Is this what a brute force SSH attack looks like?

Is this a bruteforce attack

This looks like the background scanning that any server on the internet will experience.

Should I be worried

Not really, background scanning is completely normal, as long as your passwords are secure background scanning should pose no risk.

What are the best mitigation steps

You can use the following to make the server more secure:

  • Only allow login using key auth
  • Disable root ssh access
  • Use a system like Fail2Ban to block brute force attempts

Should I change IPs

Changing IPs will probably not affect automated background scanning much


As previous comments pointed out already, changing IPs will NOT prevent you from being scanned by malicious scanners.

I will sum up the necessary steps to really secure your SSH-service :

  • as people have mentioned beforehand : change the port to a non-standard (highport) value, e.g. a value like 13322. This is not a real security advantage, but it makes it harder for any bot to find the active SSH-port.
  • ONLY use secure keys for authentication, if possible, deactivate keyboard-auth with passwords completely !!
  • Use fail2ban - service, which is available for any unix-like system / linux-derivate. This service will automatically ban a specific ip after n failed auth-tries for a defined time. Ban is realized via iptables rules, so iptables is a requirement.

Tags:

Linux

Authentication

Ubuntu

Ssh

Brute Force

Recent Posts