I have a Mac running OS X 10.5 Leopard on my home network that I have made accessible from the Internet so I can remotely access it using SSH (Secure Shell) when I am away.
However, there are many popular SSH password brute force cracking tools (such as Hydra). Below is an excerpt from /var/log/secure.log on the Internet-accessible Mac showing an obvious brute force attack:
06:15:20 sshd: Invalid user jeff from 18.104.22.168
06:15:22 sshd: Invalid user irc from 22.214.171.124
06:15:24 sshd: Invalid user list from 126.96.36.199
06:15:25 sshd: Invalid user eleve from 188.8.131.52
06:15:27 sshd: Invalid user proxy from 184.108.40.206
06:17:28 sshd: Invalid user admin from 220.127.116.11
06:17:32 sshd: Invalid user admin from 18.104.22.168
06:17:36 sshd: Invalid user admin from 22.214.171.124
06:17:39 sshd: Invalid user administrator from 126.96.36.199
06:17:43 sshd: Invalid user administrator from 188.8.131.52
06:17:46 sshd: Invalid user administrator from 184.108.40.206
06:17:49 sshd: Invalid user tads from 220.127.116.11
06:17:52 sshd: Invalid user manet from 18.104.22.168
06:17:55 sshd: Invalid user creative from 22.214.171.124
06:18:00 sshd: Invalid user manet from 126.96.36.199
What I am not showing you are hundreds of similar attempts. Further, each username login attempt repeats as many as 20 times in a row, indicating that multiple passwords are being tried.
To entirely sidestep the threat of brute force password attacks, I have disabled password logins and only allow public-key authentication. Here is how you can set this up in OS X 10.5 Leopard:
- Edit /etc/sshd_config and change the following options, removing the ‘#’ comment sign:
- Turn off Remote Login in the Sharing preference pane in System Preferences and turn it on again to restart sshd so the changes will take effect.
Now, when someone attempts to SSH to my Mac without the correct private key, she/he will see this message: