SSH brute force attacks
#11
(06-20-2022, 08:33 AM)wibble Wrote: I've updated the wiki entry - please report back if it's still confusing or you find anything wrong.

wow, thanks so much!!! now it's much clearer. I will try again later.
#12
(06-19-2022, 04:53 AM)user641 Wrote: Hello,

If I setup a SSH connection simply using the password, with a numerical password of 8 digits it will be very easily crackable right? If I let port 22 open on the pine phone, and I connect to another wifi than my lan, or to 4g, will my device be vulnerable to brute force attacks?

Your device will be vulnerable in theory, but the risk should be very low if you use a random eight-digit number. Eight digits, that's 100 million combinations, and sshd by default allows six auth tries before it enforces a login grace time of two minutes. So six tries every two minutes. That's 63 years to try all combinations... and that's if the intruder already knows your username.

I would be more worried about bugs/vulnerabilities in whatever service(s) I run on the phone.
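The arithmetic in the reply above, written out as a small added example (not code from the thread or from the Mobian project). It reproduces the poster's model of "MaxAuthTries guesses per LoginGraceTime window" using the OpenSSH defaults documented in sshd_config(5) (MaxAuthTries 6, LoginGraceTime 120 seconds), and adds one parameter the reply leaves out: an attacker who opens several connections in parallel divides the time accordingly, which is what the MaxStartups setting and a ban tool such as fail2ban are there to bound. The function names and the parallel_connections parameter are assumptions of this example.

```python
# Added example: estimate how long an online guessing attack against sshd
# password auth would take under the thread's simple model.
# Defaults are the ones documented in sshd_config(5).
DEFAULT_MAX_AUTH_TRIES = 6        # guesses allowed per connection
DEFAULT_LOGIN_GRACE_TIME = 120    # seconds before an unauthenticated connection is dropped
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a uniformly random password of this length."""
    return alphabet_size ** length


def brute_force_years(candidates: int,
                      max_auth_tries: int = DEFAULT_MAX_AUTH_TRIES,
                      login_grace_time: int = DEFAULT_LOGIN_GRACE_TIME,
                      parallel_connections: int = 1) -> float:
    """Years to try every candidate, assuming the attacker gets max_auth_tries
    guesses per login_grace_time seconds on each connection (the model used in
    the thread).  parallel_connections is an assumed parameter: each extra
    concurrent connection scales the rate linearly, which is why MaxStartups
    (server-side cap on unauthenticated connections) matters."""
    guesses_per_second = (max_auth_tries / login_grace_time) * parallel_connections
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def expected_years(candidates: int, **kwargs) -> float:
    """Average time to hit a random password: half the keyspace on average."""
    return brute_force_years(candidates, **kwargs) / 2


def compare_policies() -> dict:
    """Constructed comparison table: password shape -> years to exhaust,
    for one connection and for ten concurrent connections."""
    shapes = {
        "8 digits": keyspace(10, 8),
        "6 digits": keyspace(10, 6),
        "8 lowercase letters": keyspace(26, 8),
        "12 mixed alphanumerics": keyspace(62, 12),
    }
    return {
        name: {
            "candidates": n,
            "years_single_connection": brute_force_years(n),
            "years_10_connections": brute_force_years(n, parallel_connections=10),
        }
        for name, n in shapes.items()
    }


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:24s} {row['candidates']:>22,d} candidates  "
              f"{row['years_single_connection']:>14.1f} y (1 conn)  "
              f"{row['years_10_connections']:>14.1f} y (10 conns)")
```

Running it shows the thread's figure (about 63 years for eight digits over a single connection) shrinking to roughly six years with ten concurrent connections, and a six-digit PIN falling to well under a year; key-based authentication sidesteps the whole calculation.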
#13
(06-21-2022, 11:38 AM)bitnick Wrote:
(06-19-2022, 04:53 AM)user641 Wrote: Hello,

If I setup a SSH connection simply using the password, with a numerical password of 8 digits it will be very easily crackable right? If I let port 22 open on the pine phone, and I connect to another wifi than my lan, or to 4g, will my device be vulnerable to brute force attacks?

Your device will be vulnerable in theory, but the risk should be very low if you use a random eight-digit number. Eight digits, that's 100 million combinations, and sshd by default allows six auth tries before it enforces a login grace time of two minutes. So six tries every two minutes. That's 63 years to try all combinations... and that's if the intruder already knows your username.

I would be more worried about bugs/vulnerabilities in whatever service(s) I run on the phone.

Interesting math perspective!
#14
(as earlier reply mentioned) Mobian Wiki is a great resource.

Since you asked about pin numbers for ssh, a while back I happened to write on securing SSH on Pinephone + it starts with cracking default pin using Hydra - just mirrored to wordpress in case it helps.
(Part I also includes the "most popular pin numbers list" - be sure your pin is not on this list).

Part I Cracking default pin demo + sshd_config settings to mitigate: https://politictech.wordpress.com/2022/0...word-demo/
Part II: Add Key Auth + Learn to check SSH fingerprints: https://politictech.wordpress.com/2022/0...void-mitm/
- RTP

"In the beginner's mind there are many possibilities, in the expert's mind there are few." -Shunryu Suzuki

[ Pinephone Original | Pinetab v1 / v2 Enjoyer ]

Linux Device Privacy / Security Playlist