How to mitigate the SSH dictionary attacks with SSH key-based authentication

Recently, I showed you how to perform a dictionary attack on an SSH server. You can find the post here: How to use a dictionary attack to crack the password for SSH.

Today, I would like to share a mitigation technique for this weakness: SSH key-based authentication.

Gulian Technology

Check the SSH default config

In order to minimize the chance of having the SSH password cracked, use key-based authentication instead of password-based authentication. SSH permits both methods, and both are enabled by default. You can check the default configuration by inspecting the file /etc/ssh/sshd_config.

grep -i "^#PasswordAuth" /etc/ssh/sshd_config
grep -i "^#Pub" /etc/ssh/sshd_config
Check default SSH config
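The two grep commands above only show the commented-out defaults; an active setting, a drop-in file read through an Include directive, or a Match block can make the live value different. As an added example, not code from the original post, here is a small POSIX shell checker that reports the value sshd would use for an option. The function names and the sample configuration it builds are constructed for the demo. On a real server, sshd -T (run as root) prints the effective values and is the authoritative check.

```shell
#!/bin/sh
# Added example, not part of the original post. Shows the value sshd will
# actually use for an option, because grepping for "^#PasswordAuth" only
# finds the commented-out default, not any active setting.
# Assumptions: OpenSSH sshd_config syntax; the sample files below are
# constructed for the demo and do not describe any real host.

# sshd_effective_option OPTION FILE
# Prints the effective value of OPTION: the first active setting wins,
# Include files are read at the point where the directive appears (so a
# drop-in under sshd_config.d can take precedence over the main file),
# and settings inside Match blocks are skipped because they apply only
# conditionally. Prints DEFAULT when no active setting exists, meaning
# the built-in default applies (yes for both PasswordAuthentication and
# PubkeyAuthentication).
sshd_effective_option() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cfg=$2
    in_match=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Tokenize: drop comments, and treat "Key=value" like "Key value".
        set -f
        set -- $(printf '%s\n' "$line" | sed 's/#.*//; s/=/ /')
        set +f
        [ $# -ge 1 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        case $key in
            match) in_match=1; continue ;;
            include)
                for pattern in "$@"; do
                    case $pattern in /*) ;; *) pattern="/etc/ssh/$pattern" ;; esac
                    for inc in $pattern; do     # glob expansion happens here
                        [ -f "$inc" ] || continue
                        val=$(sshd_effective_option "$want" "$inc")
                        [ "$val" = DEFAULT ] || { echo "$val"; return 0; }
                    done
                done
                continue ;;
        esac
        [ "$in_match" -eq 0 ] || continue
        if [ "$key" = "$want" ]; then
            echo "$*"
            return 0
        fi
    done < "$cfg"
    echo DEFAULT
}

# make_sample_sshd_config DIR
# Writes a constructed Ubuntu-style layout: a main file that disables
# password auth, plus a cloud-init style drop-in that re-enables it and
# is included before the main file's own settings.
make_sample_sshd_config() {
    dir=$1
    mkdir -p "$dir/sshd_config.d"
    printf '%s\n' \
        "# constructed sample, not a real host's config" \
        "Include $dir/sshd_config.d/*.conf" \
        '#PasswordAuthentication yes' \
        'PasswordAuthentication no' \
        'PubkeyAuthentication yes' \
        'Match User backup' \
        '    PasswordAuthentication yes' > "$dir/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
}

# Demo on the constructed files (nothing under /etc is read or changed).
demo_dir=$(mktemp -d)
make_sample_sshd_config "$demo_dir"
echo "PasswordAuthentication: $(sshd_effective_option PasswordAuthentication "$demo_dir/sshd_config")"   # yes: the drop-in wins
rm "$demo_dir/sshd_config.d/50-cloud-init.conf"
echo "PasswordAuthentication: $(sshd_effective_option PasswordAuthentication "$demo_dir/sshd_config")"   # no
rm -rf "$demo_dir"
```

The demo shows the pitfall the greps miss: the main file says PasswordAuthentication no, but the drop-in read first by Include says yes, and that is the value sshd uses until the drop-in is removed or changed.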

Generate the SSH Key Pair

Now that you know the defaults of the SSH configuration, you need to create the SSH key pair.

In order to generate the key pair, you will use the command:

ssh-keygen
Create the key pair with ssh-keygen command

You can use the default file to save the key or you can specify a different one. I will go with the default.

In the next step, you can optionally set a passphrase. For environments with high security needs, do not skip this step. In my lab, I will not use a passphrase. If you set a passphrase during the key generation, you will need to enter it every time you log in to the SSH server.

Specify a passphrase or leave it empty

The ssh-keygen command produces two files:

  1. A public key, saved in the hidden .ssh directory of your home folder (/home/kali/.ssh/id_rsa.pub). The name of the public key is id_rsa.pub.
  2. A private key, saved in /home/kali/.ssh/id_rsa. The name of the private key is id_rsa.
Location of the private and public key

If you want to find out more about ssh-keygen and its options, you can read the man page.

man ssh-keygen
ssh-keygen man page

Copy the public key to the remote server

After the keys are generated, copy the public key to the remote server.

You can copy the key manually, with the ssh command, or with ssh-copy-id. I will use the ssh-copy-id command.

ssh-copy-id petru@192.168.1.130
Copy the public key to the remote server
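As an added example (not code from the original post), the manual alternative to ssh-copy-id expressed as shell functions: append the key to authorized_keys without duplicating it, and with the owner-only permissions that sshd's default StrictModes expects. The function names and the demo key are made up for this illustration; the key string is not a real public key.

```shell
#!/bin/sh
# Added example, not part of the original post: what the "manual" copy of
# a public key amounts to, i.e. what ssh-copy-id does on the remote side,
# including the permissions sshd insists on. Function names and the sample
# key are constructed for the demo; the key is not a real one.

# install_authorized_key HOME_DIR PUBKEY_LINE
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless it is already
# there, and sets owner-only permissions. Prints added, present or invalid.
install_authorized_key() {
    home=$1
    pubkey=$2
    # Accept only lines that look like an OpenSSH public key.
    case $pubkey in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*|sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-*) ;;
        *) echo invalid; return 0 ;;
    esac
    dir="$home/.ssh"
    keys="$dir/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"        # sshd (StrictModes yes, the default) ignores authorized_keys
    touch "$keys"           # under a group- or world-writable .ssh or home directory
    chmod 600 "$keys"
    if grep -qxF -- "$pubkey" "$keys"; then
        echo present
    else
        printf '%s\n' "$pubkey" >> "$keys"
        echo added
    fi
}

# check_key_perms HOME_DIR
# Prints ok when .ssh is 700 and authorized_keys is 600 (the modes
# ssh-copy-id creates with umask 077), bad otherwise.
check_key_perms() {
    dir="$1/.ssh"
    dmode=$(ls -ld "$dir" | cut -c1-10)
    fmode=$(ls -l "$dir/authorized_keys" | cut -c1-10)
    if [ "$dmode" = drwx------ ] && [ "$fmode" = -rw------- ]; then
        echo ok
    else
        echo bad
    fi
}

# Over SSH, the same steps are roughly what ssh-copy-id runs on the server:
#   cat ~/.ssh/id_rsa.pub | ssh petru@192.168.1.130 \
#       'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'

# Demo in a throwaway directory with a constructed, non-functional key.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx kali@lab'
install_authorized_key "$demo_home" "$demo_key"     # added
install_authorized_key "$demo_home" "$demo_key"     # present (no duplicate line)
check_key_perms "$demo_home"                        # ok
rm -rf "$demo_home"
```

The idempotence check matters when the copy is scripted: a key appended twice still works, but it makes later audits of authorized_keys harder to read. The permission check is the one to run when key login unexpectedly falls back to a password prompt, since sshd silently ignores a key file it considers unsafe.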

Test authentication through SSH keys

After you have copied the public key to the remote server, test the authentication using the SSH keys.

Run a similar command, adjusted to your environment.

ssh petru@192.168.1.130
Test authentication through SSH keys

As you can see, I was able to log in to the Ubuntu machine without specifying any password.

Disable password authentication on remote server

The last step is to disable the password authentication on the remote server. In my case, this is the Ubuntu machine with the IP address 192.168.1.130.

Disable password authentication

In /etc/ssh/sshd_config, you need to find the line that contains the PasswordAuthentication option and change it from yes to no. You also need to remove the # sign from the beginning of the line.

Password authentication disabled

For this change to take effect, you need to restart the SSH server.

Run the command:

sudo systemctl restart ssh
Restart the SSH service
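The manual edit, restart and check above, as an added example script that is not from the original post. It assumes OpenSSH's sshd_config syntax, the systemd unit name ssh used in the post, and that harden_sshd runs as root on the server; set_sshd_option, harden_sshd and make_demo_sshd_config are names chosen here. The demo at the end runs on a constructed file only. The script also turns off KbdInteractiveAuthentication, which goes beyond the post's steps.

```shell
#!/bin/sh
# Added example, not part of the original post: the "edit sshd_config,
# validate, restart" step as a repeatable script instead of a hand edit.
# Assumptions: OpenSSH sshd_config syntax, systemd unit named ssh (as on
# the post's Ubuntu machine), harden_sshd run as root on the server. The
# file used by the demo is constructed and nothing under /etc is touched.

# set_sshd_option FILE OPTION VALUE
# Rewrites the first commented or active line for OPTION as "OPTION VALUE"
# (removing the leading "#", as the post describes), drops later duplicates,
# leaves Match blocks alone, and appends the line before any Match block
# when the file has none. A drop-in read via an Include directive earlier
# in the file still takes precedence; sshd -T shows the final result.
set_sshd_option() {
    cfg=$1
    opt=$2
    val=$3
    tmp=$(mktemp)
    awk -v opt="$opt" -v val="$val" '
        function key(s) {
            sub(/^[[:space:]]*#?[[:space:]]*/, "", s)   # strip indentation and a leading #
            split(s, f, /[[:space:]=]+/)
            return tolower(f[1])
        }
        {
            k = key($0)
            if (k == "match" && !inmatch) {
                inmatch = 1
                if (!seen) { print opt " " val; seen = 1 }   # global settings must precede Match
            }
            if (inmatch) { print; next }
            if (k == tolower(opt)) {
                if (!seen) { print opt " " val; seen = 1 }
                next                                     # replaced, or duplicate dropped
            }
            print
        }
        END { if (!seen) print opt " " val }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# harden_sshd: back up, set the options, validate, restart, verify (root).
# KbdInteractiveAuthentication is set as well, which goes beyond the post:
# with UsePAM yes, a PAM password prompt can still be offered through
# keyboard-interactive when only PasswordAuthentication is turned off.
# (Older OpenSSH releases call this option ChallengeResponseAuthentication.)
harden_sshd() {
    cfg=/etc/ssh/sshd_config
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$bak"
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" KbdInteractiveAuthentication no
    # Never restart on a broken file: a syntax error would lock you out.
    if ! sshd -t; then
        echo "sshd_config invalid, restoring $bak" >&2
        cp -p "$bak" "$cfg"
        return 1
    fi
    systemctl restart ssh
    sshd -T | grep -iE '^(password|kbdinteractive|pubkey)authentication'
}

# Demo on a constructed file (harden_sshd itself is not run here).
make_demo_sshd_config() {
    printf '%s\n' \
        '#PasswordAuthentication yes' \
        'PubkeyAuthentication yes' \
        'Match User backup' \
        '    PasswordAuthentication yes' > "$1"
}
demo_cfg=$(mktemp)
make_demo_sshd_config "$demo_cfg"
set_sshd_option "$demo_cfg" PasswordAuthentication no
set_sshd_option "$demo_cfg" KbdInteractiveAuthentication no
cat "$demo_cfg"
rm -f "$demo_cfg"
```

Keep the SSH session you edited from open until a second session with key authentication succeeds; the sshd -t check catches syntax errors, not a missing or mis-permissioned authorized_keys file.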

Confirm that password authentication is not working anymore

Finally, you can confirm that password authentication is not working anymore.

hydra -l petru -P 1000-most-common-passwords.txt 192.168.1.130 ssh
Password authentication not supported by the target server

I hope you find this post useful. Share it on your social media channels so that other people can read it too.
