Effective Strategies for Blocking Repeated SSH Login Attempts on Linux Servers

As cyber threats become increasingly sophisticated, ensuring the security of your Linux servers is paramount. One of the most common vulnerabilities is exposing your system to brute-force attacks via SSH (Secure Shell). These attacks involve automated scripts attempting to guess passwords, leading to unauthorized access. In this article, we’ll explore effective strategies for blocking repeated SSH login attempts on Linux servers to safeguard your systems.

1. Use Strong Password Policies

Enforce Complexity

First and foremost, a robust password policy is essential. Ensure that users create complex passwords that include a mix of upper and lower case letters, numbers, and special characters. Enforcing a minimum password length of 12 characters can significantly enhance security.

Implement Account Lockout Policies

Consider implementing account lockout policies that temporarily disable an account after a specified number of failed login attempts. This discourages repeated guessing efforts.

2. Change the Default SSH Port

Customize SSH Port

Changing the default SSH port from 22 to another, less common port can obscure your server and deter basic automated attacks. You can do this by modifying the /etc/ssh/sshd_config file:
bash

sudo nano /etc/ssh/sshd_config

Port 2222

Don’t forget to restart the SSH service after making changes:
bash
sudo systemctl restart sshd

3. Implement Fail2Ban

Install and Configure

Fail2Ban is a powerful tool that can help protect your server from brute-force attacks. It works by monitoring log files and banning IPs that show malicious signs. To install and configure it:
bash

sudo apt-get install fail2ban

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Customize Filters

In your jail.local file, enable the SSH jail and set up parameters:
ini
[sshd]
enabled = true
port = 2222 # Change to custom port if necessary
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600

Start and Enable Fail2Ban

bash
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

4. Utilize SSH Key Authentication

Generate SSH Keys

Instead of relying on passwords, using SSH key pairs can offer superior security. Generate an SSH key pair with:
bash
ssh-keygen -t rsa -b 4096

Place your public key in the ~/.ssh/authorized_keys file on your server.

Disable Password Authentication

To further secure your server, disable password authentication altogether in the sshd_config file:
bash
PasswordAuthentication no

5. Configure TCP Wrappers

Use /etc/hosts.allow and /etc/hosts.deny

TCP Wrappers provide a way to control access to services on your Linux server. In /etc/hosts.deny, you can block all access:

sshd: ALL

Then, in /etc/hosts.allow, specify allowed IP addresses:

sshd: 192.168.1.100

This configuration allows only the specified IP to access SSH.

6. Monitor Logs Regularly

Use Log Analysis Tools

Regularly monitoring your server logs is critical for spotting unusual activity. Tools like Logwatch or GoAccess can help visualize login attempts and spot patterns. Set them up to receive periodic reports on SSH access.

Employ Intrusion Detection Systems

Consider using tools like OSSEC or AIDE to detect unusual logins and modify alert statuses. An intrusion detection system can provide an additional layer of security by alerting you to unauthorized access.

7. Configure a Firewall

Use UFW or Firewalld

Setting up a firewall can effectively limit access to your SSH service. Consider using UFW (Uncomplicated Firewall) or firewalld to create rules that only allow specific IP ranges. Here’s how to configure UFW:
bash

sudo ufw allow 2222/tcp

sudo ufw enable

Conclusion

Securing your Linux server against repeated SSH login attempts is an ongoing process that involves implementing multiple strategies. From using strong passwords and changing default ports to employing tools like Fail2Ban, SSH key authentication, TCP Wrappers, log monitoring, and firewalls, each step plays a vital role in fortifying your server.

By adopting these strategies, you can significantly reduce the risk of unauthorized access and keep your data safe. Remember, the best defense is a proactive approach, so invest time in securing your systems today. For more tips and updates on Linux security, stay tuned to the WafaTech Blog!