Four Effective Ways to Stop SSH Brute‑Force Attacks

This guide explains four practical methods—using strong passwords, changing the default SSH port, disabling direct root login while granting sudo rights to a regular user, and enabling key‑based authentication—plus how to install and configure Fail2ban to automatically block repeated login failures on Linux servers.

Liangxu Linux

Overview

SSH brute‑force attacks are common on Linux servers. This guide presents four practical methods to mitigate them: using strong passwords, changing the default SSH port, disabling direct root login and granting sudo rights to a regular user, and configuring key‑based authentication. It also shows how to deploy Fail2ban for automated blocking.

1. Strong Passwords

Use a complex password of at least 16 characters without sequential numbers or letters, and rotate it regularly (e.g., monthly).

2. Change SSH Port

Edit /etc/ssh/sshd_config (line 17) to set a non‑standard port such as 2222, then restart the service.

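vim /etc/ssh/sshd_config
# set: Port 2222
# on SELinux-enforcing hosts the new port must also be allowed for sshd and opened in the firewall
sshd -t                  # check the configuration for syntax errors before restarting
systemctl restart sshd   # keep the current session open until a login on the new port works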

Verify the new port with a scanner (e.g., nmap 127.0.0.1).

3. Disable Direct Root Login and Create a Sudo User

Convert the root account to a system account and create a regular user with sudo privileges.

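useradd -s /bin/bash test   # create a regular user with a login shell
passwd test                 # set the password interactively
usermod -aG wheel test      # grant sudo through the wheel group (assumes the default RHEL/CentOS sudoers)
vim /etc/passwd             # ensure UID/GID are appropriate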

Test the new account with su - test and check /etc/shadow entries.

4. Key‑Based Authentication

Generate an RSA key pair on the client:

ssh-keygen -t rsa -b 4096
# accept defaults, no passphrase (the private key is then unencrypted on disk, so restrict access to it)

Copy the public key to the server:

ssh-copy-id root@SERVER_IP

After the key is installed, log in without a password using ssh SERVER_IP.

5. Install and Configure Fail2ban

Install Fail2ban from EPEL and enable it:

yum install epel-release -y
yum install fail2ban -y
systemctl enable fail2ban.service
systemctl start fail2ban.service

Edit /etc/fail2ban/jail.conf (or create jail.local) to protect SSH:

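[ssh-iptables]
enabled = true
filter = sshd
# port=ssh means TCP 22; if sshd was moved to 2222 in step 2, set port=2222 here
action = iptables[name=SSH,port=ssh,protocol=tcp]
logpath = /var/log/secure
# ban a source after 3 failures within 300 seconds, for 3600 seconds
maxretry = 3
findtime = 300
bantime = 3600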

Restart Fail2ban and verify status:

systemctl restart fail2ban.service
fail2ban-client status ssh-iptables

Use fail2ban-client set ssh-iptables unbanip IP to remove an IP from the blacklist.

Conclusion

Combining strong passwords, a non‑standard port, restricted root access, key authentication, and Fail2ban provides layered protection against SSH brute‑force attacks.
