
What Is Credential Stuffing and How to Stop It


Credential stuffing is not brute-force. In a brute-force attack, the attacker picks one username and tries thousands of passwords. In credential stuffing, the attacker has a list of stolen username/password pairs from a data breach and tries them all against your server, hoping some users reused their passwords.

The distinction matters because the detection logic is different. A brute-force detector counts failed attempts per username. A credential stuffing detector counts distinct usernames per source IP. Same IP, many different usernames, each tried once or twice. That is credential stuffing.

How credential stuffing works

Attackers buy or download credential dumps from data breaches. These lists contain millions of email/password combinations. The attacker feeds the list into an automated tool that connects to your SSH server and tries each pair:

  • alice:P@ssw0rd123 - fail
  • bob:Summer2024! - fail
  • carlos:qwerty456 - fail
  • admin:Welcome1 - success

One success out of thousands is enough. The attacker now has a valid shell on your server. If that user has sudo access, the compromise is complete.

Why brute-force detectors miss it

A typical brute-force detector (including fail2ban) counts failed login attempts per IP. If the threshold is 5 failures, the attacker needs 5 failures from the same IP to get banned.

Credential stuffing is smarter. The attacker tries one or two passwords per username, then moves to the next. Each individual username sees only one failure. The brute-force detector never triggers because no single username exceeds the threshold. The attacker can try hundreds of credentials before getting noticed.

How Inner Warden detects credential stuffing

Inner Warden's credential_stuffing detector uses a different metric: the number of distinct usernames attempted from a single source IP. This catches the pattern that brute-force detectors miss.

Detection method: distinct usernames per source IP
Threshold: 5+ distinct usernames from the same IP
Window: 300 seconds (5 minutes)
Response: firewall block + AbuseIPDB report

Real example from production

The IP 203.0.113.204 attempted logins with 23 different usernames in 2 minutes. Each username was tried exactly once. A brute-force detector would not have triggered. Inner Warden caught it:

detect: 23 distinct usernames from 203.0.113.204 in 118 seconds
enrich: AbuseIPDB confidence: 100% | GeoIP: Choopa, US
decide: AI confidence 0.96 | credential stuffing confirmed
block: Firewall deny rule | TTL 24h | AbuseIPDB report: category credential stuffing
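To make the rule concrete, here is an added example (not Inner Warden's own code) that applies the distinct-usernames-per-IP rule with the 5-user / 300-second settings above to constructed sshd "Failed password" lines. It assumes an ISO 8601 timestamp prefix on each line; the hostname, timestamps and IPs are constructed sample data. It also shows the two cases the rule must get right: a single-user brute-force run that it correctly ignores, and a slow run that the sliding window forgets.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines with an ISO 8601 timestamp prefix (assumed log format)
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)
WINDOW = 300    # seconds: the page's 5-minute window
THRESHOLD = 5   # 5+ distinct usernames from one source IP

def parse_failed_login(line):
    """Return (timestamp, username, source_ip), or None if the line is not a failure."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def detect_credential_stuffing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: distinct_usernames_at_detection} for IPs that reach the threshold.
    Per IP, entries older than `window` seconds are dropped before counting (sliding window)."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue          # successful logins, other daemons, etc.
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= threshold and ip not in alerts:
            alerts[ip] = distinct
    return alerts

def _line(offset_s, user, ip, invalid=True):
    """Constructed sshd line `offset_s` seconds after 2024-05-01 10:00:00 (sample data)."""
    ts = (datetime(2024, 5, 1, 10, 0, 0) + timedelta(seconds=offset_s)).isoformat()
    who = ("invalid user " if invalid else "") + user
    return f"{ts} host sshd[4242]: Failed password for {who} from {ip} port 51000 ssh2"

# Constructed sample log: a stuffing run (6 users, one try each, in 100 s), a brute-force
# run (root only, 8 tries), and a slow run whose first four users age out before the fifth.
SAMPLE_LOG = (
    [_line(20 * i, u, "203.0.113.204") for i, u in enumerate(["alice", "bob", "carlos", "dave", "erin", "frank"])]
    + [_line(15 * i, "root", "198.51.100.7", invalid=False) for i in range(8)]
    + [_line(60 * i, f"u{i + 1}", "192.0.2.9") for i in range(4)] + [_line(600, "u5", "192.0.2.9")]
)
```

Only 203.0.113.204 is reported; the brute-force source stays below one distinct username and is left to the ssh_bruteforce detector.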

Set it up

Credential stuffing detection is enabled by default when Inner Warden reads auth logs. Install and enable blocking:

Install:
  curl -fsSL https://innerwarden.com/install | sudo bash

Enable blocking:
  innerwarden enable block-ip

Both the ssh_bruteforce and credential_stuffing detectors run simultaneously. They catch different patterns from the same log source, giving you coverage against both attack types.

What to do next

  • SSH brute-force detection - the complementary detector that catches password-spray attacks against single usernames.
  • SSH honeypot setup - capture what attackers do after a successful credential stuffing attempt.
  • Sudo abuse monitoring - if credential stuffing succeeds, the attacker's next move is privilege escalation. Detect that too.