Detection of SSH Brute Force Attacks Based on System Logs in Debian 12
DOI:
https://doi.org/10.55537/cosie.v5i3.1767Keywords:
Brute Force, Debian 12, Forensik Log, Journalctl, SSHAbstract
The Secure Shell (SSH) service on Linux servers is frequently targeted by brute-force attacks. This study aims to outline the characteristics of authentication logs generated when the Debian 12 operating system faces such attacks. An experimental method was applied within a local network using a Debian 12 server as the target and Kali Linux as the attacker, with Hydra utilized as the tool to execute the attack. The experiments were conducted across three scenarios based on the volume of attack attempts: 10, 100, and 500 login attempts, while the Fail2Ban service was deactivated. Data analysis was performed quantitatively and descriptively, using Success Rate and Failed Login Rate metrics derived from records in journalctl and auth.log. The test results indicate that a higher attack volume corresponds to a larger amount of generated logs. In a scenario involving a success rate of 0.2%, only 1 password was accepted. The study also identified limitations in OpenSSH sessions (reaching the maximum authentication attempt limit), though Hydra was able to initiate new sessions automatically. Therefore, the system records detailed abnormalities without data loss, making it highly suitable as a primary foundation for server security audits
Downloads
References
[1] A. A. Hamza and J. s urayh Al-Janabi, “Detecting Brute Force Attacks on SSH and FTP Protocol Using Machine Learning: A Survey,” J. Al-Qadisiyah Comput. Sci. Math., vol. 16, no. 1, pp. 21–31, Mar. 2024, doi: 10.29304/jqcsm.2024.16.11432.
[2] R. Mukherjee, “irpSSHa: Identifying and Reporting SSH Brute Force Attackers,” Nov. 29, 2024, Social Science Research Network, Rochester, NY: 5038715. doi: 10.2139/ssrn.5038715.
[3] “Brute-force attack mitigation on remote access services via software-defined perimeter | Scientific Reports.” Accessed: Jun. 21, 2026. [Online]. Available: https://www.nature.com/articles/s41598-025-01080-5
[4] F. Bäumer, M. Brinkmann, and J. Schwenk, “Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation,” May 07, 2024, arXiv: arXiv:2312.12422. doi: 10.48550/arXiv.2312.12422.
[5] F. Bäumer, M. Maehren, M. Brinkmann, and J. Schwenk, “Finding SSH Strict Key Exchange Violations by State Learning,” in Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, Nov. 2025, pp. 246–260. doi: 10.1145/3719027.3765208.
[6] A. A. Prasetyo, Herianto, Yahya, and N. Syamsiyah, “Detection of SSH Brute Force Attacks Using Naïve Bayes Classification on Cowrie Honeypot Logs in a Virtualized Environment,” J. Technol. Inf. Data Anal., vol. 2, no. 1, pp. 62–65, Jun. 2025, doi: 10.70491/tifda.v2i1.88.
[7] P. Balqis and R. Rahman, “Analisis Keamanan Layanan SSH terhadap Brute Force Attack,” Merkurius J. Ris. Sist. Inf. Dan Tek. Inform., vol. 3, no. 4, pp. 240–246, Jul. 2025, doi: 10.61132/merkurius.v3i4.949.
[8] O. P. Nanlohy and A. Faizin, “IMPLEMENTASI HONEYPOT UNTUK MENDETEKSI SERANGAN BRUTE FORCE PADA LAYANAN SSH,” JATI J. Mhs. Tek. Inform., vol. 9, no. 6, pp. 9454–9457, Nov. 2025, doi: 10.36040/jati.v9i6.15590.
[9] A. Nursetyo, B. Sugiarto, K. Kusnadi, S. M. Saleh, and B. A. Umam, “Pengujian Fail2Ban sebagai Mekanisme Pertahanan terhadap Serangan Brute Force,” J. Media Inform., vol. 7, no. 1, pp. 335–343, Feb. 2026, doi: 10.55338/jumin.v7i1.7891.
[10] A. Ardiansyah, A. A. M. Suradi, and W. Saputra, “Strategi Keamanan Router MikroTik: Deteksi dan Mitigasi Serangan Brute Force Berbasis Scripting,” JUKI J. Komput. Dan Inform., vol. 7, no. 1, pp. 12–19, May 2025, doi: 10.53842/juki.v7i1.970.
[11] M. R. M. Ridho, A. Hafizh, I. Dani, and T. Ariyadi, “Peningkatan Keamanan SSH Server Berbasis Linux melalui Implementasi Fail2Ban dan Uji Serangan Brute Force,” J. Penelit. Multidisiplin Bangsa, vol. 1, no. 12, pp. 2206–2214, May 2025, doi: 10.59837/jpnmb.v1i12.431.
[12] L. M. Sinaga and P. B. N. Simangunsong, “Analisis Keamanan SSH dengan Menggunakan Algoritma ECDSA pada Server Debian,” J. Multimed. Dan Teknol. Inf. Jatilima, vol. 7, no. 5, pp. 1039–1049, Feb. 2026, doi: 10.54209/jatilima.v7i5.2146.
[13] T. Jeremya, A. Lombu, L. Daeli, and S. Bulolo, “Implementasi dan Analisis Keamanan Layanan SSH Server Menggunakan Autentikasi RSA dalam Lingkungan Virtualisasi dan Putty,” JITKO J. Inov. Teknol. Dan Komput., vol. 3, no. 1, pp. 33–45, Sep. 2025, doi: 10.54209/jitko.v3i1.143.
[14] A. B. Simbolon, D. Kiswanto, D. Siregar, and A. S. L. Gaol, “RANCANG BANGUN SISTEM ANALISIS LOG JARINGAN BERBASIS WEB UNTUK DETEKSI REAL-TIME ANCAMAN CANGGIH DAN GERAKAN LATERAL,” J. Inform. Dan Tek. Elektro Terap., vol. 14, no. 1, Jan. 2026, doi: 10.23960/jitet.v14i1.8219.
[15] “Pattern-and Similarity-Based Realtime Risk Monitoring of SSH Brute Force Attacks with Bloom Filters,” ResearchGate. Accessed: Jun. 21, 2026. [Online]. Available: https://www.researchgate.net/publication/385807996_Pattern-and_Similarity-Based_Realtime_Risk_Monitoring_of_SSH_Brute_Force_Attacks_with_Bloom_Filters
[16] A. Satpute, S. Nikam, V. Gaikwad, Y. Kakade, and C. Mhaske, “AI-Driven Intrusion Detection System Using SSH Honeypots,” ICCK Trans. Cybersecurity, vol. 1, no. 1, pp. 3–12, Aug. 2025, doi: 10.62762/TC.2025.521799.
[17] J. Zhou, J. Yao, X. Chen, S. Yu, Q. Xuan, and X. Yang, “Lateral Movement Detection via Time-aware Subgraph Classification on Authentication Logs,” Nov. 15, 2024, arXiv: arXiv:2411.10279. doi: 10.48550/arXiv.2411.10279.
[18] “Implementasi port knocking dinamis berbasis waktu pada router untuk pengamanan akses SSH | IT-Explore: Jurnal Penerapan Teknologi Informasi dan Komunikasi.” Accessed: Jun. 21, 2026. [Online]. Available: https://ejournal.uksw.edu/itexplore/article/view/14448
[19] “Brute Force Attack | OWASP Foundation.” Accessed: Jun. 21, 2026. [Online]. Available: https://owasp.org/www-community/attacks/Brute_force_attack
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2026 Serliana Barutu, Rasit Junaedi Silalahi, Lotar Mateus Sinaga

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.



