How to Stop SSH Brute‑Force Attacks on Your Raspberry Pi with Hosts.allow and UFW

After a Raspberry Pi’s SSH service was overwhelmed by brute‑force login attempts, the author explains how to examine auth.log, identify malicious IPs, and protect the device by configuring /etc/hosts.allow / hosts.deny and setting up UFW whitelist rules to allow only trusted addresses.

Liangxu Linux

Background: the author set up external access to a home Raspberry Pi for remote SSH work.

One morning the SSH login failed intermittently; checking /var/log/auth.log revealed numerous failed login attempts from many IPs and usernames, indicating a brute‑force attack that also caused denial‑of‑service for legitimate connections.

Log excerpts show attempts with various usernames, root, and multiple source IPs, suggesting possible distributed attacks.
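The auth.log review described above can be scripted. The following is an added example, not code from the original article: it counts failed SSH password attempts per source address and the number of distinct usernames each source tried. The log lines are constructed samples using documentation address ranges, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in the format sshd writes to /var/log/auth.log.
# Addresses come from the documentation ranges; none are real sources.
sample_log() {
cat <<'EOF'
Mar  3 06:25:11 raspberrypi sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 06:25:14 raspberrypi sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2
Mar  3 06:25:15 raspberrypi sshd[2105]: Invalid user oracle from 198.51.100.23 port 40022
Mar  3 06:25:17 raspberrypi sshd[2105]: Failed password for invalid user oracle from 198.51.100.23 port 40022 ssh2
Mar  3 06:25:20 raspberrypi sshd[2109]: Failed password for invalid user pi from 192.0.2.1 from 203.0.113.7 port 51188 ssh2
Mar  3 06:26:02 raspberrypi sshd[2120]: Accepted password for pi from 192.0.2.50 port 50022 ssh2
EOF
}

# Print "attempts ip distinct_users" per source address, busiest first.
failed_by_ip() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / {
        # The user name is text chosen by the client and may contain " from ",
        # so locate the address from the end of the line: "<ip> port <n>".
        for (i = NF; i > 1; i--) if ($i == "port") break
        if (i < 4 || $(i - 2) != "from") next
        ip = $(i - 1)
        # Find where the user name starts, whatever the timestamp format is.
        for (f = 1; f <= NF; f++) if ($f == "Failed") break
        start = f + 3
        if ($start == "invalid" && $(start + 1) == "user") start += 2
        user = ""
        for (j = start; j <= i - 3; j++) {
            sep = (j > start) ? " " : ""
            user = user sep $j
        }
        count[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END { for (ip in count) print count[ip], ip, users[ip] }
    ' | sort -k1,1nr -k2,2
}

# Print only the addresses with at least $1 failed attempts.
noisy_sources() {
    failed_by_ip | awk -v min="$1" '$1 + 0 >= min + 0 { print $2 }'
}

# Against the real log on the Pi: failed_by_ip < /var/log/auth.log
sample_log | failed_by_ip
```

Only "Failed password" lines are counted, so the paired "Invalid user" line for the same attempt does not inflate the totals.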

Solution 1 – Host‑based access control

Configure /etc/hosts.deny to block all SSH connections by default:

sshd:ALL

Then whitelist trusted IPs in /etc/hosts.allow:

sshd:111.222.333.444

This takes effect instantly, but the daemon still logs rejected connections because the packets still reach the SSH service.

Solution 2 – UFW firewall

Enable UFW and set default policies to allow outgoing traffic and deny incoming traffic (keeping the current SSH session alive):

ufw enable
ufw default allow outgoing
ufw default deny incoming

Add a rule to permit SSH only from the trusted address:

ufw allow from 111.222.333.444 to any port 22

This blocks unwanted traffic at the network layer, providing stronger protection than the hosts.allow/deny method.

The author also notes that a separate external server experienced a SYN_RECV flood on port 80, indicating a possible DDoS attack, but no specific mitigation is detailed.
