Jump to content
pr00f

Writing a simple SSH brute-forcer in Go

Recommended Posts

Screen-Shot-2017-06-28-at-23.01.57.png

I'll just start this post with stating that I'm not doing this with malicious intents, nor am I going to use this for other purposes than learning, or advice using this on servers others than your own. That being said, let's get down to business.

Why a SSH brute-forcer?

Because too many people are still using password authentication with weak passwords. There are still many servers with sshd open with the default port exposed to internet, using accounts with weak passwords. Have a RaspberryPi? Put it on the Internet! Just take a look over Shodan's raspbian with port 22 query. It's crazy. We're kinda fighting fire with fire.

Why Go?

Because it's awesome, it's static typed, it's fast, has a big and very useful default library... did I mention it's awesome? And also because I'm on my journey learning Go, and this way I can learn how to use channels, ssh connections, and so on.

How can I protect against this?

For a start, edit /etc/ssh/sshd_config to disable password authentication and root login. A basic setup means:

  1. Changing the default port - many brute-forcers do not scan every port on the machine just to find an SSH server, they just check for port 22.
  2. Disable root login - if, by any chance, you need to be able to login as root remotely, use public key authentication.
  3. Disable password authentication - I can't stress this enough; just do it. Everyone can and should use public key authentication instead of password authentication. A passphrase is a big plus.

Something to start your journey with:

Port 2244  
PermitRootLogin no  
#PermitRootLogin without-password #if you need pubkey root login
PubkeyAuthentication yes  
PermitEmptyPasswords no  
PasswordAuthentication no  

This post assumes basic Go knowledge, and is not meant towards complete newbie gophers. I am a rookie myself, and currently trying to improve this.

For testing, I’ve included a Dockerfile along the project for building a simple testing environment, but more on this at the end.

 
  • Upvote 5
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...