Securing Linux Hosts Against Brute Force SSH Attacks

By /

2025-02-04

Brute force attacks targeting SSH services on Linux hosts are a common threat in the cybersecurity landscape. Attackers often use automated tools to guess credentials, which can lead to unauthorized access if not mitigated. This article provides practical steps to block malicious IPs and secure your Linux system using `iptables` and fail2ban.

Blocking Malicious IPs Using iptables

To block IP ranges known for SSH brute force attempts, use the following `iptables` commands:

sudo iptables -A INPUT -s 218.92.0.0/16 -j DROP 
sudo iptables -A INPUT -s 180.101.0.0/16 -j DROP 
sudo iptables -A INPUT -s 202.4.0.0/16 -j DROP 
sudo iptables -A INPUT -s 92.255.0.0/16 -j DROP

These commands will drop all incoming traffic from the specified IP ranges, effectively blocking potential attackers.

**Installing and Configuring fail2ban**

`fail2ban` is a powerful tool that monitors log files for repeated failed login attempts and automatically bans the offending IPs. Install it using:

sudo apt install fail2ban -y

After installation, configure `fail2ban` by editing the jail configuration file:

sudo nano /etc/fail2ban/jail.local

Add the following configuration to protect SSH:

[sshd] 
enabled = true 
maxretry = 3 
bantime = 3600 
findtime = 600

This configuration bans an IP after 3 failed login attempts within 10 minutes, with a ban duration of 1 hour.

**What Undercode Say**

Securing Linux hosts against brute force SSH attacks is critical for maintaining system integrity. By combining `iptables` and fail2ban, you can significantly reduce the risk of unauthorized access. Here are additional Linux commands and tips to enhance your cybersecurity posture:

  1. Monitor SSH Logs: Use `grep` to filter SSH login attempts:
    sudo grep "Failed password" /var/log/auth.log

  2. Change SSH Port: Edit `/etc/ssh/sshd_config` to change the default SSH port (22) to a non-standard port:

    Port 2222

Restart the SSH service:

sudo systemctl restart sshd
  1. Use Key-Based Authentication: Disable password authentication and use SSH keys for secure access:
    sudo nano /etc/ssh/sshd_config

Set the following:

PasswordAuthentication no
  1. Enable UFW (Uncomplicated Firewall): Simplify firewall management with UFW:
    sudo apt install ufw -y 
sudo ufw allow 2222/tcp 
sudo ufw enable

  2. Regular Updates: Keep your system updated to patch vulnerabilities:

    sudo apt update && sudo apt upgrade -y

  3. Audit Open Ports: Use `netstat` or `ss` to check for open ports:

    sudo netstat -tuln

  4. Harden SSH Configuration: Limit SSH access to specific users:

    sudo nano /etc/ssh/sshd_config

Add:

AllowUsers yourusername
  1. Monitor Network Traffic: Use `tcpdump` to capture and analyze network traffic:
    sudo tcpdump -i eth0

  2. Backup Configuration Files: Always backup critical files before making changes:

    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

  3. Enable Logging: Ensure logging is enabled in /etc/ssh/sshd_config:

    LogLevel VERBOSE

By implementing these measures, you can create a robust defense against brute force attacks and other cybersecurity threats. For further reading, refer to the official documentation of iptables and fail2ban.

Stay vigilant and proactive in securing your systems. Cybersecurity is an ongoing process, and regular audits and updates are essential to stay ahead of potential threats.

References:

Hackers Feeds, Undercode AIFeatured Image

Related Posts:

Scroll to Top