Advanced SSH Server Hardening: Preventing and Mitigating Brute Force Attacks



SSH brute-force attempts are constant background noise on the internet. Any server that exposes port 22 will soon start logging entries like this in /var/log/auth.log:

Sep  7 13:03:45 server sshd[14674]: Failed password for root from 116.31.116.42 port 13423 ssh2

Let's examine comprehensive protection strategies beyond just changing the SSH port.

First, edit /etc/ssh/sshd_config with these settings. sshd uses the first value it reads for each keyword, so look for earlier duplicates (including anything pulled in by an Include line near the top of the file, as on Ubuntu) and confirm the effective values with "sshd -T". Run "sshd -t" to validate the syntax, and keep your current session open while you restart sshd and test a fresh login.

# Disable root login
PermitRootLogin no

# Restrict authentication methods: keys only, so there is no password to guess
PasswordAuthentication no
PubkeyAuthentication yes

# Limit user access. When both directives are set a login must satisfy
# both: the user must be listed AND be a member of ssh-users.
AllowUsers your_username
AllowGroups ssh-users

# Connection settings
# MaxAuthTries caps attempts per connection; every key ssh-agent offers counts as one.
MaxAuthTries 3
# Disconnect clients that have not authenticated within 60 seconds.
LoginGraceTime 60
# Idle-session keepalive; housekeeping rather than a brute-force control.
ClientAliveInterval 300

Fail2Ban watches the log and temporarily firewalls addresses that keep failing. Install it and make your changes in jail.local, which is read after jail.conf and survives package upgrades:

sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then modify the SSH section in jail.local:

[sshd]
enabled = true
# "ssh" resolves through /etc/services to 22; put the number here if you move the port
port = ssh
filter = sshd
# On systems that log only to the journal (no rsyslog), /var/log/auth.log does
# not exist: drop logpath and set "backend = systemd" instead.
logpath = /var/log/auth.log
# three failures within an hour earn a one-day ban
maxretry = 3
bantime = 86400
findtime = 3600

Restart the service and confirm the jail is live with "sudo fail2ban-client status sshd"; the output lists the currently banned addresses.

For a second factor on top of the key, add TOTP through the google-authenticator PAM module. Run the enrollment as the user who will log in, not via sudo, because it writes ~/.google_authenticator into that user's home directory:

sudo apt install libpam-google-authenticator
google-authenticator

Add to /etc/pam.d/sshd, and on Debian/Ubuntu comment out the "@include common-auth" line in the same file: password login is already disabled in sshd, and leaving the include in place makes the keyboard-interactive step prompt for the Unix password as well as the code.

auth required pam_google_authenticator.so

Update sshd_config. UsePAM must be on for the module to run at all; KbdInteractiveAuthentication is the current name of the option and ChallengeResponseAuthentication the alias older OpenSSH (before 8.7) expects, so setting both is harmless:

UsePAM yes
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

With AuthenticationMethods written this way a client must first present a valid key and then the TOTP code; either one alone is rejected. Test from a second terminal before closing your working session.
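
To make concrete what pam_google_authenticator accepts at the keyboard-interactive prompt, here is an added example (not the PAM module's code, not from the article) that verifies a code per RFC 6238: HMAC-SHA1, 30-second steps, six digits, base32 secret, with a one-step skew window (the module's default WINDOW_SIZE of 3 codes) and a replay check modelled on its DISALLOW_REUSE option. The secret used is the RFC 6238 test vector, not a real enrollment.

```python
"""Verify a TOTP code the way pam_google_authenticator checks it: RFC 6238
with HMAC-SHA1, 30-second steps, six digits and a base32 secret, plus a
small clock-skew window and replay protection.

Added example; this is a model of what the module accepts, not its code.
WINDOW and the reuse tracking mirror the module's defaults as assumptions.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step
DIGITS = 6
WINDOW = 1     # accept codes from one step before and after "now"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at, step=STEP):
    """RFC 6238: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, at // step)


def decode_secret(secret_b32):
    """Decode the base32 secret google-authenticator prints, tolerating the
    missing '=' padding and lowercase letters that apps often emit."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(secret_b32, code, at, window=WINDOW, used=None):
    """Return True if `code` is valid for any step within +/-window of `at`.

    `used` is an optional set of counters already accepted; passing the same
    set across calls rejects a replayed code, which is what DISALLOW_REUSE
    in ~/.google_authenticator enforces.
    """
    secret = decode_secret(secret_b32)
    now = at // STEP
    for counter in range(now - window, now + window + 1):
        # compare_digest keeps the comparison itself constant-time
        if hmac.compare_digest(hotp(secret, counter), code):
            if used is not None:
                if counter in used:
                    return False
                used.add(counter)
            return True
    return False


# RFC 6238 test secret ("12345678901234567890" in base32); constructed input,
# not a secret from a real enrollment.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    import time
    print("current code for the test secret:",
          totp(decode_secret(RFC_SECRET_B32), int(time.time())))
```

Because the window spans three 30-second steps, server clock drift of more than about a minute makes every code fail; keep the host on NTP before blaming the module.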

Consider these additional measures. The iptables rules below rate-limit new connections per source address in the kernel, independent of any log parsing: the fourth new connection from one address within 60 seconds is dropped, and because --update refreshes the timestamp on every further attempt, the block persists for as long as the client keeps retrying. --name keeps a dedicated tracking list, and the DROP rule must come before any rule that ACCEPTs port 22:

# IPTables rules limiting new connections per source address
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

For cloud environments, restrict the allowed source addresses in the security group wherever possible; an address that cannot reach port 22 cannot brute-force it.

Set up automated monitoring for suspicious activity:

#!/bin/bash
# Simple log watcher script.
# -F (rather than -f) keeps following after logrotate replaces the file;
# IFS= and -r stop read from trimming whitespace or eating backslashes in log lines.
tail -n 0 -F /var/log/auth.log | grep --line-buffered "Failed password" | while IFS= read -r line
do
  echo "$(date) - SSH failed attempt: $line" >> /var/log/ssh_monitor.log
  # Add your alerting logic here
done

Combine with tools like OSSEC for comprehensive intrusion detection.


Brute-force attacks against SSH are among the most common threats a server administrator faces. Attackers use automated scripts to try thousands of username/password combinations, with root the favourite target because its name needs no guessing. The auth.log entries show the classic pattern, including rsyslog's compression of repeated messages:

Sep  7 13:03:45 virt01 sshd[14674]: Failed password for root from 116.31.116.42 port 13423 ssh2
Sep  7 13:03:52 virt01 sshd[14674]: message repeated 2 times: [ Failed password for root from 116.31.116.42 port 13423 ssh2]

First, implement these essential SSH security measures in /etc/ssh/sshd_config:

# Disable root login
PermitRootLogin no

# Limit user access
AllowUsers your_username
AllowGroups ssh-users

# Change default port. This only cuts log noise from untargeted scanners;
# it stops nobody who scans all ports. Open 2222 in the firewall first, and
# on SELinux systems (RHEL/Fedora) allow it before restarting sshd:
#   semanage port -a -t ssh_port_t -p tcp 2222
Port 2222

# Enable key authentication
PasswordAuthentication no
PubkeyAuthentication yes
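
Both sshd_config blocks on this page share one trap: sshd honours the first value it reads for a keyword, so a stray earlier directive, or a drop-in file pulled in by an Include line, silently overrides the hardening below it. The following added example (not code from the article) audits sshd_config text against the baseline above, applying that first-wins rule and stopping at Match blocks; the two sample configurations are constructed. It accepts either the raw file or the output of "sshd -T", which is the authoritative, fully resolved view because it has already applied every Include.

```python
"""Audit sshd_config text against the brute-force baseline described above.

Added example (not the article's code). Accepts either a raw
/etc/ssh/sshd_config or the output of `sshd -T`, which prints the resolved
configuration as one lowercase "keyword value" pair per line.
"""
import re

# Defaults sshd applies when a directive is absent, per sshd_config(5).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Matches "Keyword value" and "Keyword=value"; keywords are case-insensitive.
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (settings, includes) using sshd's first-value-wins rule.

    A duplicate directive later in the file is ignored, exactly as sshd
    ignores it. Parsing stops at the first Match block, whose directives
    apply only conditionally. Include lines are recorded, not followed
    (no file access here).
    """
    settings, includes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "include":
            includes.append(value)
        else:
            settings.setdefault(key, value)   # first occurrence wins
    return settings, includes


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    settings, includes = parse_sshd_config(text)
    findings = []

    def value(key):
        return settings.get(key, DEFAULTS.get(key))

    if value("permitrootlogin") != "no":
        findings.append(f"PermitRootLogin is '{value('permitrootlogin')}', expected 'no'")
    if value("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no' (sshd defaults to yes)")
    if value("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if int(value("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries is {value('maxauthtries')}, expected 3 or fewer")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("neither AllowUsers nor AllowGroups is set; "
                        "every local account may attempt a login")
    for inc in includes:
        findings.append(f"'Include {inc}' precedes these directives; an included "
                        "file that sets the same keyword wins (check with sshd -T)")
    return findings


# Constructed samples. WEAK resembles a stock Ubuntu file: the Include comes
# first, the important directives are missing (so defaults apply), and the
# later duplicate of PasswordAuthentication has no effect.
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
# appended later by an admin, but the first value above wins
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-users
MaxAuthTries 3
LoginGraceTime 60
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['baseline met']}")
```

Run it as "sudo sshd -T | python3 audit_sshd.py" after saving the block with a stdin reader (the file name is an assumption); the weak sample above reports five findings, the hardened one none.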

Install and configure Fail2Ban to automatically block malicious IPs:

sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Configure the SSH protection in /etc/fail2ban/jail.local. Because sshd was moved to 2222 above, the jail has to say so: the ban action only blocks the ports listed here, and "port = ssh" would block 22.

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
findtime = 600

Generate SSH keys on your local machine (set a passphrase when prompted; -a 100 raises the KDF rounds, slowing offline guessing of that passphrase if the key file is stolen):

ssh-keygen -t ed25519 -a 100
ssh-copy-id -p 2222 your_username@server_ip

Verify the key works from a second terminal before disabling passwords, and leave the existing session open until the new login succeeds:

ssh -p 2222 -i ~/.ssh/id_ed25519 your_username@server_ip

Set up regular log monitoring with tools like:

# Install logwatch
sudo apt install logwatch

# Count failed attempts per source address. The address is not at a fixed
# field: for "invalid user" entries it sits two fields further right, so
# locate the word "from" and print what follows it.
grep "Failed password" /var/log/auth.log | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -nr
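
The one-liner above, the watcher script in the first section and the Fail2Ban jails all rest on the same parsing problem, and two log shapes trip up a field-number approach: "invalid user" entries shift the address, and rsyslog folds identical lines into "message repeated N times: [ ... ]" (the second log line quoted at the top of this section), which stands for N failures but mentions the address once. The added example below (not the article's code and not Fail2Ban itself) parses both shapes, totals failures per address, and applies a maxretry/findtime decision like the [sshd] jail; the first two sample lines are the article's own, the rest are constructed with documentation address ranges, and the log year is an assumption.

```python
"""Count SSH password failures per source address and apply a
Fail2Ban-style maxretry/findtime rule to lines from auth.log.

Added example; neither the article's code nor Fail2Ban's. It handles the
"invalid user" form (address two fields further right) and rsyslog's
"message repeated N times: [ ... ]" compression (N separate failures).
"""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
REPEATED = re.compile(r"message repeated (?P<n>\d+) times: \[\s*(?P<inner>.*?)\s*\]")
FAILURE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, ip, user, count) for every failed-password record.

    Syslog timestamps carry no year, so one is assumed (2024 here); pass
    the year the log was actually written.
    """
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        count, body = 1, line
        rep = REPEATED.search(line)
        if rep:                      # N compressed copies of the inner message
            count, body = int(rep.group("n")), rep.group("inner")
        fail = FAILURE.search(body)
        if fail:
            yield ts, fail.group("ip"), fail.group("user"), count


def failures_by_ip(records):
    """Total failures per address: what grep | awk | sort | uniq -c intends."""
    totals = defaultdict(int)
    for _, ip, _, count in records:
        totals[ip] += count
    return dict(totals)


def bans(records, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for addresses reaching maxretry failures
    inside any findtime-second window, the decision the [sshd] jail makes."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _, count in sorted(records, key=lambda r: r[0]):
        if ip in banned:
            continue
        cutoff = ts.timestamp() - findtime
        hits = [t for t in recent[ip] if t.timestamp() >= cutoff] + [ts] * count
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed sample: the first two lines are the article's own; the rest use
# documentation address ranges. 203.0.113.7 fails three times spread over
# 31 minutes, so it is banned with findtime 3600 but not with findtime 600.
SAMPLE_AUTH_LOG = """\
Sep  7 13:03:45 virt01 sshd[14674]: Failed password for root from 116.31.116.42 port 13423 ssh2
Sep  7 13:03:52 virt01 sshd[14674]: message repeated 2 times: [ Failed password for root from 116.31.116.42 port 13423 ssh2]
Sep  7 13:10:01 virt01 sshd[14701]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Sep  7 13:25:30 virt01 sshd[14733]: Failed password for invalid user admin from 203.0.113.7 port 40119 ssh2
Sep  7 13:41:09 virt01 sshd[14790]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Sep  7 13:42:00 virt01 sshd[14801]: Accepted publickey for alice from 198.51.100.5 port 51022 ssh2
Sep  7 13:42:10 virt01 sshd[14802]: Failed password for alice from 198.51.100.5 port 51023 ssh2
"""

if __name__ == "__main__":
    records = list(parse_failures(SAMPLE_AUTH_LOG.splitlines()))
    print("failures per IP:", failures_by_ip(records))
    print("banned (maxretry=3, findtime=600): ", sorted(bans(records)))
    print("banned (maxretry=3, findtime=3600):", sorted(bans(records, findtime=3600)))
```

On the sample the awk approach credits 116.31.116.42 with one failure and 203.0.113.7 with none, while this counts three each; the same gap between "lines matched" and "failures" is why the two jail configurations on this page (findtime 3600 versus 600) ban different sets of addresses for the same log.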

Consider implementing these additional security layers:

  • Two-factor authentication with Google Authenticator
  • Port knocking for additional obscurity
  • GeoIP filtering for known attack regions