ssh-password-spraying-linux-security-guide

Hacking Truth
0

 

ssh-password-spraying-linux-security-guide


Could Your SSH Service Withstand Password Spraying?


Every Linux administrator enables SSH because it is the fastest and most secure way to manage remote systems. However, the same service is also one of the most targeted attack surfaces on the Internet.

Unlike traditional brute-force attacks that repeatedly try many passwords against a single account, password spraying is much stealthier. Attackers test a small number of common passwords across hundreds or thousands of usernames, making it much harder to detect and often avoiding account lockout policies.

The question is simple:

If someone started password spraying your SSH server today, would it survive?

In this guide, you'll learn how password spraying works, how attackers perform it, how to detect it, and the best ways to secure your Linux server.


What Is Password Spraying?

Password spraying is a cyberattack where an attacker tries one common password against many user accounts instead of trying many passwords against one account.

Example

Instead of:

  • admin
  • 123456
  • password
  • admin123


Against one user:

atul

The attacker tries:

  • atul : Welcome@123
  • john : Welcome@123
  • root : Welcome@123
  • ubuntu : Welcome@123
  • developer : Welcome@123

Then waits several hours before trying another common password.

Because login attempts are spread across multiple accounts, many security systems fail to recognize the attack.


Why Attackers Love SSH?

SSH is usually exposed on:

  • Cloud VPS
  • AWS EC2
  • Azure Virtual Machines
  • Google Cloud
  • DigitalOcean
  • Home Labs
  • Raspberry Pi
  • Enterprise Linux Servers


If password authentication is enabled, attackers continuously scan the Internet looking for SSH services.

Popular targets include:

  • Ubuntu
  • Debian
  • Kali Linux
  • CentOS
  • Rocky Linux
  • AlmaLinux

How Password Spraying Works


ssh-password-spraying-linux-security-guide


If any account uses that password, the attacker gains access.


Signs Your SSH Server Is Under Attack

Common symptoms include:

  • Numerous failed SSH login attempts
  • Authentication failures from multiple IP addresses
  • Repeated attempts targeting many usernames
  • High activity in SSH logs
  • Unexpected CPU spikes due to authentication processing



Check SSH Logs


  • Ubuntu/Debian
  • sudo cat /var/log/auth.log


CentOS/RHEL

  • sudo cat /var/log/secure
  • Search for failed logins:
  • grep "Failed password" /var/log/auth.log


Example:

  • Failed password for invalid user admin
  • Failed password for root
  • Failed password for ubuntu
  • Failed password for developer


This pattern often indicates automated attacks.



View Failed SSH Attempts


Count failed logins:

  • grep "Failed password" /var/log/auth.log | wc -l

Find attacking IPs:

  • grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr



How to Protect SSH


1. Disable Password Authentication


SSH keys are significantly more secure than passwords.

Edit:

  • sudo nano /etc/ssh/sshd_config

Set:

  • PasswordAuthentication no
  • PubkeyAuthentication yes


Restart SSH:

  • sudo systemctl restart ssh

2. Disable Root Login

Never allow direct root logins.

  • PermitRootLogin no


3. Use Strong SSH Keys

Generate an Ed25519 key:

  • ssh-keygen -t ed25519

Copy it to the server:

  • ssh-copy-id user@server-ip

4. Change the Default SSH Port


Although changing the default port won't stop determined attackers, it reduces noise from automated bots.

Example:

  • Port 2222

Remember to update your firewall rules accordingly.


5. Install Fail2Ban

Install:

Ubuntu

  • sudo apt install fail2ban

Start service:


  • sudo systemctl enable fail2ban
  • sudo systemctl start fail2ban

Check status:

  • sudo fail2ban-client status sshd


Fail2Ban blocks IP addresses after repeated failed login attempts.


6. Enable Two-Factor Authentication


Even if a password is compromised, MFA can prevent unauthorized access.

Popular options:

  • Google Authenticator
  • Authy
  • Duo Security

7. Restrict Users


Limit SSH access to specific users.

  • AllowUsers atul admin


8. Use a Firewall


With UFW:

  • sudo ufw allow 22/tcp
  • sudo ufw enable


For a custom SSH port:

  • sudo ufw allow 2222/tcp


9. Monitor Login Attempts

View active sessions:

  • who

Recent logins:

  • last


Current SSH connections:

  • ss -tnp | grep ssh


10. Keep OpenSSH Updated


Update packages regularly:

Ubuntu

  • sudo apt update
  • sudo apt upgrade


Kali

  • sudo apt full-upgrade


Common Mistakes


Avoid these risky configurations:

  • ❌ Weak passwords
  • ❌ Root login enabled
  • ❌ Password authentication enabled
  • ❌ No firewall
  • ❌ No monitoring
  • ❌ Ignoring SSH logs
  • ❌ Not updating openSSH


Security Hardening Checklist

  • Disable root login
  • Disable password authentication
  • Use SSH keys
  • Install Fail2Ban
  • Enable MFA
  • Restrict SSH users
  • Change the default port (optional)
  • Monitor logs regularly
  • Keep OpenSSH updated
  • Back up SSH configuration before changes


Final Thoughts


Password spraying remains one of the most effective techniques attackers use against exposed SSH services because it exploits weak password practices rather than software vulnerabilities.

A secure SSH configuration should rely on public key authentication, strong account policies, monitoring, and defense-in-depth controls such as Fail2Ban, firewalls, and multi-factor authentication. Regularly reviewing authentication logs and keeping OpenSSH up to date significantly reduces the risk of compromise.

If your server is still using password-based SSH authentication, now is the time to harden it before attackers find it.


Frequently Asked Questions (FAQ)


Q1. What is SSH password spraying?

  • It is an attack where a single common password is tested against many different user accounts instead of trying many passwords on one account.


Q2. Is password spraying the same as brute force?

  • No. Brute-force attacks target one account with many passwords, while password spraying targets many accounts with a small set of common passwords.


Q3. Can Fail2Ban stop password spraying?

  • Fail2Ban helps block repeated failed login attempts from the same IP address, but it should be combined with SSH keys, MFA, and proper monitoring for stronger protection.


Q4. Should I disable SSH password authentication?

  • Yes. Using SSH key-based authentication instead of passwords is one of the most effective ways to protect SSH access.


Q5. Does changing the SSH port improve security?

  • Changing the default port can reduce automated scanning and log noise, but it should not be considered a replacement for proper authentication and server hardening.



Post a Comment

0 Comments
* Please Don't Spam Here. All the Comments are Reviewed by Admin.
Post a Comment (0)
Our website uses cookies to enhance your experience. Learn More
Accept !