How an intruder attacks SSH

Cut It Out

If compromising an SSH server looks all too easy, you might be wondering what you can do to prevent this kind of attack. The following is a non-exhaustive list of tips for preventing attacks on SSH. It is worth underlining the fact that rarely do any of these individual security controls act as the panacea to fully secure your SSH servers. However, making use of several of these techniques in tandem will give you a fighting chance to stop attackers. Having said all of that, the first item of the list will make a massive difference to how long your SSH server lasts online without being compromised (even if you don't patch the OpenSSH package for a while).

  • Limit IP addresses – this is the first thing I do whenever I set up an SSH server. Building an allow list can be difficult without a permanent IP address, if your broadband router uses dynamic public IP addresses or your VPN shifts IP addresses frequently. If this is the case, I'd recommend looking for alternatives (I'll leave you to research them online). Be creative and use options like Port Knocking, which I wrote about in ADMIN [15]. If you do have a permanent IP address, think about using iptables or TCP Wrappers (which I also wrote about in ADMIN [16]) to lock down SSH server access. I cannot emphasize the benefits of doing so strongly enough. It really is important to limit access to a select few IP addresses. You might even consider only letting, say, 256 IP addresses from your broadband router's IP address pool connect.
  • Enforce SSH keys – you should use keys and not passwords. If you must use passwords, make them greater than 12 characters long and complex. As for SSH keys, don't leave them on devices that don't use them. Treat them like precious passwords. Finally, you can also configure Pluggable Authentication Modules (PAM), using one of the many online guides [17], to limit the number of failed logins and enforce password complexity. Be sure to test carefully to avoid causing access problems.
  • Monitor logins – If you run five or fewer servers and there aren't that many logins every day over SSH, you could employ this trick, which I have used on personal servers before to keep track of when users log in successfully. I add the command in Listing 6 to the foot of the /etc/profile file, and when Bash is spawned for a user login, an email is sent (note that it is encapsulated in brackets on purpose). See the article in Linux Magazine [18]. You will need an outgoing email server to be available; use something like Postfix with a basic configuration for outbound SMTP only.

Listing 6

Email Alert

(who -m |awk -v q="$(date +"%k:%M:%S %Z on %e %B")" \
  '{print "User " $1 " logged in at " q " from IP "$5 }' | \
  mail -s "Logged user on $(uname -n)" chris@binnie.tld &)
  • Harden the /etc/ssh/sshd_config file – there are a plethora of online guides to help you tweak the SSH server's configuration file [19]. Without fail, you should disable root user access and ideally add a group of permitted usernames, alter the standard port that the SSH server runs on (e.g., TCP port 2222) to prevent endless automated probes, lower the setting MaxAuthTries to reduce the maximum number of authentication attempts per connection to three from six, and disable X11Forwarding by changing yes to no. The list goes on and you should do more research online if you are unsure.
  • Remove the version banner – if you do not use an allow list for IP addresses, try to avoid advertising the version of your SSH server to the whole Internet. You might be surprised at how difficult that is to do in OpenSSH. To switch off the banner, it really does require a bit more effort [20].
  • Use Fail2ban [21] – I would be remiss not to mention Fail2ban; it really is one of the most sophisticated open source rate-limiting solutions out there. You may be surprised to read that I once wrote about it on the Linux Magazine website [22]. I cannot recommend it enough; just take care with your initial configuration to avoid locking yourself out. And, don't be daunted by the regular expression configuration style; you'll find lots of online examples to get you started.

Conclusion

It is perfectly possible to launch high-performance brute force attacks against SSH servers using lightweight tools. In this article, I wanted to demonstrate the effectiveness of lesser-known tools, and I think Shreder and sshbrute both passed with flying colors.

If you're wondering what other tools are available, two of the most popular options for this kind of attack are Hydra (also called THC Hydra) [23] and the inimitable Nmap, when used with its ssh-brute scripting engine script [24].

I hope this article has given you some useful insights into how attackers approach SSH servers. Although SSH servers tend to be better protected than other network services due to their critical nature, they are far from impenetrable. If you don't impose rate-limiting to limit brute force attacks, they are clearly vulnerable.

I also covered a number of mitigation techniques. At the risk of repeating myself, you can stop brute force attacks with rate-limiting in place, but ideally, you should use an allow list to define which specific IP addresses will have access.

Whether you are keen to keep your own servers compliant with security standards or you just want to practice some ethical hacking, the tools described in this article will keep you well prepared to hack and defend your SSH servers.

Infos

  1. OpenSSH: https://www.openssh.com
  2. masscan:https://github.com/robertdavidgraham/masscan
  3. TryHackMe: https://www.tryhackme.com
  4. ssh-audit on GitHub: https://github.com/jtesta/ssh-audit
  5. ssh-audit: https://www.ssh-audit.com/
  6. ssh-audit README: https://github.com/jtesta/ssh-audit/blob/master/README.md
  7. ScanSSH: https://github.com/ofalk/scanssh
  8. mec: https://github.com/jm33-m0/mec
  9. mec on GitHub: https://github.com/jm33-m0/mec/blob/master/screenshot/mec.svg
  10. SecLists: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000.txt
  11. Common passwords: https://github.com/DavidWittman/wpxmlrpcbrute/blob/master/wordlists/1000-most-common-passwords.txt
  12. Shreder: https://github.com/EntySec/Shreder
  13. EntySec: https://github.com/EntySec
  14. sshbrute: https://github.com/machine1337/sshbrute
  15. "Protect Your Network with Port Knocking" by Chris Binnie, ADMIN, issue 23, 2014: https://www.admin-magazine.com/Archive/2014/23/Port-Knocking
  16. "Secure Your Server with TCP Wrappers" by Chris Binnie, ADMIN, 2012: https://www.admin-magazine.com/Articles/Secure-Your-Server-with-TCP-Wrappers
  17. About PAM configuration files: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/pam_configuration_files
  18. "Enhance and Secure Your Bash Shells" by Chris Binnie, Linux Magazine, issue 167, October 2014: https://www.linux-magazine.com/Issues/2014/167/Bash-Tricks/(offset)/6
  19. SSH hardening guides: https://www.sshaudit.com/hardening_guides.html
  20. Hide OpenSSH version banner: http://kb.ictbanking.net/article.php?id=666
  21. Fail2ban: https://www.fail2ban.org
  22. "Intrusion Detection with Fail2ban" by Chris Binnie: https://www.linux-magazine.com/Online/Features/Intrusion-Detection-with-fail2ban
  23. Hydra: https://github.com/vanhauser-thc/thc-hydra
  24. ssh-brute: https://nmap.org/nsedoc/scripts/ssh-brute.html

The Author

Chris Binnie is a Cloud Native Security consultant and co-author of the book Cloud Native Security: https://www.amazon.com/Cloud-Native-Security-Chris-Binnie/dp/1119782236.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column

    Users log on to services such as SSH, ftp, SASL, POP3, IMAP, Apache htaccess, and many more using their names and passwords. These popular access mechanisms are a potential target for brute-force attacks. An attentive bouncer will keep dictionary attacks at bay.

  • Fail2ban

    Fail2ban is a quick to deploy, easy to set up, and free to use intrusion prevention service that protects your systems from brute force and dictionary attacks.

  • Secure Online Passwords

    Securely storing passwords online can be a complex task. With a few tools, websites can offer better security, but users still need to choose their passwords wisely.

  • Hardening Linux for Production Use

    To protect your production server from attacks, employ these common security tools to help safeguard your system.

  • Charly’s Column: w3af

    After toiling away to create a small but exclusive website, Charly wanted to run a security scanner against it to check for vulnerabilities. The choice of tools is enormous, but Charly chose w3af.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News