Silent870
Posts: 2
Joined: Fri Nov 29, 2019 11:38 am

SSH brute force attacks?

Fri Nov 29, 2019 11:47 am

Hi, I recently got a Raspberry Pi 4 and I remember reading something about SSH brute force attacks on the forums. I don't really know much about network terms and I was wondering if this is something I should be concerned about or if this is something that would just be blocked by my router's firewall. Thanks for any clarification.

pcmanbob
Posts: 8350
Joined: Fri May 31, 2013 9:28 pm
Location: Mansfield UK

Re: SSH brute force attacks?

Fri Nov 29, 2019 12:48 pm

Hi.

As long as you don't have a port forward set on your router that allows access to port 22 on your Pi from the internet you will be fine, as no one can access your Pi from the internet due to the firewall/NAT in your router.

Of course if you don't trust the users on your local network who will be able to reach port 22 on your Pi, then that is a problem.
We want information… information… information........................no information no help
The use of crystal balls & mind reading are not supported

dickon
Posts: 859
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: SSH brute force attacks?

Fri Nov 29, 2019 1:28 pm

If in doubt, there's a very handy package called fail2ban which will lock IP addresses out of ssh -- using an iptables firewall -- after too many incorrect login attempts. I highly recommend it, and run it on a lot of my machines.

DougieLawson
Posts: 37726
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: SSH brute force attacks?

Fri Nov 29, 2019 1:30 pm

Brute forcing SSH usually works when folks have a weak password (and humans are very bad at picking secure passwords).

If you prevent the use of passwords in favour of only allowing public/private key pairs (default in /etc/ssh/sshd_config). If you install an IDS like Fail2Ban then it's safe to open port 22 to the public internet.

You should also read https://www.raspberrypi.org/documentati ... ecurity.md and follow the advice published there.

Fail2ban on my system has blocked 159 potential attackers since 17th November 2019. That machine has been open to the public internet since 2014 (when it replaced my old Viglen server).
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

tpyo kingg
Posts: 809
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH brute force attacks?

Fri Nov 29, 2019 1:34 pm

Or another option like fail2ban is to use sshguard which, despite the name, can cover a lot more than SSH.

Then again, you don't need either (except to quiet the logs) if you've set up SSH key-based or SSH certificate-based authentication and disabled remote password authentication.
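Disabling password authentication, as described above, comes down to a few sshd_config keywords. The following is an added example, not part of the original post: a small Python audit of a config's global section, run on constructed sample configs. It assumes no Match blocks or Include files, which it does not handle.

```python
import re

# Values needed for key-only login; with UsePAM on, keyboard-interactive can still ask for a password.
REQUIRED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # older spelling

def global_settings(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks start here; not audited
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        seen.setdefault(ALIASES.get(key, key), value)  # sshd keeps the first value
    return seen

def audit(text):
    """Return findings; an empty list means only key-based login is allowed."""
    seen = global_settings(text)
    findings = []
    for key, want in REQUIRED.items():
        got = seen.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, build default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    return findings

# Constructed samples, not taken from a real host.
WEAK = """PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
"""
HARDENED = """PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

In the weak sample the later `PasswordAuthentication no` has no effect because the earlier `yes` was read first. On a real host, `sshd -T` prints the effective configuration, including the Match and Include handling this example skips.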

Silent870
Posts: 2
Joined: Fri Nov 29, 2019 11:38 am

Re: SSH brute force attacks?

Fri Nov 29, 2019 10:55 pm

So, it won't be an issue if I keep port 22 closed? And since I got a couple suggestions for fail2ban, I'll probably look into setting that up too. Thanks for the help everyone.

dustnbone
Posts: 201
Joined: Tue Nov 05, 2019 2:49 am

Re: SSH brute force attacks?

Fri Nov 29, 2019 11:56 pm

Yeah as long as there's no port forwarded by your router to port 22 on your Pi no one can even attempt to login from outside your internal network, making any attempt at brute forcing impossible.

If you do decide to open SSH to the internet for any reason, make absolutely sure you understand how to configure it securely.

SSH is very powerful, especially if the server is configured to allow some of its more powerful features like tunneling. A little hole in SSH can be made into a really big hole if someone gets in.

It's the amazing things you can do with SSH that make it so potentially dangerous if you're not careful about securing it.

My only way into my internal network from outside is through SSH login to an Ubuntu server. From there I can literally connect myself to anything through any port as if my laptop or whatever remote system I'm using were connected to the internal network. I can login to my internet router and forward ports, get IPs for my local devices, etc.

In short I can hack the crap out of myself.

K9spud
Posts: 14
Joined: Fri Nov 22, 2019 5:38 am

Re: SSH brute force attacks?

Sat Nov 30, 2019 2:49 am

Why risk giving them even a few attempts before banning them?

One thing I like doing is changing the port number that sshd runs on to something completely non-standard. Once you've done that, you can immediately ban anything attempting to access port 22, even on the very first try, as they've clearly identified themselves as an attacker if they're trying to access the wrong (default) port number.

dustnbone
Posts: 201
Joined: Tue Nov 05, 2019 2:49 am

Re: SSH brute force attacks?

Sat Nov 30, 2019 2:54 am

Or it's you that forgot to change the default port number in an SSH client.

All security has trade-offs.

DougieLawson
Posts: 37726
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: SSH brute force attacks?

Sat Nov 30, 2019 7:30 am

K9spud wrote:
Sat Nov 30, 2019 2:49 am
Why risk giving them even a few attempts before banning them?
My F2B set-up bans on one attempt and has a ban expiry time of -1 (never). If you violate tcp port 22, 80, 443 or udp 1194 your IP address is banned forever* on all ports.



*forever being until I take F2B down and delete the database then restart it.

dustnbone
Posts: 201
Joined: Tue Nov 05, 2019 2:49 am

Re: SSH brute force attacks?

Sun Dec 01, 2019 12:08 am

I don't use fail2ban or anything like that, but I do have a proper password that isn't getting brute forced any time this century, and the public facing port is not 22 or any simple variation on it.

If I found myself getting an annoying number of attempts I might disable password login altogether and use keys instead, but I've never even had someone find the right public port in order to make a single attempt on it.

I don't trust myself enough for instabanning IPs like that. I'd feel really silly sitting in my hotel room a thousand miles from home having banned the entire hotel's network from my server because I forgot to change a port number before I attempted a connection.

This scenario seems far more likely to me than one where my clever autoban system saves the day. It's not that hard for a hacker to get another IP to make more attempts from, but it might be impossible for me to get one without changing hotels, etc.

DougieLawson
Posts: 37726
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: SSH brute force attacks?

Sun Dec 01, 2019 8:36 am

It is gross negligence to have passwords on the public internet. You really need to remove that attack vector.

rpdom
Posts: 16383
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: SSH brute force attacks?

Sun Dec 01, 2019 8:50 am

DougieLawson wrote:
Sun Dec 01, 2019 8:36 am
It is gross negligence to have passwords on the public internet. You really need to remove that attack vector.
Indeed.

I used to have One Time passwords set for emergency access if I had to remote in from a system that didn't have the right keys on. It was a set of random single-use passwords that had to be used in combination with a keyword. I kept a list of the passwords on me, but not the keyword. When I tried to login I would get a password prompt like "Password(032): " and have to enter the keyword followed by password number 32 from my list. After that password 32 was deleted from the system so even if someone did key log me they wouldn't be able to get in using that password.

tpyo kingg
Posts: 809
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH brute force attacks?

Sun Dec 01, 2019 9:56 am

rpdom wrote:
Sun Dec 01, 2019 8:50 am
I used to have One Time passwords set for emergency access if I had to remote in from a system that didn't have the right keys on. It was a set of random single-use passwords that had to be used in combination with a keyword.
If you're into testing things, an upcoming release of OpenSSH will begin to have 2FA baked in.

echmain
Posts: 291
Joined: Fri Mar 04, 2016 8:26 pm

Re: SSH brute force attacks?

Sun Dec 01, 2019 2:52 pm

I hope this doesn't hijack this thread....

But is there a (relatively easy) way to set up 2 factor authentication for ssh on a Pi?

I use a few iPhone apps (RSA Token and Norton VIP Access) for some other authentication requirements. These display a 6 digit number that changes every minute. You have to enter your password AND this number to sign on to the application/website.

It would be cool if I could make the Pi work with those.

DougieLawson
Posts: 37726
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: SSH brute force attacks?

Sun Dec 01, 2019 2:56 pm


epoch1970
Posts: 4492
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: SSH brute force attacks?

Sun Dec 01, 2019 3:48 pm

With Google Authenticator:
https://www.digitalocean.com/community/ ... untu-16-04

NOTE: Pi does not always have the best notion of time, so
- you could want to make tokens valid for longer
- you certainly want to keep a few rescue (non-time based) codes with you.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel
