Why have there been so many SSH brute-force attacks lately, and what is the best way to defend against them?
Brute force attacks on the Secure Shell (SSH) service have been used to compromise accounts and passwords. With this approach, an automated program often tests combinations, one at a time, of possible usernames and passphrases.
But what if an attacker doesn't care about getting access to a specific system? After all, trying 10,000 passwords against a server would most likely cause a target account to be locked out.
Instead, a malicious hacker could attempt password attacks on a large scale, using the same username and password combination on 10,000 systems. That would result in only one failed log-in attempt per server, but a much better chance of successfully compromising at least one.
Lately, attackers have been using the "low and slow" tactic, employing botnets against large numbers of servers. The technique gives them the ability to launch large-scale attacks from multiple sources.
Defending against these SSH brute-force attacks means going back to the basics of solid security practices. To start, utilize passwords and passphrases that will not be easily guessed. Doing standard "Leetspeak" -- an Internet language that substitutes letters with ASCII characters -- will not work. Attackers now use custom dictionaries that incorporate the common Leet substitutions used by sysadmins, like "@" for "a" and "3" for "e."
Also, make the root password inaccessible via a direct SSH connection by setting 'DenyUsers root' and 'PermitRootLogin no' in your sshd_config file. The majority of password attacks I've seen lately have been against the root account on systems.
Dig deeper on Password Management and Policy
Related Q&A from John Strand, featured expert
Expert John Strand reviews how to spot input validation flaws on your websites.continue reading
Expert John Strand reveals an interesting way of addressing man-in-the-middle attacks.continue reading
In this expert response, John Strand explains what to do when your personal identity is impersonated online.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.