SSH Security – Log File for SSH Attempts on macOS

firewallmacosSecurityssh

I have an old Macbook running Yosemite which I've connected to the internet via my college network.
I foolishly enabled ssh access while my computer had a weak password, and now I want to check my computer's log file to see if anyone malicious has attempted to log into my computer (and potentially brute-force my password.)

Which log file should I look at?

*Side note – how long should I make my password be so that I can feel safe against brute-force attacks via ssh?

Best Answer

SSH login attempts are logged in /var/log/system.log. Grep for sshd in that file and you'll get the logins.

Here's an example of a failed login followed by a succesful login:

% grep sshd /var/log/system.log
Nov 10 22:30:22 Lanfear.local sshd[98443]: error: PAM: authentication error for teun from localhost via 127.0.0.1
Nov 10 22:30:36 Lanfear.local sshd[98443]: Accepted keyboard-interactive/pam for teun from 127.0.0.1 port 51239 ssh2
Nov 10 22:30:36 Lanfear.local sshd: teun [priv][98443]: USER_PROCESS: 98453 ttys004

If you're worried about brute force attempts on your password the best thing to do is disable password authentication and only use key based authentication. You can disable password based authentication by editing /etc/sshd_config change ChallengeResponseAuthentication yes to ChallengeResponseAuthentication no. Make sure your SSH keys are working before you do this or you won't be able to login remotely.

There's no fixed rule on when a password is weak or strong, but in general when using passwords I'd use a passphrase consisting of multiple words and some numbers and/or puntuation.

Related Solutions

SSH Security – Why Brute Force Password Guessing Won’t Work?

The suggestions in the other answers on protecting yourself further when using SSH are very sensible.

But specifically to your question, brute force attacks from a single user are unlikely to be effective except against common username/password combinations or dictionary words. A random alphanumeric 9 letter password strength is going to take around 6 million years to guess.

However, it is also possible to attack with say a large co-ordinated botnet that allows you to minimise the impact of a 2 second delay from the server for each user. One million bots (obviously not exactly likely) would reduce your cracking time down to a far more scary 6.4 years

Debian – How risky it is to have a personal server with ssh opened to the Internet

IMO SSH is one of the safest things to have listen on the open internet. If you're really concerned have it listen on a non-standard high end port. I'd still have a (device level) firewall between your box and the actual Internet and just use port forwarding for SSH but that's a precaution against other services. SSH itself is pretty damn solid.

I have had people hit my home SSH server occasionally (open to Time Warner Cable). Never had an actual impact.

Some additional things you can do to make SSH safer are prevent repeated attempts from the same IP address for a home machine something like

MaxStartups 2:30:10

in /etc/ssh/sshd_config which will restrict how many connections can be created in a row before logging in successfully.

Best Answer

Related Solutions

SSH Security – Why Brute Force Password Guessing Won’t Work?

Debian – How risky it is to have a personal server with ssh opened to the Internet

Related Question