Mitigating SSH Brute Force Attacks

If you manage a system connected to the Internet that allows inbound SSH traffic, and you check your system logs periodically, no doubt you have noticed the failed login attempts from rogue systems trying to brute force your machine. These brute force attempts are typically generated by systems that have been compromised themselves (bots) and are attempting to infect more systems to add to the botnet. They generally are not very tactful, generating lots of logs and setting off any IDS that may be monitoring the network. Below is an example of the logs generated by such brute force attempts on a RHL compatible system:

Dec 8 13:28:51 websrv1 sshd[14407]: Failed password for invalid user test from port 55732 ssh2
Dec 8 13:28:54 websrv1 sshd[14409]: Failed password for invalid user anda from port 56250 ssh2
Dec 8 13:28:58 websrv1 sshd[14411]: Failed password for invalid user jb from 20 port 56723 ssh2
Dec 8 13:29:02 websrv1 sshd[14413]: Failed password for invalid user cvsuser fr
om port 57255 ssh2
Dec 8 13:29:05 websrv1 sshd[14415]: Failed password for invalid user cvsuser1 f
rom port 57761 ssh2
Dec 8 13:29:09 websrv1 sshd[14417]: Failed password for invalid user mana from port 58263 ssh2
Dec 8 13:29:13 websrv1 sshd[14420]: Failed password for invalid user mysql from port 58810 ssh2
Dec 8 13:29:17 websrv1 sshd[14422]: Failed password for invalid user mysql from port 59342 ssh2

Here you can see that the host tried to login as the user mysql, mana, cvsuser1, cvsuser, jb, anda, and test all in the space of about 26 seconds. And this was just one snippet of logs from Dec 8. This happens everyday, many times per day, and from many different attacking systems. Large networks frequently have intrusion detection/prevention systems to help block these types of attacks. But what should administrators of small networks, with few resources do to combat these brute force attempts?

First, you have to check your logs. Manual scanning of logs is fine, but there are tools that can make this task much easier. One example of such a tool is Logwatch which comes as part of many Linux distributions. It will analyze your logs and send you reports of system activity which will help you spot these types of events. Second, keep the number of accounts that are allowed to login to the system via SSH to a minimum. Always use the “AllowUsers” option to specify which accounts are allowed access remotely and absolutely, do not allow root to login via SSH. This is the first account bruters attempt to crack when trying to exploit your system. Finally, take advantage of iptables to block access to those systems that are attempting to access your system illegally. You can either do this manually or write a script to block them automatically based on log entries. There are also a number of blacklists available on the Internet that provide a good starting point of hosts/networks to block even if they have not tried to brute force your machine (yet).

Newer attack techniques attempt to be more subtle in the hopes that the attackers will not be noticed by IDPS systems. However, they are still easy to spot with human analysis and the techniques mentioned above. Stay alert and keep your systems secure. We are all in this together.

Comments are closed.