Preventing SSH Brute-Force Attacks: Lessons from a Real-World Incident

Listen to this Post

A customer’s internet-facing system was compromised after attackers brute-forced an exposed SSH port (logged as sshd: Accepted password for postgres from 89.163.X.X port 22010 ssh2). This highlights critical gaps in perimeter security, including unmonitored open ports and weak passwords.

You Should Know:

1. Secure SSH Access

  • Disable Password Authentication: Use SSH keys instead.
    sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
    sudo systemctl restart sshd
    
  • Change Default Port: Reduce automated scan risks.
    sudo sed -i 's/#Port 22/Port 2222/g' /etc/ssh/sshd_config
    sudo systemctl restart sshd
    

2. Monitor Open Ports

  • Check Exposed Services:
    sudo netstat -tulnp | grep LISTEN
    sudo ss -tulnp
    
  • Shodan Monitoring: Use tools like Shodan to detect unintended exposures.

3. Block Brute-Force Attempts

  • Fail2Ban: Automatically ban malicious IPs.
    sudo apt install fail2ban
    sudo systemctl enable --now fail2ban
    
  • Manual IP Blocking:
    sudo iptables -A INPUT -s 89.163.X.X -j DROP
    

4. Enforce MFA for SSH

  • Google Authenticator Setup:
    sudo apt install libpam-google-authenticator
    google-authenticator
    

Edit `/etc/pam.d/sshd` and add:

auth required pam_google_authenticator.so

5. Log Auditing

  • Review SSH Logs:
    sudo grep "Failed password" /var/log/auth.log
    sudo journalctl -u sshd --since "1 hour ago"
    

What Undercode Say

Perimeter security requires proactive measures:

  • Regular port scans (nmap -p- <IP>).
  • Patch management (sudo apt update && sudo apt upgrade).
  • Network segmentation (iptables/nftables rules).
  • Strong passwords (pwgen 16 1).
  • Automated alerts (logwatch/Splunk).

Expected Output:

A hardened SSH setup with reduced attack surface, logged intrusion attempts, and active monitoring.

Relevant URLs:

References:

Reported By: Stephan Berger – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image