5 Best Practices to Prevent SSH Brute-Force Login Attacks in Linux

In today's world of technology, security is paramount. It's crucial to protect our systems from unauthorized access, and one of most common ways of gaining unauthorized access to a Linux system is through a brute-force login attack on SSH. SSH (Secure Shell) is a network protocol used to access and manage remote systems securely. In this article, we'll discuss 5 best practices to prevent SSH brute-force login attacks in Linux.

Use Strong Passwords

The first and foremost step in securing your SSH server is to use strong passwords. Strong passwords should be at least 8 characters long, with a mix of upper and lowercase letters, numbers, and special characters. Avoid using easily guessable passwords such as "password123" or "admin123," which can be easily cracked by brute-force attacks.

To create strong passwords, you can use online password generators, password managers, or even a combination of random words. Moreover, it is essential to change your password regularly, at least once every three months.

Use Public Key Authentication

Public key authentication is a more secure method of logging in to an SSH server than using a password. This method involves creating a pair of public and private keys, with public key stored on server, and private key kept securely on your local machine.

When you log in to SSH server, server will check your public key to authenticate your identity. This method is more secure than using a password because even if an attacker manages to get hold of your password, they won't be able to log in without your private key.

To use public key authentication, you can generate a key pair using ssh-keygen command on your local machine. Then, copy public key to server's authorized_keys file. After that, you can log in to server using your private key.

Change Default SSH Port

By default, SSH servers listen on port 22, which is well-known to attackers. Changing default port to a random or non-standard port can make it harder for attackers to find your SSH server and launch a brute-force attack.

To change default SSH port, you need to modify SSH server configuration file, usually located at /etc/ssh/sshd_config. Look for line that specifies port number and change it to a different value. After that, restart SSH service to apply changes.

It's essential to keep in mind that changing default SSH port won't prevent all attacks, but it can make it harder for attackers to find your server.

Limit SSH Access

Limiting SSH access can help prevent unauthorized access to your server. You can restrict access to specific IP addresses or network ranges using a firewall. By doing so, you can allow access only from trusted sources, such as your office network or your home network.

To limit SSH access using a firewall, you need to create a rule that allows incoming traffic to SSH port only from trusted IP addresses or network ranges. For example, if you want to allow access only from IP address, you can create a rule like this −

iptables -A INPUT -p tcp --dport 22 -s -j ACCEPT

This rule allows incoming traffic to SSH port only from IP address You can add more IP addresses or network ranges as per your requirements.

Install and Use Fail2ban

Fail2ban is a software tool that can help protect your SSH server from brute-force login attacks. Fail2ban monitors server logs for failed login attempts and blocks IP address of attacker after a certain number of failed attempts. This makes it harder for attackers to launch a successful brute-force attack.

To install Fail2ban on your Linux server, you can use package manager specific to your distribution. For example, on Debian-based systems, you can use apt-get command −

sudo apt-get install fail2ban

After installation, you need to configure Fail2ban to monitor your SSH logs. By default, Fail2ban comes with a configuration file for SSH, located at /etc/fail2ban/jail.conf. You can modify this file to specify number of failed login attempts after which an IP address should be blocked.

For example, if you want to block an IP address after three failed login attempts, you can add following lines to SSH section of configuration file −

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

After making changes, restart Fail2ban service to apply new configuration.

Disable Root Login

By default, root user has full access to system and is a prime target for attackers. It's best practice to disable direct root login via SSH and use a regular user account with sudo privileges instead. This way, even if an attacker manages to crack password for regular user account, they won't have root access to system.

To disable root login, you need to modify SSH server configuration file (/etc/ssh/sshd_config) and set PermitRootLogin option to "no."

Use Two-Factor Authentication

Two-factor authentication (2FA) adds an additional layer of security to SSH login process. In addition to password or private key, 2FA requires user to provide a second factor, such as a code generated by a smartphone app or a physical token.

To enable 2FA for SSH, you can use a tool like Google Authenticator or Authy, which generates time-based one-time passwords (TOTP). You'll need to install 2FA tool on your local machine and SSH server and configure both to use same TOTP secret.

Monitor SSH Logs

Monitoring your SSH logs can help you detect and prevent brute-force login attacks and other security incidents. You can use tools like Logwatch, Logrotate, or Logwatcher to monitor your SSH logs and alert you when unusual activity is detected.

It's also important to regularly review your SSH logs to identify any suspicious login attempts, unusual IP addresses, or failed login attempts. By doing so, you can quickly take action to prevent a potential security breach.

Keep Your System Up-to-Date

Keeping your Linux system up-to-date with latest security patches and updates is essential to prevent known vulnerabilities and exploits. You should regularly check for updates and apply them as soon as possible.

Additionally, it's essential to regularly check for any unauthorized changes to your SSH server configuration or files, as these could be a sign of a security breach.

Use a Bastion Host or Jump Server

A bastion host or jump server is a dedicated server that acts as a single point of entry to your network or infrastructure. All SSH connections to your network are routed through bastion host, which can be configured to enforce security policies, such as access control and authentication.

Using a bastion host or jump server can help you reduce attack surface of your network and prevent unauthorized access to your systems.


In summary, securing your SSH server is essential to prevent unauthorized access to your Linux system. By following 5 best practices mentioned above, you can significantly reduce risk of a brute-force login attack on your SSH server. Remember to use strong passwords, enable public key authentication, change default SSH port, limit SSH access, and install and use Fail2ban to monitor your SSH logs. By implementing these practices, you can ensure security of your Linux system and protect your data from unauthorized access.

Updated on: 10-Apr-2023


Kickstart Your Career

Get certified by completing the course

Get Started