurity": internet-wide scanners do find services on non-standard ports, so it reduces noise rather than risk.
"For RDP, the best protection is to restrict access via firewalls and network security groups so that instances with RDP exposed can be accessed only from trusted IP addresses. Using a jump host or a bastion host for cloud deployments is also a good practice in lieu of exposing RDP directly to the internet," it notes.
When securing SSH, the most important measure is to disable password-based authentication in favor of public-key or certificate-based authentication (PasswordAuthentication no). It's also strongly advised to limit which users may log in over SSH by editing sshd_config (AllowUsers or AllowGroups), Rapid7 said. It's also "generally" a good idea to disable SSH login for the root account (PermitRootLogin no) and to lower the maximum number of authentication attempts per connection (MaxAuthTries).
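The hardening points above map onto a handful of sshd_config directives, and it is worth checking them mechanically rather than by eye, because OpenSSH honours the first occurrence of a directive and falls back to a compiled-in default when one is absent. The following is an added example, not from Rapid7's report: it audits a config against those points and shows the weak and hardened settings side by side. The directive names and OpenSSH defaults are real; the two sample configs, the group name ssh-users and the MaxAuthTries ceiling of 3 are this example's own choices.

```python
"""Audit an sshd_config against the SSH hardening points in the article.
Added example, not from Rapid7's report. WEAK_CONFIG, HARDENED_CONFIG,
the ssh-users group and MAX_AUTH_TRIES_CEILING are this example's own."""
import re

# Constructed 'before' config: the out-of-the-box settings a bot hopes for.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed 'after' config applying the article's recommendations.
HARDENED_CONFIG = """
Port 22
# No root over SSH at all ('prohibit-password' would still allow root with a key).
PermitRootLogin no
# Keys or certificates only. KbdInteractiveAuthentication must go too,
# otherwise PAM can still present a password prompt via keyboard-interactive.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
# Only members of this group may log in (group name is an assumption).
AllowGroups ssh-users
"""

# OpenSSH compiled-in defaults, applied when a directive is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

MAX_AUTH_TRIES_CEILING = 3   # assumption for this example


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.

    OpenSSH honours the FIRST occurrence of a directive, so duplicates
    further down must not override it; anything after a Match block is
    conditional and is not evaluated here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        key = parts[0].lower()                         # keywords are case-insensitive
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []

    def effective(key):
        return s.get(key, DEFAULTS[key]).lower()

    for key, wanted in (("permitrootlogin", "no"),
                        ("passwordauthentication", "no"),
                        ("kbdinteractiveauthentication", "no"),
                        ("pubkeyauthentication", "yes")):
        if effective(key) != wanted:
            findings.append(f"{key}: got '{effective(key)}', want '{wanted}'")

    tries = int(effective("maxauthtries"))
    if tries > MAX_AUTH_TRIES_CEILING:
        findings.append(f"maxauthtries: got {tries}, want <= {MAX_AUTH_TRIES_CEILING}")

    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every local account may try SSH")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

To check a live host, read /etc/ssh/sshd_config into the function, or better, feed it the output of `sshd -T`, which prints the fully resolved configuration (including files pulled in via Include) in the same keyword-value form. Note that the weak config fails on a directive it never mentions: with KbdInteractiveAuthentication left at its default, turning off PasswordAuthentication alone does not stop password guessing on a PAM-enabled system.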