Effective Strategies to Mitigate SSH Brute Force Attacks on Ubuntu Servers



When locked out due to SSH brute force attacks, you have several emergency access options:

# Option 1: Use console access provided by your datacenter
# Most providers offer web-based console access (KVM/IPMI)
# Example for Hetzner:
# https://robot.your-server.de/server

# Option 2: Temporarily change SSH port via provider's rescue system
# (the root filesystem device varies; check with lsblk in the rescue system)
mount /dev/sda1 /mnt
nano /mnt/etc/ssh/sshd_config
# Change Port 22 to alternative (e.g., 2222); make sure the firewall
# allows the new port before rebooting
umount /mnt
reboot

Once you regain access, implement these security measures:

# 1. Disable password authentication
# /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes

# 2. Install fail2ban for automatic blocking
sudo apt install fail2ban
sudo systemctl enable --now fail2ban

Combine iptables/nftables with fail2ban for comprehensive protection:

#!/usr/sbin/nft -f
# Example nftables ruleset for SSH protection

table inet ssh_protection {
    # Sources that exceeded the rate limit; entries expire after 1h
    set bruteforce_clients {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority 0;

        # Allow established connections
        ct state established,related accept

        # Drop everything from a source that is already on the ban list
        # (without this rule the set is filled but never consulted)
        ip saddr @bruteforce_clients drop

        # SSH rate limiting: up to 5 new connections/minute per source, burst 10
        tcp dport 22 ct state new \
            meter ssh-meter { ip saddr limit rate 5/minute burst 10 packets } \
            accept

        # Over the limit: put the source on the ban list for 1h and drop
        tcp dport 22 ct state new \
            add @bruteforce_clients { ip saddr timeout 1h } \
            drop
    }
}

Implement real-time monitoring with these tools:

# Custom fail2ban filter for SSH
# /etc/fail2ban/filter.d/custom-ssh.conf
[INCLUDES]
# common.conf defines __prefix_line (timestamp, hostname and "sshd[pid]:")
before = common.conf

[Definition]
_daemon = sshd
# <HOST> is mandatory: it is the address fail2ban bans. Two patterns cover
# "Failed password for [invalid user] NAME from IP port N ssh2" and the
# "Invalid user NAME from IP" line that precedes it.
failregex = ^%(__prefix_line)sFailed \S+ for (?:invalid user )?\S+ from <HOST>(?: port \d+)?(?: \w+)?$
            ^%(__prefix_line)sInvalid user \S* from <HOST>(?: port \d+)?$
ignoreregex =

# Monitor logins with pam_exec
# /etc/pam.d/sshd
# Use the session phase, not auth: with key-based logins sshd never runs the
# PAM auth stack, but the session stack runs for every login. "optional" so a
# missing or failing script can never lock you out. The script (your own)
# gets PAM_USER, PAM_RHOST and PAM_TYPE (open_session/close_session) in its
# environment.
session optional pam_exec.so /usr/local/bin/login-notify.sh

Consider implementing multi-factor authentication:

# Google Authenticator setup
sudo apt install libpam-google-authenticator
# Run as the user who will log in (not root); it writes ~/.google_authenticator
google-authenticator

# Add to /etc/pam.d/sshd:
# Comment out "@include common-auth" in the same file if the factors are to be
# key + TOTP only; left in place, PAM also prompts for the account password.
auth required pam_google_authenticator.so

# Add to /etc/ssh/sshd_config:
UsePAM yes
# On OpenSSH 8.7+ the option is named KbdInteractiveAuthentication;
# ChallengeResponseAuthentication is still accepted as an alias.
ChallengeResponseAuthentication yes
# Require key AND TOTP; a password alone is never enough
AuthenticationMethods publickey,keyboard-interactive

For long-term security:

# Set up port knocking
sudo apt install knockd

# Configuration example (/etc/knockd.conf):
# Note: -A appends, so this relies on port 22 being blocked by the INPUT
# chain's default DROP policy. If an earlier rule explicitly drops port 22,
# use "-I INPUT" instead so the ACCEPT is evaluated first.
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
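As an added example that is not part of the answer above, the following Python script audits an sshd_config for the settings the answer recommends (no password auth, public keys on, no root login, an explicit user list, publickey in AuthenticationMethods). It reproduces two sshd rules that often defeat a hardening attempt: keywords are case-insensitive, and the first value found for a keyword wins, so a later "PasswordAuthentication no" does nothing if an earlier line already says "yes". It does not follow Include directives; on Ubuntu /etc/ssh/sshd_config.d/*.conf is included first and therefore wins, so confirm the effective values on the host with `sshd -T`. The two sample configs and the names WEAK_CONFIG, HARDENED_CONFIG, parse_sshd_config and audit are the example's own.

```python
"""Audit an sshd_config for the hardening settings discussed above.

Added example, not code from the answer. sshd semantics reproduced here:
keywords are case-insensitive and the FIRST value found for a keyword
wins. Lines inside a "Match" block apply only conditionally and are
skipped for the global audit. Include directives are not followed.
"""
import re

# Constructed sample: a typical config with the usual mistakes
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the admin added this later, but the earlier line wins
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication no
"""

# Constructed sample: the hardened config the answer recommends
HARDENED_CONFIG = """\
Port 22222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers yourusername adminuser
"""

# keyword -> (wanted value, upstream OpenSSH default when the keyword is absent)
CHECKS = {
    "permitrootlogin":        ("no",  "prohibit-password"),
    "passwordauthentication": ("no",  "yes"),
    "pubkeyauthentication":   ("yes", "yes"),
}


def parse_sshd_config(text):
    """Return {keyword: first_value} for the global (pre-Match) section.

    Keywords are lower-cased; "keyword value" and "keyword=value" are both
    accepted, as sshd does. Everything from the first Match line on is ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                        # the rest of the file is conditional
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return a sorted list of (keyword, effective_value, wanted) findings."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in CHECKS.items():
        effective = settings.get(key, default).lower()
        if effective != wanted:
            findings.append((key, effective, wanted))
    # AllowUsers/AllowGroups are lists: flag their absence, not a value
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append(("allowusers", "(unset)", "<explicit user list>"))
    methods = settings.get("authenticationmethods", "").lower()
    if "publickey" not in methods:
        findings.append(("authenticationmethods", methods or "(unset)", "publickey,..."))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for key, got, want in audit(cfg) or [("-", "ok", "-")]:
            print(f"  {key}: {got} (want {want})")
```

Running it lists four findings for the weak config (the second PasswordAuthentication line is correctly ignored) and none for the hardened one.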

What you're experiencing is a classic SSH brute force attack where automated scripts attempt thousands of login combinations. Your auth.log shows clear patterns:

May 13 10:01:27 rs204941 sshd[9351]: Failed password for invalid user student from 112.220.198.102 port 39806 ssh2
May 13 10:01:31 rs204941 sshd[9353]: Invalid user tech from 112.220.198.102

First, let's get you back in control:

  1. Use your hosting provider's console: Most VPS providers offer web-based console access (like Hetzner's Rescue System or DigitalOcean's Recovery Console)
  2. Temporary IP restriction: If you can access Plesk's admin interface, add a firewall rule to only allow your IP

Once you regain access, implement these changes to /etc/ssh/sshd_config immediately:

# Change default port
Port 22222

# Disable root login
PermitRootLogin no

# Allow specific users only
AllowUsers yourusername adminuser

# Keep PAM enabled (the Ubuntu default; needed for PAM modules such as MFA).
# fail2ban does not depend on this setting: it reads auth.log.
UsePAM yes

Restart SSH: sudo systemctl restart sshd

1. Install and configure fail2ban:

sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 22222
filter = sshd
maxretry = 3
bantime = 1h
findtime = 10m

2. Key-based authentication (recommended):

# On your local machine:
ssh-keygen -t ed25519
ssh-copy-id -p 22222 yourusername@yourserver

# Then disable password auth in sshd_config:
PasswordAuthentication no

For enterprise-grade security:

# Rate limiting with iptables
sudo iptables -A INPUT -p tcp --dport 22222 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

# Make persistent
sudo apt install iptables-persistent
sudo netfilter-persistent save

Set up log monitoring with these commands:

# Real-time monitoring
tail -f /var/log/auth.log | grep --line-buffered "Failed password"

# Daily summary report: failed attempts per source IP.
# The IP is the field after "from", not a fixed column: it is $11 for
# "Failed password for root from IP ..." but $13 for
# "Failed password for invalid user NAME from IP ...".
grep "Failed password" /var/log/auth.log \
  | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' \
  | sort | uniq -c | sort -nr

Consider tools like OSSEC or Wazuh for comprehensive security monitoring.

Since you're using Plesk:

  1. Check "Tools & Settings" → "IP Address Banning"
  2. Review "Security" → "SSH Access" settings
  3. Enable Plesk's built-in fail2ban integration
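As an added example that is not part of either answer, the Python script below does the two things the answers describe in fail2ban and awk terms: it runs the custom fail2ban filter's patterns (with the `<HOST>` placeholder replaced by a named group) over auth.log lines and applies the jail policy from the second answer (maxretry = 3 within findtime = 10m), and it produces the per-IP summary by taking the address after "from" rather than from a fixed column. The sample log lines are constructed; the first two copy the asker's log format. It also shows the findtime edge case: a source with three failures spread over 18 minutes is not banned at findtime = 10m but is at 60m. The names parse_failures, summarize and bans are the example's own.

```python
"""Apply the fail2ban-style sshd filter and jail policy to auth.log lines.

Added example, not code from either answer. The two patterns mirror the
custom filter above with fail2ban's <HOST> placeholder replaced by a named
group; the sample log lines are constructed (the first two copy the
asker's auth.log format).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog prefix "May 13 10:01:27 rs204941 sshd[9351]: " (what fail2ban's
# __prefix_line matches). auth.log timestamps carry no year.
PREFIX = r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"
FAILREGEX = [
    # "Failed password for [invalid user] NAME from IP port N ssh2"
    re.compile(PREFIX + r"Failed \S+ for (?:invalid user )?\S+ from "
               + HOST + r"(?: port \d+)?(?: \w+)?$"),
    # "Invalid user NAME from IP [port N]"
    re.compile(PREFIX + r"Invalid user \S* from " + HOST + r"(?: port \d+)?$"),
]

# Constructed sample log; the timestamps are what the findtime test hinges on
SAMPLE_LOG = """\
May 13 10:01:27 rs204941 sshd[9351]: Failed password for invalid user student from 112.220.198.102 port 39806 ssh2
May 13 10:01:31 rs204941 sshd[9353]: Invalid user tech from 112.220.198.102
May 13 10:01:35 rs204941 sshd[9355]: Failed password for root from 112.220.198.102 port 39810 ssh2
May 13 10:02:02 rs204941 sshd[9360]: Failed password for root from 198.51.100.7 port 50000 ssh2
May 13 10:02:40 rs204941 sshd[9361]: Accepted publickey for yourusername from 203.0.113.9 port 51000 ssh2: ED25519 SHA256:constructed
May 13 10:20:05 rs204941 sshd[9402]: Failed password for root from 198.51.100.7 port 50001 ssh2
May 13 10:20:09 rs204941 sshd[9403]: Failed password for root from 198.51.100.7 port 50002 ssh2
"""


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for every line matching a failregex."""
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
                yield ts, m.group("host")
                break


def summarize(log_text):
    """Failed attempts per source, busiest first (the 'daily summary').

    The address comes from the regex, not from a fixed awk column, so
    'invalid user' lines and plain 'for root' lines are counted alike.
    """
    counts = defaultdict(int)
    for _, host in parse_failures(log_text):
        counts[host] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def bans(log_text, maxretry=3, findtime_minutes=10):
    """Jail policy: ban a source at the failure that makes maxretry
    failures within the last findtime. Returns {source_ip: ban_time}."""
    findtime = timedelta(minutes=findtime_minutes)
    recent = defaultdict(list)
    banned = {}
    for ts, host in sorted(parse_failures(log_text)):
        if host in banned:
            continue
        # keep only failures still inside the window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, n in summarize(SAMPLE_LOG):
        print(f"{n:4d} {host}")
    for host, when in bans(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")
    # 198.51.100.7 also has 3 failures, but spread over 18 minutes, so with
    # findtime = 10m it is never banned; with findtime = 60m it would be.
```

Both sources show three failures in the summary, yet only 112.220.198.102 is banned under the default window; this is why a low maxretry with a long findtime catches slow, distributed brute forcing that the defaults miss.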