Stop SSH Brute‑Force Attacks: 4 Hardening Techniques with Fail2ban and Key Authentication
This guide explains four practical ways to protect a Linux server from SSH brute‑force attacks—using complex passwords, changing the default port, disabling direct root login, and enabling public‑key authentication—plus detailed steps to install and configure Fail2ban for automatic IP blocking.
Introduction
The article presents practical methods to prevent SSH brute‑force attacks on Linux servers, covering password policies, port changes, user management, key‑based login, and the use of Fail2ban with iptables for automated blocking.
Four Hardening Methods
Use a complex password (recommended 16 characters, no sequential patterns) and rotate it regularly, e.g., monthly.
Change the default SSH port (22) to a non‑standard value such as 2222 to reduce automated scans.
Disable direct root login, create a regular user, and grant it sudo privileges.
Adopt public‑key authentication to eliminate password‑based logins.
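The sshd_config side of these methods can be checked mechanically. The script below is an added example, not part of the original article: it audits a config file for a non-default Port, PermitRootLogin no, PasswordAuthentication no and PubkeyAuthentication yes, taking the first occurrence of each keyword because that is the one sshd uses. The function names and the sample config are constructed for illustration, and it assumes plain "Keyword value" lines without Include files.

```shell
#!/bin/sh
# Added example (not from the article): audit sshd_config for the settings above.
# Assumes "Keyword value" lines; Include files are not followed.

# Print the effective value of keyword $2 in file $1 (lowercased).
# sshd uses the FIRST occurrence of a keyword; later duplicates are ignored.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # Match blocks are conditional
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

report() {  # report <ok|FAIL> <message>; count failures
    echo "$1 $2"
    [ "$1" = ok ] || fails=$((fails + 1))
}

# Audit file $1; return the number of failed checks.
audit_sshd_config() {
    fails=0
    port=$(effective_value "$1" Port)
    root=$(effective_value "$1" PermitRootLogin)
    pass=$(effective_value "$1" PasswordAuthentication)
    pkey=$(effective_value "$1" PubkeyAuthentication)
    case "${port:-22}" in 22) report FAIL "Port 22 (default)";; *) report ok "Port $port";; esac
    case "$root" in no) report ok "PermitRootLogin no";; *) report FAIL "PermitRootLogin ${root:-unset}";; esac
    case "${pass:-yes}" in no) report ok "PasswordAuthentication no";; *) report FAIL "PasswordAuthentication yes";; esac
    case "${pkey:-yes}" in yes) report ok "PubkeyAuthentication yes";; *) report FAIL "PubkeyAuthentication $pkey";; esac
    return "$fails"
}

# Constructed sample: the later "PermitRootLogin no" is shadowed by the earlier
# "yes", and the commented-out PasswordAuthentication line has no effect.
write_sample() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd_config "$sample"
echo "failed checks: $?"
rm -f "$sample"
```

On a live host, `sshd -T` prints the configuration sshd will actually use, including any included files, and is the authoritative check.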
Changing the SSH Port
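# edit the Port line, e.g., Port 2222
vim /etc/ssh/sshd_config
# on SELinux-enforcing hosts the new port must also be allowed for sshd,
# and it must be open in the firewall, before the restart
systemctl restart sshd
# verify with a port scanner
nmap 127.0.0.1
Granting Sudo Rights to a Non‑Root User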
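useradd -s /bin/bash test
# set password (example value; passwd --stdin is specific to RHEL/CentOS,
# and a password typed on the command line is kept in the shell history)
echo "GUANzhu123//" | passwd --stdin test
# optionally edit /etc/passwd to adjust UID/GID
su - test
# check /etc/shadow entries for the new user
Public‑Key Authentication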
ssh-keygen -t rsa -b 4096
# copy the public key to the server
ssh-copy-id [email protected]
# login without password
ssh 192.168.196.23
Fail2ban Installation and Configuration
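yum install epel-release -y
yum install fail2ban -y
# edit /etc/fail2ban/jail.conf
# (the same section placed in /etc/fail2ban/jail.local survives package upgrades)
[ssh-iptables]
enabled = true
filter = sshd
# port=ssh resolves to 22; if sshd listens on another port (e.g. 2222), put that number here
action = iptables[name=SSH,port=ssh,protocol=tcp]
logpath = /var/log/secure
# ban for bantime seconds after maxretry failures within findtime seconds
maxretry = 3
findtime = 300
bantime = 3600
# restart and enable the service
systemctl restart fail2ban.service
systemctl enable fail2ban.service
Testing and Managing Bans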
ssh 192.168.196.166 # trigger failed attempts
fail2ban-client status ssh-iptables
iptables -L -n
# unban an IP if needed
fail2ban-client set ssh-iptables unbanip 192.168.196.23
Conclusion
Combining complex passwords, a non‑standard port, restricted root access, and public‑key authentication creates layered defense, while Fail2ban automatically blocks repeated failed login attempts; scripts can further automate temporary IP bans.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)