How to Block All Root SSH Login Attempts with Fail2Ban/DenyHosts: IP Banning for Unauthorized Access



While disabling root SSH login via PermitRootLogin no in /etc/ssh/sshd_config is standard practice, malicious bots continuously probe servers with root login attempts. Blocking these IPs at the firewall level provides additional security through defense in depth.

For Fail2Ban, create a custom filter to catch root login attempts even when they're rejected:

# /etc/fail2ban/filter.d/sshd-root.conf
[INCLUDES]
before = common.conf
[Definition]
# sshd logs a refused root login as "ROOT LOGIN REFUSED" / "Failed password for root", never as "Invalid user root"
failregex = ^%(__prefix_line)sROOT LOGIN REFUSED FROM <HOST>
            ^%(__prefix_line)sFailed password for root from <HOST>
ignoreregex =

Then configure the jail:

# /etc/fail2ban/jail.d/sshd-root.conf
[sshd-root]
enabled  = true
filter   = sshd-root
port     = ssh
logpath  = %(sshd_log)s
# maxretry = 1 bans on the first hit, so list your management addresses in
# ignoreip (jail.local or this section) before enabling the jail
maxretry = 1
# time suffixes need fail2ban 0.10 or later; older releases take seconds (172800)
bantime  = 48h

DenyHosts can be configured to watch for root login attempts in /etc/denyhosts.conf:

SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1w
BLOCK_SERVICE = sshd
DENY_THRESHOLD_ROOT = 1
ADMIN_EMAIL = you@example.com

After implementation, test the blocking by:

  1. Restarting services: systemctl restart fail2ban denyhosts
  2. Checking status: fail2ban-client status sshd-root
  3. Monitoring logs: tail -f /var/log/fail2ban.log

For cloud environments, consider these additional measures:

  • Integration with cloud provider security groups
  • Using TCP wrappers with /etc/hosts.deny
  • Combining with port knocking for sensitive servers

Even with PermitRootLogin no in your sshd_config, attackers keep hammering your server with root login attempts. While these attempts fail, they still consume resources and clutter logs. Here's how to automatically blacklist these offenders.

DenyHosts can be configured to watch for root login attempts in auth.log:

# /etc/denyhosts.conf
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
DENY_THRESHOLD_INVALID = 1

Key configuration points:

  • DENY_THRESHOLD_ROOT = 1 blocks after a single root attempt
  • Consider adding ADMIN_EMAIL for notifications
  • Restart the service: sudo systemctl restart denyhosts

For Fail2Ban, create a custom jail:

# /etc/fail2ban/jail.d/ssh-root.conf
[ssh-root]
enabled  = true
# use the custom filter created below, not the stock sshd filter
filter   = ssh-root
port     = ssh
logpath  = %(sshd_log)s
maxretry = 1
findtime = 3600
bantime  = 86400

Then create a custom filter:

# /etc/fail2ban/filter.d/ssh-root.conf
[INCLUDES]
# provides %(__prefix_line)s; without it the filter fails to load
before = common.conf

[Definition]
# only root is matched: a bare ".*" would ban any account's first PAM failure
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for root from <HOST>\s*$
            ^%(__prefix_line)sFailed password for root from <HOST>.*$
ignoreregex =
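Before enabling either jail it is worth seeing what the failregex lines actually catch. The Python below is an added example, not code from this post or from fail2ban: it reproduces what fail2ban-regex does for the sshd-root and ssh-root filters above and then replays the ssh-root jail parameters (maxretry 1, findtime 3600, bantime 86400) over a constructed auth.log excerpt. PREFIX_LINE and HOST are simplified stand-ins for fail2ban's common.conf definitions (IPv4 only), and the log lines, hostnames and RFC 5737 addresses are all constructed.

```python
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's %(__prefix_line)s (syslog timestamp, hostname,
# "sshd[pid]: ") and <HOST> (IPv4 only). A simplification of fail2ban's
# common.conf, constructed for this example.
PREFIX_LINE = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex entries of the two filter files, expanded the way fail2ban
# expands %(__prefix_line)s and <HOST> before compiling them.
FAILREGEX = [
    r"^%sROOT LOGIN REFUSED FROM %s" % (PREFIX_LINE, HOST),
    r"^%sFailed password for root from %s.*$" % (PREFIX_LINE, HOST),
    r"^%s(?:error: PAM: )?Authentication failure for root from %s\s*$" % (PREFIX_LINE, HOST),
]
COMPILED = [re.compile(p) for p in FAILREGEX]

# Constructed auth.log excerpt: rejected root attempts mixed with lines the
# root filter must leave alone (an invalid non-root user, a successful login).
SAMPLE_AUTH_LOG = """\
Mar 10 08:00:01 bastion sshd[1201]: ROOT LOGIN REFUSED FROM 203.0.113.5 port 51234
Mar 10 08:00:01 bastion sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 08:00:07 bastion sshd[1205]: Invalid user admin from 198.51.100.7 port 40002
Mar 10 08:00:12 bastion sshd[1210]: error: PAM: Authentication failure for root from 198.51.100.9
Mar 10 08:01:00 bastion sshd[1220]: Failed password for root from 192.0.2.10 port 2222 ssh2
Mar 10 08:05:00 bastion sshd[1230]: Accepted publickey for deploy from 192.0.2.10 port 2223 ssh2
""".splitlines()


def match_line(line):
    """Return (timestamp, host) if the line matches one failregex, else None."""
    for rx in COMPILED:
        m = rx.match(line)
        if m:
            return m.group("ts"), m.group("host")
    return None


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; fail2ban assumes the current one,
    this example takes it as a parameter so results are reproducible."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def run_jail(lines, maxretry=1, findtime=3600, bantime=86400, ignoreip=()):
    """Replay log lines through the jail logic: failures per host are counted
    inside a sliding findtime window; reaching maxretry bans the host for
    bantime seconds. Returns {host: ban_expiry_datetime}."""
    failures = {}  # host -> timestamps of recent failures
    bans = {}
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        if host in ignoreip:  # same role as fail2ban's ignoreip setting
            continue
        t = parse_ts(ts)
        window = timedelta(seconds=findtime)
        recent = [x for x in failures.get(host, []) if t - x <= window]
        recent.append(t)
        failures[host] = recent
        if len(recent) >= maxretry and host not in bans:
            bans[host] = t + timedelta(seconds=bantime)
    return bans


if __name__ == "__main__":
    # Management host 192.0.2.10 is whitelisted; the two probing hosts get banned.
    for host, until in run_jail(SAMPLE_AUTH_LOG, ignoreip=("192.0.2.10",)).items():
        print("ban %s until %s" % (host, until))
```

On a real host the equivalent check is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/ssh-root.conf`, which reports how many lines each failregex matched. Note that with maxretry = 1 the findtime window never matters, and the one root typo from 192.0.2.10 would have been banned for a day had it not been in ignoreip.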

Test your configuration with:

sudo fail2ban-client status ssh-root
sudo denyhosts --test=debug

To manually test, attempt a root login from another machine and check logs:

tail -f /var/log/auth.log | grep -i "root"

Further sshd_config hardening to pair with the bans:

  • Change the SSH port: Port 2222 in sshd_config
  • Use key authentication only: PasswordAuthentication no
  • Limit authentication attempts per connection: MaxAuthTries 3

Check your blacklists regularly:

sudo fail2ban-client status
sudo cat /etc/hosts.deny
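With DENY_THRESHOLD_ROOT = 1 and maxretry = 1, a single mistaken root attempt from your own workstation lands you in the blocklist, so the regular check should also confirm that no management address has been banned. The Python below is an added example, not code from this post or from DenyHosts: it parses hosts.deny in the "daemon: client" form TCP wrappers reads and DenyHosts writes, lists the entries that apply to sshd, and flags any that overlap an administrator network. The file contents and addresses are constructed.

```python
import ipaddress
import re

# Constructed /etc/hosts.deny: "daemon: client" entries as TCP wrappers reads
# them, some preceded by the "# DenyHosts:" comment DenyHosts adds. Addresses
# are RFC 5737 documentation ranges, not real offenders.
SAMPLE_HOSTS_DENY = """\
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
ALL: 198.51.100.0/255.255.255.0
# DenyHosts: Mar 10 08:00:01 | sshd: 203.0.113.5
sshd: 203.0.113.5
# DenyHosts: Mar 10 08:00:12 | sshd: 198.51.100.9
sshd: 198.51.100.9
sshd: 192.0.2.10
vsftpd: 203.0.113.77
"""

ENTRY = re.compile(r"^\s*(?P<daemon>[A-Za-z0-9_.-]+)\s*:\s*(?P<client>\S+)")


def parse_hosts_deny(text):
    """Yield (daemon, client) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m:
            yield m.group("daemon"), m.group("client")


def client_to_network(client):
    """Turn a hosts.deny client field into an ip_network. Plain addresses and
    the net/mask form TCP wrappers accepts are handled; hostnames or wildcard
    forms return None because they cannot be audited offline."""
    try:
        return ipaddress.ip_network(client, strict=False)
    except ValueError:
        return None


def audit_hosts_deny(text, service="sshd", admin_networks=()):
    """Return (blocked, lockout_risk): `blocked` lists every client field that
    applies to `service` (its own entries plus ALL), `lockout_risk` the subset
    that overlaps one of the administrator's networks."""
    admin = [ipaddress.ip_network(n, strict=False) for n in admin_networks]
    blocked, risk = [], []
    for daemon, client in parse_hosts_deny(text):
        if daemon not in (service, "ALL"):
            continue
        blocked.append(client)
        net = client_to_network(client)
        if net is None:
            continue
        # compare only same-family networks; overlaps() across v4/v6 raises
        if any(net.version == a.version and net.overlaps(a) for a in admin):
            risk.append(client)
    return sorted(blocked), risk


if __name__ == "__main__":
    blocked, risk = audit_hosts_deny(SAMPLE_HOSTS_DENY, admin_networks=("192.0.2.0/24",))
    print("entries blocking sshd:", blocked)
    print("entries that would lock out an admin:", risk)
```

Run it against the real file with `audit_hosts_deny(open("/etc/hosts.deny").read(), admin_networks=(...))`. Anything reported in the lockout list should be removed and the address added to the tool's whitelist (fail2ban's ignoreip; DenyHosts reads an allowed-hosts file in its WORK_DIR) so it is not re-added on the next probe.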

Consider setting up logrotate for auth.log to prevent disk space issues from excessive brute force attempts.