Check SSH Passwords: Hacked Server Risk

TL;DR

You’ve got a list of passwords and suspect they might be from hacked servers. This guide shows you how to quickly check if those passwords have been compromised using online tools, password breach databases, and your own server logs.

Checking SSH Passwords for Compromise

  1. Understand the Risk: If these passwords are weak or reused, they could be used to access other accounts. Even strong passwords can be compromised if a service you use is hacked.
  2. Online Password Checkers (Have I Been Pwned): The easiest first step is using websites like Have I Been Pwned. This site aggregates data from many known breaches.
    • Go to the Have I Been Pwned website.
    • Use the ‘Paste Passwords’ option (be aware of privacy implications – see notes at the end). This lets you check multiple passwords at once.
    • The site will tell you if any of your passwords appear in known breaches.
  3. Password Breach Databases: Several websites maintain lists of compromised credentials.
    • Dehashed: Dehashed is a paid service, but offers more comprehensive data and search options than free tools. It’s useful if Have I Been Pwned doesn’t find anything.
    • Breached Passwords: Breached Passwords is a free resource, but the database may not be as up-to-date.
  4. Check Your Server Logs (Important!): Even if passwords haven’t been *publicly* reported in breaches, your servers might show signs of compromise.
    • Log Location: SSH logs are usually found in /var/log/auth.log or /var/log/secure (location varies by Linux distribution).
    • Look for Failed Login Attempts: A large number of failed login attempts from the same IP address is a red flag.
      grep "Failed password" /var/log/auth.log | tail -n 20
    • Successful Logins After Failures: Check for a successful login that immediately follows a run of failed attempts from the same source – this could indicate a brute-force attack that succeeded.
      grep "Accepted password" /var/log/auth.log | tail -n 20
    • Unusual Login Times: Look for logins at times when no one should be accessing the server.
  5. Check `last` command output: The `last` command shows a history of user logins.
    last -n 20

    Look for unexpected usernames or IP addresses.

  6. Review `.ssh/authorized_keys` (If applicable): If you use SSH keys, check the ~/.ssh/authorized_keys file for any unauthorized public keys. Remove any unfamiliar entries immediately.
  7. Password Complexity Check: Use a tool to assess password strength.
    • pwscore (Linux): Install pwscore using your distribution’s package manager (e.g., apt install pwscore on Debian/Ubuntu). Then run it against the passwords.
      echo "yourpassword" | pwscore
  8. Consider Password Rotation: If you find compromised passwords, *immediately* rotate them. This means changing them to new, strong passwords.
  9. Enable Two-Factor Authentication (2FA): 2FA adds an extra layer of security, making it much harder for attackers to gain access even if they have a password.

Important Notes:

  • Privacy: Be cautious when pasting passwords into online checkers. While Have I Been Pwned claims not to store the passwords, it’s always best to minimise risk. Consider testing one password at a time if you’re concerned.
  • False Positives: Online checkers aren’t perfect and may sometimes give false positives. Always investigate further before taking action.
  • Server Security Basics: Ensure your servers are running the latest security updates, have firewalls enabled, and have unnecessary services disabled.