
How to track and block Brute-Force Login Attempts on SSH


Introduction

SSH brute-force attacks are one of the most common security threats faced by Linux servers exposed to the internet. These attacks involve automated scripts attempting to gain unauthorized access by trying thousands of username and password combinations. If left unchecked, brute-force attacks can lead to compromised systems, service slowdowns, or even server crashes due to excessive login attempts.

Monitoring and mitigating SSH brute-force attempts is critical for maintaining server security. Common tools such as fail2ban, iptables, and journalctl offer effective ways to detect suspicious login patterns and take automated action against offending IPs. Additionally, configuring SSH securely (e.g., using key-based authentication and changing the default port) can significantly reduce exposure.


Prerequisites

  • A Linux-based server (e.g., CentOS, Ubuntu, Debian)
  • Root or sudo access
  • SSH enabled and accessible
  • fail2ban installed (optional but recommended)


Step-by-step Guide

Step 1: Check for Brute-Force Attempts in SSH Logs

For systems using journalctl:

journalctl -u sshd | grep "Failed password"


For systems using /var/log/auth.log (Ubuntu/Debian):

grep "Failed password" /var/log/auth.log

For systems using /var/log/secure (CentOS/RHEL):

grep "Failed password" /var/log/secure

To summarize attempts by IP:

grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head

This will show the top IPs attempting failed logins. The field $(NF-3) is the source address because each "Failed password" line ends with "from <ip> port <n> ssh2".
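As an added example (not part of the original article), the same summary as a reusable shell function that pulls the address out with a regex instead of a fixed field position, so it also copes with "invalid user" lines, and that flags every IP whose failure count reaches a threshold, mirroring the maxretry idea used by Fail2Ban. The threshold default of 5 and the BAN_CANDIDATE label are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): summarize failed SSH logins
# per source IP from auth.log/secure-style lines and flag every IP whose
# count reaches a threshold (the same idea as Fail2Ban's maxretry).
# The IP is taken from "from <ip> port" with a regex rather than a fixed
# field position, so both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." lines are handled.

# Usage: failed_ssh_by_ip <threshold> < logfile
# Prints "count ip" lines sorted by count (descending), then one
# "BAN_CANDIDATE ip count" line for each IP with count >= threshold.
failed_ssh_by_ip() {
  threshold="${1:-5}"
  awk '
    /sshd.*Failed password/ {
      # locate "from <ip> port" wherever it sits on the line
      if (match($0, /from [0-9a-fA-F.:]+ port/)) {
        ip = substr($0, RSTART + 5, RLENGTH - 10)
        count[ip]++
      }
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -rn | awk -v threshold="$threshold" '
    { print }
    $1 >= threshold { flagged = flagged "BAN_CANDIDATE " $2 " " $1 "\n" }
    END { printf "%s", flagged }
  '
}

# Constructed sample log lines (not real traffic) so the demo runs offline.
SAMPLE_LOG='Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:05 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:07 host sshd[1207]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:00:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 51270 ssh2
Mar  3 10:01:00 host sshd[1300]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:01:10 host sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2'

# Demo run on the constructed sample with a threshold of 5.
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_by_ip 5
```

On a live system replace the sample with `failed_ssh_by_ip 5 < /var/log/auth.log` (or /var/log/secure on CentOS/RHEL).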


Step 2: Block Suspicious IPs Manually Using iptables

If an IP is confirmed to be malicious, block it using iptables:

iptables -A INPUT -s <offending_ip> -j DROP

Example:

iptables -A INPUT -s 192.168.100.50 -j DROP

To make this rule persistent across reboots, install iptables-persistent (Debian/Ubuntu) and save the current rules to the file it loads at boot:

iptables-save > /etc/iptables/rules.v4


Step 3: Automatically Block SSH Brute-Force Attempts with Fail2Ban

If Fail2Ban is not installed:

For Debian/Ubuntu:

sudo apt install fail2ban

For CentOS/RHEL:

sudo yum install epel-release
sudo yum install fail2ban

Once installed, enable and start the service:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban


Step 4: Configure the SSH Jail in Fail2Ban

Edit the jail configuration (jail.local overrides the packaged jail.conf and is not overwritten by upgrades; create it if it does not exist):

nano /etc/fail2ban/jail.local


Add or modify the SSH jail section (on CentOS/RHEL, set logpath to /var/log/secure, the file checked in Step 1):

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600

  • maxretry: number of failed attempts allowed before the IP is banned
  • bantime: duration of the ban, in seconds
  • findtime: time window, in seconds, within which the failures are counted

Save the file and restart Fail2Ban:

sudo systemctl restart fail2ban

Check the jail status:

fail2ban-client status sshd


Step 5: Harden SSH Configuration (Optional but Recommended)

Modify your SSH settings to reduce exposure:

  1. Edit SSH config:

    nano /etc/ssh/sshd_config

  2. Recommended changes:

    PermitRootLogin no
    PasswordAuthentication no
    # replace <non_default_port> with a port other than 22
    Port <non_default_port>

    • Disable root login
    • Disable password auth (use SSH keys; confirm key-based login works from a second session before disabling passwords, so you are not locked out)
    • Change default port from 22 (then allow the new port in your firewall and set the same value in the Fail2Ban jail's port line)

  3. Restart SSH:

    systemctl restart sshd


Conclusion

Monitoring and blocking brute-force SSH login attempts is essential for maintaining server security. This guide covered how to identify malicious attempts using log files, manually block IPs using iptables, and implement automated banning with Fail2Ban. Additional SSH hardening further reduces risk by limiting access vectors.

Should you have any inquiries about the guidelines, please feel free to open a ticket through your portal account or contact us at support@ipserverone.com. We’ll be happy to assist you further.