I'm running an SSH server on my personal computer. The log had many people (or bots?) repeatedly trying to log in to my server (that was before I changed the default port), which made me a little freaked out. I was worried about their dictionary attacks or brute-force password guessing.
But then, if you type a wrong password (or wrong username), the server waits for about 2 seconds before it asks for the password again. So an attacker can try one password every 2 seconds. So I concluded that these attacks aren't that great a threat (as long as your password does not consist of dictionary words). Am I correct?
Best Answer
The suggestions in the other answers on protecting yourself further when using SSH are very sensible.
But specifically to your question, brute-force attacks from a single user are unlikely to be effective except against common username/password combinations or dictionary words. A random alphanumeric 9-character password is going to take around 6 million years to guess.
However, it is also possible to attack with, say, a large co-ordinated botnet that allows you to minimise the impact of a 2-second delay from the server for each user. One million bots (obviously not exactly likely) would reduce your cracking time down to a far more scary 6.4 years.
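The arithmetic behind the answer, as an added worked example (this is not code from the question or the answer above). It assumes the figures the answer implies: a 36-character alphabet (lowercase letters and digits; with that alphabet 36^9 candidates at one guess per 2 seconds comes out at about 6.4 million years, matching the answer, whereas a 62-character alphabet would be far larger), a fixed 2-second delay per failed guess, and attackers that split the keyspace across independent sources so the per-source delay no longer bounds the total rate. The 10-million-entry dictionary size is a constructed figure for comparison, not a value from the thread.

```python
"""Estimate how long a brute-force or dictionary attack against a
password prompt takes when the server imposes a fixed delay per guess.

Added example for the SSH brute-force discussion; the 36-character
alphabet, 2 s delay and 10-million-word dictionary are assumptions made
here to reproduce and extend the answer's numbers.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # 31,557,600 s


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, delay_per_guess: float,
                       parallel_sources: int = 1) -> float:
    """Worst-case wall-clock seconds to try every candidate.

    Each source is serialised by the server to one guess per
    `delay_per_guess` seconds; sources work disjoint slices of the
    candidate list, so the aggregate rate scales linearly with them.
    The expected time to hit a uniformly random password is half this.
    """
    if delay_per_guess <= 0 or parallel_sources < 1:
        raise ValueError("delay must be positive and sources >= 1")
    guesses_per_second = parallel_sources / delay_per_guess
    return candidates / guesses_per_second


def years_to_exhaust(candidates: int, delay_per_guess: float,
                     parallel_sources: int = 1) -> float:
    return seconds_to_exhaust(candidates, delay_per_guess,
                              parallel_sources) / SECONDS_PER_YEAR


def format_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def scenarios(delay_per_guess: float = 2.0) -> list[dict]:
    """Compare the answer's random password against a dictionary list,
    for a single attacker and for a botnet of one million sources."""
    random_9 = keyspace_size(36, 9)        # lowercase + digits, 9 chars
    dictionary = 10_000_000                # constructed wordlist size
    out = []
    for label, candidates in (("random 9-char [a-z0-9]", random_9),
                              ("10M-word dictionary", dictionary)):
        for sources in (1, 1_000, 1_000_000):
            secs = seconds_to_exhaust(candidates, delay_per_guess, sources)
            out.append({"password": label, "sources": sources,
                        "worst_case": format_duration(secs)})
    return out


if __name__ == "__main__":
    for row in scenarios():
        print(f"{row['password']:<24} sources={row['sources']:>9,}  "
              f"worst case: {row['worst_case']}")
```

The table it prints makes the answer's two points concrete: the random password survives a single source for millions of years but a million sources cut that to a handful of years, while a dictionary-sized candidate list falls to a single source in months and to a modest botnet in minutes. The delay only caps the rate per connection; it is the keyspace that provides the margin.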