How to block SSH brute force attacks on Linux. Blocking SSH brute force attacks is essential for the security of any Linux server.
By combining the measures presented here, from changing the port, using SSH keys and installing Fail2Ban to firewall restrictions and active monitoring, you can ensure that access to your server remains controlled and protected against external threats.
How to Block SSH Brute Force Attacks
Brute force attacks on the SSH service are among the most common threats faced by Linux servers exposed online.
These attacks involve repeated and automated authentication attempts using username and password combinations.
In this article, you will learn how to effectively protect your Linux server against these attempts through a series of methods and best practices.
1. Changing the Default SSH Port
The standard SSH port is 22. Changing it can significantly reduce the number of automated attacks.
sudo nano /etc/ssh/sshd_config
Modify the line:
Port 2222
Save the file and restart the service:
sudo systemctl restart ssh
2. Limiting Authentication Attempts with Fail2Ban
Fail2Ban monitors logs and temporarily blocks IPs that attempt repeated failed authentications.
Installation:
sudo apt install fail2ban -y
Simple Configuration:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
The SSH section should look like this:
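[sshd]
enabled = true
# If you changed the SSH port in step 1, set that port here (e.g. 2222) instead of ssh
port = ssh
filter = sshd
logpath = /var/log/auth.log
# Ban after 5 failed attempts; bantime is in seconds (3600 = 1 hour)
maxretry = 5
bantime = 3600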
Restart Service:
sudo systemctl restart fail2ban
3. Disabling Password Authentication
SSH key authentication is much more secure than passwords. After configuring the public key, disable password-based authentication:
sudo nano /etc/ssh/sshd_config
Modify or add the following lines:
PasswordAuthentication no
PermitRootLogin no
Restart SSH:
sudo systemctl restart ssh
4. Restricting SSH Access to Specific IPs
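For secure access, allow only trusted IPs. This method relies on TCP wrappers, so it only takes effect if your sshd is built with libwrap support: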
sudo nano /etc/hosts.allow
Add:
sshd: 192.168.1.100
sudo nano /etc/hosts.deny
Add:
sshd: ALL
5. Using Firewall for Additional Restrictions
Using UFW (Uncomplicated Firewall):
sudo ufw allow 2222/tcp
sudo ufw enable
To allow only specific IPs, use this rule instead of the open rule above:
sudo ufw allow from 192.168.1.100 to any port 2222 proto tcp
6. Monitoring Authentication Logs
To detect brute force login attempts:
sudo grep "Failed password" /var/log/auth.log
Real-time viewing:
sudo tail -f /var/log/auth.log
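The grep above lists every failure. The following added example (not part of the original article) groups failures by source address and reports the sources at or above a threshold, defaulting to the same value of 5 used for maxretry in the Fail2Ban section. The function names and the embedded log lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: count failed SSH password attempts per source address.

failed_ssh_sources() {
    # Reads auth.log lines on stdin and prints "<count> <ip>" for every source
    # with at least $1 failures (default 5), busiest first.
    awk -v min="${1:-5}" '
        /sshd[^ ]*\[[0-9]+\]: .*Failed password for / {
            n = 1
            # rsyslog may collapse duplicates: "message repeated 3 times: [ ... ]"
            if (match($0, /message repeated [0-9]+ times/)) {
                split(substr($0, RSTART, RLENGTH), r, " ")
                n = r[3]
                sub(/\]$/, "")   # drop the closing bracket so the fields line up
            }
            # The message ends "from <ip> port <n> ssh2". Reading the address
            # from the end stops a crafted username such as "x from 10.0.0.1"
            # from being counted as the source.
            if ($(NF-4) == "from" && $(NF-2) == "port") hits[$(NF-3)] += n
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

sample_auth_log() {   # constructed sample lines, not taken from a real host
    cat <<'EOF'
Mar 10 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 50112 ssh2
Mar 10 10:00:04 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Mar 10 10:00:09 web1 sshd[2101]: message repeated 3 times: [ Failed password for root from 203.0.113.5 port 50112 ssh2]
Mar 10 10:00:15 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 50140 ssh2
Mar 10 10:01:00 web1 sshd[2120]: Failed password for invalid user x from 10.0.0.1 from 198.51.100.7 port 40022 ssh2
Mar 10 10:01:30 web1 sshd[2125]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
Mar 10 10:02:00 web1 sshd[2130]: Failed password for root from 198.51.100.7 port 40030 ssh2
EOF
}

# On a real server: sudo cat /var/log/auth.log | failed_ssh_sources 5
sample_auth_log | failed_ssh_sources 5
```

Sources that keep appearing in this output after Fail2Ban is running are worth checking against the jail's logpath and port settings.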
7. Using Port Knocking (Advanced)
Port knocking is an advanced method to hide the SSH port and open it only after a specific series of “knocks” (connection requests) on certain ports.
It can be implemented using the knockd utility.
8. Limiting Connection Rate through iptables
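Blocking repeated connections. The first rule records each new connection's source address; the second drops the fourth and later new connections from the same address within 60 seconds. Replace 22 and eth0 with your SSH port and network interface:
sudo iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP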