Recently, I showed you how to perform a dictionary attack on an SSH server. You can find the post here: How to use a dictionary attack to crack the password for SSH.
Today, I would like to share a mitigation for that weakness: SSH key-based authentication.
Check the SSH default config
To minimize the chance of having the SSH password cracked, use key-based authentication instead of password-based authentication. SSH supports both methods, and both are enabled by default. You can check the default configuration by inspecting the file /etc/ssh/sshd_config (the two options of interest are PasswordAuthentication and PubkeyAuthentication; both lines are commented out by default, which means the built-in default of yes applies):
grep -i "^#PasswordAuth" /etc/ssh/sshd_config
grep -i "^#Pub" /etc/ssh/sshd_config
Generate the SSH Key Pair
Now that you know the SSH configuration defaults, you need to create the SSH key pair.
To generate the key pair, use the ssh-keygen command.
You can use the default file to save the key or you can specify a different one. I will go with the default.
In the next step, you can optionally set a passphrase. For environments with high security needs, you should not skip this step. In my lab, I will not use a passphrase. If you set a passphrase during key generation, you will need to enter it every time you log in to the SSH server.
The ssh-keygen command produces two files:
- A public key, saved in the hidden .ssh directory of your home folder (/home/kali/.ssh/id_rsa.pub). The file name of the public key is id_rsa.pub.
- A private key, saved in /home/kali/.ssh/id_rsa. The file name of the private key is id_rsa.
If you want to find out more about ssh-keygen and its options, you can read the man page.
Copy the public key to the remote server
After the keys are generated, copy the public key to the remote server.
You can copy the key manually, over an SSH connection, or with ssh-copy-id. I will use the ssh-copy-id command.
Test authentication through SSH keys
After you have copied the public key to the remote server, test the authentication using the SSH keys.
Run a similar command. You need to adjust it according to your environment.
As you can see, I was able to login to the Ubuntu machine without specifying any password.
Disable password authentication on remote server
The last step is to disable the password authentication on the remote server. In my case, this is the Ubuntu machine with the IP address 192.168.1.130.
In /etc/ssh/sshd_config, find the line that contains the PasswordAuthentication option, remove the # sign from the beginning of the line, and change its value from yes to no.
For this change to take effect, you need to restart the SSH server.
Run the command:
sudo systemctl restart ssh
Confirm that password authentication is not working anymore
Finally, you can confirm that password authentication is not working anymore.
hydra -l petru -P 1000-most-common-passwords.txt 192.168.1.130 ssh
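A small audit script, added here as an example and not part of the original post, that checks whether a given sshd_config ends up with password logins off and key logins on. It applies sshd's own rule that the first active occurrence of a keyword wins, and treats the commented-out lines from the default config as the built-in default; the two sample configs are constructed for the demo, and the script assumes plain keyword/value lines without Match blocks or Include directives.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two sshd settings the
# post changes. sshd honours the FIRST active occurrence of a keyword and
# ignores later ones; a commented line such as "#PasswordAuthentication yes"
# only documents the compiled-in default. Assumption: plain keyword/value
# lines only (no Match blocks, no Include files).

# Print the effective value of a keyword: first uncommented match, else default.
effective_setting() {
    file=$1 key=$2 default=$3
    val=$(awk -v k="$key" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(k) { print $2; exit }
    ' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Succeed (exit 0) only when password logins are off and key logins are on.
check_sshd_config() {
    pw=$(effective_setting "$1" PasswordAuthentication yes)
    pk=$(effective_setting "$1" PubkeyAuthentication yes)
    echo "$1: PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    [ "$pw" = no ] && [ "$pk" = yes ]
}

# Constructed sample configs, not copied from any real host.
# "before": stock defaults, both options still commented out.
before=$(mktemp)
cat > "$before" <<'EOF'
#PubkeyAuthentication yes
#PasswordAuthentication yes
EOF

# "after": the edit from the post, plus a stray duplicate further down that
# sshd ignores because the first active line wins (keywords are case-insensitive).
after=$(mktemp)
cat > "$after" <<'EOF'
#PubkeyAuthentication yes
PasswordAuthentication no
  passwordauthentication yes
EOF

check_sshd_config "$before" || echo "  -> password logins still possible"
check_sshd_config "$after"  && echo "  -> password logins disabled"
```

On a real host, `sudo sshd -T | grep -i -E 'passwordauthentication|pubkeyauthentication'` prints the values sshd actually loaded, including anything pulled in through Include; on Ubuntu, a drop-in under /etc/ssh/sshd_config.d/ (for example one written by cloud-init) can set PasswordAuthentication yes and silently override the line you edited in the main file.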
I hope you find this post useful. Share it on your social media channels so that other people can read it too.