
As far as I understand, bruteforcing ssh is only attempted for passwords, not keys (barring edge cases where presumably the NSA wants to break in).

So if a server has disabled (in addition to root login) password authentication on its ssh, is it still vulnerable to brute forcing attempts? And assuming that it isn't (please do explain if it still is), is there still a benefit to using something like fail2ban for ssh bruteforcing?

dakini

2 Answers


No, it is not vulnerable to bruteforcing, practically speaking. Depending on what you're doing on the server, an application firewall like fail2ban (or ModSecurity) could provide additional security for other internet-facing services running on the machine (but to answer your question, no, fail2ban would not provide any meaningful amount of additional security for key-based ssh).

Personally, I've never even logged any bruteforcing attempts for key-restricted ssh.

cheers
  • Thanks; your other point is something I've been looking into as well - to see if I can use it to block http/s login-password bruteforcers, since the context is indeed a webapp where users can login. ModSecurity looks interesting at first glance, maybe it'll be suitable for my use-case. – dakini Jul 11 '18 at 06:42

Your server is still listening on the external SSH port. It can still be vulnerable to any protocol exploits (if they exist) and to resource exhaustion attacks like SYN floods. I would always use fail2ban to reduce resource consumption of unwanted visitors.

Teun Vink
  • On the contrary, fail2ban is probably more vulnerable to log injection attacks and such than ssh is to remote exploitation, as far as denial-of-service is concerned. – cheers Jul 11 '18 at 06:29
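The following is an added example, not code from either answer and not fail2ban's own filter logic. It shows the two points the thread ends on: what a fail2ban-style counter actually does with sshd's pre-authentication log lines, and the log-parsing pitfall the last comment alludes to, where a loosely written filter pattern can be made to attribute a failure to an address that appears inside client-supplied text rather than to the real peer. The sample log lines, the regular expressions, and the retry threshold are all constructed for this illustration; the line formats follow OpenSSH's usual `Invalid user ... from <ip> port <n>` and `Connection closed by invalid user ... [preauth]` messages, but no line here is a real capture.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not a real capture). The third line carries a
# client-supplied username that itself looks like "bob from 203.0.113.99 port 50000",
# to show how a loosely written pattern can attribute a failure to the wrong address.
SAMPLE_LOG = """\
Jul 11 06:20:01 host sshd[1001]: Invalid user admin from 198.51.100.7 port 40122
Jul 11 06:20:03 host sshd[1002]: Invalid user test from 198.51.100.7 port 40130
Jul 11 06:20:05 host sshd[1003]: Invalid user bob from 203.0.113.99 port 50000 from 198.51.100.7 port 40140
Jul 11 06:20:07 host sshd[1004]: Connection closed by invalid user oracle 198.51.100.7 port 40150 [preauth]
Jul 11 06:21:00 host sshd[1005]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2: ED25519 SHA256:constructed
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Loosely written patterns (assumed for illustration, not fail2ban's own): the IP group
# is not tied to the end of the line, so the first "from <ip>" after the username wins.
NAIVE_PATTERNS = [
    re.compile(r"Invalid user \S+ from " + IPV4),
    re.compile(r"Connection closed by invalid user \S+ " + IPV4 + r" port \d+"),
]

# Anchored patterns: the greedy username match must run up to the "<ip> port N" that
# ends the line, so text the client controls earlier in the line cannot shift the capture.
ANCHORED_PATTERNS = [
    re.compile(r"Invalid user .* from " + IPV4 + r" port \d+$"),
    re.compile(r"Connection closed by invalid user .* " + IPV4 + r" port \d+ \[preauth\]$"),
]


def extract_ip(line, patterns):
    """Return the peer address a failure line is attributed to, or None if it is not a failure."""
    for pattern in patterns:
        match = pattern.search(line)
        if match:
            return match.group("ip")
    return None


def count_failures(log_text, patterns):
    """Count pre-auth failures per peer address, fail2ban-style, over the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        ip = extract_ip(line, patterns)
        if ip:
            counts[ip] += 1
    return counts


def banned(counts, maxretry):
    """Addresses that reached the retry threshold (the set a ban action would apply to)."""
    return {ip for ip, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for label, patterns in (("naive", NAIVE_PATTERNS), ("anchored", ANCHORED_PATTERNS)):
        counts = count_failures(SAMPLE_LOG, patterns)
        print(f"{label:9s} counts={dict(counts)} banned={banned(counts, 4)}")
```

With the naive patterns the third line is charged to 203.0.113.99, which never connected, and the real peer 198.51.100.7 stays one hit below a threshold of 4; with the end-anchored patterns all four failures land on 198.51.100.7. The design point for anyone writing or reviewing a filter is the same whether or not key-only SSH makes the ban useful: tie the captured address to a fixed trailing token of the line (here `port <n>` at end of line), and treat everything between the fixed prefix and that token as untrusted input.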