How to Harden SSH Against Brute‑Force Attacks: Password Policies, Port Hiding, Non‑Root Users, and Fail2Ban

This guide explains four practical ways to protect a Linux server from SSH brute‑force attacks—using strong passwords, changing the default port, disabling direct root login in favor of privileged users, and configuring key‑based authentication—plus detailed steps to install and tune Fail2Ban with iptables for automatic IP blocking.

Liangxu Linux

Methods Overview

Enforce complex, regularly‑changed passwords.

Change the default SSH port (22) to a non‑standard value.

Disable direct root login and grant sudo privileges to a regular user.

Use public‑key authentication to eliminate password prompts.

Changing the SSH Port

Edit /etc/ssh/sshd_config and modify the Port line (e.g., Port 2222), then restart the service:

vim /etc/ssh/sshd_config
systemctl restart sshd

Verify the new port with a scanner such as nmap:

# nmap 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org )
... 
2222/tcp open  EtherNet/IP-1

Creating a Privileged Non‑Root User

First, add a new user and set a password:

# useradd -s /bin/bash test
# echo "StrongPass123" | passwd --stdin test

Then edit /etc/passwd to change the UID/GID if needed, and confirm the user can sudo:

# su - test
# pwd
/home/test

Tip: Ensure the new user has a login password; otherwise you may be locked out.

Setting Up Public‑Key Authentication

Generate a key pair on the client:

# ssh-keygen -t rsa -b 4096
# (accept defaults, no passphrase)

Copy the public key to the server:

# ssh-copy-id [email protected]

After the key is installed, you can log in without a password:

# ssh 192.168.196.23
Last login: ...
[root@node1 ~]#

Installing and Configuring Fail2Ban

Install the EPEL repository and Fail2Ban:

yum install epel-release -y
yum install fail2ban -y

Edit /etc/fail2ban/jail.conf (or a local override) to enable the SSH jail:

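[ssh-iptables]
enabled = true
filter = sshd
# port=ssh means 22/tcp; if sshd listens elsewhere (e.g. 2222), put that port number here
action = iptables[name=SSH,port=ssh,protocol=tcp]
logpath = /var/log/secure
# Ban an IP for bantime seconds after maxretry failures within findtime seconds
maxretry = 3
findtime = 300
bantime = 3600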

Enable and start the service:

systemctl enable fail2ban.service
systemctl restart fail2ban.service
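
A check for the settings changed in this guide, as an added example that is not part of the original article: it reads sshd_config and the jail file and reports when the jail's port= does not match the port sshd listens on (port=ssh means 22, so bans would not cover a server moved to 2222). The PermitRootLogin and PasswordAuthentication checks and all function names are this example's assumptions about how the overview's points map to sshd_config directives.

```sh
#!/bin/sh
# Added example (not from the original article): offline audit of the files
# this guide edits. Directive choices beyond Port are assumptions, see lead-in.

# First value of an sshd_config keyword. sshd uses the first occurrence and
# keywords are case-insensitive; parsing stops at the first Match block.
sshd_value() {  # usage: sshd_value <sshd_config> <keyword>
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# port= argument of the iptables action line in a fail2ban jail file.
jail_port() {  # usage: jail_port <jail-file>
    sed -n 's/^[[:space:]]*action[[:space:]]*=.*port=\([^],]*\).*/\1/p' "$1" | head -n 1
}

# Prints one finding per line; the return status is the number of findings.
audit_ssh() {  # usage: audit_ssh <sshd_config> <jail-file>
    findings=0
    port=$(sshd_value "$1" Port); port=${port:-22}   # sshd default is 22
    root=$(sshd_value "$1" PermitRootLogin)
    pass=$(sshd_value "$1" PasswordAuthentication)
    jport=$(jail_port "$2")
    if [ "$jport" = "ssh" ]; then jport=22; fi       # service name ssh = 22/tcp

    if [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22"
        findings=$((findings + 1))
    fi
    if [ "$root" != "no" ]; then
        echo "WARN: PermitRootLogin is '${root:-unset}', root login is not disabled"
        findings=$((findings + 1))
    fi
    if [ "$pass" != "no" ]; then
        echo "WARN: PasswordAuthentication is '${pass:-unset}', passwords are still accepted"
        findings=$((findings + 1))
    fi
    if [ "$jport" != "$port" ]; then
        echo "FAIL: jail bans port ${jport:-unset} but sshd listens on $port"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against real files when two paths are given on the command line.
if [ "$#" -eq 2 ]; then audit_ssh "$1" "$2"; fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config /etc/fail2ban/jail.conf` (the script name is arbitrary); an exit status of 0 means no findings.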

Testing and Managing Bans

Attempt several failed logins to trigger the ban, then check the status:

# fail2ban-client status ssh-iptables
# fail2ban-client status

To unban an IP:

# fail2ban-client set ssh-iptables unbanip 192.168.196.23

Conclusion

Combining strong passwords, a non‑standard SSH port, privileged non‑root accounts, key‑based authentication, and Fail2Ban provides layered defense against brute‑force attacks, and the configurations can be scripted for automated deployment.
