brute force password guessing on SSH server isn't going to work?

I'm running an SSH server on my personal computer. The log had many people (or bots?) repeatedly trying to log in to my server (that is, before I changed the default port), which made me a little freaked out. I was worried about their dictionary attacks or brute force password guessing.

Asked by: Guest | Views: 167
Total answers/comments: 2
Guest [Entry]

"The suggestions in the other answers on protecting yourself further when using SSH are very sensible.

But specifically to your question, brute force attacks from a single user are unlikely to be effective except against common username/password combinations or dictionary words. A random alphanumeric 9-letter password is going to take around 6 million years to guess.

However, it is also possible to attack with, say, a large co-ordinated botnet that allows you to minimise the impact of a 2 second delay from the server for each user. One million bots (obviously not exactly likely) would reduce your cracking time down to a far more scary 6.4 years."
Guest [Entry]

I install DenyHosts on any machines with internet-facing ssh servers. It automatically adds the source IPs of repeatedly failing logins to hosts.deny.
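
The kind of check the answer above describes, as an added example that is not part of the original post and is not DenyHosts' own code: it counts failed SSH logins per source IP in OpenSSH-style log lines and produces `hosts.deny` entries. The log lines are constructed samples, and `THRESHOLD`, `offenders`, `hosts_deny_lines` and the reset-on-successful-login behaviour are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

THRESHOLD = 3  # assumed cut-off for this example

# Constructed sample lines in OpenSSH's log format (documentation-range IPs).
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:05 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Mar  3 10:01:09 host sshd[812]: Failed password for invalid user x from 192.0.2.99 port 22 ssh2 from 203.0.113.7 port 40115 ssh2
Mar  3 10:02:00 host sshd[820]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Mar  3 10:02:05 host sshd[820]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Mar  3 10:02:10 host sshd[820]: Accepted password for alice from 198.51.100.4 port 51000 ssh2
Mar  3 10:03:00 host sshd[830]: Failed password for invalid user test from 192.0.2.55 port 33000 ssh2
"""

# Only text after the syslog prefix is the sshd message.
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: (.*)$")
# The user name is chosen by the remote side, so the greedy (.*) plus fullmatch()
# takes the LAST " from <ip> port <n> ssh2" on the line, never one inside the name.
FAILED = re.compile(r"Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2")
ACCEPTED = re.compile(r"Accepted \S+ for \S+ from (\S+) port \d+ ssh2")

def offenders(log_text, threshold=THRESHOLD):
    """Return sorted source IPs with at least `threshold` failed logins."""
    failures = Counter()
    for line in log_text.splitlines():
        prefix = PREFIX.match(line)
        if not prefix:
            continue
        msg = prefix.group(1)
        ok = ACCEPTED.match(msg)
        if ok:  # a successful login clears that host's failure count
            failures.pop(ok.group(1), None)
            continue
        bad = FAILED.fullmatch(msg)
        if not bad:
            continue
        try:  # count only values that parse as an IP address
            failures[str(ipaddress.ip_address(bad.group(2)))] += 1
        except ValueError:
            continue
    return sorted(ip for ip, n in failures.items() if n >= threshold)

def hosts_deny_lines(ips):
    """Format entries the way TCP wrappers expects: 'daemon: client'."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

The third sample line carries a user name with an embedded `from 192.0.2.99`; a parser that takes the first `from <ip>` on the line would count the wrong address, which lets a remote client get an unrelated host blocked.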