
How to Block Brute-Force Attacks on SSH: Step by Step guide

Brute-force attacks on SSH (Secure Shell) are a common method used by attackers to gain unauthorized access to servers. These attacks involve systematically trying a large number of username and password combinations until the correct credentials are found. Fortunately, several effective techniques and tools can prevent brute-force attacks and secure your server.

In this guide, we’ll cover step-by-step methods to block brute-force SSH attacks, including configuring fail2ban, using iptables, changing the default SSH port, enabling key-based authentication, and implementing advanced security measures.


1. Change the Default SSH Port

By default, SSH listens on port 22, which makes it an easy target. Changing the port to a non-standard port reduces the likelihood of brute-force attempts.

Steps to Change SSH Port:

1. Open the SSH configuration file:
 

 sudo nano /etc/ssh/sshd_config

2. Locate the line

 #Port 22

3. Uncomment and change the port number to a high, unused port, e.g., 22000:

 Port 22000

4. Save and exit the file.

5. Restart the SSH service to apply changes:

 sudo systemctl restart sshd

6. Update firewall rules to allow traffic on the new port:

 sudo ufw allow 22000/tcp

2. Use Fail2ban to Prevent Brute-Force Attacks

Fail2ban is an intrusion prevention tool that monitors system logs and bans IP addresses exhibiting malicious behavior.

Install and Configure Fail2ban:

1. Install Fail2ban:
 

 sudo apt update

 sudo apt install fail2ban -y


2. Copy the default configuration file:
 

 sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


3. Open the jail.local file to configure SSH rules:
 

 sudo nano /etc/fail2ban/jail.local


4. Locate the [sshd] section and modify as follows:
 

 [sshd]
 enabled = true
 port = 22000
 filter = sshd
 logpath = /var/log/auth.log
 maxretry = 5
 bantime = 600
 findtime = 300


5. Key settings:

 maxretry: Number of failed attempts before banning
 bantime: Duration (in seconds) to ban the IP
 findtime: Period (in seconds) to monitor for failed attempts


6. Restart Fail2ban:
 

 sudo systemctl restart fail2ban


7. Check the status:
 

 sudo fail2ban-client status sshd
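To see what the maxretry and findtime settings above actually do, here is an added example (not fail2ban's own code) that re-implements that counting logic in awk over a few constructed sshd auth.log lines. It only matches the "Failed password for" message, assumes traditional syslog timestamps on a single day in chronological order, and the sample IPs are documentation addresses, not real data; fail2ban's real sshd filter matches many more log forms.

```shell
#!/bin/sh
# Added example: minimal maxretry/findtime logic in the style of fail2ban.
# Assumptions: syslog-style lines ("Jan 10 12:00:01 host sshd[pid]: ..."),
# all on one day, in time order; only "Failed password for" lines are counted.

# ban_candidates MAXRETRY FINDTIME < auth.log
# Prints, in order, each source IP whose last MAXRETRY failures fit inside a
# FINDTIME-second window (what fail2ban would ban with those settings).
ban_candidates() {
    awk -v max="$1" -v win="$2" '
    /Failed password for/ {
        split($3, t, ":")
        sec = t[1] * 3600 + t[2] * 60 + t[3]        # time of day in seconds
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || ip in banned) next
        n[ip]++
        ts[ip, n[ip]] = sec
        # sliding window: the last max failures must all lie within win seconds
        if (n[ip] >= max && sec - ts[ip, n[ip] - max + 1] <= win) {
            banned[ip] = 1
            print ip
        }
    }'
}

# Constructed sample log (not a real capture):
#  192.0.2.10   fails 5 times within 8 seconds
#  198.51.100.7 fails 3 times spread over an hour, with one successful key login
#  203.0.113.9  fails 5 times spread over 40 minutes
sample_auth_log() {
    cat <<'EOF'
Jan 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Jan 10 12:00:03 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Jan 10 12:00:05 host sshd[1002]: Failed password for root from 192.0.2.10 port 51002 ssh2
Jan 10 12:00:07 host sshd[1003]: Failed password for root from 192.0.2.10 port 51004 ssh2
Jan 10 12:00:09 host sshd[1004]: Failed password for invalid user test from 192.0.2.10 port 51006 ssh2
Jan 10 12:05:00 host sshd[1010]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan 10 12:05:30 host sshd[1011]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Jan 10 12:40:00 host sshd[1020]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 10 13:00:00 host sshd[1030]: Failed password for alice from 198.51.100.7 port 40020 ssh2
Jan 10 13:10:00 host sshd[1040]: Failed password for root from 203.0.113.9 port 60000 ssh2
Jan 10 13:20:00 host sshd[1041]: Failed password for root from 203.0.113.9 port 60002 ssh2
Jan 10 13:30:00 host sshd[1042]: Failed password for root from 203.0.113.9 port 60004 ssh2
Jan 10 13:40:00 host sshd[1043]: Failed password for root from 203.0.113.9 port 60006 ssh2
Jan 10 13:50:00 host sshd[1044]: Failed password for root from 203.0.113.9 port 60008 ssh2
EOF
}

# Usage: sample_auth_log | ban_candidates 5 300
# With the guide's values (maxretry 5, findtime 300) only 192.0.2.10 is listed;
# 203.0.113.9 also fails 5 times but too slowly to fall inside one window.
```

Running it with maxretry 3 and findtime 3600 instead lists all three addresses, which shows why the two settings have to be tuned together: a long findtime with a low maxretry catches slow attackers but also bans a legitimate user who mistypes a password a few times in an hour.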

3. Set Up iptables to Block Brute-Force Attempts

iptables is a powerful Linux firewall that can block unwanted traffic.

Configure iptables to Block Repeated Failed Login Attempts:

1. Track new connections to the SSH port and drop any IP that opens 3 or more within 60 seconds. These rules must be added before the ACCEPT rule, because iptables stops at the first matching rule:

 sudo iptables -A INPUT -p tcp --dport 22000 -m state --state NEW -m recent --set --name SSH

 sudo iptables -A INPUT -p tcp --dport 22000 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

2. Allow the remaining SSH connections on the new port:

 sudo iptables -A INPUT -p tcp --dport 22000 -m state --state NEW -j ACCEPT


3. Save iptables rules:
 

 sudo iptables-save > /etc/iptables/rules.v4


4. Make the rules persistent:
 

 sudo apt install iptables-persistent


5. Verify the rules:
 

 sudo iptables -L

 


4. Use SSH Key-Based Authentication

Key-based authentication is significantly more secure than password-based authentication.

Generate and Deploy SSH Key:

1. Generate an SSH key:
 

 ssh-keygen -t rsa -b 4096

 
Press Enter to save the key in the default location (~/.ssh/id_rsa)
 
2. Copy the public key to the server:
 

 ssh-copy-id -p 22000 user@your_server_ip

 
3. Alternatively, manually copy the public key:
 

 cat ~/.ssh/id_rsa.pub | ssh -p 22000 user@your_server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

 

Disable Password Authentication:

1. Open the SSH configuration file:
 

 sudo nano /etc/ssh/sshd_config

 
2. Find and modify these lines:
 

 PasswordAuthentication no

 PubkeyAuthentication yes

 
3. Save and restart the SSH service:
 

 sudo systemctl restart sshd

 

5. Limit SSH Access by IP Address

Restricting SSH access to specific IPs significantly reduces the attack surface.

Configure IP Whitelisting:

1. Open the /etc/hosts.allow file:
 

 sudo nano /etc/hosts.allow


2. Add the allowed IP(s):
 

 sshd: 192.168.1.10
 sshd: 203.0.113.25


3. Deny all other connections:
 

 sudo nano /etc/hosts.deny


4. Add:
 

 sshd: ALL


5. Restart SSH service:
 

 sudo systemctl restart sshd

 

6. Use TCP Wrappers to Restrict Access

TCP wrappers provide another layer of control over SSH access.

Configure TCP Wrappers:

1. Open /etc/hosts.allow:
 

 sudo nano /etc/hosts.allow


2. Add specific IPs:
 

 sshd: 192.168.1.0/24


3. Open /etc/hosts.deny:
 

 sudo nano /etc/hosts.deny


4. Deny all others:
 

 sshd: ALL


5. Restart SSH service:
 

 sudo systemctl restart sshd

 

7. Enable Two-Factor Authentication (2FA)

Adding an extra layer of security with 2FA enhances the protection of your SSH service.

Install Google Authenticator:

1. Install required packages:
 

 sudo apt install libpam-google-authenticator


2. Run the Google Authenticator setup:
 

 google-authenticator

Follow the on-screen instructions and scan the QR code using an authenticator app.

3. Edit the PAM configuration:
 

 sudo nano /etc/pam.d/sshd


4. Add the following line:
 

 auth required pam_google_authenticator.so


5. Enable 2FA in SSH:
 

 sudo nano /etc/ssh/sshd_config


6. Update the following line:
 

 ChallengeResponseAuthentication yes


7. Restart SSH:
 

 sudo systemctl restart sshd

 

8. Limit SSH Connection Rates with UFW

Limiting SSH connection rates reduces brute-force attempts.

Configure UFW Rules:

1. Enable UFW if not already enabled:
 

 sudo ufw enable


2. Allow a limited number of connections per IP:
 

 sudo ufw limit 22000/tcp


3. Reload UFW:
 

 sudo ufw reload


4. Verify UFW rules:
 

 sudo ufw status

 

9. Additional Security Best Practices

Disable Root Login:

 sudo nano /etc/ssh/sshd_config

 

 PermitRootLogin no


Restart SSH:
 

 sudo systemctl restart sshd

 

Set Login Grace Time:

 LoginGraceTime 60


Use Strong Passwords: Ensure that password policies require complexity
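Sections 1, 4 and 9 all edit /etc/ssh/sshd_config by hand and then restart sshd. The following added example (not part of this guide's original steps) does the same edits from a script: it replaces an existing, possibly commented-out, directive or appends it, so re-running is safe, and it checks the file with sshd -t before restarting so a typo cannot lock you out of the server. The function names (set_sshd_option, get_sshd_option, apply_hardening, validate_and_restart) are my own, the values are the ones used on this page, and the script assumes a config without Match blocks.

```shell
#!/bin/sh
# Added example: idempotent sshd_config edits with validation before restart.
# Assumes a single global section (no Match blocks) and canonical directive
# casing as shipped in the default file.

# set_sshd_option FILE KEY VALUE
# Replace any "KEY ..." or "#KEY ..." line with "KEY VALUE", or append it.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        # write to a temp file and move it, which works with both GNU and BSD sed
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Print the value of the first uncommented KEY line, or nothing if unset.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# apply_hardening FILE
# The settings this guide sets by hand, applied in one pass.
apply_hardening() {
    set_sshd_option "$1" Port 22000
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" LoginGraceTime 60
}

# validate_and_restart FILE
# Only restart sshd if it accepts the new file; a broken config is left
# unapplied so the running daemon keeps serving.
validate_and_restart() {
    if sshd -t -f "$1"; then
        systemctl restart sshd
    else
        echo "sshd_config failed validation; not restarting sshd" >&2
        return 1
    fi
}

# Usage (as root), after your public key is already in ~/.ssh/authorized_keys
# and the firewall allows port 22000, as in sections 1 and 4:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   apply_hardening /etc/ssh/sshd_config && validate_and_restart /etc/ssh/sshd_config
```

Keep an existing SSH session open while you test the new port and key login from a second terminal; if the second login fails, restore the backup and restart sshd from the session you still have.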