Blog | G5 Cyber Security

SSH Key Brute Force Protection

TL;DR

Seeing a stream of failed SSH logins in your logs? This guide shows how to recognise a brute-force attempt, slow it down with fail2ban, turn off password logins, trim the accepted key algorithms and put passphrases on your private keys. None of this makes a server unbreakable; it makes automated guessing slow, expensive and noisy.

1. Understand the Threat

What the logs present as a brute-force attack on SSH is rarely anyone guessing private keys: a properly generated key cannot be guessed in any useful amount of time. What you actually see is automated tooling hammering the service, trying password lists against many usernames and, for public-key authentication, offering whatever keys it already holds (leaked, stolen or harvested from compromised hosts) against many accounts. A single failed attempt means nothing; dozens of failures from one address in a short window is an attacker, and the defences below target that pattern.

2. Check Your Logs

  1. Where to look: sshd logs through syslog, so failures land in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (CentOS/RHEL). Some recent distributions no longer install a syslog daemon by default, in which case the file does not exist and the same messages are read from the journal of the sshd unit instead.
  2. What to search for: a rejected authentication attempt is logged as a "Failed" line naming the method, the user and the source address. Recent OpenSSH appends the key type and fingerprint after "ssh2" for public-key attempts, and password attempts produce the same shape with "Failed password":
    Failed publickey for invalid user testuser from 192.168.1.10 port 54321 ssh2
  3. Frequency is key: a client that offers two or three keys before the right one produces a couple of "Failed publickey" lines per login, which is normal. Many failures from one IP address inside a few minutes, especially spread across many usernames or marked "invalid user", is a brute-force attempt.

3. Install and Configure Fail2ban

Fail2ban automatically bans IPs that show malicious signs – like too many failed login attempts. It’s your first line of defence.

  1. Install:
    Debian/Ubuntu:
      sudo apt update && sudo apt install fail2ban
    CentOS/RHEL:
      sudo yum install epel-release && sudo yum install fail2ban
  2. Configure the SSH jail: Edit /etc/fail2ban/jail.local (create it if it doesn't exist; leave jail.conf alone, since package upgrades overwrite it). Add or modify the following section:
    [sshd]
    enabled = true
    port = ssh
    logpath = %(sshd_log)s
    backend = %(sshd_backend)s
    banaction = iptables-multiport
    maxretry = 5
    findtime = 600
    bantime = 3600

    This bans an IP after 5 failed attempts within 10 minutes (600 seconds), for an hour (3600 seconds). logpath and backend use the variables fail2ban ships in its paths-*.conf files, so the same jail works whether the distribution writes auth.log, secure or only the journal; set backend = systemd explicitly if there is no log file at all. Use banaction = nftables-multiport on hosts that run nftables rather than iptables, and add your own management addresses to ignoreip in the [DEFAULT] section so you cannot ban yourself.
  3. Restart Fail2ban:
    sudo systemctl restart fail2ban
  4. Check status:
    sudo fail2ban-client status sshd

    One caveat before relying on the ban: the stock sshd filter is deliberately conservative about public-key failures. In its default mode it does not count a "Failed publickey" line for an existing account, because a legitimate client usually offers several keys before the right one; failures for invalid users and password failures are counted. Run fail2ban-regex against your log file and /etc/fail2ban/filter.d/sshd.conf to see exactly which of your lines match, and look at the filter's mode parameter in jail.conf if you need the stricter variants.
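To make the "frequency is key" rule from step 2 concrete, and to show what the maxretry/findtime pair in the jail above actually does, here is an added example that is not code from the original post or from fail2ban. It runs the same sliding-window count over a few constructed auth.log-style lines: a scanner cycling through usernames, a legitimate agent that offers a second key before the right one, and a slow guesser that stays under the default window. The year, host name, PIDs, addresses and fingerprints in the sample are made up.

```python
"""Sliding-window SSH brute-force detector over auth.log-style lines.

Added example; not code from the original post or from fail2ban. It applies
the same maxretry/findtime rule the [sshd] jail uses, so you can see which
of your own log lines would trip a ban. Sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# syslog timestamps carry no year; assume one so they can be compared.
ASSUMED_YEAR = 2024

# "Mon DD HH:MM:SS host sshd[pid]: message" as written by rsyslog.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# The rejection line. OpenSSH appends ": <keytype> <fingerprint>" for
# public-key attempts, so the pattern is deliberately not anchored at the end.
FAIL_RE = re.compile(
    r"^Failed (?P<method>publickey|password|keyboard-interactive/pam|none) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample log (fake host, PIDs, addresses and fingerprints).
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[1201]: Failed publickey for invalid user testuser from 192.168.1.10 port 54321 ssh2: ED25519 SHA256:constructedFingerprint0001
Mar  3 10:00:03 bastion sshd[1202]: Invalid user admin from 192.168.1.10 port 54322
Mar  3 10:00:04 bastion sshd[1202]: Failed publickey for invalid user admin from 192.168.1.10 port 54322 ssh2: RSA SHA256:constructedFingerprint0002
Mar  3 10:00:07 bastion sshd[1203]: Failed publickey for root from 192.168.1.10 port 54323 ssh2: RSA SHA256:constructedFingerprint0002
Mar  3 10:00:09 bastion sshd[1204]: Failed publickey for invalid user oracle from 192.168.1.10 port 54324 ssh2: RSA SHA256:constructedFingerprint0002
Mar  3 10:00:12 bastion sshd[1205]: Failed password for invalid user git from 192.168.1.10 port 54325 ssh2
Mar  3 10:00:15 bastion sshd[1206]: Failed password for invalid user deploy from 192.168.1.10 port 54326 ssh2
Mar  3 10:01:00 bastion sshd[1300]: Failed publickey for alice from 10.0.0.5 port 50000 ssh2: RSA SHA256:constructedFingerprint0003
Mar  3 10:01:00 bastion sshd[1300]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2: ED25519 SHA256:constructedFingerprint0004
Mar  3 10:05:00 bastion sshd[1400]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:20:00 bastion sshd[1401]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  3 10:35:00 bastion sshd[1402]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  3 10:50:00 bastion sshd[1403]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar  3 11:05:00 bastion sshd[1404]: Failed password for root from 203.0.113.7 port 40005 ssh2
"""


def parse_line(line):
    """Return (timestamp, ip, user, method, invalid_user) for a rejected
    authentication attempt, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FAIL_RE.match(m["msg"])
    if not f:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} " + " ".join(m["ts"].split()),
                           "%Y %b %d %H:%M:%S")
    return ts, f["ip"], f["user"], f["method"], f["invalid"] is not None


def detect(lines, maxretry=5, findtime=600):
    """Flag every source IP that accumulates maxretry failures inside some
    findtime-second window (the fail2ban rule). Returns {ip: summary}."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "methods": set(), "tripped_at": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, user, method, _invalid = rec
        s = stats[ip]
        s["failures"] += 1
        s["users"].add(user)
        s["methods"].add(method)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # expire old entries
            q.popleft()
        if len(q) >= maxretry and s["tripped_at"] is None:
            s["tripped_at"] = ts
    return {ip: s for ip, s in stats.items() if s["tripped_at"] is not None}


if __name__ == "__main__":
    for ip, s in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['failures']} failures, {len(s['users'])} usernames, "
              f"methods {sorted(s['methods'])}, ban at {s['tripped_at']:%H:%M:%S}")
```

With the defaults only 192.168.1.10 is flagged, at its fifth failure; alice's spare key never counts because the "Accepted" line is not a failure, and 203.0.113.7 spaces its guesses fifteen minutes apart, which a 600-second window never catches. Re-running detect with findtime=3600 flags it too, which is the trade-off behind a longer findtime: more slow scanners caught, more chance of banning a colleague who fat-fingers a passphrase a few times over an hour. The parser only understands rsyslog's timestamp format; journal output needs its own timestamp handling.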
4. Restrict Key Algorithms

Restricting the accepted public-key algorithms does nothing against guessing, but it stops clients authenticating with signatures that are weak by today's standards. The main one is ssh-rsa, which signs with SHA-1; OpenSSH disables it by default since 8.8, and the right way to keep RSA keys working is the rsa-sha2-256 and rsa-sha2-512 signature algorithms, which use the same keys.

  1. Edit SSH configuration: Open /etc/ssh/sshd_config with a text editor (e.g., sudo nano /etc/ssh/sshd_config).
  2. Add or modify this line (OpenSSH 8.5 and later; older releases spell the keyword PubkeyAcceptedKeyTypes, which newer ones still accept as an alias):
    PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256

    This allows only Ed25519 keys and RSA keys with SHA-2 signatures. Write the list without a leading "+": a "+" appends to the built-in default rather than replacing it, so "+ssh-rsa" would re-enable the SHA-1 algorithm instead of restricting anything. HostKeyAlgorithms governs the server's own host keys, not which client keys are accepted, and can be left at its default. Any other algorithm you need (hardware-backed sk-ssh-ed25519@openssh.com keys, for instance) goes on the same line.
  3. Check and restart SSH: keep an existing session open, validate the file with sshd -t, then:
    sudo systemctl restart sshd
5. Disable Password Authentication (If Possible)

Passwords are what most brute-force traffic is actually aimed at, and a password can be guessed where a key cannot. Once every administrator has a working key, turn passwords off. Do it with a second session open so a mistake does not lock you out.

  1. Edit SSH configuration: Open /etc/ssh/sshd_config.
  2. Set these options:
    PasswordAuthentication no
    KbdInteractiveAuthentication no

    KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication is the older spelling and still works. Both are needed, because PAM can prompt for the password through keyboard-interactive even when PasswordAuthentication is off. Leave UsePAM at its default of yes: sshd uses PAM for account and session checks (expired accounts, nologin, access restrictions), not only for passwords, and turning it off discards those. Note that sshd takes the first value it reads for each keyword, and a stock Ubuntu sshd_config includes /etc/ssh/sshd_config.d/*.conf before anything else, so a file there (cloud-init often writes one with PasswordAuthentication yes) silently overrides the main file. Put your settings in a file in that directory that sorts first, and confirm the effective configuration with sshd -T.
  3. Restart SSH:
    sudo systemctl restart sshd
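The two traps in sections 4 and 5 (a "+" that appends instead of restricting, and an included file that wins over the main sshd_config) are easier to believe when you can watch the resolution happen. The following is an added example, not code from the original post or from OpenSSH: a small resolver that reads sshd_config text with the same first-value-wins and in-place Include rules sshd uses, applies the "+", "-" and "^" prefix semantics to an algorithm list, and reports the problems this guide is about. DEFAULT_PUBKEY is an abbreviated stand-in for the compiled-in default, which differs between releases; the file contents, paths and the cloud-init file name are constructed for the example (the real one on a given host may differ). Match blocks are skipped rather than modelled.

```python
"""Resolve the settings sshd would actually use from sshd_config text.

Added example; not code from the original post or from OpenSSH. Models two
sshd rules that defeat naive edits: the first value read for a keyword wins,
with Include expanded in place; and an algorithm list starting with '+',
'-' or '^' modifies the built-in default instead of replacing it.
DEFAULT_PUBKEY is an abbreviated stand-in (assumption); read the real one
with: sshd -T | grep -i pubkeyacceptedalgorithms
"""
import fnmatch
import shlex

DEFAULT_PUBKEY = ["ssh-ed25519", "sk-ssh-ed25519@openssh.com",
                  "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"]
ALIASES = {  # older spellings that sshd still accepts
    "pubkeyacceptedkeytypes": "pubkeyacceptedalgorithms",
    "challengeresponseauthentication": "kbdinteractiveauthentication",
}
# Constructed configs: NAIVE applies the text's edits to the main file on an
# Ubuntu-style layout where cloud-init dropped a file into sshd_config.d;
# HARDENED fixes it with a file that sorts before cloud-init's.
NAIVE = {
    "/etc/ssh/sshd_config": ("Include /etc/ssh/sshd_config.d/*.conf\n"
                             "PasswordAuthentication no\n"
                             "ChallengeResponseAuthentication no\n"
                             "PubkeyAcceptedKeyTypes +ssh-rsa,ssh-ed25519\n"),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}
HARDENED = {
    "/etc/ssh/sshd_config": ("Include /etc/ssh/sshd_config.d/*.conf\n"
                             "PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n"),
    "/etc/ssh/sshd_config.d/00-hardening.conf": ("PasswordAuthentication no\n"
                                                 "KbdInteractiveAuthentication no\n"),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def apply_algo_list(spec, default):
    """OpenSSH list semantics: '+' appends, '-' removes (patterns allowed),
    '^' moves to the front; a bare list replaces the default outright."""
    items = [a for a in spec.lstrip("+-^").split(",") if a]
    if spec.startswith("+"):
        return default + [a for a in items if a not in default]
    if spec.startswith("-"):
        return [a for a in default if not any(fnmatch.fnmatchcase(a, p) for p in items)]
    if spec.startswith("^"):
        return items + [a for a in default if a not in items]
    return items


def read_config(files, path="/etc/ssh/sshd_config", _state=None):
    """Return [(keyword, value, source_file)] in the order sshd reads them.
    `files` maps path -> text, an in-memory stand-in for the filesystem."""
    st = _state or {"seen": set(), "in_match": False, "out": []}
    if path in st["seen"]:  # guard against include loops
        return st["out"]
    st["seen"].add(path)
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            st["in_match"] = True  # conditional blocks are not modelled
        elif key == "include":
            for pat in shlex.split(val):  # glob matches are read in sorted order
                for inc in sorted(p for p in files if fnmatch.fnmatchcase(p, pat)):
                    read_config(files, inc, st)
        elif not st["in_match"]:
            st["out"].append((key, val, path))
    return st["out"]


def resolve(files, path="/etc/ssh/sshd_config"):
    """Effective global value of each keyword: the first occurrence wins."""
    effective = {}
    for key, val, src in read_config(files, path):
        if key in effective:
            continue  # sshd ignores later repeats of a keyword
        value = apply_algo_list(val, DEFAULT_PUBKEY) if key == "pubkeyacceptedalgorithms" else val.lower()
        effective[key] = {"value": value, "raw": val, "source": src}
    return effective


def audit(files, path="/etc/ssh/sshd_config"):
    """List the problems this guide cares about, naming the file responsible."""
    eff = resolve(files, path)
    builtin = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
               "pubkeyacceptedalgorithms": DEFAULT_PUBKEY}  # sshd defaults when unset

    def get(key):
        return eff.get(key, {"value": builtin[key], "raw": "", "source": "built-in default"})

    findings = []
    for key, name in (("passwordauthentication", "PasswordAuthentication"),
                      ("kbdinteractiveauthentication", "KbdInteractiveAuthentication")):
        if get(key)["value"] == "yes":
            findings.append(f"{name} is yes (set in {get(key)['source']})")
    pk = get("pubkeyacceptedalgorithms")
    if pk["raw"].startswith("+"):
        findings.append(f"PubkeyAcceptedAlgorithms uses '+' in {pk['source']}: "
                        "it appends to the default list, it does not restrict")
    if "ssh-rsa" in pk["value"]:
        findings.append("PubkeyAcceptedAlgorithms permits ssh-rsa (SHA-1 signatures)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("naive", NAIVE), ("hardened", HARDENED)):
        print(label, audit(cfg) or ["no findings"])
```

On the NAIVE layout the audit reports PasswordAuthentication still yes, sourced from 50-cloud-init.conf rather than the main file the administrator edited, plus the two algorithm-list problems; the HARDENED layout is clean because 00-hardening.conf is read before cloud-init's file and the algorithm list is written without a prefix. To run the same check against a live host, read the real files into the dictionary, but treat sshd -T as the authority: it prints the values the running binary computes, default list included.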
6. Strong Passphrases for Keys

A passphrase does not help against remote guessing; it encrypts the private key file so that a copy lifted from a laptop, a backup or a CI runner is useless without it. Unencrypted keys are common for automation, and that is a risk to weigh deliberately rather than drift into.

  1. Generate new keys: when you create a key, give it a long passphrase:
    ssh-keygen -t ed25519

    Follow the prompts to set the passphrase. The -a option raises the number of bcrypt KDF rounds used to derive the file's encryption key from the passphrase (the default is 16), which makes every guess against a stolen file correspondingly slower; an existing key can be given or have its passphrase changed in place with ssh-keygen -p. Load the key into ssh-agent so the passphrase is typed once per session rather than on every connection.
