Annoying SSH brute force attack from zombies

The problem

If you have ever checked on your SSH access log, you will find a lot of login attempts like this:

On this server, I want to check how frequent the attempts are so I type in the shell:

I haven’t excluded my connections here because it was only a few. It shows that my server had 1545 SSH disconnects on 3rd of May, I received an SSH login attempt per minute on average.

There are a lot of tips to secure your SSH server out there already so I am not going to repeat them here. Theoretically speaking, the attacker will have no chance to access your system if your password is long enough. For a random 10 character alpha-numeric password, there’s only 1% chance to break in after 229 million years if the attacker try 10000 times per day. It is also a good idea to enforce RSA keys on a multi users system.

Still, it is annoying.

Although it’s impossible for attackers to break in a secured server, I’m annoyed. Most of these attacks come from zombie networks, and the real hacker is behind them hiding so you can’t really do anything about it. There’s almost no cost for each SSH attempt so they will do it 24/7.

zombies-620x412

Consider increasing the cost for failed attempt?

I was thinking of a way to increase the cost for SSH attempt after a fail attempt, which is controlled by a new SSH protocol. The server can generate a factorisation problem for the client, and then double the difficulty of the problem after each fail attempt. Would this kind of protocol drastically decrease the throughput of the brute force attack? Feel free to put your 2 cents in.

If you like my post, please give a little help to share it!
Share on Facebook0Tweet about this on TwitterShare on Google+0Share on Reddit0