Understanding SSH Brute Force Attack Patterns
Modern SSH brute force attacks employ sophisticated techniques that go beyond simple password guessing. Attackers use distributed botnets, credential stuffing from data breaches, and intelligent targeting based on reconnaissance. Understanding these patterns enables effective defense strategies.
Common attack characteristics include rapid connection attempts from a single source, distributed attacks in which many IPs each make only a few attempts against the same server, dictionary-based username and password combinations, and credential stuffing with passwords leaked in other breaches. Attackers often probe for default and service accounts, test weak passwords systematically, and pace their attempts (low-and-slow) to stay under lockout and rate-limiting thresholds.
Monitor active attacks to understand patterns:
# Real-time SSH authentication failure monitoring.
# Assumes a syslog-style /var/log/auth.log; on journald-only hosts replace the
# tail with: journalctl -u ssh -f -o cat   (unit is sshd on RHEL-style systems)
# --line-buffered is required: without it grep block-buffers its output and the
# loop prints nothing until several KB of failures have accumulated.
tail -F /var/log/auth.log | \
grep --line-buffered -E "Failed password|Invalid user" | \
while read -r line; do
    # Pull the source address (IPv4 or IPv6) that follows "from"
    ip=$(printf '%s\n' "$line" | grep -oE "from [0-9a-fA-F.:]+" | awk '{print $2}')
    echo "[$(date '+%H:%M:%S')] $ip"
done
#!/bin/bash
# analyze-ssh-attacks.sh
# Analyze attack patterns from logs (syslog-style auth.log with
# "Mon DD HH:MM:SS" timestamps; see the note under the timing section).
LOG_FILE="/var/log/auth.log"
OUTPUT_DIR="/var/log/ssh-attack-analysis"
mkdir -p "$OUTPUT_DIR"
# Extract failed login attempts
echo "Analyzing SSH brute force attempts..."
# Top attacking IPs: anchor on "from <addr>" so PIDs and port numbers in the
# same line are never mistaken for an address (handles IPv4 and IPv6)
echo "=== Top 20 Attacking IPs ===" > "$OUTPUT_DIR/top-attackers.txt"
grep "Failed password" "$LOG_FILE" | \
grep -oE "from [0-9a-fA-F.:]+" | awk '{print $2}' | \
sort | uniq -c | sort -rn | head -20 >> "$OUTPUT_DIR/top-attackers.txt"
# Common usernames attempted. Only "Failed password" lines are counted:
# sshd logs a nonexistent account both as "Invalid user X from ..." and as
# "Failed password for invalid user X from ...", so counting both would
# double-count the same attempt. The "invalid user " prefix is stripped so
# that X is counted rather than the literal string "invalid user X".
echo "=== Top 20 Targeted Usernames ===" > "$OUTPUT_DIR/targeted-users.txt"
grep "Failed password for" "$LOG_FILE" | \
sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from.*/\2/p' | \
sort | uniq -c | sort -rn | head -20 >> "$OUTPUT_DIR/targeted-users.txt"
# Attack timing patterns (bucketed per hour as "Mon DD HH")
echo "=== Hourly Attack Distribution ===" > "$OUTPUT_DIR/timing-pattern.txt"
grep "Failed password" "$LOG_FILE" | \
awk '{print $1" "$2" "$3}' | \
cut -d: -f1 | sort | uniq -c >> "$OUTPUT_DIR/timing-pattern.txt"
# If rsyslog writes ISO 8601 timestamps (e.g. 2024-03-03T02:14:01.123456+00:00),
# replace the awk/cut pair above with: awk '{print substr($1, 1, 13)}'
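The script above gives totals per source and per account, which does not by itself separate the two attack shapes described at the start of this page: a rapid burst from one source, and a distributed attack in which many sources each try one account a few times. The following is an added example, not code from the original page: it parses a constructed auth.log excerpt, applies a sliding time window per source IP to flag bursts, and counts distinct source IPs per username to flag distributed attacks. The sample lines, the 60-second / 5-failure window and the 3-source threshold are assumptions chosen for illustration, and timestamps are reduced to seconds within a single day (no midnight rollover), which is enough for the sample.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): classify SSH authentication
# failures into single-source bursts and distributed attacks on one account.
# Assumptions: syslog-style "Mon DD HH:MM:SS" timestamps, all on the same day.

# Constructed sample auth.log excerpt; addresses are documentation ranges.
# Note the nonexistent account "admin" appears twice for one attempt
# ("Invalid user ..." then "Failed password for invalid user ...").
SAMPLE_LOG='Mar  3 02:14:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 02:14:02 host sshd[1203]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  3 02:14:02 host sshd[1205]: Invalid user admin from 203.0.113.5 port 51026
Mar  3 02:14:03 host sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51026 ssh2
Mar  3 02:14:04 host sshd[1209]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 02:14:05 host sshd[1211]: Failed password for root from 203.0.113.5 port 51032 ssh2
Mar  3 02:15:10 host sshd[1301]: Failed password for deploy from 198.51.100.10 port 40010 ssh2
Mar  3 02:31:15 host sshd[1302]: Failed password for deploy from 198.51.100.11 port 40011 ssh2
Mar  3 02:47:20 host sshd[1303]: Failed password for deploy from 198.51.100.12 port 40012 ssh2
Mar  3 03:02:25 host sshd[1304]: Failed password for deploy from 198.51.100.13 port 40013 ssh2
Mar  3 03:20:30 host sshd[1305]: Accepted publickey for deploy from 192.0.2.8 port 50000 ssh2: ED25519 SHA256:abc'

# stdin: auth.log lines; stdout: "seconds_since_midnight user source_ip",
# one line per "Failed password" event, sorted by time. "Invalid user" lines
# are skipped because they duplicate the matching "Failed password" line.
parse_failures() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      split($3, t, ":")
      secs = t[1] * 3600 + t[2] * 60 + t[3]
      rest = $0
      sub(/.*Failed password for /, "", rest)
      sub(/^invalid user /, "", rest)   # drop the prefix sshd adds for unknown accounts
      split(rest, p, " ")                # p[1]=user, p[2]="from", p[3]=address
      print secs, p[1], p[3]
    }' | sort -k1,1n
}

# Single-source bursts: print each IP that produced >= $2 failures within
# any $1-second window (sliding window per IP over time-ordered events).
burst_sources() {
  parse_failures | awk -v win="$1" -v thr="$2" '
    {
      t = $1; ip = $3
      n[ip]++; times[ip, n[ip]] = t
      if (!(ip in head)) head[ip] = 1
      while (times[ip, head[ip]] < t - win) head[ip]++   # expire old events
      if (n[ip] - head[ip] + 1 >= thr && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# Distributed attacks: print "user <count>" for accounts targeted from >= $1
# distinct source IPs, regardless of how few attempts each IP made.
distributed_targets() {
  parse_failures | awk -v min="$1" '
    { key = $2 SUBSEP $3; if (!(key in seen)) { seen[key] = 1; srcs[$2]++ } }
    END { for (u in srcs) if (srcs[u] >= min) print u, srcs[u] }' | sort
}

echo "== single-source bursts (>= 5 failures within 60 s) =="
printf '%s\n' "$SAMPLE_LOG" | burst_sources 60 5
echo "== accounts hit from >= 3 distinct sources =="
printf '%s\n' "$SAMPLE_LOG" | distributed_targets 3
```

On the sample, the burst check flags 203.0.113.5 (five failures in four seconds) and the distributed check flags deploy (four sources, one attempt each). The second signal is the one a per-IP ban threshold never fires on: every source stays well under any sensible per-IP limit, so distributed attacks have to be detected per account rather than per source.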