5 Best Practices to Prevent SSH Brute-Force Login Attacks in Linux

In today's digital landscape, security is paramount. One of the most common attack vectors against Linux systems is through SSH brute-force login attacks. SSH (Secure Shell) is a network protocol used to access and manage remote systems securely. This article outlines 5 essential best practices to fortify your SSH server against unauthorized access attempts.

Use Strong Passwords

The foundation of SSH security lies in strong password policies. Effective passwords should be at least 12 characters long, incorporating uppercase and lowercase letters, numbers, and special characters. Avoid predictable patterns like "password123" or "admin123" that automated tools can easily crack.

Consider using password managers or passphrases composed of random words. Implement regular password rotation every 90 days and enforce complexity requirements across all user accounts.

Implement Public Key Authentication

Public key authentication provides superior security compared to password-based login. This method uses cryptographic key pairs ? a public key stored on the server and a private key secured on your local machine.

During authentication, the server verifies your identity using the public key. Even if attackers obtain your password, they cannot access the system without your private key.

Setting Up Key-Based Authentication

# Generate key pair on local machine
ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"

# Copy public key to server
ssh-copy-id username@server_ip

# Disable password authentication (in /etc/ssh/sshd_config)
PasswordAuthentication no
PubkeyAuthentication yes

Change the Default SSH Port

SSH servers listen on port 22 by default, making them easy targets for automated scanners. Changing to a non-standard port significantly reduces exposure to opportunistic attacks.

# Edit SSH configuration
sudo nano /etc/ssh/sshd_config

# Change port number
Port 2222

# Restart SSH service
sudo systemctl restart sshd

While not foolproof against determined attackers, port obfuscation eliminates most automated scanning attempts.

Restrict SSH Access with Firewall Rules

Network-level access control limits SSH connections to trusted sources. Configure your firewall to allow SSH access only from specific IP addresses or network ranges.

# Allow SSH from specific IP using iptables
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT

# Block all other SSH attempts
iptables -A INPUT -p tcp --dport 22 -j DROP

# Save rules permanently
iptables-save > /etc/iptables/rules.v4

This approach ensures only authorized networks can attempt SSH connections, dramatically reducing attack surface.

Deploy Fail2ban for Intrusion Prevention

Fail2ban automatically monitors SSH logs and temporarily blocks IP addresses after repeated failed login attempts. This tool effectively mitigates brute-force attacks by implementing dynamic IP blocking.

Installation and Configuration

# Install Fail2ban
sudo apt-get install fail2ban

# Create local configuration
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Configure SSH protection in jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

This configuration blocks attackers for one hour after three failed attempts within a 10-minute window.

Additional Security Measures

Disable Root Login

Direct root access via SSH poses significant security risks. Create regular user accounts with sudo privileges instead.

# In /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers username1 username2

Enable Two-Factor Authentication

Implement 2FA using tools like Google Authenticator for an additional security layer beyond passwords or keys.

Monitor SSH Logs

Regular log analysis helps identify suspicious activities and potential security breaches. Use tools like journalctl or dedicated log monitoring solutions.

Comparison of Security Methods

Conclusion

Securing SSH requires implementing multiple layers of defense against brute-force attacks. By combining strong authentication methods, access restrictions, and monitoring tools, you create a robust security posture. These practices significantly reduce the risk of unauthorized access and protect your Linux systems from common attack vectors.