How to Fix “Too Many Authentication Failures for User root” SSH Error and Restore Access



When attempting SSH connections as root using PuTTY, you might encounter the "Server unexpectedly closed network connection" error after multiple failed authentication attempts. This typically occurs due to security mechanisms in SSH servers that temporarily block access after repeated failed login attempts - even if you eventually enter the correct credentials.

Many administrators first try restarting the sshd service, but this often fails because:

  • Modern Linux systems use fail2ban or pam_tally2 for persistent tracking of failed attempts
  • The blocking mechanism may be implemented at the PAM (Pluggable Authentication Modules) level
  • Some distributions maintain failure counts across service restarts

Here are three effective ways to regain access:

1. Reset Failed Attempt Counters

For systems using pam_tally2:

# Reset counters for root user
sudo pam_tally2 --user=root --reset

# Verify the reset
sudo pam_tally2 --user=root

For systems using faillock (common in newer distributions):

# Reset root's failed attempts
sudo faillock --user root --reset

2. Temporarily Disable Rate Limiting

Edit your SSH server configuration:

sudo nano /etc/ssh/sshd_config

Add or modify these lines:

MaxAuthTries 10
MaxSessions 20
LoginGraceTime 2m

Then restart sshd:

sudo systemctl restart sshd

3. Alternative Access Methods

If you can't immediately reset counters:

  • Use console access (physical or virtual)
  • SSH as a different user with sudo privileges
  • Use a previously established session if available

Implement these best practices:

Use SSH Keys Instead of Passwords

Generate a key pair:

ssh-keygen -t ed25519

Copy the public key to the server:

ssh-copy-id root@your_server

Configure Fail2Ban Properly

Example jail.local configuration:

[sshd]
enabled = true
maxretry = 5
findtime = 1h
bantime = 1d
ignoreip = 127.0.0.1/8 ::1

Implement Multi-Factor Authentication

Combine SSH keys with TOTP for additional security:

# Install Google Authenticator PAM module
sudo apt install libpam-google-authenticator

# Run as the account that will log in over SSH; this interactively generates its TOTP secret
google-authenticator

When troubleshooting SSH issues:

# Check auth logs in real-time
sudo tail -f /var/log/auth.log

# Enable verbose SSH output
ssh -vvv root@your_server

Remember that security mechanisms like these exist for good reason. While they can be temporarily frustrating when you're locked out, they're essential for protecting your systems from brute force attacks.


When attempting SSH connections as root using PuTTY, you might encounter a sudden connection closure after multiple failed authentication attempts - even when providing correct credentials later. The server actually blocks further attempts due to security measures, though PuTTY may show only a generic "Server unexpectedly closed network connection" message.

Most Linux systems implement MaxAuthTries in sshd_config (default often 6). After exceeding this limit, the server temporarily blocks authentication attempts for that user from that IP. This is different from PermitRootLogin restrictions.


# Check current MaxAuthTries setting
grep MaxAuthTries /etc/ssh/sshd_config
# Typical output if not explicitly set:
# #MaxAuthTries 6

Option 1: Wait for the temporary block to expire
The default failure counter reset time varies by distro (often 10-30 minutes). Simply waiting usually resolves it.

Option 2: Connect from a different IP
The restriction is IP-specific, so if you have network access from another IP, connect from there:


ssh -v root@host # Use verbose mode to see authentication attempts

To modify this behavior (for testing environments only - not recommended for production):


# Edit sshd_config
sudo nano /etc/ssh/sshd_config

# Add or modify these lines:
MaxAuthTries 10
MaxSessions 20
LoginGraceTime 2m

# Then restart sshd
sudo systemctl restart sshd

For production systems, consider these more secure approaches:


# 1. Use SSH keys instead of password
ssh-keygen -t ed25519
ssh-copy-id root@host

# 2. Log in as a non-root user first, then elevate
ssh admin@host
# then, on the server:
sudo -i

Check auth logs to confirm if it's truly an authentication failure issue:


# On the server:
sudo tail -f /var/log/auth.log
# Or on RHEL/CentOS:
sudo tail -f /var/log/secure

Look for lines containing "error: maximum authentication attempts exceeded" or "Connection closed by authenticating user root".
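
The log check described above, as an added example that is not part of the original article: a small Python triage script that counts, per user and source IP, the two messages named above plus "Failed password" lines. The sample log lines, host name and addresses are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog layout (not from a real host).
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51514 ssh2
Mar  3 10:15:04 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51514 ssh2
Mar  3 10:15:09 web1 sshd[2101]: error: maximum authentication attempts exceeded for root from 203.0.113.7 port 51514 ssh2 [preauth]
Mar  3 10:16:30 web1 sshd[2140]: Connection closed by authenticating user root 198.51.100.23 port 40022 [preauth]
Mar  3 10:17:02 web1 sshd[2155]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.7 port 51600 ssh2 [preauth]
Mar  3 10:18:44 web1 sshd[2170]: Accepted publickey for deploy from 192.0.2.10 port 50211 ssh2: ED25519 SHA256:constructed
Mar  3 10:19:00 web1 CRON[2200]: pam_unix(cron:session): session opened for user root
"""

PATTERNS = {
    "max_tries": re.compile(r"error: maximum authentication attempts exceeded for "
                            r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "closed_preauth": re.compile(r"Connection closed by authenticating user "
                                 r"(?P<user>\S+) (?P<ip>\S+) port \d+"),
    "failed_password": re.compile(r"Failed password for (?:invalid user )?"
                                  r"(?P<user>\S+) from (?P<ip>\S+) port \d+"),
}
SSHD_LINE = re.compile(r"\bsshd\[\d+\]: (?P<msg>.*)$")

def summarize(log_text):
    """Count each event kind per (user, source IP); ignore non-sshd lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SSHD_LINE.search(line)
        if not m:
            continue
        for kind, pat in PATTERNS.items():
            hit = pat.match(m.group("msg"))
            if hit:
                counts[(hit["user"], hit["ip"], kind)] += 1
                break
    return counts

def lockout_sources(counts, user="root"):
    """Source IPs whose connections hit MaxAuthTries for `user`."""
    return sorted(ip for (u, ip, kind) in counts if u == user and kind == "max_tries")

if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    for (user, ip, kind), n in sorted(c.items()):
        print(f"{user:8} {ip:15} {kind:16} {n}")
    print("root hit MaxAuthTries from:", lockout_sources(c))
```

To run it against a real host, pass the contents of /var/log/auth.log (or /var/log/secure on RHEL/CentOS) to summarize() instead of the sample text.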

For Windows users, PuTTY may cache credentials incorrectly. Try:

  1. Completely close all PuTTY instances
  2. Delete cached sessions in Pageant
  3. Clear the Windows credential manager entries for SSH