Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack  (Read 1312 times)

0 Members and 1 Guest are viewing this topic.


  • Guest
Bruteforce is one of the major attack affected by the servers. This attack work by testing every possible combination that could be used as the password by the user and then testing it to see if it is the correct password.

The attack "ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack" is a type of brute force happened through the SSH connection Based on LibSSH. SSH provides strong authentication and secures encrypted data communications between two computers connecting over an insecure network such as the Internet. But the attacker will try to identify the username and password of the server. For that, he will always use worst passwords or create passwords with the combination of their information such as his/her name, date of birth, parents name, children, pets and other information related to the victim.

LibSSH is a C library that enables users to write a program that uses the SSH protocol. With it, users can remotely execute programs, transfer files, or use a secure and transparent tunnel for their remote programs. The SSH protocol is encrypted, ensures data integrity, and provides strong means of authenticating both the server of the client.

There are several ways to escape from brute force attacks. they are :

Use strong passwords. Brute force attempts will try common passwords like words (or combinations of words) in a dictionary, names, and common passwords. Strong passwords generally use a combination of upper and lower-case characters, numbers, and non-alphanumeric characters

keep closing SSH daemon if not use.

Change the default ssh port from 22 to another. The attacker knew that the default ssh port is 22, and he will always try to make a connection with your server with that. So, try to use other ports for the SSH.

There are some intrusion prevention tools are available to prevent these attacks. Some of them are Fail2Ban, DenyHosts and log2iptables.

fail2ban is a well-known open-source intrusion prevention framework on Linux that monitors various system log files (e.g., /var/log/auth.log or /var/log/secure) and automatically triggers various defensive actions upon detecting any suspicious activities. In fact, fail2ban can be quite useful to defend against brute force password guessing attacks on an SSH server.

DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.

log2iptables is a Bash script that parses a log file and executes iptables command. Useful for automatically block an IP address against brute-force or port scan activities.

Another easiest way to prevent these attacks is to block all access to SSH except to designated IPs. This can be easily managed via a firewall or using /etc/hosts.deny.

Our Server Security Monitoring automatically blocks these kinds of threats.