Mitigating SSH brute-force threats on Linux systems
Locking the Gate
© Photo by Zoshua Colah on Unsplash
SSH brute-force attacks are still a major threat to Linux servers in 2025. Learn how to block them with key-only logins, Fail2ban, iptables, knockd, and more.
Brute-force attacks on Secure Shell (SSH) have existed for over a decade, yet they remain one of the most common and dangerous attack vectors on Linux systems today. In 2025, attackers are not guessing passwords manually; they are using automated botnets that scan and break into thousands of servers at a time with industrial speed.
One example is the recently discovered PumaBot, a botnet written in Go and designed specifically to infect Linux-based devices, including cloud virtual machines (VMs), personal servers, and even embedded systems. PumaBot uses SSH brute-force techniques to compromise devices and then links them together in a wider network, giving attackers access to computing power, storage, and Internet bandwidth for malicious purposes.
The botnet targets devices with open SSH ports and either weak or default credentials. Once a device is compromised, it can be used to launch further attacks, mine cryptocurrency, exfiltrate data, or deliver malware. With many people still using password-based logins for SSH, PumaBot and similar tools continue to succeed.
Prime Target
SSH is the standard protocol for remote Linux access. It allows users to log in securely, execute commands, transfer files, and perform administrative tasks. Unfortunately, that same power makes it a top target for cybercriminals.
Many default Linux server installations come with SSH enabled on port 22 and password authentication allowed. Most major cloud images now disable password logins and inject your public key at first boot, but plenty of VPS providers and bare-metal installers still hand you a root or admin password, and in many cloud environments SSH is the only open port and the only way into the system unless you proactively change the default configuration.
Automated bots constantly scan IP ranges for port 22. Once found, they launch brute-force attacks, cycling through large dictionaries of common usernames and passwords. These lists include combinations such as
- root/toor
- admin/admin123
- test/123456
- user/password
Even a short delay in hardening SSH can be costly. With many virtual private server (VPS) providers, brute-force login attempts start within minutes of a machine coming online. If you're using a weak password or a common username, your system can be compromised within hours or even minutes.
Some attackers don't even need to guess a password. They rely on users failing to change default credentials, such as pi/raspberry on a Raspberry Pi (Raspberry Pi OS stopped creating the pi account by default in 2022, but older images are still in service) or ubnt/ubnt on a Ubiquiti device. If a bot finds that open door, it walks right in.
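To see which of the settings discussed above are actually in effect on a host, and what a hardened configuration looks like beside the password-permitting one, here is an added shell example; it is not code from the article. It reads the output of sudo sshd -T (every keyword, lowercased), so it assumes OpenSSH 8.7 or newer (the KbdInteractiveAuthentication keyword) and a distribution whose sshd_config includes /etc/ssh/sshd_config.d/*.conf (Debian 12, Ubuntu 22.04 and later). The file name 50-hardening.conf, the MaxAuthTries and LoginGraceTime values, and the sample input are my choices, not sshd defaults:

```bash
#!/usr/bin/env bash
# Added example, not code from the article: audit the effective sshd settings
# that decide whether password guessing can succeed at all, and print the
# hardened drop-in that closes them. Input is what `sudo sshd -T` prints
# ("keyword value", lowercased). The file name 50-hardening.conf and the
# MaxAuthTries/LoginGraceTime values are my choices, not sshd defaults.

# Read sshd -T output on stdin; print "OK"/"WEAK" per checked keyword.
# Returns 1 if anything is weak or missing, 0 when all checks pass.
audit_sshd_config() {
    awk '
        BEGIN {
            # Regex of the acceptable value for each keyword.
            want["passwordauthentication"]       = "^no$"
            want["kbdinteractiveauthentication"] = "^no$"   # PAM-driven password prompts
            want["permitemptypasswords"]         = "^no$"
            want["pubkeyauthentication"]         = "^yes$"
            want["permitrootlogin"]              = "^(no|prohibit-password)$"
            weak = 0
        }
        {
            key = tolower($1); val = tolower($2)
            if (key in want) {
                seen[key] = 1
                if (val ~ want[key]) print "OK   " key " " val
                else { print "WEAK " key " " val " (want " want[key] ")"; weak = 1 }
            } else if (key == "maxauthtries") {
                seen[key] = 1
                if (val + 0 <= 3) print "OK   " key " " val
                else { print "WEAK " key " " val " (want <=3)"; weak = 1 }
            }
        }
        END {
            # sshd -T prints every keyword, so a missing one means the input
            # was not sshd -T output; flag it instead of silently passing.
            for (k in want) if (!(k in seen)) { print "MISSING " k; weak = 1 }
            if (!("maxauthtries" in seen)) { print "MISSING maxauthtries"; weak = 1 }
            exit weak
        }'
}

# Hardened drop-in. Debian 12 and Ubuntu 22.04+ include
# /etc/ssh/sshd_config.d/*.conf from the top of sshd_config, and sshd keeps
# the FIRST value it sees for a keyword, so this file wins over later defaults.
hardened_dropin() {
    cat <<'EOF'
# /etc/ssh/sshd_config.d/50-hardening.conf
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
EOF
}

# Constructed sample of a password-permitting configuration (sshd -T style).
WEAK_SAMPLE=$(cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no
permitrootlogin yes
maxauthtries 6
EOF
)

# Demo: the weak sample fails the audit, the drop-in passes it.
printf '%s\n' "$WEAK_SAMPLE" | audit_sshd_config || echo "-> weak settings found"
hardened_dropin | audit_sshd_config && echo "-> drop-in passes"
# Live use, in this order, so a typo cannot lock you out:
#   sudo sshd -T | audit_sshd_config                      # what is in effect now
#   sudo cp 50-hardening.conf /etc/ssh/sshd_config.d/ && sudo sshd -t   # syntax check
#   open a second session and confirm a key login works, then:
#   sudo systemctl reload ssh                             # "sshd" on Red Hat-based systems
```

Keep the existing session open while you reload: if the key login in the second session fails, you can still revert the drop-in from the first one.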
Types of SSH Brute-Force Attacks
Brute-force attacks generally fall into two categories:
- Dictionary Attacks: These use precompiled lists of common credentials and cycle through them rapidly. This is the most common form and is often used by bots scanning thousands of servers at once.
- Targeted Brute Force: In some cases, attackers research specific systems or users and attempt more customized password guessing based on public information, previous data breaches, or social engineering.
Regardless of the type, the end goal is the same: unauthorized access to your machine. And once inside, attackers rarely stop at just looking around; they escalate privileges, modify files, or install persistent malware.
How to Spot a Brute-Force Attempt
Most brute-force attacks leave behind clear traces in the system logs. On Debian-based systems (including Ubuntu) that run rsyslog, you can use the following command to monitor SSH logins in real time:
sudo tail -f /var/log/auth.log
If your system logs only to the systemd journal (Debian 12 no longer installs rsyslog by default, so /var/log/auth.log does not exist there), use
sudo journalctl -u ssh -f
instead; Red Hat-based distributions write the same messages to /var/log/secure.
Look for repeated failed login attempts, especially from the same IP address or from many different IPs in a short time. These logs often include messages like
Failed password for invalid user admin from 203.0.113.55 port 51234 ssh2
or
Connection closed by authenticating user admin 198.51.100.27 port 60234 [preauth]
The "invalid user" prefix means the account does not exist on the system; a guess against a real account such as root is logged as "Failed password for root from ...". Note also that OpenSSH 9.8 and later tag these lines as sshd-session rather than sshd, so adjust any filters accordingly.
Figure 1 shows an example of what such an attack might look like in your log.
While many attacks fail, it's only a matter of time before one succeeds, especially if your system uses weak authentication. The best strategy is to prevent these attacks from even starting.
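Watching tail -f works for one box; counting is better. The following shell script is an added example, not code from the article, that runs the detection described above over sshd log lines of the shape shown in this section and reports failed logins per source address, so a brute-force run stands out from a user's occasional typo. The sample log lines are constructed for this example and use RFC 5737 documentation addresses; the function names, the variable SAMPLE_LOG, and the ban threshold are my choices:

```bash
#!/usr/bin/env bash
# Added example, not code from the article: turn sshd log lines into a
# per-source-IP count of failed logins so that a brute-force run stands out.
# Works on /var/log/auth.log, /var/log/secure and default journalctl output,
# which all carry the "host sshd[pid]: message" shape. The sample lines and
# addresses (RFC 5737 documentation ranges) are constructed for this example.

# Read sshd log lines on stdin, print "<count> <ip>" sorted by count, highest
# first. Counts both "Failed password for ..." and the "[preauth]" disconnects
# that bots produce when they give up. OpenSSH 9.8+ logs as sshd-session.
failed_logins_by_ip() {
    grep -E 'sshd(-session)?\[[0-9]+\]: (Failed password for|Connection closed by (invalid|authenticating) user) ' \
    | sed -E 's/.* ([0-9]+(\.[0-9]+){3}) port [0-9]+.*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Print only the addresses with at least $1 failures (the ban threshold).
offenders() {
    failed_logins_by_ip | awk -v n="$1" '$1 >= n { print $2 }'
}

# Constructed sample: one bot hammering root/admin, a second one giving up
# before authenticating, and a real user with a single typo.
SAMPLE_LOG=$(cat <<'EOF'
Jun 12 03:14:01 web1 sshd[4121]: Failed password for root from 203.0.113.55 port 51234 ssh2
Jun 12 03:14:03 web1 sshd[4121]: Failed password for root from 203.0.113.55 port 51234 ssh2
Jun 12 03:14:05 web1 sshd[4130]: Failed password for invalid user admin from 203.0.113.55 port 51250 ssh2
Jun 12 03:14:09 web1 sshd[4138]: Connection closed by authenticating user admin 198.51.100.27 port 60234 [preauth]
Jun 12 03:14:11 web1 sshd-session[4142]: Connection closed by invalid user test 198.51.100.27 port 60240 [preauth]
Jun 12 03:15:00 web1 sshd[4150]: Accepted publickey for alice from 192.0.2.10 port 40222 ssh2: ED25519 SHA256:...
Jun 12 03:15:30 web1 sshd[4151]: Failed password for alice from 192.0.2.10 port 40230 ssh2
EOF
)

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
echo "--- at least 2 failures:"
printf '%s\n' "$SAMPLE_LOG" | offenders 2
# Live use:
#   sudo journalctl -u ssh --since "1 hour ago" | offenders 5
#   sudo cat /var/log/auth.log | failed_logins_by_ip | head
```

The successful publickey login is deliberately ignored, and alice's single failure stays below the threshold; the two bots are the only addresses offenders 2 reports, which is the same split a Fail2ban jail makes before it bans.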