Someone is trying to bruteforce my password with SSH

Discussion in 'macOS' started by carlsson, Mar 27, 2015.

  1. carlsson macrumors regular

    carlsson

    Joined:
    Jul 18, 2001
    #1
    I have a machine that I can access via SSH. Recently I've noticed that someone (Chinese network) is trying to bruteforce their way in. I get 2 tries per second approximately.

    I turned on the Firewall, but that doesn't seem to help – The SSH service is still on. So I have turned off SSH in the meantime.

    I have a strong password but it's still annoying. What can I do to stop these behaviors?
     
  2. roadbloc macrumors G3

    roadbloc

    Joined:
    Aug 24, 2009
    Location:
    UK
    #2
    Disconnect from the internet and your network.
     
  3. Wirbowsky macrumors member

    Joined:
    Mar 12, 2010
    Location:
    Belgium
    #3
    Some ideas:
    - as a first step configure SSH to refuse connection from that IP
    - configure SSH to refuse password as authentication mechanism. Use keys instead
    - configure SSH to accept connection from specific IP only
     
  4. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #4
    There's nothing you can do to stop it except keep firewalling network blocks.
     
  5. leman macrumors 604

    Joined:
    Oct 14, 2008
    #5
    Yeah, it's a common thing. I also have it with our server, multiple computers from eastern Europe and Asia trying to get in. OS X supposedly has an adaptive firewall, but I never managed to make it work. Right now, I just review it every second week or so and blacklist the IPs.
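
The log review described in post #5 can be scripted. This is an added example, not code from any poster; it assumes OpenSSH's `Failed password ... from ADDR` log line, and the function name `offenders`, the sample lines and their documentation-range addresses are constructed.

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts per source address.
# Assumes OpenSSH's "Failed password for [invalid user] NAME from ADDR port N ssh2"
# log line; the file your system writes these to is not stated in the thread.

# offenders THRESHOLD < log  ->  "COUNT ADDR DISTINCT_USERS", busiest first
offenders() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # take the LAST "from": the address follows it, the user precedes it
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            n[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip, users[ip] }' |
    sort -rn
}

# Constructed sample log lines (addresses are from the documentation ranges).
sample_log() {
cat <<'EOF'
Mar 27 10:15:01 host sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 27 10:15:01 host sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 27 10:15:02 host sshd[4103]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar 27 10:15:02 host sshd[4104]: Failed password for invalid user test from 203.0.113.5 port 51260 ssh2
Mar 27 10:20:44 host sshd[4110]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Mar 27 10:21:03 host sshd[4111]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
EOF
}

sample_log | offenders 3
```

The third column separates a dictionary run over many account names from one user mistyping a password, which matters before an address goes on a block list.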
     
  6. HenryAZ macrumors 6502

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #6
    Also, limit the number of failed connection attempts.
     
  7. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #7
    An easier solution: Change the port that your SSH daemon is running on.

    You should be able to find that in /etc/ssh/sshd_config. Something along the lines of changing:

    Code:
    #Port 22
    to something like:

    Code:
    Port 40022
    or something high up that is not the default port (the default port is 22), and restarting your ssh daemon will take care of it.

    Actually, much easier:

    Edit /etc/ssh/sshd_config with either TextEdit, or with vi in a terminal session.

    In a terminal session, run a ps -ef | grep ssh to find the PID for the ssh daemon.

    Once you have that PID, you run kill -HUP <pid> (where <pid> is the number of the PID (process ID)).

    That should return your prompt back to you in the terminal session.

    NOTE: the above assumes you know your way around a unix shell, including how to use sudo or su to the root user.

    Using the example above, test it out by running ssh -p 40022 <server>

    And you should be good. The assumption by those doing the brute force is that you are running everything on a default port. If you aren't, they would then have to guess which port you are running SSH on. And seeing that you have at least a good 48,000 ports to use, they'll have a much harder time finding the port you have SSH on.


    BL.
     
  8. carlsson thread starter macrumors regular

    carlsson

    Joined:
    Jul 18, 2001
  9. HenryAZ macrumors 6502

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #9
    It's actually quite easy to find SSH (or any other service) on a non-default port. Scan the IP address for open ports, then telnet to the open port to see what answers.

    The best answer (above) is to use keys for logins, rather than passwords.
     
  10. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #10
    True; however, if someone is going to scan that IP address for any open ports, they are already on your network, which is an issue in itself, as you are already compromised.

    BL.
     
  11. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #11
    Yes, but it stops the majority of automated attackers. I also found that switching to ed25519 keys stops a lot of them too, as they are built on older versions of OpenSSH that don't support those keys. They will still make the attempt, but can't actually enter a password because the key authentication fails. Obviously, this is not a permanent solution, but still useful.
     
  12. barbu macrumors regular

    barbu

    Joined:
    Jul 8, 2013
    Location:
    ott.on.ca
    #12
    I recently tackled this problem as well. While changing the default port may keep casual scanners away, I found the steps outlined here and here to be completely effective while allowing me to run my services on standard ports. Give it a try. I went from constant ssh login failures every second down to one or two per day.
     
  13. throAU macrumors 601

    throAU

    Joined:
    Feb 13, 2012
    Location:
    Perth, Western Australia
    #13

    Best thing to do is set up public key authentication.

    Read up on ssh-keygen.

    They're FAR less likely to brute-force a 2048-bit key than your password.
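
The settings suggested in posts #3, #6, #9 and #13 (keys instead of passwords, a cap on attempts, logins only from known addresses) map onto sshd_config keywords. This added example, not code from any poster, checks a config file for them; the function names, the threshold of 3 for MaxAuthTries, the sample files and the user `alice` are assumptions, and the defaults used are OpenSSH's documented ones.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the advice in this thread.
# sshd uses the FIRST occurrence of a keyword; a '#' line leaves the default.
# Only the global section (before any Match block) is read, and the
# whitespace-separated "Keyword value" form is assumed.

# effective FILE KEYWORD DEFAULT -> the value sshd would use
effective() {
    awk -v k="$(printf %s "$2" | tr 'A-Z' 'a-z')" -v d="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == k           { $1 = ""; sub(/^ +/, ""); v = $0; hit = 1; exit }
        END                        { print (hit ? v : d) }' "$1"
}

# audit FILE -> one "WEAK ..." line per setting that contradicts the thread
audit() {
    pw=$(effective "$1" PasswordAuthentication yes)
    cr=$(effective "$1" ChallengeResponseAuthentication yes)
    pk=$(effective "$1" PubkeyAuthentication yes)
    mt=$(effective "$1" MaxAuthTries 6)
    au=$(effective "$1" AllowUsers "")
    [ "$pw" = no ]  || echo "WEAK PasswordAuthentication=$pw (passwords can be guessed)"
    [ "$cr" = no ]  || echo "WEAK ChallengeResponseAuthentication=$cr (can still ask for a password)"
    [ "$pk" = yes ] || echo "WEAK PubkeyAuthentication=$pk (key logins are off)"
    [ "$mt" -le 3 ] 2>/dev/null || echo "WEAK MaxAuthTries=$mt (3 is this example's threshold)"
    [ -n "$au" ]    || echo "WEAK AllowUsers unset (any account, from any address)"
    return 0
}

# Constructed samples: an all-commented config (defaults apply) and a hardened one.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
#Port 22
#PasswordAuthentication yes
#MaxAuthTries 6
EOF
cat > "$HARD" <<'EOF'
Port 40022
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers alice@198.51.100.7
EOF
echo "== defaults"; audit "$WEAK"
echo "== hardened"; audit "$HARD"
```

Newer OpenSSH releases spell ChallengeResponseAuthentication as KbdInteractiveAuthentication, so adjust the keyword if your config uses that name. Confirm a key login works in a second session before closing the one used to edit the file.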
     
