Password Brute Force Attack

June 12, 2019

In a password brute force attack, a hacker attempts all possible username and password combinations to gain illegal access to a system. The process is carried out using automated software tools. The most commonly attacked service is SSH, which runs on port 22 on a server. The Arch Linux wiki has an excellent tutorial on configuring SSH.

One can easily identify brute force attacks in Linux. The first indicator is multiple attempts from the same IP address. I have an Ubuntu server where I have disabled SSH password login, because I only use keys. Keys are superior to passwords since they are not vulnerable to brute force attacks.

Viewing failed login attempts on Linux

  • Run sudo lastb using a non-root user account with sudo privileges.

[Screenshot: password brute force IPs]

  • To get the total number of failed attempts, pipe the output to the wc tool and pass the -l parameter to get the line count.

sudo lastb | wc -l

[Screenshot: 2048 failed attempts]

  • To save the data to a text file:

sudo lastb > file.txt

where file.txt is the name of the file. '>' directs the output of a command to a file.

[Screenshot: save info to file]
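The "multiple attempts from the same IP address" check described above, as an added example that is not part of the original post: these shell functions group lastb records by source address and skip the blank line and "btmp begins" trailer that wc -l also counts. The sample records are constructed, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in lastb's layout: user, tty, source, timestamps.
sample_lastb() {
cat <<'EOF'
root     ssh:notty    203.0.113.5      Wed Jun 12 10:01 - 10:01  (00:00)
admin    ssh:notty    203.0.113.5      Wed Jun 12 10:01 - 10:01  (00:00)
test     ssh:notty    198.51.100.7     Wed Jun 12 09:58 - 09:58  (00:00)
root     ssh:notty    203.0.113.5      Wed Jun 12 09:57 - 09:57  (00:00)
oracle   ssh:notty    192.0.2.44       Wed Jun 12 09:40 - 09:40  (00:00)
ubuntu   ssh:notty    203.0.113.5      Wed Jun 12 09:31 - 09:31  (00:00)
root     ssh:notty    198.51.100.7     Wed Jun 12 09:30 - 09:30  (00:00)

btmp begins Sat Jun  1 06:25:01 2019
EOF
}

# failed_total: count only real SSH records, not the two trailer lines.
failed_total() {
    awk '$2 ~ /^ssh:/ { n++ } END { print n + 0 }'
}

# failed_by_ip [MIN]: print "count address" for every source with at
# least MIN failed SSH logins, busiest first (MIN defaults to 1).
failed_by_ip() {
    min="${1:-1}"
    awk -v min="$min" '
        $2 ~ /^ssh:/ { count[$3]++ }   # field 3 is the source address
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Live use on the server: sudo lastb -i | failed_by_ip 5
sample_lastb | failed_by_ip 2
```

The -i option makes lastb print numeric IP addresses instead of host names, which keeps the grouping key stable.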

You can then use the whois tool to get the details of a particular IP address if you wish. Install it using sudo apt install whois. Consider using fail2ban to secure your server further.

Security should always be the first consideration whenever you deploy a product or service.