
Brute-force SSH attack prevention depends on network monitoring basics

Expert Brad Casey discusses why effective brute-force SSH attack prevention means improving network monitoring instead of closing TCP port 22.

I've noticed an uptick in brute-force SSH attack attempts on non-standard ports on our network. What do you think could be behind this, and how should I go about securing those ports?

When you see an uptick in any type of attack, this could be an indicator that attackers sense vulnerability in a certain area. In this particular instance, some pockets of the IT world utilize non-standard ports for SSH access with the idea that attackers can be fooled by TCP port 22 being closed. I’ve never considered obscurity to be a viable security measure, so if your organization is employing this SSH attack prevention strategy, I would suggest reassessing whether it is actually working. 

However, if you feel strongly about pressing ahead with this SSH attack prevention method, I would suggest configuring your firewall and/or intrusion detection system to trigger an alarm whenever an unusually large number of login attempts is detected. As this information changes from network to network, you will have to determine the threshold based on your specific network metrics. Also make sure you have a strict lockout policy when a certain number of failed login attempts is reached. 

When it comes to SSH attack prevention, always check your logs. If your organization is like most, it probably maintains some sort of scripting mechanism that parses through the logs looking for anomalies – for example, fail2ban. However, nothing is quite as effective as human intuition. Pay particular attention to the non-standard ports you’ve authorized for SSH access, and use common sense when monitoring their activity.

This was last published in April 2013
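
The threshold alarm and log parsing described in the answer can be sketched as a sliding-window count of failed logins per source address. This is an added example, not part of the original answer; the threshold, window, year and sample log lines are constructed assumptions, and the pattern targets the OpenSSH "Failed password" syslog line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line in syslog format; the trailing port is the
# client's source port, not the port sshd listens on.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2013):
    """Return {source_ip: time the threshold was first crossed}.

    threshold and window are assumed defaults; tune them to the baseline
    of your own network. Syslog omits the year, so it is passed in.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts

# Constructed sample lines (documentation address ranges, hypothetical host "gw").
SAMPLE_LOG = [
    "Apr 12 03:14:01 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2",
    "Apr 12 03:14:03 gw sshd[4102]: Failed password for root from 203.0.113.7 port 40113 ssh2",
    "Apr 12 03:14:05 gw sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2",
    "Apr 12 03:14:08 gw sshd[4104]: Failed password for root from 203.0.113.7 port 40115 ssh2",
    "Apr 12 03:14:10 gw sshd[4105]: Failed password for invalid user oracle from 203.0.113.7 port 40116 ssh2",
    "Apr 12 03:20:00 gw sshd[4150]: Failed password for alice from 198.51.100.20 port 51514 ssh2",
    "Apr 12 03:20:09 gw sshd[4150]: Accepted password for alice from 198.51.100.20 port 51514 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: threshold reached at {when}")
```

A single mistyped password from a legitimate user stays below the threshold, while the burst from one source crosses it on the fifth failure.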
