Codenotary Trustcenter Blog

How to Block Brute-Force Attacks on SSH: Step by Step guide

Written by blog | Jan 23, 2025 2:00:00 PM

Brute-force attacks on SSH (Secure Shell) are a common method used by attackers to gain unauthorized access to servers. These attacks involve systematically trying a large number of username and password combinations until the correct credentials are found. Fortunately, several effective techniques and tools can prevent brute-force attacks and secure your server.

In this guide, we’ll cover step-by-step methods to block brute-force SSH attacks, including configuring fail2ban, using iptables, changing the default SSH port, enabling key-based authentication, and implementing advanced security measures.


1. Change the Default SSH Port

By default, SSH listens on port 22, which makes it an easy target. Moving it to a non-standard port cuts down the noise from automated scanners that only probe port 22; it does not stop an attacker who port-scans the host, so treat it as a complement to the measures below, not a substitute for them.

Steps to Change SSH Port:

1. Open the SSH configuration file:
 

 sudo nano /etc/ssh/sshd_config

2. Locate the line

 #Port 22

3. Uncomment and change the port number to a high, unused port, e.g., 22000:

 Port 22000

4. Save and exit the file.

5. Restart the SSH service to apply changes:

 sudo systemctl restart sshd

6. Update firewall rules to allow traffic on the new port, then test a login on the new port from a second terminal before closing the session you are working in:

 sudo ufw allow 22000/tcp

2. Use Fail2ban to Prevent Brute-Force Attacks

Fail2ban is an intrusion prevention tool that monitors system logs and bans IP addresses exhibiting malicious behavior.

Install and Configure Fail2ban:

1. Install Fail2ban:
 

 sudo apt update

 sudo apt install fail2ban -y


2. Copy the default configuration file:
 

 sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


3. Open the jail.local file to configure SSH rules:
 

 sudo nano /etc/fail2ban/jail.local


4. Locate the [sshd] section and modify as follows:
 

 [sshd]
 enabled = true
 port = 22000
 filter = sshd
 logpath = /var/log/auth.log
 maxretry = 5
 bantime = 600
 findtime = 300


5. The three parameters control when a ban happens:

 maxretry Number of failed attempts before banning

 bantime Duration (in seconds) to ban the IP

 findtime Period (in seconds) within which the failed attempts must occur


6. Restart Fail2ban:
 

 sudo systemctl restart fail2ban


7. Check the status:
 

 sudo fail2ban-client status sshd
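Before enabling the jail it helps to see what maxretry and findtime actually do to your log. The script below is an added example, not part of the original post: it replays constructed auth.log lines through the same sliding-window rule the [sshd] jail uses and prints the IPs that would be banned.

```shell
#!/bin/sh
# Added example, not from the original post: replay sshd "Failed password"
# lines through the same maxretry/findtime sliding window the [sshd] jail
# above uses, so you can see which IPs Fail2ban would ban before enabling it.

MAXRETRY=5
FINDTIME=300   # seconds, same values as the jail.local snippet above

# Constructed auth.log excerpt: one noisy source and one slow, scattered one.
SAMPLE_LOG='Jan 23 14:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.25 port 50001 ssh2
Jan 23 14:00:03 host sshd[1002]: Failed password for root from 203.0.113.25 port 50002 ssh2
Jan 23 14:01:10 host sshd[1003]: Failed password for root from 198.51.100.7 port 41000 ssh2
Jan 23 14:02:15 host sshd[1004]: Failed password for invalid user test from 203.0.113.25 port 50003 ssh2
Jan 23 14:02:40 host sshd[1005]: Accepted publickey for alice from 192.168.1.10 port 52000 ssh2
Jan 23 14:03:50 host sshd[1006]: Failed password for root from 203.0.113.25 port 50004 ssh2
Jan 23 14:04:55 host sshd[1007]: Failed password for root from 203.0.113.25 port 50005 ssh2
Jan 23 14:12:00 host sshd[1008]: Failed password for root from 198.51.100.7 port 41001 ssh2
Jan 23 14:25:00 host sshd[1009]: Failed password for root from 198.51.100.7 port 41002 ssh2'

# Read log lines on stdin; print "IP count" once for each IP whose failures
# reach MAXRETRY inside a FINDTIME-second window (the condition for a ban).
would_ban() {
  awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    /: Failed password for / {
      # "Mon DD HH:MM:SS" -> seconds; 31-day months are fine because only
      # differences inside one window are compared (same year assumed)
      split($3, t, ":")
      ts = (mon[$1] * 31 + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++; when[ip, n[ip]] = ts
      hits = 0
      for (j = 1; j <= n[ip]; j++) if (ts - when[ip, j] <= findtime) hits++
      if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip, hits }
    }'
}

# Run the constructed sample; on a real host use: would_ban < /var/log/auth.log
run_sample() { printf '%s\n' "$SAMPLE_LOG" | would_ban; }

run_sample
```

The noisy source reaches 5 failures within 294 seconds and is reported; the scattered one never has 5 failures inside any 300-second window, which is exactly why findtime matters as much as maxretry.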

3. Set Up iptables to Block Brute-Force Attempts

iptables is a powerful Linux firewall that can block unwanted traffic. Unlike Fail2ban it does not see login failures in the logs; with the recent module it rate-limits new connections to the SSH port, which stops an attacker from cycling through many passwords quickly.

Configure iptables to Block Repeated Connection Attempts:

1. Track new connections to the SSH port and drop an IP that opens 3 or more within 60 seconds. The --state NEW match is needed so only connection attempts are counted, not every packet of an established session, and these two rules must come before the ACCEPT rule for the port, otherwise the ACCEPT matches first and they are never reached:

 sudo iptables -A INPUT -p tcp --dport 22000 -m state --state NEW -m recent --set --name SSH

 sudo iptables -A INPUT -p tcp --dport 22000 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

2. Allow SSH on the new port:

 sudo iptables -A INPUT -p tcp --dport 22000 -m state --state NEW -j ACCEPT

3. Install iptables-persistent so the rules survive a reboot (it creates /etc/iptables and reloads the saved rules at boot):

 sudo apt install iptables-persistent

4. Save the current rules (the redirect must run as root, so wrap the whole command):

 sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

5. Verify the rules:

 sudo iptables -L INPUT -n -v

 


4. Use SSH Key-Based Authentication

Key-based authentication is significantly more secure than password-based authentication: the private key never leaves the client, and a 4096-bit key cannot be guessed by trying credentials, so brute-force attempts become pointless once passwords are disabled.

Generate and Deploy SSH Key:

1. Generate an SSH key:
 

 ssh-keygen -t rsa -b 4096

 
Press Enter to save the key in the default location (~/.ssh/id_rsa) and enter a passphrase when prompted, so that a stolen key file alone is not enough to log in.
 
2. Copy the public key to the server:
 

 ssh-copy-id -p 22000 user@your_server_ip

 
3. Alternatively, manually copy the public key:
 

 cat ~/.ssh/id_rsa.pub | ssh -p 22000 user@your_server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

 

Disable Password Authentication:

1. Open the SSH configuration file:
 

 sudo nano /etc/ssh/sshd_config

 
2. Find and modify these lines:
 

 PasswordAuthentication no

 PubkeyAuthentication yes

 
3. Confirm in a second terminal that key-based login works, then save and restart the SSH service:
 

 sudo systemctl restart sshd

 

5. Limit SSH Access by IP Address

Restricting SSH access to specific IPs significantly reduces the attack surface. The /etc/hosts.allow and /etc/hosts.deny files below are read by TCP wrappers (libwrap); hosts.allow is consulted first, so the IPs listed there are admitted even though hosts.deny blocks everything else (see section 6 for how to check that your sshd supports them).

Configure IP Whitelisting:

1. Open the /etc/hosts.allow file:
 

 sudo nano /etc/hosts.allow


2. Add the allowed IP(s):
 

 sshd: 192.168.1.10
 sshd: 203.0.113.25


3. Deny all other connections:
 

 sudo nano /etc/hosts.deny


4. Add:
 

 sshd: ALL


5. Restart SSH service:
 

 sudo systemctl restart sshd

 

6. Use TCP Wrappers to Restrict Access

TCP wrappers are the mechanism behind the /etc/hosts.allow and /etc/hosts.deny files used in the previous section; the difference here is that a whole subnet is allowed with CIDR notation instead of single hosts. These files only take effect if sshd was built against libwrap, which upstream OpenSSH dropped in 6.7 and only some distributions still patch in. Check with ldd /usr/sbin/sshd | grep libwrap: no output means the rules are silently ignored, and you should restrict source addresses with the firewall instead.

Configure TCP Wrappers:

1. Open /etc/hosts.allow :
 

 sudo nano /etc/hosts.allow


2. Add specific IPs:
 

 sshd: 192.168.1.0/24


3. Open /etc/hosts.deny :
 

 sudo nano /etc/hosts.deny


4. Deny all others:
 

 sshd: ALL


5. Restart SSH service:
 

 sudo systemctl restart sshd

 

7. Enable Two-Factor Authentication (2FA)

Adding an extra layer of security with 2FA enhances the protection of your SSH service.

Install Google Authenticator:

1. Install required packages:
 

 sudo apt install libpam-google-authenticator


2. Run the Google Authenticator setup:
 

 google-authenticator

Follow the on-screen instructions and scan the QR code using an authenticator app.

3. Edit the PAM configuration:
 

 sudo nano /etc/pam.d/sshd


4. Add the following line:
 

 auth required pam_google_authenticator.so


5. Enable 2FA in SSH:
 

 sudo nano /etc/ssh/sshd_config


6. Update the following line (on OpenSSH 8.7 and later the directive is named KbdInteractiveAuthentication; the old name is still accepted as an alias):
 

 ChallengeResponseAuthentication yes

 If you disabled password authentication in section 4, a valid key alone still satisfies sshd and the PAM prompt is never reached. To require both the key and the code, also add:

 AuthenticationMethods publickey,keyboard-interactive


7. Restart SSH:
 

 sudo systemctl restart sshd

 

8. Rate-Limit SSH Connections with UFW

Limiting the rate of new SSH connections from a single IP slows brute-force attempts down considerably.

Configure UFW Rules:

1. Enable UFW if not already enabled:
 

 sudo ufw enable


2. Rate-limit connections per IP (ufw limit denies a source that makes 6 or more connection attempts within 30 seconds):
 

 sudo ufw limit 22000/tcp


3. Reload UFW:
 

 sudo ufw reload


4. Verify UFW rules:
 

 sudo ufw status

 

9. Additional Security Best Practices

Disable Root Login:

 sudo nano /etc/ssh/sshd_config

 

 PermitRootLogin no


Restart SSH:
 

 sudo systemctl restart sshd

 

Set Login Grace Time: lower the time (in seconds) sshd waits for a client to authenticate before dropping the connection (the default is 120), so that idle brute-force sessions are cleared sooner:

 LoginGraceTime 60


Use Strong Passwords: Ensure that password policies require complexity for any account that still authenticates with a password.
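Several of the sections above (1, 4, 7 and 9) edit /etc/ssh/sshd_config by hand, and a single typo or a leftover earlier line silently undoes the change because sshd keeps the first occurrence of a directive. The script below is an added example, not part of the original post: it audits a config file for the directives this guide sets, following sshd's own parsing rules, and runs here against a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# directives changed in sections 1, 4, 7 and 9 (run against a constructed file
# here; on a real host pass /etc/ssh/sshd_config).

# Expected settings, "Directive value" per line, same values as the guide.
EXPECTED='Port 22000
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
ChallengeResponseAuthentication yes
LoginGraceTime 60'
# Constructed config with two hardening steps not yet applied.
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22000
#PermitRootLogin prohibit-password
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
LoginGraceTime 60'

# audit_sshd_config FILE: print each directive that is missing or wrong; exit 1
# if any was found. Mirrors sshd parsing: comments ignored, keywords are
# case-insensitive, the first occurrence wins, lines after Match are not global.
audit_sshd_config() {
  printf '%s\n' "$EXPECTED" | awk -v cfg="$1" '
    BEGIN {
      while ((getline line < cfg) > 0) {
        sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
        if (split(line, f, /[ \t=]+/) < 2) continue
        k = tolower(f[1])
        if (k == "match") break
        if (!(k in have)) have[k] = f[2]
      }
    }
    { k = tolower($1)
      if (!(k in have)) { bad++; printf "MISSING %s (expected %s)\n", $1, $2 }
      else if (tolower(have[k]) != tolower($2)) {
        bad++; printf "WRONG %s = %s (expected %s)\n", $1, have[k], $2 } }
    END { exit (bad ? 1 : 0) }'
}
# Write the sample to a temp file, audit it, clean up, keep the audit status.
run_sample() {
  tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
  audit_sshd_config "$tmp"; rc=$?; rm -f "$tmp"; return $rc
}

run_sample || echo "fix the directives above before relying on this host"
```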