If you have ever checked on your SSH access log, you will find a lot of login attempts like this:
May 5 02:17:24 Ubuntu sshd: Address 220.127.116.11 maps to ip223.hichina.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May 5 02:17:24 Ubuntu sshd: Invalid user matthias from 18.104.22.168
May 5 02:17:24 Ubuntu sshd: input_userauth_request: invalid user matthias [preauth]
May 5 02:17:24 Ubuntu sshd: pam_unix(sshd:auth): check pass; user unknown
May 5 02:17:24 Ubuntu sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.214.171.124
May 5 02:17:26 Ubuntu sshd: Failed password for invalid user matthias from 126.96.36.199 port 35231 ssh2
May 5 02:17:27 Ubuntu sshd: Received disconnect from 188.8.131.52: 11: Bye Bye [preauth]
On this server, I want to check how frequent the attempts are, so I type in the shell:
> sudo cat /var/log/auth.log | grep "Bye Bye" | grep "May 3" | wc
1545 20085 188066
I haven’t excluded my own connections here because there were only a few. It shows that my server had 1545 SSH disconnects on the 3rd of May, which is roughly one SSH login attempt per minute on average.
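The grep pipeline above counts every "Bye Bye" disconnect, including the administrator's own sessions. As an added example (not code from the original post), here is a small Python parser for the same sshd/auth.log format that counts "Failed password" events instead, broken down per day, per source address and per attempted username, with an option to exclude your own addresses. The log lines are constructed for the example and use RFC 5737 documentation addresses; the host name and message formats follow the lines quoted in the post, with an optional sshd[pid] as real syslog entries carry.

```python
import re
from collections import Counter

# Constructed sample in the same format as the lines quoted in the post.
# Addresses are from the RFC 5737 documentation ranges; 192.0.2.5 plays the
# administrator's own legitimate session.
SAMPLE_LOG = """\
May 3 00:00:01 Ubuntu sshd: Invalid user matthias from 203.0.113.10
May 3 00:00:03 Ubuntu sshd: Failed password for invalid user matthias from 203.0.113.10 port 35231 ssh2
May 3 00:00:04 Ubuntu sshd: Received disconnect from 203.0.113.10: 11: Bye Bye [preauth]
May 3 00:01:10 Ubuntu sshd: Failed password for root from 198.51.100.7 port 40022 ssh2
May 3 00:01:11 Ubuntu sshd: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
May 3 00:02:30 Ubuntu sshd: Failed password for invalid user oracle from 203.0.113.10 port 35240 ssh2
May 3 00:02:31 Ubuntu sshd: Received disconnect from 203.0.113.10: 11: Bye Bye [preauth]
May 3 08:15:02 Ubuntu sshd: Accepted publickey for alice from 192.0.2.5 port 50112 ssh2
May 3 08:30:00 Ubuntu sshd: Received disconnect from 192.0.2.5: 11: disconnected by user
May 4 01:00:00 Ubuntu sshd: Failed password for invalid user test from 198.51.100.7 port 40100 ssh2
May 4 01:00:01 Ubuntu sshd: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
"""

# syslog prefix "Mon D HH:MM:SS host sshd[pid]: message"; the pid is optional, as in the post
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
BYE_RE = re.compile(r"^Received disconnect from (?P<ip>[^:]+): \d+: Bye Bye \[preauth\]")


def parse_events(text):
    """Yield (date, kind, user, ip) for failed-password and preauth 'Bye Bye' lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date = f"{m['mon']} {m['day']}"
        msg = m["msg"]
        f = FAILED_RE.match(msg)
        if f:
            yield date, "failed", f["user"], f["ip"]
            continue
        b = BYE_RE.match(msg)
        if b:
            yield date, "bye", None, b["ip"]


def summarize(text, exclude_ips=()):
    """Count failed logins per day, per source and per username, skipping excluded addresses."""
    failed_per_day, bye_per_day, per_ip, users = Counter(), Counter(), Counter(), set()
    for date, kind, user, ip in parse_events(text):
        if ip in exclude_ips:
            continue
        if kind == "failed":
            failed_per_day[date] += 1
            per_ip[ip] += 1
            users.add(user)
        else:
            bye_per_day[date] += 1
    return {
        "failed_per_day": dict(failed_per_day),
        "bye_per_day": dict(bye_per_day),
        "per_ip": dict(per_ip),
        "users": users,
    }


def attempts_per_minute(count, minutes=24 * 60):
    """The average rate the post works out by hand: attempts spread over a full day."""
    return count / minutes


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, exclude_ips={"192.0.2.5"})
    for day, n in sorted(report["failed_per_day"].items()):
        print(f"{day}: {n} failed logins ({attempts_per_minute(n):.4f}/min)")
    print("top sources:", Counter(report["per_ip"]).most_common(5))
    print("usernames tried:", sorted(report["users"]))
```

Matching on "Failed password" rather than "Bye Bye" leaves legitimate disconnects out of the count, and the per-source breakdown shows whether the noise is a single host or spread across many, which is the difference between something a firewall rule fixes and the distributed botnet case the post describes.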
There are a lot of tips for securing your SSH server out there already, so I am not going to repeat them here. Theoretically speaking, the attacker has no chance of accessing your system if your password is long enough. For a random 10-character alphanumeric password, there’s only a 1% chance of breaking in after 229 million years if the attacker tries 10000 times per day. It is also a good idea to enforce RSA keys on a multi-user system.
Still, it is annoying.
Although it’s impossible for attackers to break into a secured server, I’m annoyed. Most of these attacks come from zombie networks, with the real attacker hiding behind them, so you can’t really do anything about it. There’s almost no cost per SSH attempt, so they will do it 24/7.
Consider increasing the cost of a failed attempt?
I was thinking of a way to increase the cost of an SSH attempt after a failed attempt, controlled by a new SSH protocol. The server would generate a factorisation problem for the client, and then double the difficulty of the problem after each failed attempt. Would this kind of protocol drastically decrease the throughput of a brute-force attack? Feel free to put your 2 cents in.
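To make the cost curve concrete, here is an added Python model of the proposal (example code, not anything from the post or from any SSH implementation). It assumes a hash-preimage puzzle of the hashcash kind in place of the post's factorisation problem, because the two behave the same way for this question: the server tracks a per-source difficulty, the client must find a nonce whose SHA-256 digest with the challenge has that many leading zero bits (2**d hashes on average), and raising the difficulty by one bit after each failure is exactly "doubling the difficulty". The `PuzzleGate` class, the `simulate_failed_attempts` helper and the cap on difficulty are assumptions made for the example.

```python
import hashlib
import os

# Assumption: a SHA-256 leading-zero-bits puzzle stands in for the post's
# factorisation problem. Difficulty d costs about 2**d hash evaluations to
# solve, so d -> d + 1 doubles the expected work of the next attempt.


def leading_zero_bits(digest):
    n = int.from_bytes(digest, "big")
    return 256 - n.bit_length()


def solve_puzzle(challenge, difficulty):
    """Client side: brute-force a nonce; returns (nonce, hashes_tried)."""
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return nonce, nonce + 1
        nonce += 1


def verify_puzzle(challenge, difficulty, nonce):
    """Server side: one hash to check the client's answer."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


class PuzzleGate:
    """Per-source difficulty that rises by one bit after every failed password (assumed design)."""

    def __init__(self, base_difficulty=0, max_difficulty=20):
        self.base = base_difficulty
        self.max = max_difficulty      # cap so a persistent attacker cannot grow the server's state unboundedly
        self.difficulty = {}           # source address -> current difficulty

    def challenge_for(self, src):
        """Fresh random challenge plus the difficulty this source currently owes."""
        return os.urandom(16), self.difficulty.get(src, self.base)

    def record_result(self, src, success):
        if success:
            self.difficulty.pop(src, None)
        else:
            current = self.difficulty.get(src, self.base)
            self.difficulty[src] = min(self.max, current + 1)


def expected_total_work(failures, base_difficulty=0):
    """Expected hashes an attacker spends over `failures` consecutive wrong passwords: 2**f - 1 at base 0."""
    return sum(2 ** (base_difficulty + k) for k in range(failures))


def simulate_failed_attempts(gate, src, attempts):
    """Attacker keeps sending wrong passwords from one source; returns hashes spent per attempt."""
    spent = []
    for _ in range(attempts):
        challenge, d = gate.challenge_for(src)
        nonce, tried = solve_puzzle(challenge, d)
        if not verify_puzzle(challenge, d, nonce):
            raise RuntimeError("client solution rejected")   # cannot happen for an honest solver
        spent.append(tried)
        gate.record_result(src, success=False)
    return spent


if __name__ == "__main__":
    gate = PuzzleGate()
    print("hashes per attempt:", simulate_failed_attempts(gate, "203.0.113.10", 12))
    for f in (10, 20, 30):
        print(f"after {f} failures the attacker has spent about {expected_total_work(f):,} hashes")
```

Two things the model makes visible. First, the cost is geometric: after twenty failures from one address the attacker has spent about a million hashes while the server has spent twenty, so for a single source the throughput collapses quickly. Second, the state is keyed by source address, which is exactly what the post's zombie networks defeat: a botnet that spreads its guesses across thousands of addresses pays the base cost on each, so the gate is only as strong as the number of attempts you are willing to allow per source before the puzzle becomes expensive.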