This note documents detection patterns related to SSH Brute Force on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| /var/log/auth.log / /var/log/secure | Failed password | Failed SSH password authentication | Critical | Primary brute force indicator. |
| /var/log/auth.log / /var/log/secure | Invalid user | Username probing against nonexistent accounts | Critical | Strong reconnaissance precursor. |
| /var/log/auth.log / /var/log/secure | authentication failure | PAM authentication failure | High | Often seen across SSH and sudo failures. |
| /var/log/auth.log / /var/log/secure | maximum authentication attempts exceeded | Session terminated after repeated failures | Critical | High-confidence brute pressure. |
| /var/log/auth.log / /var/log/secure | Disconnected from authenticating user | Short-lived failed SSH sessions | High | Common after password spray loops. |
| /var/log/auth.log / /var/log/secure | error: PAM: | Authentication subsystem rejection | Medium | Can accompany brute force or malformed attempts. |
| /var/log/auth.log / /var/log/secure | Connection closed by authenticating user | Aborted auth flow | Medium | Often follows rapid automated attempts. |
| /var/log/auth.log / /var/log/secure | Received disconnect | Client-side disconnect after failed auth | Medium | Often tooling driven. |
| journalctl | sshd failures | Journald SSH failure stream | Critical | Primary source when flat logs are absent. |
| btmp | Failed login records | Historical failed login database | Critical | Survives even if auth.log is rotated. |
| lastb | Failed login output | Aggregated failed logins | Critical | Quick brute force triage. |
| Syslog rotation archives | repeated failures | Historic brute force evidence | High | Essential if current logs incomplete. |
| Network telemetry | repeated TCP/22 attempts | External brute force source behavior | Critical | Useful when host logs partial. |
| EDR telemetry | repeated sshd auth failures | Process-level repeated failures | High | Correlates source IP and volume. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Many usernames tested from one IP | Multiple target usernames in short interval | Critical | Strong brute force signature. |
| Same username attacked from many IPs | Distributed password spray | High | Often botnet-based. |
| Failed attempts followed by success | Immediate successful login after failures | Critical | Very high compromise likelihood. |
| Off-hours SSH failures | Night-time or unusual timing | Medium | Useful contextual signal. |
| Country mismatch | Source IP from unusual geography | High | Operationally important in internet-facing servers. |
| Repeated root attempts | root targeted heavily | High | Common automated scanning behavior. |
| Sequential username enumeration | admin, test, oracle, ubuntu, etc. | High | Dictionary-driven attack pattern. |
| Failure spike across many hosts | Same source against multiple servers | Critical | Coordinated campaign indicator. |
| Short bursts every few seconds | Scripted cadence | High | Typical automated brute timing. |
| Source IP later used in success | Same IP transitions into foothold | Critical | Immediate escalation path. |
Common Tools
| Tool | Usage |
|---|---|
| hydra | Parallel SSH brute forcing utility. |
| ncrack | Network authentication brute forcing. |
| medusa | Multi-protocol brute force framework. |
| patator | Flexible password attack tool. |
| sshpass | Used in crude scripted brute attempts. |
| Botnet SSH scanners | Common internet background noise and mass attacks. |
| Custom Python loops | Low sophistication scripted brute force attempts. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| SSH auth logs | /var/log/auth.log, /var/log/secure | Critical | Primary brute force source. |
| Journald SSH logs | journalctl -u ssh, journalctl -u sshd | Critical | High-value source on systemd hosts. |
| Failed login database | /var/log/btmp | Critical | Often survives partial cleanup. |
| Failed login viewer | lastb | Critical | Fast failed-login summary. |
| Login success logs | /var/log/wtmp, last | High | Needed to correlate success after brute force. |
| SSH daemon config | /etc/ssh/sshd_config | High | Validate protections and exposed auth methods. |
| Firewall logs | nftables / iptables / cloud firewall | High | Source IP repetition and block history. |
| Fail2ban logs | /var/log/fail2ban.log | High | Confirms automated mitigation triggered. |
| Rotated auth logs | /var/log/auth.log.*, /var/log/secure-* | High | Historical brute force visibility. |
| Network captures | pcaps / netflow | High | Source distribution and cadence. |
MITRE ATT&CK References
- T1110 Brute Force
- T1110.001 Password Guessing
- T1110.003 Password Spraying
- T1021.004 SSH
Decision Tree
- Are repeated SSH failures present?
  - Count Failed password, Invalid user, and PAM failures.
- Is activity concentrated or distributed?
  - Determine whether one IP, subnet, ASN, or many rotating IPs are involved.
- Are usernames random or targeted?
  - Review account selection pattern.
- Did failures transition into success?
  - Pivot immediately into successful SSH events.
- Was a privileged account targeted?
  - Check root, service accounts, admin-like usernames.
- Pivot
  - Source IP → reputation / recurrence / geo.
  - Username → account validity / privilege.
  - Success event → shell history / sudo / persistence.
- Confirm compromise potential
  - Failed sequence + success + shell activity = likely breach.
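The first five decision-tree steps worked over constructed auth.log lines, as an added example that is not part of the original note: one pass over the log counts failures per source IP, collects the usernames each IP tried, tallies admin-like targets, and flags any IP whose success followed its own failures (the breach-transition signal). The log lines, hostnames and addresses are constructed; the PRIVILEGED set is an assumed list of admin-like names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines for illustration (not real data).
SAMPLE_LOG = """\
Mar  3 02:11:01 web1 sshd[4101]: Invalid user admin from 203.0.113.9 port 50122
Mar  3 02:11:02 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Mar  3 02:11:04 web1 sshd[4103]: Failed password for root from 203.0.113.9 port 50130 ssh2
Mar  3 02:11:06 web1 sshd[4105]: Failed password for invalid user oracle from 203.0.113.9 port 50138 ssh2
Mar  3 02:11:09 web1 sshd[4107]: Failed password for deploy from 203.0.113.9 port 50144 ssh2
Mar  3 02:11:11 web1 sshd[4109]: Accepted password for deploy from 203.0.113.9 port 50150 ssh2
Mar  3 02:15:30 web1 sshd[4120]: Failed password for root from 198.51.100.7 port 41000 ssh2
Mar  3 09:00:00 web1 sshd[4200]: Accepted publickey for alice from 192.0.2.10 port 33000 ssh2
"""

# sshd formats: "Failed password for [invalid user ]<user> from <ip> port ..."
#               "Accepted <method> for <user> from <ip> port ..."
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
PRIVILEGED = {"root", "admin", "administrator"}  # assumed admin-like names

def analyze(log_text):
    """Single pass: failures per IP, usernames per IP, privileged targets, and any
    success from an IP that had already failed earlier in the log."""
    failures_by_ip = Counter()
    users_by_ip = defaultdict(set)
    privileged_targets = Counter()
    success_after_failure = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            if user in PRIVILEGED:
                privileged_targets[user] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures_by_ip[m.group(2)] > 0:   # missing key reads as 0
            success_after_failure.append((m.group(2), m.group(1)))
    return {
        "failures_by_ip": failures_by_ip,
        "usernames_by_ip": {ip: sorted(u) for ip, u in users_by_ip.items()},
        "distinct_source_ips": len(failures_by_ip),  # 1 = concentrated, many = distributed
        "privileged_targets": privileged_targets,
        "success_after_failure": success_after_failure,
    }

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["failures_by_ip"].most_common():
        print(f"{ip}: {n} failures, users={report['usernames_by_ip'][ip]}")
    print("privileged targets:", dict(report["privileged_targets"]))
    print("success after failure:", report["success_after_failure"])
```

Any entry in success_after_failure is the "failures then single success" scenario from the analyst notes and should be pivoted into shell history, sudo and persistence checks before anything else.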
Example Detection Templates
Grep
grep "Failed password" /var/log/auth.log /var/log/secure 2>/dev/null
grep "Invalid user" /var/log/auth.log /var/log/secure 2>/dev/null
grep -E "Failed password|Invalid user|authentication failure" /var/log/auth.log /var/log/secure 2>/dev/null
awk '/Failed password/ {print $(NF-3)}' /var/log/auth.log | sort | uniq -c | sort -nr
Journalctl
journalctl -u ssh | grep "Failed password"
journalctl -u sshd | grep "Invalid user"
Failed Login Databases
lastb
lastb | head -50
Sigma
title: Linux SSH Brute Force Attempts
id: linux-ssh-bruteforce-attempts
status: experimental
description: Detects repeated SSH authentication failures that may indicate brute force or password spraying
logsource:
    product: linux
    service: auth
detection:
    selection:
        message|contains:
            - 'Failed password'
            - 'Invalid user'
            - 'authentication failure'
    condition: selection
fields:
    - message
    - hostname
    - source_ip
falsepositives:
    - Misconfigured automation
    - Forgotten credentials
level: high
tags:
    - attack.credential_access
    - attack.t1110
    - attack.t1021.004
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| SSH authentication | Disable password auth where possible | Critical | Strongest brute force reduction. |
| Root access | Disable direct root SSH login | Critical | Removes highest-value target. |
| Fail2ban | Auto-block repeated failures | High | Immediate brute pressure reduction. |
| Network controls | Restrict SSH source ranges | Critical | Major exposure reduction. |
| MFA | Add second factor where possible | High | Stops password-only compromise. |
| Rate limiting | Lower allowed attempts | High | Reduces brute throughput. |
| Logging retention | Preserve auth and btmp history | High | Essential for investigation. |
| External exposure | Move SSH off direct internet where possible | High | Reduces background attack volume. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Are failures ongoing? | tail -f /var/log/auth.log | Detect live brute force. |
| Which IP attacks most? | count failed entries by IP | Identify primary source. |
| Which usernames targeted? | extract usernames from failures | Shows attacker intent. |
| Was there success after failures? | grep "Accepted password" | Detect breach transition. |
| Is fail2ban active? | inspect fail2ban logs | Determine mitigation status. |
| Are root attempts present? | grep root | High-risk target focus. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| Failed password | Primary brute force signal. |
| Invalid user | Username discovery and enumeration. |
| authentication failure | PAM failure evidence. |
| maximum authentication attempts exceeded | High-pressure auth attempts. |
| Disconnected from authenticating user | Scripted short failure cycles. |
| Received disconnect | Common tooling disconnect signature. |
| Accepted password | Must be checked immediately after a brute force burst. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Thousands of failures, no success | Likely internet background noise unless targeted user set stands out. |
| Failures then single success | High-confidence compromise lead. |
| Same source across multiple hosts | Coordinated brute infrastructure. |
| Many usernames but one valid user later succeeds | Password spray likely. |
| Root repeatedly targeted | Generic scanner or privilege-seeking operator. |
| Failures disappear after success | Possible attacker stopped after foothold. |