4 Proven Ways to Stop SSH Brute‑Force Attacks (with Fail2ban Guide)

This article explains four effective techniques to protect SSH from brute‑force attacks—including strong passwords, changing the default port, using non‑root privileged users, and key‑based authentication—followed by detailed examples of configuration changes, Fail2ban installation, jail setup, testing, and IP unbanning procedures.

MaGe Linux Operations

Prevent SSH Brute‑Force Attacks: Four Methods

1. Method Overview

The four recommended ways to stop SSH brute‑force attacks are:

Use a complex password (e.g., 16 characters without sequential numbers or letters) and rotate it regularly, preferably monthly.

Change the default SSH port (22) to a non‑standard three‑ or four‑digit port to add obscurity.

Disable direct root login; create a regular user with sudo privileges to reduce the chance of a successful crack.

Adopt key‑based authentication, generating a public/private key pair and using the public key on the server.

Because the first method relies on password strength, the following sections demonstrate the remaining three methods.

2. Example Configurations

2.1 Change SSH Port

# Edit SSH configuration
vim /etc/ssh/sshd_config
# Change the Port line (default 22) to a custom value, e.g., 2222
systemctl restart sshd

After modifying the port, restart the SSH service and verify with a port‑scanning tool such as nmap:

[root@localhost ~]# nmap 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2023-03-05 11:44 CST
PORT     STATE SERVICE
21/tcp   open  ftp
2222/tcp open  EtherNet/IP-1
3306/tcp open  mysql
9050/tcp open  tor-socks

2.2 Grant Super‑User Privileges to a Regular Account

# Add a new user and give it sudo rights
useradd -s /bin/bash test
vim /etc/passwd   # modify UID/GID if needed
# Set the password non-interactively; the literal below ends up in shell history,
# so on a real system run "passwd test" and type the password at the prompt
echo "GUANzhu123//" | passwd --stdin test

Test the new account's privileges by switching to it and checking the /etc/shadow file:

[root@localhost ~]# su - test
$ pwd
/home/test
$ tail -2 /etc/shadow
mysql:!!:19420::::::
test:!!:19421:0:99999:7:::

Tip: Remember to set a password for the new privileged user; otherwise you may be locked out.

2.3 Use Key‑Based Authentication

# Generate RSA key pair (4096‑bit)
ssh-keygen -t rsa -b 4096
# Accept defaults; no passphrase needed for automated login
# Copy the public key to the remote server
ssh-copy-id [email protected]
# Test password‑less login
ssh 192.168.196.23

After copying the key, you can log in without entering a password.

3. Fail2ban Protection

3.1 Install Fail2ban

yum install epel-release -y
yum install fail2ban -y

3.2 Configure the SSH Jail

# Edit /etc/fail2ban/jail.conf
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH,port=ssh,protocol=tcp]
logpath = /var/log/secure
maxretry = 3
findtime = 300
bantime = 3600

# Restart Fail2ban and enable it at boot
systemctl restart fail2ban.service
systemctl enable fail2ban.service
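
The three numbers in the jail work together as a sliding window: an address is banned for bantime seconds once maxretry failures from it fall within findtime seconds. The sketch below is an added example, not Fail2ban's own code and not part of the original article; it replays constructed /var/log/secure lines through that rule, and the regex, the sample addresses and the function name simulate_jail are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY, FINDTIME, BANTIME = 3, 300, 3600  # values from the [ssh-iptables] jail

# Simplified stand-in for Fail2ban's sshd filter (assumption: the shipped
# filter recognises many more sshd message variants than this one regex).
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed lines in /var/log/secure format (documentation IP ranges).
SAMPLE_LOG = """\
Mar  5 11:50:01 localhost sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  5 11:50:09 localhost sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Mar  5 11:51:30 localhost sshd[2110]: Failed password for test from 198.51.100.4 port 51200 ssh2
Mar  5 11:52:44 localhost sshd[2115]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  5 11:58:00 localhost sshd[2120]: Failed password for test from 198.51.100.4 port 51222 ssh2
Mar  5 12:03:10 localhost sshd[2131]: Failed password for test from 198.51.100.4 port 51260 ssh2
Mar  5 12:04:00 localhost sshd[2140]: Accepted publickey for test from 198.51.100.4 port 51270 ssh2
"""

def simulate_jail(log_text, year=2023):
    """Return [(ip, ban_start, ban_end)] that the jail settings would produce."""
    recent = defaultdict(deque)      # ip -> failure timestamps inside findtime
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                 # successful logins and other lines are ignored
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ts < banned_until.get(ip, ts):
            continue                 # address is already blocked by the ban
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()         # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate_jail(SAMPLE_LOG):
        print(f"{ip} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

In the sample, 203.0.113.7 is banned on its third failure inside five minutes, while the user at 198.51.100.4 who mistypes a password three times over roughly twelve minutes is not, which is the behaviour to keep in mind when tuning maxretry and findtime against false bans.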

3.3 Test and Manage Banned IPs

Check the current status of the jail:

fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
- Filter
  Currently failed: 0
  Total failed: 6
- Actions
  Currently banned: 1
  Total banned: 2
  Banned IP list: 192.168.196.23

If a legitimate user is mistakenly banned, unban the IP with:

fail2ban-client set ssh-iptables unbanip 192.168.196.23

Conclusion

The above four methods—strong passwords, port modification, non‑root privileged users, and key‑based authentication—combined with Fail2ban provide a robust defense against SSH brute‑force attacks. You can also script temporary IP blocks for repeated attacks. If you found this guide helpful, feel free to give it a like!
