Brute Force Protection on SSH
How to Prevent Brute Force attack on SSH on Ubuntu and seven protective measures to prevent the attack and safeguard your server.

The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP), so Brute Force Prevention on SSH is essential to prohibit the server from being hacked.

According to the SANS Institute Security Risks Report for 2007, brute-force/dictionary attacks against remote services such as SSH, are one of the Top-20 most common forms of attack on the Internet that compromise servers. In particular, Unix-based and Mac OS X servers that run an SSH service to allow administrators secure remote connections are at risk. The ISO has seen an increased number of systems compromised via brute-Force/dictionary attack. The attacks are continuous and facilitated through the process of improving dictionaries when lax countermeasures are in place. An excessive number of failed log-ins is a sign of brute-force/dictionary attack against your SSH server.

To protect your SSH server from a brute-force/dictionary attack, please follow these seven protective measures:

Disable Root Access

It is a good security practice to disable logins via SSH for the root account. Log in from your non-privileged user account and escalate privilege when and if necessary. SUDO and SU are examples of tools/commands that allow privilege escalation. These provide the added benefit of accountability (i.e. logging) in environments where root access must be shared.

Disable unused services

Disable SSH if it is not in use.

sudo service sshd stop
sudo service sshd disable

Run the SSH server on a non-standard, high port

This will mitigate automated attacks scanning for SSH servers on the default port.

To change the default port used by SSH open the following file

sudo vi /etc/ssh/sshd_config

and change the port to any port number of your choice (For example 7777)

Filter traffic to your SSH server 

Whenever possible, filter traffic to your SSH server (with a network or host based firewall) restricting access to only known IP addresses. Restricting access to the campus VPN subnet or a range of IP addresses is a good start for filtering traffic.

Block all the incoming traffic on ssh configured port

sudo ufw enable
sudo iptables -I INPUT -p tcp --dport 7927 -j DROP

Now unblock your internal IP range which can have access to the SSH port

sudo iptables -I INPUT -p tcp --dport 7777 -m iprange --src-range -j ACCEPT

Install and maintain anti-brute-force tools

There are a number of filters and tools that administrators can use to block and protect against brute-force/dictionary attacks. A few are:

Pam_abl – Provides a blacklisting of hosts and users responsible for repeated failed authentication attempts. Pam_abl download

SSHBan – Receives data directly from the loggers instead of scanning system logs. SSHBan download

Fail2ban works IP-based and will block the IPs from which too many failed login attempts are made, however other IPs / users on the same network will not be slowed down.

The procedure to setup Fail2Ban on SSH and cloud server like Nextcloud, follow the procedure described in the article below

Fail2ban brute force proetction utility logo

Enforce strong passwords

Using a strong password will enhance your defense against SSH brute-force/dictionary password attacks. Please refer to Computing Services Password Requirements and Guidelines for Password Management for more information on how to select and manage a strong password.

Limit connection rates

For example, limit the number of SYN packets – This practice will not affect the legitimate user, but will limit incoming attacks from rapid, repeated connection attempts.

Similar Posts

  • All
  • apache2
  • mariadb
  • nextcloud
  • php
  • raspberrypi
  • ubuntu
  • lamp
  • wordpress
  • ftp
  • sftp
  • ssh

Mobeen Syed on January 22, 2021

How to Prevent Brute Force attack on SSH on Ubuntu and seven protective measures to prevent the attack and safeguard your server.
Wordpress Logo

Mobeen Syed on October 3, 2022

How to install and configure WordPress on Ubuntu 22.04 LTS (your own private server) using Apache2, MariaDB (MySQL) and PHP8.1 setup.

Mobeen Syed on October 3, 2022

Installation and Setup of Fail2ban Brute force protection on Nextcloud, SSH, FTP etc on Ubuntu or other debian based distributions.

Leave a Reply

Your email address will not be published. Required fields are marked *