Table of Contents
- What Is the Terrapin SSH Attack?
- How to Find Out If Your SSH Server Might Be Under Attack
- Step 1: Disable Root SSH Login
- Step 2: Use Strong SSH Passwords or Key-Based Authentication
- Step 3: Change the Default SSH Port
- Step 4: Enable SSH Rate Limiting with Fail2Ban
- Step 5: Enable Two-Factor Authentication (2FA) for SSH
- What to Do If You’ve Been Compromised
- Conclusion
SSH (Secure Shell) is an essential protocol for securely accessing remote servers. However, as SSH usage has grown, so has the number of attacks targeting SSH, with one of the most common being the Terrapin SSH attack. This type of attack typically involves brute-forcing SSH credentials to gain unauthorized access.
In this guide, we will explain the Terrapin SSH attack, how to detect it, and steps to mitigate it effectively.
What Is the Terrapin SSH Attack?
The Terrapin SSH attack is a brute-force attack that targets SSH servers by attempting to guess login credentials. Attackers use automated tools or botnets to try a large number of username-password combinations, hoping to find one that grants access. Once the attacker gains access, they can install malware, steal sensitive data, escalate privileges, or use the compromised server to launch additional attacks.
How to Find Out If Your SSH Server Might Be Under Attack
You can detect a possible SSH attack by observing the following:
- Frequent failed login attempts: SSH logs will show a high number of failed login attempts.
- Unusual IP addresses: Login attempts from unfamiliar or suspicious IPs.
- High server load: Brute-force attacks can cause a spike in server CPU usage.
- Suspicious entries in logs: You may notice repeated access attempts in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (CentOS/RHEL).
To check for failed login attempts, use:
grep "Failed password" /var/log/auth.log
Output:
Oct 1 10:12:34 server sshd[2345]: Failed password for invalid user admin from 203.0.113.56 port 54832 ssh2
Oct 1 10:12:37 server sshd[2345]: Failed password for invalid user guest from 203.0.113.56 port 54832 ssh2
Let's go through the steps to mitigate the Terrapin SSH attack:
Step 1: Disable Root SSH Login
Disabling root login ensures that attackers cannot brute-force the root account, which often has the highest privileges.
Edit the SSH configuration:
nano /etc/ssh/sshd_config
Find the line PermitRootLogin and change it to:
PermitRootLogin no
Restart the SSH service:
systemctl restart sshd
Disabling root access via SSH means an attacker must also guess a valid non-root username before any password guessing can succeed, which significantly raises the cost of a brute-force attempt.
Step 2: Use Strong SSH Passwords or Key-Based Authentication
Weak passwords are vulnerable to brute-force attacks. The best practice is to use SSH key-based authentication, which is much more secure.
Generate an SSH key pair:
ssh-keygen -t rsa -b 4096
Follow the on-screen prompts to generate the key.
Copy the public key to the server:
ssh-copy-id user@server_ip
This installs your public key on the server, allowing passwordless login while blocking password-based brute-force attempts.
Step 3: Change the Default SSH Port
Changing the default SSH port from 22 to another port reduces the chance of automated brute-force attacks targeting your server.
Edit the SSH configuration:
nano /etc/ssh/sshd_config
Find the Port line and change it to a non-default value, for example:
Port 2222
Restart the SSH service:
systemctl restart sshd
Be sure to update firewall rules to allow traffic on the new port.
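As an added example that is not part of the original tutorial, the Python checker below parses an sshd_config and reports which of the Step 1 to 3 settings are still in their weak state. It also checks PasswordAuthentication, because installing a key in Step 2 does not by itself turn password logins off; the sample configuration is constructed, and the checker audits only the global section (directives inside a Match block are skipped).

```python
from typing import Dict, List

# Constructed sample for this example, not a real server's configuration.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the FIRST value of a keyword, so this later line is ignored:
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map each keyword (lowercased) to its values, in order, from the global section."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # comments and blank lines
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":                       # conditional block: audit stops here (assumption)
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings

def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per Step 1-3 setting that is still in its weak state."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    # Step 1: sshd honours only the first PermitRootLogin value it sees.
    root = cfg.get("permitrootlogin", ["(unset)"])[0]
    if root.lower() != "no":
        findings.append(f"PermitRootLogin is {root}; set it to 'no' (Step 1)")
    # Step 2: installing a key does not switch passwords off; sshd's default is yes.
    password = cfg.get("passwordauthentication", ["yes"])[0]
    if password.lower() != "no":
        findings.append("PasswordAuthentication is not 'no'; disable it once keys work (Step 2)")
    # Step 3: Port may appear several times (sshd listens on all of them); default is 22.
    ports = cfg.get("port", ["22"])
    if "22" in ports:
        findings.append(f"sshd listens on port(s) {', '.join(ports)}; 22 is still open (Step 3)")
    return findings

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("WARN:", finding)
```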
Step 4: Enable SSH Rate Limiting with Fail2Ban
Fail2Ban monitors SSH login attempts and blocks IP addresses after a certain number of failed login attempts, effectively preventing brute-force attacks.
Install Fail2Ban:
apt-get install fail2ban
Configure Fail2Ban for SSH:
Edit the /etc/fail2ban/jail.local file and add the following:
[sshd]
enabled = true
port = 22
logpath = /var/log/auth.log
maxretry = 5
Restart Fail2Ban:
systemctl restart fail2ban
Now, after 5 failed login attempts within the detection window, Fail2Ban will block the attacking IP address for the configured ban period.
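As an added example that is not part of the original tutorial, the Python script below parses auth.log lines in the format shown in the detection section above and applies the same per-IP maxretry/findtime window a Fail2Ban sshd jail uses, so you can see which addresses the jail would ban before you enable it. The log excerpt is constructed, and findtime defaults to 600 seconds here as an assumption about the jail's window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "Failed password for invalid user X" and "Failed password for X".
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Constructed auth.log excerpt for this example (same format as the output above).
SAMPLE_AUTH_LOG = """\
Oct 1 10:12:34 server sshd[2345]: Failed password for invalid user admin from 203.0.113.56 port 54832 ssh2
Oct 1 10:12:37 server sshd[2345]: Failed password for invalid user guest from 203.0.113.56 port 54832 ssh2
Oct 1 10:12:40 server sshd[2346]: Failed password for root from 203.0.113.56 port 54840 ssh2
Oct 1 10:12:41 server sshd[2350]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
Oct 1 10:12:44 server sshd[2347]: Failed password for invalid user test from 203.0.113.56 port 54851 ssh2
Oct 1 10:12:49 server sshd[2348]: Failed password for invalid user oracle from 203.0.113.56 port 54860 ssh2
Oct 1 10:13:02 server sshd[2349]: Failed password for invalid user ubuntu from 203.0.113.56 port 54871 ssh2
Oct 1 09:01:10 server sshd[2201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct 1 12:30:55 server sshd[2402]: Failed password for alice from 198.51.100.7 port 40100 ssh2
"""

def parse_failed_logins(text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, username, source_ip) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; only differences between them are used
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)))
    return events

def find_offenders(events, maxretry: int = 5, findtime: int = 600) -> dict[str, datetime]:
    """Per-IP sliding window: {ip: time of the failure that reached maxretry within findtime}."""
    window = defaultdict(deque)
    banned: dict[str, datetime] = {}
    for ts, _user, ip in sorted(events):
        if ip in banned:                 # already banned; Fail2Ban would be dropping its packets
            continue
        recent = window[ip]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > findtime:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(parse_failed_logins(SAMPLE_AUTH_LOG)).items():
        print(f"{ip} would be banned at {when:%b %d %H:%M:%S}")
```

If you moved sshd to another port in Step 3, the jail's port line must name that port so the ban rule covers it.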
Step 5: Enable Two-Factor Authentication (2FA) for SSH
Adding two-factor authentication (2FA) provides an additional layer of security, requiring both a password and a one-time code generated on your mobile device.
Install the Google Authenticator PAM module:
apt-get install libpam-google-authenticator
Configure 2FA:
Run google-authenticator for each user and follow the prompts. Then, add the following line to /etc/pam.d/sshd:
auth required pam_google_authenticator.so
Restart SSH to apply the changes.
systemctl restart sshd
What to Do If You’ve Been Compromised
If you suspect that an SSH attack has compromised your server, take the following steps:
- Disconnect the server from the network to prevent further damage.
- Run a rootkit and malware scan using tools like rkhunter or chkrootkit.
- Check SSH logs for any unauthorized access or suspicious activity.
- Change all passwords and SSH keys to prevent the attacker from regaining access.
Conclusion
The Terrapin SSH attack is a serious threat, but it can be effectively mitigated through proactive security measures. By disabling root login, using strong authentication methods like SSH keys and 2FA, changing the default SSH port, and enabling tools like Fail2Ban, you can significantly reduce the risk of unauthorized access to your SSH server. Try implementing the above techniques on dedicated server hosting from Atlantic.Net to mitigate the Terrapin SSH attack.