
carlsson

macrumors 6502a
Original poster
Jul 18, 2001
I have a machine that I can access via SSH. Recently I've noticed that someone (Chinese network) is trying to brute-force their way in. I get approximately 2 tries per second.

I turned on the Firewall, but that doesn't seem to help – The SSH service is still on. So I have turned off SSH in the meantime.

I have a strong password but it's still annoying. What can I do to stop these behaviors?
 
Some ideas:
- as a first step configure SSH to refuse connection from that IP
- configure SSH to refuse password as authentication mechanism. Use keys instead
- configure SSH to accept connection from specific IP only
 
> I have a machine that I can access via SSH. Recently I've noticed that someone (Chinese network) is trying to brute-force their way in. I get approximately 2 tries per second.
>
> I turned on the Firewall, but that doesn't seem to help – The SSH service is still on. So I have turned off SSH in the meantime.
>
> I have a strong password but it's still annoying. What can I do to stop these behaviors?
There's nothing you can do to stop it except keep firewalling network blocks.
 
Yeah, it's a common thing. I also have it with our server, multiple computers from eastern Europe and Asia trying to get in. OS X supposedly has an adaptive firewall, but I never managed to make it work. Right now, I just review it every second week or so and blacklist the IPs.
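The "review the log and blacklist the IPs" routine from the last two replies, written out as a small script. This is an added example, not something posted in the thread: the log lines are constructed to look like OpenSSH's "Failed ... for ... from IP port N ssh2" messages, the pf table name `bruteforce` is an assumption, and the `pfctl` commands are printed rather than run so you can review them first.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): count failed SSH logins per source
# address and turn the worst offenders into pf table entries.
#
# On current macOS the real lines come from
#   log show --predicate 'process == "sshd"' --last 1d
# (older releases: /var/log/secure.log). The sample below is constructed.
SAMPLE_LOG='Mar  3 10:01:02 mini sshd[4312]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:02 mini sshd[4314]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:03 mini sshd[4316]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Mar  3 10:01:03 mini sshd[4318]: Failed none for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 10:02:10 mini sshd[4320]: Failed password for carlsson from 198.51.100.77 port 40211 ssh2
Mar  3 10:02:14 mini sshd[4320]: Failed password for carlsson from 198.51.100.77 port 40211 ssh2
Mar  3 10:03:00 mini sshd[4322]: Accepted publickey for carlsson from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:constructed
Mar  3 10:03:30 mini sshd[4324]: Failed password for root from 192.0.2.10 port 50130 ssh2'

# offending_ips THRESHOLD < log  ->  "count ip" per address with >= THRESHOLD
# failures, highest count first. Only "Failed <method> for" lines count;
# the address is taken from the trailing "from IP port N" so odd user names
# (a user literally called "from") cannot confuse the parser.
offending_ips() {
  awk -v t="$1" '
    /sshd\[[0-9]+\]: Failed [^ ]+ for / && match($0, / from [^ ]+ port /) {
      ip = substr($0, RSTART + 6, RLENGTH - 12)   # strip " from " and " port "
      n[ip]++
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' | sort -rn
}

# pf_block_commands THRESHOLD < log  ->  the pfctl lines that would add each
# offender to the <bruteforce> table. Assumes /etc/pf.conf carries
#   table <bruteforce> persist
#   block drop in quick from <bruteforce> to any
# Review the output, then pipe it to sh as root.
pf_block_commands() {
  offending_ips "$1" | while read -r count ip; do
    printf 'pfctl -t bruteforce -T add %s   # %s failures\n' "$ip" "$count"
  done
}

# Demo on the constructed sample: two addresses cross a threshold of 2,
# the address that only failed once (and logged in with a key) does not.
printf '%s\n' "$SAMPLE_LOG" | pf_block_commands 2
```

Blocking single addresses is a treadmill, as the earlier reply says; the same table works for whole network blocks (`pfctl -t bruteforce -T add 203.0.113.0/24`), and a `table ... persist file "/etc/pf.bruteforce"` entry keeps the list across reboots.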
 
> Some ideas:
> - as a first step configure SSH to refuse connection from that IP
> - configure SSH to refuse password as authentication mechanism. Use keys instead
> - configure SSH to accept connection from specific IP only

Also, limit the number of failed connection attempts.
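The list above plus "limit the number of failed attempts" maps onto a handful of sshd_config directives. The script below is an added example, not from the thread: it audits a sshd_config for the weak settings and prints a hardened fragment. The user name `carlsson`, the address `198.51.100.20` and the port are placeholders. One detail worth knowing is that sshd uses the first value it reads for a directive, so a hardening block appended to the end of the file does nothing if the same directive already appears higher up; the audit reproduces that rule.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit /etc/ssh/sshd_config for the
# settings discussed above and print a hardened replacement fragment.

# effective FILE KEY DEFAULT -> the value sshd will use, lowercased.
# sshd takes the FIRST uncommented occurrence of a directive; lines after the
# first "Match" block are conditional and ignored here.
effective() {
  local v
  v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }           # comment or blank line
    tolower($1) == "match" { exit }          # conditional section starts
    tolower($1) == k { $1 = ""; sub(/^[[:space:]]+/, ""); print tolower($0); exit }
  ' "$1")
  printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE -> one line per finding (none on a clean file).
# Defaults are OpenSSH's current ones; PermitRootLogin defaulted to "yes"
# before OpenSSH 7.0, so on an old system an absent directive is also bad.
audit_sshd_config() {
  local f="$1" pass kbd root tries allow
  pass=$(effective "$f" PasswordAuthentication yes)
  kbd=$(effective "$f" KbdInteractiveAuthentication \
        "$(effective "$f" ChallengeResponseAuthentication yes)")
  root=$(effective "$f" PermitRootLogin prohibit-password)
  tries=$(effective "$f" MaxAuthTries 6)
  allow=$(effective "$f" AllowUsers "")
  [ "$pass" = yes ] && echo "PasswordAuthentication yes: every connection may guess passwords; set no, use keys"
  [ "$kbd" = yes ]  && echo "keyboard-interactive auth on: PAM can still ask for a password; set KbdInteractiveAuthentication no"
  [ "$root" = yes ] && echo "PermitRootLogin yes: root is the account every bot tries first; set no"
  [ "$tries" -gt 3 ] && echo "MaxAuthTries $tries: allow at most 3 guesses per connection"
  [ -z "$allow" ]   && echo "no AllowUsers: add user@address so only named users from named addresses are considered"
  return 0
}

# harden_fragment USER ADDRESS [PORT] -> block to place at the TOP of sshd_config.
# MaxAuthTries caps guesses per connection; MaxStartups caps how many
# not-yet-authenticated connections sshd will hold open at once.
harden_fragment() {
  cat <<EOF
# Hardening block; keep it above any other occurrence of these directives.
Port ${3:-22}
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
MaxStartups 10:30:60
LoginGraceTime 20
AllowUsers ${1}@${2}
EOF
}

# Demo on a constructed, deliberately weak config in a temp file (never the
# live file). The audit lists five problems; the fragment fixes them all.
demo=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' 'MaxAuthTries 6' > "$demo"
audit_sshd_config "$demo"
harden_fragment carlsson 198.51.100.20 22
rm -f "$demo"
```

Before HUPing the daemon as described further down, run `sudo sshd -t` to syntax-check the edited file, and keep your current SSH session open until a new login with the key succeeds; `AllowUsers` with a typo locks you out just as effectively as it locks out the bots.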
 
An easier solution: Change the port that your SSH daemon is running on.

You should be able to find that in /etc/ssh/sshd_config. Something along the lines of changing:

Code:
#Port 22

to something like:

Code:
Port 40022

or something high up that is not the default port (the default port is 22), and restarting your ssh daemon will take care of it.

Actually, much easier:

Edit /etc/ssh/sshd_config with either TextEdit, or with vi in a terminal session.

In a terminal session, run a ps -ef | grep ssh to find the PID for the ssh daemon.

Once you have that PID, you run kill -HUP <pid> (where <pid> is the number of the PID (process ID) ).

That should return your prompt back to you in the terminal session.

NOTE: the above assumes you know your way around a unix shell, including how to use sudo or su to the root user.

Using the example above, test it out by running ssh -p 40022 <server>

And you should be good. The assumption by those doing the brute force is that you are running everything on a default port. If you aren't, they would then have to guess which port you are running SSH on. And seeing that you have at least a good 48,000 ports to use, they'll have a much harder time finding the port you have SSH on.


BL.
 
> An easier solution: Change the port that your SSH daemon is running on.
>
> And you should be good. The assumption by those doing the brute force is that you are running everything on a default port. If you aren't, they would then have to guess which port you are running SSH on. And seeing that you have at least a good 48,000 ports to use, they'll have a much harder time finding the port you have SSH on.

It's actually quite easy to find SSH (or any other service) on a non-default port. Scan the IP address for open ports, then telnet to the open port to see what answers.

The best answer (above) is to use keys for logins, rather than passwords.
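The "scan, then see what answers" step from the reply above, as an added example that is not part of the thread. It needs no nmap or telnet: bash's `/dev/tcp` opens the connection, and because an SSH server sends its `SSH-2.0-...` identification string before the client says anything, one read is enough to recognise it on any port. The host and port list in the demo are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): recognise an SSH daemon on a
# non-default port from its banner.

# classify_banner LINE -> "ssh <software>" for an SSH identification string
# (RFC 4253: SSH-protoversion-softwareversion), otherwise "other".
classify_banner() {
  case "$1" in
    SSH-2.0-*|SSH-1.99-*|SSH-1.5-*) printf 'ssh %s\n' "${1#SSH-*-}" ;;
    *) printf 'other\n' ;;
  esac
}

# probe_banner HOST PORT [SECONDS] -> "ssh <software>", "other", "silent"
# or "closed". Runs in a subshell so a refused connection cannot take the
# caller down with it.
probe_banner() {
  local host="$1" port="$2" t="${3:-3}"
  (
    exec 3<>"/dev/tcp/$host/$port" || exit 2
    # SSH speaks first; most other services wait for the client, hence the timeout.
    if IFS= read -r -t "$t" line <&3; then
      classify_banner "$(printf '%s' "$line" | tr -d '\r')"
    else
      printf 'silent\n'
    fi
  ) 2>/dev/null || printf 'closed\n'
}

# scan_for_ssh HOST PORT... -> one "port result" line per port.
scan_for_ssh() {
  local host="$1" p; shift
  for p in "$@"; do
    printf '%s %s\n' "$p" "$(probe_banner "$host" "$p" 2)"
  done
}

# Demo against the local machine and the ports mentioned in this thread
# (assumed values; substitute the real host and a real port range).
scan_for_ssh 127.0.0.1 22 2222 40022
```

A scanner walking all 65,535 ports at a few hundred probes a second finishes in minutes, which is why the moved port buys quiet from lazy bots but nothing against anyone who looks.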
 
> It's actually quite easy to find SSH (or any other service) on a non-default port. Scan the IP address for open ports, then telnet to the open port to see what answers.
>
> The best answer (above) is to use keys for logins, rather than passwords.

True; however, if someone is going to scan that IP address for any open ports, they are already on your network, which is an issue in itself, as you are already compromised.

BL.
 
> It's actually quite easy to find SSH (or any other service) on a non-default port. Scan the IP address for open ports, then telnet to the open port to see what answers.
>
> The best answer (above) is to use keys for logins, rather than passwords.

Yes, but it stops the majority of automated attackers. I also found that switching to ed25519 keys stops a lot of them too, as they are built on older versions of OpenSSH that don't support those keys. They will still make the attempt, but can't actually enter a password because the key authentication fails. Obviously, this is not a permanent solution, but still useful.
 
I recently tackled this problem as well. While changing the default port may keep casual scanners away, I found the steps outlined here and here to be completely effective while allowing me to run my services on standard ports. Give it a try. I went from constant ssh login failures every second down to one or two per day.
 
> I have a machine that I can access via SSH. Recently I've noticed that someone (Chinese network) is trying to brute-force their way in. I get approximately 2 tries per second.
>
> I turned on the Firewall, but that doesn't seem to help – The SSH service is still on. So I have turned off SSH in the meantime.
>
> I have a strong password but it's still annoying. What can I do to stop these behaviors?

Best thing to do is set up public key authentication.

Read up on ssh-keygen.

They're FAR less likely to brute-force a 2048 bit key than your password.
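The key-based setup recommended in this reply and the ed25519 point made a few posts up, as an added example rather than the thread's own commands. The `SAMPLE_PUB` line is a constructed placeholder with the shape of an Ed25519 public key, not a real key; the server, user and source address passed to `provision_key` are assumptions. The `restricted_authorized_key` helper prefixes the key with authorized_keys options so it only works from your own address and cannot open tunnels, which limits the damage if the private key ever leaks.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): Ed25519 key provisioning with a
# locked-down authorized_keys entry, and a safe order of operations.

# Constructed placeholder: right shape (type, base64 blob, comment), NOT a
# real key. ssh-keygen writes the real one to ~/.ssh/id_ed25519.pub.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceholderPla carlsson@laptop'

# key_type PUBKEY_LINE -> the key type (first field of the line).
key_type() {
  set -- $1
  printf '%s\n' "$1"
}

# restricted_authorized_key PUBKEY_LINE SOURCE -> authorized_keys line that
# is accepted only from SOURCE (an address or CIDR pattern) and cannot
# forward ports, X11 or an agent. Legacy ssh-dss keys are refused.
restricted_authorized_key() {
  local pub="$1" src="$2"
  set -- $pub
  [ $# -ge 2 ] || { printf 'malformed public key line\n' >&2; return 1; }
  case "$1" in
    ssh-ed25519|sk-ssh-ed25519@openssh.com|ecdsa-sha2-nistp*|sk-ecdsa-sha2-nistp256@openssh.com|ssh-rsa) ;;
    *) printf 'refusing key type %s\n' "$1" >&2; return 1 ;;
  esac
  printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' "$src" "$pub"
}

# provision_key SERVER USER SOURCE -> generate, install, verify. Not run by
# this script; it talks to a real server. Keep an existing session open
# while you do this.
provision_key() {
  local server="$1" user="$2" src="$3" key="$HOME/.ssh/id_ed25519"
  # -a 100: more KDF rounds on the passphrase-protected private key.
  [ -f "$key" ] || ssh-keygen -t ed25519 -a 100 -f "$key" -C "$user@$(hostname)"
  restricted_authorized_key "$(cat "$key.pub")" "$src" |
    ssh "$user@$server" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
  # Prove the key works with passwords disabled on the CLIENT before
  # disabling them on the server (PasswordAuthentication no in sshd_config).
  ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no \
      -o IdentitiesOnly=yes -i "$key" "$user@$server" true &&
    printf 'key login works; now set PasswordAuthentication no on %s\n' "$server"
}

# Demo on the constructed key (no network access involved).
printf 'type: %s\n' "$(key_type "$SAMPLE_PUB")"
restricted_authorized_key "$SAMPLE_PUB" 198.51.100.20
```

Usage for the real thing: `provision_key myserver.example.org carlsson 198.51.100.20`, then apply the server-side `PasswordAuthentication no` and HUP sshd as described earlier in the thread. With password authentication off, the bots' 2 tries per second still show up in the log as connection attempts, but there is nothing left for them to guess.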
 