SSH (Secure Shell) is an essential protocol for securely accessing remote servers. However, as SSH usage has grown, so has the number of attacks targeting SSH, with one of the most common being the Terrapin SSH attack. This type of attack typically involves brute-forcing SSH credentials to gain unauthorized access.

In this guide, we will explain the Terrapin SSH attack, how to detect it, and steps to mitigate it effectively.

What Is the Terrapin SSH Attack?

The Terrapin SSH attack is a brute-force attack that targets SSH servers by attempting to guess login credentials. Attackers use automated tools or botnets to try a large number of username-password combinations, hoping to find one that grants access. Once the attacker gains access, they can install malware, steal sensitive data, escalate privileges, or use the compromised server to launch additional attacks.

How to Find Out If Your SSH Server Might Be Under Attack

You can detect a possible SSH attack by observing the following:

  • Frequent failed login attempts: SSH logs will show a high number of failed login attempts.
  • Unusual IP addresses: Login attempts from unfamiliar or suspicious IPs.
  • High server load: Brute-force attacks can cause a spike in server CPU usage.
  • Suspicious entries in logs: You may notice repeated access attempts in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (CentOS/RHEL).

To check for failed login attempts, use:

grep "Failed password" /var/log/auth.log

Output:

Oct  1 10:12:34 server sshd[2345]: Failed password for invalid user admin from 203.0.113.56 port 54832 ssh2
Oct  1 10:12:37 server sshd[2345]: Failed password for invalid user guest from 203.0.113.56 port 54832 ssh2

Let’s dive deep to mitigate the Terrapin SSH Attack:

Step 1: Disable Root SSH Login

Disabling root login ensures that attackers cannot brute-force the root account, which often has the highest privileges.

Edit the SSH configuration:

nano /etc/ssh/sshd_config

Find the line PermitRootLogin and change it to:

PermitRootLogin no

Restart the SSH service:

systemctl restart sshd

Disabling root access via SSH forces attackers to guess non-root usernames, significantly increasing security.

Step 2: Use Strong SSH Passwords or Key-Based Authentication

Weak passwords are vulnerable to brute-force attacks. The best practice is to use SSH key-based authentication, which is much more secure.

Generate an SSH key pair:

ssh-keygen -t rsa -b 4096

Follow the onscreen prompts to generate the key.

Copy the public key to the server:

ssh-copy-id user@server_ip

This installs your public key on the server, allowing passwordless login while blocking password-based brute-force attempts.

Step 3: Change the Default SSH Port

Changing the default SSH port from 22 to another port reduces the chance of automated brute-force attacks targeting your server.

Edit the SSH configuration:

nano /etc/ssh/sshd_config

Change the default port:

Port 2222

Restart the SSH service:

systemctl restart sshd

Be sure to update firewall rules to allow traffic on the new port.

Step 4: Enable SSH Rate Limiting with Fail2Ban

Fail2Ban monitors SSH login attempts and blocks IP addresses after a certain number of failed login attempts, effectively preventing brute-force attacks.

Install Fail2Ban:

apt-get install fail2ban

Configure Fail2Ban for SSH:

Edit the /etc/fail2ban/jail.local file and add the following:

[sshd]
enabled = true
port = 22
logpath = /var/log/auth.log
maxretry = 5

Restart Fail2Ban:

systemctl restart fail2ban

Now, after 5 failed login attempts, Fail2Ban will block the attacking IP address for a set period.

Step 5: Enable Two-Factor Authentication (2FA) for SSH

Adding two-factor authentication (2FA) provides an additional layer of security, requiring both a password and a one-time code generated on your mobile device.

Install the Google Authenticator PAM module:

apt-get install libpam-google-authenticator

Configure 2FA:

Run google-authenticator for each user and follow the prompts. Then, add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so

Restart SSH to apply the changes.

systemctl restart sshd

What to Do If You’ve Been Compromised

If you suspect that an SSH attack has compromised your server, take the following steps:

  • Disconnect the server from the network to prevent further damage.
  • Run a rootkit and malware scan using tools like rkhunter or chkrootkit.
  • Check SSH logs for any unauthorized access or suspicious activity.
  • Change all passwords and SSH keys to prevent the attacker from regaining access.

Conclusion

The Terrapin SSH attack is a serious threat, but it can be effectively mitigated through proactive security measures. By disabling root login, using strong authentication methods like SSH keys and 2FA, changing the default SSH port, and enabling tools like Fail2Ban, you can significantly reduce the risk of unauthorized access to your SSH server. Try implementing the above technique on dedicated server hosting from Atlantic.Net to mitigate the terrapin SSH attack.