TL;DR
Someone trying to guess your SSH keys? This guide shows you how to spot it and lock down your server using fail2ban, key restrictions, and strong passwords. It’s about making it much harder for attackers.
1. Understand the Threat
Brute-forcing SSH keys means an attacker is systematically trying many different private keys against your SSH server to gain access. This is usually done with automated tools. While a single attempt isn’t dangerous, repeated failures are a strong sign of an attack.
2. Check Your Logs
- Where to look: The main log file you need is typically /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (CentOS/RHEL).
- What to search for: Look for failed SSH key authentication attempts. You’ll see entries like this:
  Failed publickey for invalid user testuser from 192.168.1.10 port 54321 ssh2
- Frequency is key: A few failed attempts are normal, but a large number of failures from the same IP address within a short period indicates a brute-force attempt.
3. Install and Configure Fail2ban
Fail2ban automatically bans IPs that show malicious signs – like too many failed login attempts. It’s your first line of defence.
- Debian/Ubuntu:
  sudo apt update && sudo apt install fail2ban
- CentOS/RHEL:
  sudo yum install epel-release && sudo yum install fail2ban
Edit /etc/fail2ban/jail.local (create it if it doesn’t exist). Add or modify the following section:
[sshd]
enabled = true
port = ssh
logpath = %(auth_log)s
banaction = iptables-multiport
maxretry = 5
findtime = 600
bantime = 3600
This configuration bans IPs after 5 failed attempts within 10 minutes (600 seconds), for an hour (3600 seconds).
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
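To see which addresses in the log from section 2 would cross the thresholds configured above (maxretry = 5 within findtime = 600 seconds), the script below applies the same sliding window to "Failed publickey" lines. It is an added example, not part of the original guide or of fail2ban; the function name find_offenders, the host name, the caller-supplied year and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY, FINDTIME = 5, timedelta(seconds=600)  # same values as the [sshd] jail
# Greedy user group: the address is taken from the last " from ... port ..." on the
# line, so a username containing " from " cannot shift the address field.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed publickey for "
    r"(?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2(?:: .*)?$"
)

def find_offenders(lines, year):
    """Return {ip: time the MAXRETRY-th failure inside FINDTIME was logged}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue              # accepted logins, password failures, other daemons
        # Classic syslog timestamps carry no year, so the caller supplies it.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > FINDTIME:
            window.popleft()      # drop failures older than findtime
        if len(window) >= MAXRETRY:
            offenders.setdefault(m["ip"], when)
    return offenders

# Constructed sample in auth.log format (illustrative values, not real traffic).
SAMPLE = [
    f"Mar 10 14:0{i}:07 web1 sshd[{2100 + i}]: Failed publickey for invalid user "
    f"testuser from 192.168.1.10 port {54321 + i} ssh2"
    for i in range(5)             # 5 failures in 4 minutes: crosses the threshold
] + [
    f"Mar 10 {9 + 2 * i:02d}:30:00 web1 sshd[{3100 + i}]: Failed publickey for deploy "
    f"from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed"
    for i in range(5)             # 5 failures spread over 8 hours: stays below it
] + [
    "Mar 10 14:02:30 web1 sshd[2200]: Failed publickey for invalid user a from "
    "203.0.113.9 port 1 ssh2 from 203.0.113.50 port 50000 ssh2",  # " from " in username
    "Mar 10 14:03:00 web1 sshd[2201]: Accepted publickey for deploy from "
    "198.51.100.7 port 40001 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE, 2024).items():
        print(f"{ip} reached {MAXRETRY} failed publickey attempts by {when}")
```

To run it against a real log, pass the open file object for /var/log/auth.log or /var/log/secure and the year the entries were written.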
4. Restrict Key Types
Some key types are weaker than others. Disabling them reduces the attack surface.
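Open /etc/ssh/sshd_config with a text editor (e.g., sudo nano /etc/ssh/sshd_config) and set:
PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519
HostKeyAlgorithms ssh-rsa,ssh-ed25519
This allows only RSA and Ed25519 keys: a list without a leading + replaces the defaults, whereas a leading + only appends to them. OpenSSH 8.5 and later call the first option PubkeyAcceptedAlgorithms and keep PubkeyAcceptedKeyTypes as an alias. Remove any other key types listed.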
sudo systemctl restart sshd
5. Disable Password Authentication (If Possible)
Password authentication is much more vulnerable to brute-force attacks than key-based authentication. If you can, disable it.
Edit /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
sudo systemctl restart sshd
6. Strong Passphrases for Keys
If you *must* use keys without strong passphrases, consider the risk carefully. A passphrase adds another layer of security.
ssh-keygen -t ed25519
Follow the prompts to create a key with a strong passphrase.

