Detection of SSH Brute Force Attacks Based on System Logs in Debian 12

Authors

  • Serliana Barutu Universitas Katolik Santo Thomas
  • Rasit Junaedi Silalahi Universitas Katolik Santo Thomas
  • Lotar Mateus Sinaga

DOI:

https://doi.org/10.55537/cosie.v5i3.1767

Keywords:

Brute Force, Debian 12, Forensik Log, Journalctl, SSH

Abstract

The Secure Shell (SSH) service on Linux servers is frequently targeted by brute-force attacks. This study aims to outline the characteristics of authentication logs generated when the Debian 12 operating system faces such attacks. An experimental method was applied within a local network using a Debian 12 server as the target and Kali Linux as the attacker, with Hydra utilized as the tool to execute the attack. The experiments were conducted across three scenarios based on the volume of attack attempts: 10, 100, and 500 login attempts, while the Fail2Ban service was deactivated. Data analysis was performed quantitatively and descriptively, using Success Rate and Failed Login Rate metrics derived from records in journalctl and auth.log. The test results indicate that a higher attack volume corresponds to a larger amount of generated logs. In a scenario involving a success rate of 0.2%, only 1 password was accepted. The study also identified limitations in OpenSSH sessions (reaching the maximum authentication attempt limit), though Hydra was able to initiate new sessions automatically. Therefore, the system records detailed abnormalities without data loss, making it highly suitable as a primary foundation for server security audits

Downloads

Download data is not yet available.

References

[1] A. A. Hamza and J. s urayh Al-Janabi, “Detecting Brute Force Attacks on SSH and FTP Protocol Using Machine Learning: A Survey,” J. Al-Qadisiyah Comput. Sci. Math., vol. 16, no. 1, pp. 21–31, Mar. 2024, doi: 10.29304/jqcsm.2024.16.11432.

[2] R. Mukherjee, “irpSSHa: Identifying and Reporting SSH Brute Force Attackers,” Nov. 29, 2024, Social Science Research Network, Rochester, NY: 5038715. doi: 10.2139/ssrn.5038715.

[3] “Brute-force attack mitigation on remote access services via software-defined perimeter | Scientific Reports.” Accessed: Jun. 21, 2026. [Online]. Available: https://www.nature.com/articles/s41598-025-01080-5

[4] F. Bäumer, M. Brinkmann, and J. Schwenk, “Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation,” May 07, 2024, arXiv: arXiv:2312.12422. doi: 10.48550/arXiv.2312.12422.

[5] F. Bäumer, M. Maehren, M. Brinkmann, and J. Schwenk, “Finding SSH Strict Key Exchange Violations by State Learning,” in Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, Nov. 2025, pp. 246–260. doi: 10.1145/3719027.3765208.

[6] A. A. Prasetyo, Herianto, Yahya, and N. Syamsiyah, “Detection of SSH Brute Force Attacks Using Naïve Bayes Classification on Cowrie Honeypot Logs in a Virtualized Environment,” J. Technol. Inf. Data Anal., vol. 2, no. 1, pp. 62–65, Jun. 2025, doi: 10.70491/tifda.v2i1.88.

[7] P. Balqis and R. Rahman, “Analisis Keamanan Layanan SSH terhadap Brute Force Attack,” Merkurius J. Ris. Sist. Inf. Dan Tek. Inform., vol. 3, no. 4, pp. 240–246, Jul. 2025, doi: 10.61132/merkurius.v3i4.949.

[8] O. P. Nanlohy and A. Faizin, “IMPLEMENTASI HONEYPOT UNTUK MENDETEKSI SERANGAN BRUTE FORCE PADA LAYANAN SSH,” JATI J. Mhs. Tek. Inform., vol. 9, no. 6, pp. 9454–9457, Nov. 2025, doi: 10.36040/jati.v9i6.15590.

[9] A. Nursetyo, B. Sugiarto, K. Kusnadi, S. M. Saleh, and B. A. Umam, “Pengujian Fail2Ban sebagai Mekanisme Pertahanan terhadap Serangan Brute Force,” J. Media Inform., vol. 7, no. 1, pp. 335–343, Feb. 2026, doi: 10.55338/jumin.v7i1.7891.

[10] A. Ardiansyah, A. A. M. Suradi, and W. Saputra, “Strategi Keamanan Router MikroTik: Deteksi dan Mitigasi Serangan Brute Force Berbasis Scripting,” JUKI J. Komput. Dan Inform., vol. 7, no. 1, pp. 12–19, May 2025, doi: 10.53842/juki.v7i1.970.

[11] M. R. M. Ridho, A. Hafizh, I. Dani, and T. Ariyadi, “Peningkatan Keamanan SSH Server Berbasis Linux melalui Implementasi Fail2Ban dan Uji Serangan Brute Force,” J. Penelit. Multidisiplin Bangsa, vol. 1, no. 12, pp. 2206–2214, May 2025, doi: 10.59837/jpnmb.v1i12.431.

[12] L. M. Sinaga and P. B. N. Simangunsong, “Analisis Keamanan SSH dengan Menggunakan Algoritma ECDSA pada Server Debian,” J. Multimed. Dan Teknol. Inf. Jatilima, vol. 7, no. 5, pp. 1039–1049, Feb. 2026, doi: 10.54209/jatilima.v7i5.2146.

[13] T. Jeremya, A. Lombu, L. Daeli, and S. Bulolo, “Implementasi dan Analisis Keamanan Layanan SSH Server Menggunakan Autentikasi RSA dalam Lingkungan Virtualisasi dan Putty,” JITKO J. Inov. Teknol. Dan Komput., vol. 3, no. 1, pp. 33–45, Sep. 2025, doi: 10.54209/jitko.v3i1.143.

[14] A. B. Simbolon, D. Kiswanto, D. Siregar, and A. S. L. Gaol, “RANCANG BANGUN SISTEM ANALISIS LOG JARINGAN BERBASIS WEB UNTUK DETEKSI REAL-TIME ANCAMAN CANGGIH DAN GERAKAN LATERAL,” J. Inform. Dan Tek. Elektro Terap., vol. 14, no. 1, Jan. 2026, doi: 10.23960/jitet.v14i1.8219.

[15] “Pattern-and Similarity-Based Realtime Risk Monitoring of SSH Brute Force Attacks with Bloom Filters,” ResearchGate. Accessed: Jun. 21, 2026. [Online]. Available: https://www.researchgate.net/publication/385807996_Pattern-and_Similarity-Based_Realtime_Risk_Monitoring_of_SSH_Brute_Force_Attacks_with_Bloom_Filters

[16] A. Satpute, S. Nikam, V. Gaikwad, Y. Kakade, and C. Mhaske, “AI-Driven Intrusion Detection System Using SSH Honeypots,” ICCK Trans. Cybersecurity, vol. 1, no. 1, pp. 3–12, Aug. 2025, doi: 10.62762/TC.2025.521799.

[17] J. Zhou, J. Yao, X. Chen, S. Yu, Q. Xuan, and X. Yang, “Lateral Movement Detection via Time-aware Subgraph Classification on Authentication Logs,” Nov. 15, 2024, arXiv: arXiv:2411.10279. doi: 10.48550/arXiv.2411.10279.

[18] “Implementasi port knocking dinamis berbasis waktu pada router untuk pengamanan akses SSH | IT-Explore: Jurnal Penerapan Teknologi Informasi dan Komunikasi.” Accessed: Jun. 21, 2026. [Online]. Available: https://ejournal.uksw.edu/itexplore/article/view/14448

[19] “Brute Force Attack | OWASP Foundation.” Accessed: Jun. 21, 2026. [Online]. Available: https://owasp.org/www-community/attacks/Brute_force_attack

Downloads

Published

13-07-2026

How to Cite

Barutu, S., Silalahi, R. J., & Sinaga, L. M. (2026). Detection of SSH Brute Force Attacks Based on System Logs in Debian 12. Journal of Computer Science and Informatics Engineering , 5(3), 325–337. https://doi.org/10.55537/cosie.v5i3.1767

Issue

Section

Articles