<![CDATA[Dev1 Galaxy Forum / [HowTo] Protect from SHH brute force attacks with fail2ban]]> https://dev1galaxy.org/viewtopic.php?id=7933 Sat, 25 Apr 2026 02:06:37 +0000 FluxBB <![CDATA[[HowTo] Protect from SHH brute force attacks with fail2ban]]> https://dev1galaxy.org/viewtopic.php?pid=63399#p63399 An SSH brute force attack is a hacking technique where attackers use automated tools to systematically try thousands of username and password combinations to gain unauthorized access to a remote server via the Secure Shell (SSH) protocol.

To be fair this is not a definitive protection but another countermeasure to reduce drastically the risks from such attacks when using public IPs.

# As a complementary measure you should NOT allow ssh root login using password but using ssh key in worst case escenario, to do that change the settings for sshd:

sudo nano /etc/ssh/sshd_config

# Uncomment the #PermitRootLogin line like:
PermitRootLogin prohibit-password

# Install packages:

sudo apt install -y fail2ban lnav

# Verify connection attemps

sudo lnav /var/log/auth.log

# You will see very often lines like:
<date> - <time> <hostname> sshd[pid]: Failed password for root from xxx.xxx.xxx.xxx port xxxx ssh2 <--- Brute force attack

# and also when you connect you will see a line like this:
<date> - <time> <hostname> sshd[pid]: Accepted publikey for <youruser> from <your.isp.public.ip> port xxxxx ssh2: EDxxxx SHAxxx <--- This is you, will whitelist this IP.

# Press q to exit

# Create Local Configuration to preserve settings during updates.

sudo nano /etc/fail2ban/jail.local

# Configure SSH Protection, we will use 3 attemps to block earlier than 5 attemps and for 3 hours but later you can increase the bantime if you notice the same IP addresses repeating again and again:
[DEFAULT]
# Whitelist your own IP address (space-separated)
ignoreip = 127.0.0.1/8 ::1 <your.isp.public.ip>

[sshd]
enabled = true
maxretry = 3
bantime = 3h
findtime = 10m   

# Restart fail2ban service

sudo service fail2ban restart

# Verify ssh jail status

sudo fail2ban-client status sshd

 

# You will see something like:

Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	5
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	6
   |- Total banned:	6
   `- Banned IP list:	2.57.122.189 2.57.122.192 45.148.10.147 45.148.10.151 45.148.10.157 92.118.39.236

   
# Now if you verify connection attemps again
sudo lnav /var/log/auth.log

You will notice the attemps wont repeat from the same IP since the moment fail2ban was restarted, keep it running and eventually they will realize is not worthy to keep trying or they will run out of public IPS or you can also increase the time if the same IP address keep showing up.

To add an extra layer of protection you can also enable 2FA with oathtool to make ssh ask for 6 digits code before you can enter any password, that way the attack never even begins since the client gets disconnected and banned when doens't provide a valid 6 digits code to begin with the login attemp, link to guide below.

[HowTo] 2FA TOTPs for SSH without google-authenticator.

]]> Sat, 25 Apr 2026 02:06:37 +0000 https://dev1galaxy.org/viewtopic.php?pid=63399#p63399