Hardening SSH on Linux: Practical Defenses Against Brute‑Force Attacks

This guide explains why SSH brute‑force attacks threaten Linux servers and provides a step‑by‑step hardening checklist—including changing the default port, disabling root login, using key‑based authentication, deploying automatic block tools, setting IP whitelists, and regularly analyzing logs—to dramatically improve server security.

Liangxu Linux

Why SSH Brute‑Force Attacks Matter

With the widespread adoption of Linux servers, attackers frequently launch brute‑force attempts against the default SSH port (22), trying countless username‑password combinations. A successful compromise gives full control over the server, endangering all data and services.

1. Change the Default SSH Port

Moving SSH away from port 22 reduces exposure to automated scans.

# Edit the SSH daemon configuration
vim /etc/ssh/sshd_config

# Change the Port line, e.g.
Port 2222

After updating the port, open the new port in the firewall and restart the service:

# Restart the SSH daemon (keep the current session open until a login on the new port succeeds)
systemctl restart sshd

2. Disable Direct Root Login

Preventing root logins forces attackers to obtain a regular account first.

# In /etc/ssh/sshd_config
PermitRootLogin no

Create a non‑privileged user and grant sudo rights as needed:

# Add a new user
adduser username
passwd username

3. Enforce Key‑Based Authentication

Passwords are the weakest link; switching to SSH keys and then disabling password authentication removes password guessing as an attack path.

# Generate a strong RSA key pair
ssh-keygen -t rsa -b 4096

Copy the public key to the server and disable password authentication:

# Transfer the public key
ssh-copy-id user@server_ip

# Disable password login in /etc/ssh/sshd_config (confirm key login works first), then restart sshd
PasswordAuthentication no

4. Deploy Automatic Blocking Tools

Tools such as DenyHosts and Fail2Ban monitor SSH logs and ban IPs that repeatedly fail authentication.

# Install DenyHosts on CentOS
yum install -y denyhosts

# Edit /etc/denyhosts.conf (example settings)
SECURE_LOG = /var/log/secure
DENY_THRESHOLD_INVALID = 5
HOSTS_DENY = /etc/hosts.deny

# Enable and start the service
systemctl enable denyhosts
systemctl start denyhosts

5. Set an IP Whitelist

Restrict SSH access to trusted addresses using firewall rules.

# Allow the trusted IP (replace 22 with your SSH port if you changed it in step 1)
iptables -A INPUT -p tcp -s trusted_ip --dport 22 -j ACCEPT
# Drop all other SSH traffic
iptables -A INPUT -p tcp --dport 22 -j DROP

6. Regular Log Analysis

Periodically scan the authentication log for failed attempts and manually block suspicious IPs if needed.

# Find failed password attempts
grep "Failed password" /var/log/secure
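
A fuller version of this check, as an added example that is not part of the original article: it counts failed password attempts per source IP and lists the sources at or above a threshold. The function names, the threshold argument and the sample log lines are constructed for illustration; the assumed input is the sshd format written to /var/log/secure.

```sh
#!/bin/sh
# Added example (not from the original article): count failed SSH password
# attempts per source IP in an sshd log such as /var/log/secure.

# failed_ssh_sources LOGFILE [THRESHOLD]   (hypothetical helper name)
# Prints "COUNT IP" for each source with at least THRESHOLD failures
# (default 5), highest count first.
failed_ssh_sources() {
    awk -v min="${2:-5}" '
        # A failure line ends in: from <ip> port <port> ssh2
        # The IP is read relative to the end of the line, so a client-chosen
        # username that itself contains " from " cannot shift the field.
        /sshd\[[0-9]+\]: Failed password for / && $(NF-2) == "port" {
            count[$(NF-3)]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines in /var/log/secure format (documentation IP ranges).
sample_log() {
    cat <<'EOF'
May 12 03:14:01 web01 sshd[2101]: Failed password for root from 203.0.113.45 port 51122 ssh2
May 12 03:14:03 web01 sshd[2101]: Failed password for root from 203.0.113.45 port 51122 ssh2
May 12 03:14:07 web01 sshd[2104]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
May 12 03:15:10 web01 sshd[2110]: Failed password for invalid user x from 192.0.2.1 from 198.51.100.7 port 40022 ssh2
May 12 03:15:12 web01 sshd[2110]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
May 12 03:16:00 web01 sshd[2120]: Accepted password for deploy from 192.0.2.10 port 50500 ssh2
May 12 03:16:30 web01 sshd[2125]: Failed password for root from 203.0.113.45 port 51140 ssh2
EOF
}

# Demo run: list sources with 2 or more failures in the sample.
tmp=$(mktemp)
sample_log > "$tmp"
failed_ssh_sources "$tmp" 2
rm -f "$tmp"
```

The fourth sample line carries a username containing " from 192.0.2.1"; a parser that takes the first address after "from" would attribute the failure to that address and could end up blocking it instead of the real source.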

By combining port changes, root login restriction, key authentication, automated block tools, and IP whitelisting, administrators can significantly raise the bar against SSH brute‑force attacks while maintaining operational flexibility.
