As the backbone of many enterprise and web infrastructures, Linux servers need robust security measures to defend against a growing array of threats. One of the more common vulnerabilities faced by Linux servers is brute-force attacks on the Secure Shell (SSH) protocol. These attacks involve automated scripts that repeatedly attempt to guess SSH credentials (username and password combinations) until they successfully gain access. This article will outline best practices for securing your Linux server against SSH brute-force attacks.

Understanding SSH Brute-Force Attacks

Before diving into the preventive measures, it’s essential to understand what a brute-force attack entails. Attackers leverage powerful tools and bots to cycle through a list of potential username/password combinations, hoping to find the correct credentials. This can occur in a matter of minutes or hours, depending on the complexity of the password and the attacker’s resources.

1. Change the Default SSH Port

By default, SSH runs on port 22. Changing this port to a non-standard one can help reduce the noise from automated scans and attacks, as many bots automatically target port 22. Here’s how to change the SSH port:

  1. Open the SSH configuration file:

    sudo nano /etc/ssh/sshd_config

  2. Look for the line:

    #Port 22

  3. Uncomment the line and change it to your new port number (e.g., 2222):

    Port 2222

  4. Save and exit the file, then restart the SSH service:

    sudo systemctl restart sshd

2. Use SSH Key Authentication

SSH key authentication is more secure than password authentication. With keys, the attacker needs access to your private key, making brute-force attempts futile. To set up SSH key authentication:

  1. Generate a key pair on your client machine:

    ssh-keygen -t rsa -b 4096

  2. Transfer the public key to your server:

    ssh-copy-id -i ~/.ssh/my_key.pub user@your_server_ip

  3. Disable password authentication by editing the SSH configuration file:

    sudo nano /etc/ssh/sshd_config

    Change the following line:

    PasswordAuthentication no

  4. Save and restart the SSH service.

3. Implement Fail2Ban

Fail2Ban is a powerful tool that helps protect against brute-force attacks by monitoring SSH logs and banning IP addresses that exhibit suspicious behavior.

  1. Install Fail2Ban:

    sudo apt-get install fail2ban

  2. Configure Fail2Ban:

    Create a new configuration file or edit the existing one:

    sudo nano /etc/fail2ban/jail.local

    Add the following configuration:

    [sshd]
    
enabled = true
    
port = ssh
    
filter = sshd
    
logpath = /var/log/auth.log
    
maxretry = 5
    
bantime = 86400

    This setting will ban an IP for 24 hours after five failed login attempts.

  3. Restart Fail2Ban:

    sudo systemctl restart fail2ban

4. Configure SSH to Limit User Access

Limiting access to specific users can reduce the number of vectors an attacker has for brute-force attempts.

  1. Open the SSH configuration file:

    sudo nano /etc/ssh/sshd_config

  2. Add or modify the following line with your permitted users:

    AllowUsers user1 user2

This will permit only user1 and user2 to access the server using SSH, denying all others.

5. Use Two-Factor Authentication (2FA)

Implementing two-factor authentication for SSH adds another layer of security. Tools like Google Authenticator or Duo can be used for this purpose.

  1. Install the necessary packages:

    sudo apt-get install libpam-google-authenticator

  2. Configure Google Authenticator for a user:

    google-authenticator

  3. Edit the SSH configuration to use PAM:

    sudo nano /etc/ssh/sshd_config

    Ensure the following line is present:

    ChallengeResponseAuthentication yes

  4. Add the following line to /etc/pam.d/sshd:

    auth required pam_google_authenticator.so

  5. Restart SSH:

    sudo systemctl restart sshd

6. Keep Your System Updated

Regularly updating your Linux server ensures that you have all the latest security patches and updates. Use the following commands to keep your system up to date:

sudo apt-get update

sudo apt-get upgrade

7. Monitor Your Logs

Regularly monitor system and authentication logs for any suspicious activity. Consider using tools like logwatch for detailed summaries of server activity.

sudo apt-get install logwatch

Conclusion

Securing your Linux server against SSH brute-force attacks is crucial to maintaining a robust security posture. By implementing the best practices outlined in this article—changing the default SSH port, using SSH key authentication, deploying Fail2Ban, limiting user access, introducing two-factor authentication, keeping your system current, and monitoring logs—you can significantly reduce the likelihood of successful unauthorized access attempts.

Remember, security is not a one-time task but an ongoing process that requires vigilance and continuous improvement. Stay proactive, stay secure!