Best practices for securing SSH server

Matthew Seaman m.seaman at
Tue Jun 23 07:45:06 UTC 2009

Wojciech Puchar wrote:
>> If for some reason you would prefer to use password authentication, I
>> would recommend that you look into automatic brute force detection.
>> There are a number of utilities in ports available for this purpose,
>> including security/sshguard and security/denyhosts.
> good, but not really important with properly chosen password.
> You can't do more than maybe 10 attempts/second this way, while cracking
> 10 character password consisting of just small letters and digits needs

10 characters is a longer-than-usual password.  Most people have been
conditioned into using a 7 or 8 character password, which is at least
1000 times easier to crack using your measure.  (Still a pretty big
possible space though).

> 36^10=3656158440062976 possible passwords, and over 11 million years to
> check all possibilities, so say 100000 years if someone is really lucky
> and will get it after checking 1% of possible passwords.

There is a very big flaw in your analysis here.  You're assuming that
the passwords people might use are randomly and evenly distributed over
the whole possible password space.  That is simply untrue.  A lot of
people -- perhaps the majority -- will use a password consisting of an
English word, possibly with StUdLy CaPs or 3lite SP3LL1NG and with some
random extra characters!*99 tacked on[*].  That's a whole lot smaller
search space -- and it must be possible to brute-force passwords or it
wouldn't be worthwhile for the brute-force attackers to keep trying.

Agreed, however, that if people can be educated to use good passwords then
a brute force attack like this really is unfeasible.  I like apg(1) for
generating passwords where there is no alternative to using strong

> Of course - you must not look at logs in 100000 years and not see this
> 10 attempts per second.

Sure.  My experience is that any machine on the internet with a port 22
listener will attract about 2 to 5 brute force attackers a day -- that
is, a sequence of brute force attempts originating from 2 -- 5
independent IPs per day.  In fact, given that you have taken reasonable
measures like using ssh keys exclusively or enforcing strong passwords
then the biggest problems caused by these sorts of attacks are the drain
on system resources and the excess verbiage in log files.  Getting rid
of that is why I like to implement connection-rate based SSH blocking
via pf(4) -- not because it gives any extra security.

> I give this example against the common paranoia that exists on this group -
> a mix of real "security paranoid" persons and pseudo-experts that like to
> repeat "intelligent" phrases to show off.
> Actually - there is no need for extra protection for ssh, but for humans.
> 99% of crack attempts are done by "kevin mitnick" methods, not password
> cracking.

Absolutely true.  Mitnick was an early exponent of Social Engineering
attacks, which are still the easiest and most effective methods for
breaking computer security.  Now, if we could just get rid of all the
users, our lives as Sys Admins would be a whole lot easier...



[*] It's amazing how many people, when you tell them to use a mix of
upper and lower case letters, just capitalize the *first* letter of
their password.

Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP:                                                  Ramsgate
                                                      Kent, CT11 9PW, UK
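The search-space arithmetic the two posters are arguing over, as an added example (not code from either poster or from any tool named in the thread).  The 10 guesses/second rate is the figure assumed in the discussion; the dictionary-model parameters (200k words, 8 case/leet variants, 1000 suffixes) are assumptions chosen to illustrate the "English word plus a tail" pattern, not measured values:

```python
"""Search-space arithmetic behind the thread's brute-force estimates.

Added example, not code from the thread.  The 10 guesses/second rate is the
figure assumed in the discussion; the dictionary-model parameters are
assumptions chosen for illustration.
"""
from math import log2

GUESSES_PER_SECOND = 10                 # rate assumed in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_keyspace(alphabet_size: int, length: int) -> int:
    """Keyspace of a uniformly random password drawn from `alphabet_size`
    symbols, e.g. 36 for lower-case letters plus digits."""
    return alphabet_size ** length


def wordlist_keyspace(words: int, variants_per_word: int, suffixes: int) -> int:
    """Keyspace of the 'English word, maybe StUdLy CaPs or 3lite spelling,
    plus a short tail' pattern: the attacker only has to try every word in
    a dictionary, a handful of case/leet variants of each, and a list of
    common suffixes.  All three parameters are assumptions."""
    return words * variants_per_word * suffixes


def years_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Wall-clock years to try every candidate at `rate` guesses/second."""
    return keyspace / rate / SECONDS_PER_YEAR


def entropy_bits(keyspace: int) -> float:
    """Effective entropy of a password drawn uniformly from `keyspace`."""
    return log2(keyspace)


def compare_models() -> dict:
    """Put the thread's random 10- and 7-character passwords next to an
    assumed dictionary model: 200k words x 8 variants x 1000 suffixes.
    Returns name -> (keyspace, entropy bits, years to exhaust at 10/s)."""
    models = {
        "random 10 chars, [a-z0-9]": random_keyspace(36, 10),
        "random 7 chars, [a-z0-9]": random_keyspace(36, 7),
        "word + variant + suffix (assumed)": wordlist_keyspace(200_000, 8, 1_000),
    }
    return {
        name: (space, entropy_bits(space), years_to_exhaust(space))
        for name, space in models.items()
    }


if __name__ == "__main__":
    for name, (space, bits, years) in compare_models().items():
        print(f"{name:36s} {space:>20,d}  {bits:5.1f} bits  {years:>14,.1f} years")
```

The random 10-character case reproduces the 36^10 figure and the "over 11 million years" estimate from the quoted post; dropping to 7 characters divides the space by 36^3 = 46656, which is the "at least 1000 times easier" point.  Under the assumed dictionary model the same 10 guesses/second exhausts the whole space in about five years, and that is before accounting for the 2 to 5 independent attackers per day mentioned below.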

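The rate-based blocking the poster describes (sshguard/denyhosts-style detection, with offenders fed into a pf table), as an added example that is not code from the thread, from sshguard, denyhosts or pf.  The sshd log lines are constructed in the syslog format OpenSSH writes, using TEST-NET addresses; the threshold of 5 failures in 60 seconds and the table name "bruteforce" are assumptions.  The block only renders the pfctl(8) commands as strings rather than running them:

```python
"""sshguard/denyhosts-style brute-force detection over sshd log lines.

Added example; the log lines are constructed, the thresholds and the pf
table name are assumptions, and nothing here is code from the thread or
from sshguard, denyhosts or pf.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in the syslog format OpenSSH writes.  The year
# is absent, as in real syslog, and the addresses are TEST-NET ranges.
SAMPLE_LOG = """\
Jun 23 07:45:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jun 23 07:45:02 host sshd[1202]: Failed password for invalid user oracle from 192.0.2.10 port 51235 ssh2
Jun 23 07:45:02 host sshd[1203]: Failed password for root from 192.0.2.10 port 51236 ssh2
Jun 23 07:45:03 host sshd[1204]: Failed password for invalid user test from 192.0.2.10 port 51237 ssh2
Jun 23 07:45:03 host sshd[1205]: Accepted publickey for matthew from 198.51.100.7 port 40001 ssh2
Jun 23 07:45:04 host sshd[1206]: Failed password for invalid user guest from 192.0.2.10 port 51238 ssh2
Jun 23 07:45:05 host sshd[1207]: Failed password for invalid user admin from 192.0.2.10 port 51239 ssh2
Jun 23 07:50:00 host sshd[1208]: Failed password for matthew from 198.51.100.7 port 40002 ssh2
Jun 23 08:10:00 host sshd[1209]: Failed password for matthew from 198.51.100.7 port 40003 ssh2
Jun 23 08:12:30 host sshd[1210]: Accepted password for matthew from 198.51.100.7 port 40004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2009):
    """Yield (timestamp, ip, user) for each failed-password line.
    syslog omits the year, so the caller supplies it (assumed 2009 here)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


class RateBlocker:
    """Block a source after `threshold` failures inside `window` seconds.

    A bulk attacker trips the threshold within seconds of arriving; a
    legitimate user's occasional typo spread over minutes never does.
    """

    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                  # ip -> time the block was applied

    def observe(self, ts, ip):
        """Record one failure; return True the moment `ip` crosses the threshold."""
        if ip in self.blocked:
            return False
        q = self.recent[ip]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts
            return True
        return False


def find_bruteforcers(text, threshold=5, window=60):
    """Run the detector over a log text; return ip -> time of blocking."""
    blocker = RateBlocker(threshold, window)
    for ts, ip, _user in parse_failures(text):
        blocker.observe(ts, ip)
    return blocker.blocked


def pf_table_commands(blocked, table="bruteforce"):
    """Render the pfctl(8) invocations that add each offender to a pf table
    (which a `block in quick from <bruteforce>` rule would then drop).
    Returned as strings only; nothing is executed."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} blocked at {when:%H:%M:%S}")
    print("\n".join(pf_table_commands(hits)))
```

On the constructed lines the scanner from 192.0.2.10 is blocked at its fifth failure, three seconds after its first, while the user at 198.51.100.7 with two failures twenty minutes apart is never touched.  This is the same trade-off the poster makes with pf's connection-rate blocking: it does not make a strong password or key any stronger, it just stops the log noise and the wasted CPU.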