The attacks are often automated and hardly noticeable: they arrive in very short intervals and are frequently over before anyone has noticed the incident. A particularly often exploited gateway is the SSH service. The protocol itself is intended for secure administration, but exposed or poorly configured SSH servers are routinely probed by scanners and attackers on the internet. Without additional protective measures (e.g., key-based authentication, access restrictions, rate limiting), repeated automated login attempts can quickly lead to a compromise.
SSH (Secure Shell) is an indispensable tool for system administrators to ensure secure access to network services. However, if SSH services are improperly configured or exposed to the internet, they can quickly become a target for cybercriminals. A recent case impressively demonstrates how critical such vulnerabilities can be – and why companies should urgently take preventive measures.
Summary of the incident
The recent incident at a medium-sized company in the housing industry illustrates how quickly a routine tool can become a massive security risk – and why it is high time to consistently secure SSH connections.
We detected unusual SSH connection attempts from an external IP address (Microsoft IP) to several internal servers at a customer’s site. The connections were established via port 22 (standard SSH port), and failed login attempts for the administrator user were recorded. Among others, servers of a SharePoint infrastructure and other critical systems were affected.
Analysis of the threat
- Pattern of attacks: Multiple SSH connection attempts from the same source within a short period of time indicate automated scans or brute force attacks. The failed logins for highly privileged users (e.g., “Administrator”) show that the attacker specifically attempted to gain access.
- Exposure of sensitive systems: The affected servers were part of an infrastructure used for critical business processes. A successful compromise would have had far-reaching consequences, including data loss, reputational damage, and potential compliance violations.
- Technological vulnerabilities: The use of the standard SSH port (22) and the exposure of services over the internet without additional security measures (e.g., whitelisting, MFA) made the systems particularly vulnerable.
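The pattern described above (many failed logins from one source in a short period, aimed at privileged accounts) is exactly what a log-based detection should flag, and it is also the kind of check the later recommendation to analyze log files for repeated login attempts calls for. The following is an added example, not code from the original article or from the company involved: it parses OpenSSH auth-log lines, applies a sliding-window threshold per source IP, marks bursts that target privileged accounts, and reports whether a successful login followed the failures. The log lines, hostnames and addresses are constructed for the example; the threshold and window are assumptions to tune to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth-log lines (hypothetical hosts and addresses,
# not records from the incident described in the article).
SAMPLE_LOG = """\
Mar 14 02:11:03 sp-web01 sshd[4120]: Failed password for Administrator from 203.0.113.45 port 51922 ssh2
Mar 14 02:11:05 sp-web01 sshd[4121]: Failed password for Administrator from 203.0.113.45 port 51930 ssh2
Mar 14 02:11:06 sp-web01 sshd[4122]: Failed password for invalid user admin from 203.0.113.45 port 51941 ssh2
Mar 14 02:11:08 sp-web01 sshd[4123]: Failed password for root from 203.0.113.45 port 51950 ssh2
Mar 14 02:11:09 sp-web01 sshd[4124]: Failed password for Administrator from 203.0.113.45 port 51961 ssh2
Mar 14 02:11:11 sp-web01 sshd[4125]: Failed password for Administrator from 203.0.113.45 port 51972 ssh2
Mar 14 02:20:40 sp-web01 sshd[4200]: Accepted publickey for ops from 10.0.5.12 port 40112 ssh2: ED25519 SHA256:constructed
Mar 14 02:25:01 sp-web01 sshd[4210]: Failed password for ops from 10.0.5.12 port 40120 ssh2
Mar 14 02:25:30 sp-web01 sshd[4211]: Accepted password for ops from 10.0.5.12 port 40121 ssh2
"""

# Matches the "Failed ... for [invalid user] USER from IP port N" and "Accepted ..." forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Accounts whose failures deserve a higher severity, as in the article's "Administrator" case.
PRIVILEGED_ACCOUNTS = {"root", "administrator", "admin"}


def parse_sshd_line(line, year=2025):
    """Return a dict for an auth-relevant sshd line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logins inside any sliding window.
    Returns {ip: summary}; a successful login from a flagged IP after its first
    failure is reported separately, because that is the compromise case."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        (failures if e["result"] == "Failed" else successes)[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            # advance the window start until the span fits inside the window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        burst = evs[start:end + 1]
        users = sorted({e["user"] for e in burst})
        first_failure = evs[0]["ts"]
        alerts[ip] = {
            "failures": count,
            "window_seconds": int((burst[-1]["ts"] - burst[0]["ts"]).total_seconds()),
            "users": users,
            "privileged_target": any(u.lower() in PRIVILEGED_ACCOUNTS for u in users),
            "success_after_failures": any(s["ts"] > first_failure for s in successes[ip]),
        }
    return alerts


def analyze_log(text, **kwargs):
    """Parse raw auth-log text and run the brute-force detection over it."""
    events = [e for e in (parse_sshd_line(l) for l in text.splitlines()) if e]
    return detect_bruteforce(events, **kwargs)


if __name__ == "__main__":
    for ip, a in analyze_log(SAMPLE_LOG).items():
        sev = "CRITICAL" if a["success_after_failures"] else ("HIGH" if a["privileged_target"] else "MEDIUM")
        print(f"{sev}: {ip} {a['failures']} failures in {a['window_seconds']}s, users={a['users']}")
```

On the constructed sample the external address is flagged with six failures in eight seconds against Administrator, admin and root, while the internal operator who mistyped a password once stays below the threshold. The "success after failures" flag is the one to route to an incident process rather than a ticket queue: a burst of failures followed by an Accepted line from the same source is the signature of a guess that worked.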
Potential impact on the company
- Data exfiltration: An attacker could have accessed sensitive company data.
- Lateral movement: With access to one server, the attack could be extended to other systems.
- Service interruption: Compromise could lead to disruption of critical applications.
- Reputational risk: A security incident could jeopardize the trust of customers and partners.
Recommended actions for companies
Minimize and secure SSH services
- Port change: Use non-standard ports for SSH services to make automated scans more difficult.
- Whitelisting: Only allow authorized IPs to access the SSH port.
- Firewall rules: Block all incoming connections except those from trusted sources.
Implement multi-factor authentication (MFA)
- Use MFA for SSH logins to maintain protection even if passwords are compromised.
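The two groups of recommendations above (minimizing and securing the SSH service, and requiring MFA) translate mostly into a handful of sshd_config directives. The following is an added example, not the article's or the affected company's configuration: a small audit that parses an sshd_config fragment and reports the exposed settings, run against a constructed weak fragment beside a constructed hardened one. The OpenSSH defaults it assumes for absent directives (Port 22, PasswordAuthentication yes, PermitRootLogin prohibit-password, MaxAuthTries 6) are the current upstream defaults; the MFA check assumes keyboard-interactive is backed by a PAM OTP module configured outside this file. IP whitelisting and firewall rules live in the packet filter rather than in sshd_config and are not covered here.

```python
import re

# Two constructed sshd_config fragments. Neither is the configuration of the company
# in the article; they only illustrate the exposed setup versus the recommended one.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 10
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# key AND an interactive second factor; keyboard-interactive is assumed to be
# backed by a PAM OTP module configured elsewhere
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
AllowUsers ops
"""

# OpenSSH defaults that apply when a directive is absent.
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "maxauthtries": "6"}

OPTION_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_sshd_config(text):
    """Return {lowercased directive: value} for the global section.
    Directives are case-insensitive and may be written 'Key value' or 'Key=value'.
    Parsing stops at the first Match block, whose settings are conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        opts.setdefault(key, value)  # sshd honours the first occurrence of a directive
    return opts


def requires_mfa(methods_value):
    """AuthenticationMethods lists alternatives separated by spaces; each alternative is a
    comma-separated list that must ALL succeed. MFA holds only if every alternative
    needs at least two methods."""
    alternatives = methods_value.split()
    return bool(alternatives) and all(len(alt.split(",")) >= 2 for alt in alternatives)


def audit_sshd_config(text):
    """Return a list of (directive, observed, recommendation) findings."""
    opts = parse_sshd_config(text)
    get = lambda k: opts.get(k, DEFAULTS.get(k, ""))
    findings = []
    if get("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "set 'no'; key-only logins leave password guessing nothing to guess"))
    if get("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes", "set 'no' and use a named admin account"))
    if get("port") == "22":
        findings.append(("Port", "22",
                         "move off 22 to cut mass-scanner noise (not a security boundary on its own)"))
    if not requires_mfa(get("authenticationmethods")):
        findings.append(("AuthenticationMethods", get("authenticationmethods") or "(unset)",
                         "e.g. 'publickey,keyboard-interactive' so a stolen password alone is not enough"))
    if int(get("maxauthtries")) > 4:
        findings.append(("MaxAuthTries", get("maxauthtries"), "reduce to 3 or 4 to slow guessing"))
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append(("AllowUsers/AllowGroups", "(unset)",
                         "restrict logins to the admin accounts that need SSH"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for directive, observed, advice in audit_sshd_config(cfg):
            print(f"  {directive}={observed}: {advice}")
```

The order of the directives in the hardened fragment matters in one respect: AuthenticationMethods only has an effect when both listed methods are themselves enabled, which is why KbdInteractiveAuthentication stays on while PasswordAuthentication is off. The port change is deliberately reported as the weakest finding; it reduces the noise from mass scanners but does nothing against an attacker who has already found the service, so it must not replace key-based logins, MFA and access restrictions.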
Perform regular audits
- Regularly check which systems are accessible via the internet and eliminate unnecessary exposure.
- Analyze log files for suspicious activity (e.g., repeated login attempts).
Strengthen monitoring and SOC cooperation
- Use real-time monitoring of network traffic.
- Work closely with an experienced SOC to detect and resolve incidents early.
Establish contingency plans
- Define clear processes for responding to security incidents (e.g., shutting down systems, notifying stakeholders).
Conclusion
The detection of SSH attacks from the internet is a clear indication of the need for proactive IT security. Companies should not rely on reactive measures, but instead systematically secure their infrastructure against such attacks. Technical prevention, continuous monitoring, and collaboration with a SOC can effectively ward off critical threats—before they cause real damage.
Tip: Consult with an experienced SOC partner to optimize your security strategy and protect yourself against modern threats.
