How to Harden SSHD Against Brute‑Force Attacks with Fail2Ban

This tutorial walks through the practical steps to protect an SSH daemon from brute‑force attacks by enforcing strong passwords, changing the default port, disabling root logins, and configuring Fail2Ban to automatically ban malicious IPs, complete with command‑line examples and configuration details.


Background: a public web server's SSH service was being hammered by brute-force login attempts; the constant authentication load drove up CPU usage and slowed the site.

Brute‑Force Attack Process

The typical steps are:

Scan for open port 22.

Identify the Linux server.

Attempt login with common usernames (e.g., root) and guessed passwords.

Basic Preventive Measures

Three simple defenses are recommended:

Use strong passwords: at least 8 characters (preferably 14 or more) mixing digits, upper- and lower-case letters, and symbols. The attack in the background relies on guessing short or common passwords.

Change the default SSH port (22) to an uncommon one, e.g., 81. This only cuts the noise from mass scanners that try port 22 alone; a targeted attacker finds the new port with a full port scan, so treat it as a supplement, not a control. On RHEL 6 with SELinux enforcing, sshd will refuse to bind a non-standard port until that port is labelled ssh_port_t (semanage port), and the firewall must allow it before you restart sshd.

Do not log in as root; create a regular account and use sudo when needed. The standard way to enforce this is PermitRootLogin no in sshd_config.

Example commands:

# Install nmap from the RHEL 6 install media, to see the server as a scanner does
rpm -ivh /mnt/Packages/nmap-5.21-4.el6.x86_64.rpm
# Scan the server: an open 22/tcp is what the attacker looks for
nmap 192.168.1.63
# Edit SSH config to change the port
vim /etc/ssh/sshd_config   # change "Port 22" to "Port 81"
# Restart SSH service; keep the current session open until the new port is verified
/etc/init.d/sshd restart
# Test the new port from a second terminal (replace user with your account)
ssh -p 81 user@192.168.1.63

Creating a Non‑Root Account with UID 0 (Demonstration)

The tutorial's variant of "no root login" is to take the root name out of reach: it creates an ordinary-looking user mk, sets a password, and edits /etc/passwd so that root's shell becomes /sbin/nologin and mk gets UID 0. mk then has root's privileges, while the username every brute-forcer tries first no longer accepts logins. Two caveats: a second UID 0 account is exactly what rootkit checkers and audit tools flag as a backdoor, and the same protection is obtained the standard way with PermitRootLogin no in sshd_config plus sudo for the ordinary account; and the demo password 123456 breaks the strong-password rule above.

# Add user
useradd mk
# Set password (demo value only: it breaks the strong-password rule above, and
# passing it on the command line leaves it in the shell history)
echo 123456 | passwd --stdin mk
# Edit /etc/passwd (vipw does the same with the file locked):
#   change root's shell to /sbin/nologin to prevent root login
#   change mk's UID (third field) to 0
vim /etc/passwd
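The sshd_config changes behind the "basic measures" and the root-login section (new port, no root login) are usually made by hand with vim. As an added example that is not part of the tutorial, the script below does them as an idempotent text transform so the result can be reviewed and checked with sshd -t before it replaces the live file. The sample config is constructed for the example; the path /etc/ssh/sshd_config and port 81 follow the article, while MaxAuthTries, LoginGraceTime and PermitEmptyPasswords are the editor's additions.

```python
"""Added example (not from the tutorial): apply the sshd_config changes the
text describes (non-default port, no root login) as an idempotent text
transform, so the result can be reviewed and checked with sshd -t before it
replaces the live file. The sample config is constructed; the path
/etc/ssh/sshd_config and port 81 follow the article, while MaxAuthTries,
LoginGraceTime and PermitEmptyPasswords are the editor's additions."""
import re
import sys

# Constructed stand-in for an untouched RHEL 6 sshd_config, including a Match
# block: anything appended after "Match" would apply only to that block.
SAMPLE_CONFIG = """\
# $OpenBSD: sshd_config
#Port 22
#Protocol 2,1
#PermitRootLogin yes
#MaxAuthTries 6
X11Forwarding yes
Match User backup
    PasswordAuthentication no
"""

# Settings from the article plus the editor's rate-limiting extras.
HARDENING = [
    ("Port", "81"),                  # article: move off port 22
    ("PermitRootLogin", "no"),       # article: no direct root login
    ("MaxAuthTries", "3"),           # editor: three guesses per connection
    ("LoginGraceTime", "30"),        # editor: drop idle pre-auth connections
    ("PermitEmptyPasswords", "no"),  # editor: never accept an empty password
]

MATCH_RE = re.compile(r"^Match\b", re.M)


def split_global(text):
    """Split the config into (global section, everything from the first Match on)."""
    m = MATCH_RE.search(text)
    return (text, "") if m is None else (text[:m.start()], text[m.start():])


def set_option(text, key, value):
    """Return text with exactly one active 'key value' line in the global section.

    Existing active or commented-out lines for key are replaced (the first one
    in place, duplicates dropped); if none exists the line is appended to the
    global section, ahead of any Match block.
    """
    global_part, match_part = split_global(text)
    line_re = re.compile(r"^[#\t ]*" + re.escape(key) + r"[\t ]+")
    new_line = "%s %s" % (key, value)
    out, done = [], False
    for line in global_part.splitlines():
        if line_re.match(line):
            if not done:
                out.append(new_line)
                done = True
            continue
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n" + match_part


def get_option(text, key):
    """Effective global value of key (first uncommented line), or None if unset."""
    global_part, _ = split_global(text)
    for line in global_part.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return None


def harden(text, settings=HARDENING):
    """Apply every (key, value) in settings; running it twice changes nothing."""
    for key, value in settings:
        text = set_option(text, key, value)
    return text


def main(argv):
    # Usage: python harden_sshd.py [/etc/ssh/sshd_config]
    # Writes <path>.new next to the original instead of editing it in place.
    path = argv[1] if len(argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as f:
        original = f.read()
    hardened = harden(original)
    with open(path + ".new", "w") as f:
        f.write(hardened)
    for key, _value in HARDENING:
        print("%-22s %s -> %s" % (key, get_option(original, key), get_option(hardened, key)))
    print("wrote %s.new; validate with: sshd -t -f %s.new" % (path, path))


if __name__ == "__main__":
    main(sys.argv)
```

After reviewing the .new file, move it into place, run sshd -t, open the port in iptables (and label it with semanage on SELinux hosts), restart sshd from a session you keep open, and confirm ssh -p 81 works before closing that session.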

Introducing Fail2Ban

Fail2Ban tails log files (here /var/log/secure, where sshd logs on RHEL) and, when one source address reaches a configurable number of failed logins (maxretry) within a time window (findtime), inserts an iptables rule that blocks that address for bantime seconds. It can also send an e-mail for each ban; the sendmail-whois action used below needs the sendmail and whois commands installed.

Installation

# Download and extract
tar -zxvf fail2ban-0.8.14.tar.gz
cd fail2ban-0.8.14
# Verify Python version (Fail2Ban 0.8 needs 2.4 or later)
python -V   # e.g., Python 2.6.6
# Install the package
python setup.py install
# Copy init script and enable service
cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig --list fail2ban

Configuration

Enable the SSH jail. Rather than editing /etc/fail2ban/jail.conf directly, put the section in /etc/fail2ban/jail.local, which overrides jail.conf and survives upgrades; put your own addresses in dest= and sender=. Fail2Ban's config parser treats # as a comment only at the start of a line, so keep comments on lines of their own:

[ssh-iptables]
enabled  = true
filter   = sshd
# port= must be the port sshd actually listens on: "ssh" resolves to 22 via
# /etc/services, so after moving sshd to 81 the ban rule must say port=81
action   = iptables[name=SSH, port=81, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
# three failures from one address within 300 s (5 min) ban it for 3600 s (1 h)
findtime = 300
maxretry = 3
bantime  = 3600

Starting and Testing

# Start the service
service fail2ban start
# Verify that the jail is up (also lists currently banned addresses)
fail2ban-client status ssh-iptables
# Attempt three wrong passwords, then a correct one: the fourth connection is
# dropped by iptables. Do this from a second machine, or add your own admin
# address to ignoreip in the jail, or you will lock yourself out for an hour.
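To see what findtime, maxretry and bantime in the jail above actually do, and what the three-wrong-passwords test will produce, here is an added example that is not part of the tutorial or of Fail2Ban: it replays /var/log/secure lines through the same counting rules and reports which source addresses would be banned, and when. The log lines are constructed for the example, the regex is a simplified form of the sshd filter's failed-password pattern (the editor's, not the filter file), and the year is assumed because syslog timestamps carry none.

```python
"""Added example, not part of the tutorial or of Fail2Ban: replay lines from
/var/log/secure through the counting rules of the ssh-iptables jail
(findtime=300, maxretry=3, bantime=3600) to see which addresses would be
banned, and when. The log lines are constructed for this example and the
year is assumed (syslog timestamps carry none)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure. Lines 1-4: one address guessing root
# and "admin" quickly; lines 6-8: an address failing three times, but too
# slowly to fit three failures into one 5-minute window.
SAMPLE_SECURE = """\
Jan 10 10:00:01 web1 sshd[2011]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 web1 sshd[2011]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:05 web1 sshd[2013]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 10:00:06 web1 sshd[2015]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 10 10:02:00 web1 sshd[2020]: Accepted password for mk from 192.0.2.10 port 40000 ssh2
Jan 10 10:03:00 web1 sshd[2021]: Failed password for mk from 192.0.2.10 port 40002 ssh2
Jan 10 10:09:30 web1 sshd[2022]: Failed password for mk from 192.0.2.10 port 40003 ssh2
Jan 10 10:15:00 web1 sshd[2023]: Failed password for mk from 192.0.2.10 port 40004 ssh2
Jan 10 11:05:00 web1 sshd[2030]: Failed password for root from 203.0.113.5 port 51300 ssh2
""".splitlines()

# Simplified form of the Fail2Ban sshd filter's failed-password pattern
# (editor's regex, not the filter file): timestamp, user and source address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)
YEAR = 2024  # assumption: syslog lines carry no year


def parse_failure(line):
    """Return (timestamp, host, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime("%d %s" % (YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("user")


def simulate(lines, findtime=300, maxretry=3, bantime=3600):
    """Replay log lines with the jail's parameters (in seconds, as in jail.conf).

    Returns a list of (ban_timestamp, host, failures_in_window). A host is
    banned on the failure that brings its count within the last findtime
    seconds up to maxretry; lines from a host while it is banned are ignored
    (the iptables rule would have dropped that connection), and the ban
    lapses after bantime seconds. Counting is per address, whatever the user.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # host -> timestamps of failures still in window
    banned_until = {}
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                       # accepted logins and other noise do not count
        ts, host, _user = parsed
        if host in banned_until:
            if ts < banned_until[host]:
                continue
            del banned_until[host]         # bantime elapsed, start counting afresh
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            bans.append((ts, host, len(recent[host])))
            banned_until[host] = ts + timedelta(seconds=bantime)
            recent[host] = []
    return bans


def report(lines, **jail):
    """One human-readable line per ban, for a quick audit of a log file."""
    return ["%s ban %s after %d failures" % (ts.strftime("%b %d %H:%M:%S"), host, n)
            for ts, host, n in simulate(lines, **jail)]


if __name__ == "__main__":
    for entry in report(SAMPLE_SECURE):
        print(entry)
    # Same lines with a 15-minute findtime: the slow guesser is now banned too.
    for entry in report(SAMPLE_SECURE, findtime=900):
        print(entry)
```

With the jail's values only 203.0.113.5 is banned, on its third failure at 10:00:05; the later line from it at 10:00:06 is ignored because the real ban would have dropped that connection, and the line at 11:05:00 starts a fresh count after the hour. Widening findtime to 900 also catches 192.0.2.10, which spreads three failures over twelve minutes; that is the trade-off the two knobs express. On the real host, compare such verdicts with fail2ban-client status ssh-iptables and the fail2ban-SSH chain in iptables -L -n.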

Final Checklist

Enforce strong passwords.

Change the default SSH port.

Disable direct root login.

Deploy Fail2Ban to automatically block repeated failed attempts.

Together these measures stop the bulk of opportunistic brute-force traffic. Note that the port change only reduces noise; the strong password (guesses cannot succeed) and Fail2Ban (guesses cannot be made at volume) are what actually defeat the attack.

Tags: System Administration, Linux Security, Brute-force protection, Fail2Ban
Written by

ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.
