OpenBSD Journal

Worried about SSH bruteforcing attacks?

Contributed by mk/reverse on from the no-bruteforcing-pick-one dept.

Yes 24.7% (241 votes)

No 75.3% (735 votes)

Total votes: 976

(Comments are closed)

  1. By Honolulu Dark Grey Fox ( on

    8 character alphanumeric password -> 36^8 combinations.

    1 second per password try -> 18^8(*) seconds average for breaking in.

    (*) Stands for 350 years, approx.

    1. By SH ( on

      The worry is some users' weak passwords. This particular worry disappears when only allowing SSH login using certificates.

    2. By Roy ( on

      But if you expand the character set to upper and lower case letters, the number of combinations expands to 62^8. The expected number of attempts to randomly guess such a password becomes (62^8)/2 or about 3.4 million years.

      1. By Matt Van Mater ( on

        Yeah except password cracking programs run much faster than 1 password a second. (If someone was able to get their hands on your password file, john the ripper runs in the tens to hundreds of thousands of tries per second). Regardless, I still don't consider it to be a huge cause for concern.

        1. By Matt ( on

          ...and before people flame me, I know john isn't an ssh brute forcing tool. I think a Bad Guy's time would be more productive trying to get the password file and try cracking that (which is why I mentioned john). As others have stated, bruteforcing passwords over ssh would take a ridiculously long amount of time and would only work for the really low hanging fruit.

    3. By Charles Hill ( on

      From the man pages of sshd_config:

      Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

      My issue last week (when this happened to me) wasn't worrying about brute forcing of passwords, it was about not being able to get into my system because all of the possible connections were tied up. DOSed by some script kiddie in Germany, according to my logs.

      Protection against brute force password cracking is easy. Just don't allow root logins to ssh and don't allow passwords -- certificates only.
      DOS, on the other hand, can be a pain.

  2. By Sean Brown ( on

    I don't allow external ssh connections, pf blocks it all so it's not really a problem here. I would probably throw a key on a usb stick instead of using passwords if I ever felt the need to be able to ssh home.

    1. By Han ( on

      I only allow connections from a few trusted hosts as well. But as an alternative to a usb-key I'd like to suggest One Time Passwords. And something as unintrusive as a piece of paper will do all of a sudden. :-)

  3. By Anonymous Coward ( on

    why not use other port? (eg: 2222)

    1. By Michael Knudsen ( on

      I've done this, but not because I'm worried about these attacks (PasswordAuthentication no). I did it because some public networks only allow users to surf the web, so typically only 80 and 443 are allowed through. I run a web server at home but I don't use SSL, thus sshd also listens on 443.

      I know I'm probably violating the AUP of said public networks.

      1. By Anonymous Coward ( on

        Ah! but it wouldn't take long to port scan that port would it or to telnet to it and see the SSH banner! - Security through obscurity doesn't work indefinitely - someone will find you.

      2. By Han ( on

        Putty supports http-proxies nowadays. :-)

        1. By Michael Knudsen ( on

          With -current netcat you can tunnel stuff through SOCKS4/-5 and HTTP too. I use gotthard for ssh, though.

  4. By Anonymous Coward ( on

    Not really realistic in your comfort zone, are you guys. Just how many SSH connections can you make by a simple handcrafted script? - count those up, and then redo your maths!

    Remember permutations and combinations math (figure it out via are slightly different to the total number of available characters (upper/lower etc, not forgetting numerics and other ascii chars).

    For example your 4 digit ATM pin has 4^10 numbers, but only 210 combinations where the order matters (your PIN), yet you only get 3 attempts before you're locked out.

    Anyway - this is a load of conjecture, and it all depends on the admin/policy and misc variables as ever.

    1. By Anonymous Coward ( on

      Oh man... You get my vote as the first nominee for the "2005 Non-sense Post Award"

      1. By Mike Carr ( on

        A 4 digit ATM PIN, assuming that you're using the digits from 0 to 9, has 10^4 possibilities, not 4^10. Actually, 4^10 > 10^4, so you were overstating the difficulty of it.

        Additionally, order *does* matter. A PIN of 1234 is not the same as a PIN of 4321.

        In addition to that, I'm totally lost as to where 210 combinations came from... But I'll leave it as that

  5. By Anonymous Coward ( on

    That does it, I'm going back to telnet!

  6. By Anonymous Coward ( on

    My policy does not allow the usernames "jane", "patrick" and "matt". I should be secure now.

    1. By I am not going to give you a valid username ( on

      Yes, what is it with those names?
      And with dog, blue, larisa, shell, barbara, god, rose for that matter.
      Is it some kind of joke? I don't know people with names like that.

      Mmm, I just started to wonder: will adding this to pf.conf do anything?
      rdr on $ext_if proto tcp from $badip to any port ssh -> $badip port ssh
      Probably not a great idea

      1. By Anonymous Coward ( on

        After giving it some thought I could not think of any reason why it should not work. And it did work. Perhaps it's time my isp starts filtering outgoing traffic.

  7. By Anonymous Coward ( on

    so much for a poll about polls -- they still suck

    1. By Anonymous Coward ( on

      there were very good proposals but none was chosen how evil

  8. By Anonymous Coward ( on

    I don't run SSH, you insensitive clod!

    1. By Anonymous Coward ( on

      If you do not use OpenSSH or you are unable to configure it (and use it with enabled password authentication etc...), then this is your own problem...

      No, I fear not. I had a look at the source code: you should fear more that your kernel has security holes, and most that your system configuration opens security holes, really.

  9. By Merlin ( on

    I am not worried because I have disabled password authentication, disabled root access, no unix password on most of my accounts and my keys are safe.

    But I am worried that I am still getting attacks and I can only assume no one actually got in and wiped his traces. I'd love to have some kind of limitation like limit inbound ssh connections per IP address to 3/minute. That would not impact me at all and keep brute force crackers away.

    Changing the port is not really solving the problem. It's like changing the name of the Movable Type comment script.

    1. By Anonymous Coward ( on

      you can do that. limit the connections to a port, with the pf in current or with the next release.

  10. By dkaplowitz ( on

    My authlog was loaded with these lame attempts to log in using user names that don't exist on my system, or "root", which I, like any sane individual, have disabled from logging into ssh. Then, when I got fed up with parsing the logs for IPs to add to my block table, I just changed my pf rules to listen for ssh on a higher port number, so whenever I connect remotely I have to use the port. My authlog has completely cleared up since then...not one attempt. Is it the most secure set up imaginable? No. But it sure has worked to alleviate some of the annoying chatter in /var/log.
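    The two ideas raised above, limiting a source to a few SSH attempts per minute (comment 9) and pulling repeat offenders out of authlog into a pf block table (comment 10), as an added Python example that is not code from this thread or from OpenBSD. The log lines are constructed, and the table name `bruteforce` and the 3-per-minute threshold are assumptions.

```python
# Added example (not from the thread): flag SSH brute-force sources in an OpenBSD authlog.
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample authlog lines (192.0.2.0/24 and 198.51.100.0/24 are
# documentation address ranges, not real attackers).
SAMPLE_AUTHLOG = """\
Mar  5 10:00:01 gw sshd[1201]: Invalid user jane from 192.0.2.10
Mar  5 10:00:01 gw sshd[1201]: Failed password for invalid user jane from 192.0.2.10 port 4021 ssh2
Mar  5 10:00:13 gw sshd[1204]: Failed password for invalid user patrick from 192.0.2.10 port 4022 ssh2
Mar  5 10:00:25 gw sshd[1207]: Failed password for invalid user matt from 192.0.2.10 port 4023 ssh2
Mar  5 10:00:40 gw sshd[1210]: Failed password for root from 192.0.2.10 port 4024 ssh2
Mar  5 10:05:00 gw sshd[1300]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Mar  5 10:20:00 gw sshd[1350]: Failed password for alice from 198.51.100.7 port 5002 ssh2
Mar  5 10:21:00 gw sshd[1360]: Accepted publickey for alice from 198.51.100.7 port 5003 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def parse_failures(log_text, year=2005):
    """Map source IP -> list of timestamps of 'Failed password' lines.
    'Invalid user' lines are ignored so one attempt is not counted twice."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # syslog omits the year, so one is supplied to build a datetime
            hits[m.group(2)].append(
                datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return hits

def offenders(failures, limit=3, window=60):
    """Sources with more than `limit` failures inside any `window` seconds:
    the same '3 per minute, then block' idea as pf's max-src-conn-rate."""
    bad = set()
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - limit):
            if (times[i + limit] - times[i]).total_seconds() <= window:
                bad.add(ip)
                break
    return sorted(bad)

def pfctl_commands(ips, table="bruteforce"):
    """pfctl lines to add each source to a pf table; the table name is assumed."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(pfctl_commands(offenders(parse_failures(SAMPLE_AUTHLOG)))))
```

    The commands are only printed; the table they name still has to exist in pf.conf and be referenced by a block rule for the entries to have any effect.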

  11. By sbr ( on

    so far i haven't had any problem with doing this, i bet there is a security issue somewhere, but i'm still alive and kicking. i just leave root open with password root. this way the ssh scanners start, and probably the 1-5th account/password combination they try is root:root . so they get a successful login and stop. give it a whirl ssh (password root) then check out sbr. ps. if anyone breaks this be nice enough to let me know :)

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]