How effective is brute forcing against SSH if someone is aware of your username? What security features are built in, and what should I do to increase security?
5 Answers
Very effective. My Mac OS X Servers have been cracked a couple times because of this. I’ve since closed port 22 to all traffic from outside our LAN. Legit users who need to access the server either have to be on the local network or tunnel in through a VPN. How you would do this would depend on your platform, network setup, and user needs.
You can look at your secure.log and easily see if you are under attack. My logs from a week or so prior to the successful crack read like a dictionary of names and password combos.
Make sure your root account is disabled, and use something other than admin as your user name. If you can, enforce secure password creation – like a min of 8 characters including at least 1 digit and 1 letter.
Is there any software available to alert me to failed logins, or to enforce delays or bar access on an IP basis after failed logins?
@richardhenry: You’ll see failed accesses in either ssh.log or access.log or syslog (I forget). And yes, you can enforce delays, or lockout after a few attempts (IIRC).
For Linux servers, I like fail2ban because it’s easy and I get a little lost in iptables sometimes! (but that’d do it too)
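The question in this thread about software that spots failed logins and blocks an address comes down to counting "Failed password" lines per source IP, which is what fail2ban's sshd filter does. The script below is an added example (not any poster's code and not fail2ban itself) that performs that count in plain POSIX shell; the log lines are constructed samples in the usual OpenSSH/syslog layout, and the threshold of three failures is an assumption matching the "three failed attempts" figure mentioned later in the thread.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source address from auth-log
# lines, the same signal fail2ban bans on. SAMPLE_LOG is constructed for
# this example and is not from any real server.
SAMPLE_LOG='Mar  3 10:01:12 host sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:19 host sshd[4023]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:22 host sshd[4025]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 10:02:40 host sshd[4030]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:01 host sshd[4031]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Mar  3 10:03:05 host sshd[4031]: Accepted password for alice from 198.51.100.7 port 40030 ssh2'

# failed_by_ip: read log text on stdin, print "<count> <ip>" for every
# source address with at least one failed password, highest count first.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# offenders THRESHOLD: print only the addresses whose failure count reaches
# THRESHOLD (default 3), i.e. the ones a fail2ban-style jail would block.
offenders() {
    threshold="${1:-3}"
    failed_by_ip | awk -v t="$threshold" '$1+0 >= t+0 { print $2 }'
}

# usernames_tried: the account names that were guessed, so you can see
# whether attackers are hammering "admin", "root" and other defaults.
usernames_tried() {
    grep 'Failed password' |
        sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' |
        sort -u
}

echo "failures per IP:";   printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "would be banned:";   printf '%s\n' "$SAMPLE_LOG" | offenders 3
echo "usernames guessed:"; printf '%s\n' "$SAMPLE_LOG" | usernames_tried
```

On a live Linux box the same functions can read the real log (typically /var/log/auth.log on Debian-style systems or /var/log/secure on Red Hat-style ones) instead of the sample text; note that 198.51.100.7 has one failure followed by a success and is correctly left alone, which is the behaviour you want so a legitimate user's typo does not lock them out.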
It depends on a variety of things.
– Password Strength. If your password is 32 characters with all sizes and shapes of letters, numbers, and symbols, then nobody’s going to guess it anytime soon. If you can remember it. Usually, people recommend the 8–12 character range, no dictionary words, upper/lowercase, numbers and symbols.
– Timeouts. If someone’s guessing at your password, and your server forces them to wait even five minutes after three failed attempts, then they can only guess three passwords every five minutes. That’s down from sixty or more (probably more) if you let them just keep hammering on your server.
– Hashes. If they have your password hash (the encrypted copy of the password), then they don’t need to try to log in. The password may already be cracked online, as well. If they have a hash (meaning they’ve already had some access), then it makes their job drastically easier.
– Password Rotation. Even a strong password could be guessed after a couple months or so, even if they can’t just hammer against it without running into timeouts. So what if your password changes monthly? Then they’re out of luck when they can’t run a brute force against the server for six months and get a password that still works.
– A little bit of luck. Sometimes, they’ll have to guess a couple hundred million passwords before they get to yours. Other times, they might guess yours after a few hundred. It just depends on how their software is set up.
Hopefully this has been at least sort of enlightening… keep this in mind when you’re setting things up, and your SSH server should be more secure for it.
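Two of the recommendations in this thread (disable root login and don't rely on a default username, from the first answer; cap the guesses an attacker gets, from the timeouts point above) are sshd_config settings, and a common mistake is appending "fixed" lines to the bottom of that file, which does nothing because sshd uses the first occurrence of each keyword. The script below is an added example (not from any poster) that audits a config with that first-wins rule; PermitRootLogin, PasswordAuthentication and MaxAuthTries are real sshd directives, the sample config is constructed, and the limit of 3 tries is an assumption taken from the "three failed attempts" figure above. MaxAuthTries limits attempts per connection only; the time-based delay the answer describes is what fail2ban or a firewall rule adds on top.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the thread's advice.
# Caveat this checker honours: sshd takes the FIRST value of each keyword,
# so the "hardening" appended at the bottom of SAMPLE_CONFIG is ignored.
# Limitations: only the "Keyword value" form is parsed (not "Keyword=value"),
# and parsing stops at the first Match block, whose values are conditional.
SAMPLE_CONFIG='# constructed sshd_config for this example
Port 22
PermitRootLogin yes
MaxAuthTries 6
# someone appended fixes here; sshd never uses them:
PermitRootLogin no
PasswordAuthentication no'

# effective_value KEYWORD: read config on stdin, print the value sshd would
# use (first match, keyword case-insensitive), or "unset" if never given.
effective_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"              { exit }
        tolower($1) == k                    { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# check NAME EXPECTED ACTUAL: print an OK/FAIL line, set rc=1 on FAIL.
check() {
    if [ "$2" = "$3" ]; then
        echo "OK   $1 = $3"
    else
        echo "FAIL $1 = $3 (want $2)"
        rc=1
    fi
}

# audit: read config on stdin, run every check, return 1 if any failed.
audit() {
    cfg=$(cat)
    rc=0
    check PermitRootLogin no \
        "$(printf '%s\n' "$cfg" | effective_value PermitRootLogin)"
    check PasswordAuthentication no \
        "$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication)"
    tries=$(printf '%s\n' "$cfg" | effective_value MaxAuthTries)
    if [ "$tries" != unset ] && [ "$tries" -le 3 ] 2>/dev/null; then
        echo "OK   MaxAuthTries = $tries"
    else
        echo "FAIL MaxAuthTries = $tries (want 3 or fewer)"
        rc=1
    fi
    return $rc
}

printf '%s\n' "$SAMPLE_CONFIG" | audit || echo "audit found problems"
```

Run it against the real file with `audit < /etc/ssh/sshd_config`; the sample above fails on PermitRootLogin (the early "yes" wins) and on MaxAuthTries, while the appended PasswordAuthentication line happens to pass only because no earlier line contradicts it.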