Stop Shell Brute Force Attacks

TL;DR

You can’t completely prevent a brute force attack on a shell, but you can make it incredibly difficult and time-consuming for attackers. This guide shows how to use tools like fail2ban, strong passwords, key-based authentication, account lockouts, and limiting login attempts.

How to Prevent Shell Brute Force Attacks

  1. Use Strong Passwords: This is the first line of defence.
    • Passwords should be long (12+ characters).
    • Mix uppercase and lowercase letters, numbers, and symbols.
    • Avoid dictionary words or personal information.
    • Use a password manager to generate and store strong passwords.
  2. Disable Password Authentication: If possible, switch to key-based authentication (see step 3). This removes the possibility of password guessing.
    • Edit your SSH configuration file:
      sudo nano /etc/ssh/sshd_config
    • Find the line PasswordAuthentication yes and change it to PasswordAuthentication no.
    • Restart the SSH service:
      sudo systemctl restart sshd
  3. Implement Key-Based Authentication: This is much more secure than passwords.
    • Generate a key pair on your client machine (e.g., using ssh-keygen).
    • Copy the public key to the server’s ~/.ssh/authorized_keys file for the user you want to log in as. Use ssh-copy-id user@server_ip.
  4. Account Lockout Policies: Prevent repeated failed login attempts.
    • Using PAM (Pluggable Authentication Modules), you can configure account lockouts. Edit the file:
      sudo nano /etc/pam.d/common-auth

    • Add this line to the end of the file:
      auth required pam_tally2.so deny=3 unlock_time=600

      This will lock an account after 3 failed attempts for 10 minutes (600 seconds).

    • To check locked accounts:
      sudo pam_tally2 --user <username>
    • To unlock an account:
      sudo pam_tally2 --user <username> --reset
  5. Use Fail2ban: This tool monitors log files for malicious activity and automatically blocks IPs.
    • Install fail2ban (Debian/Ubuntu):
      sudo apt update && sudo apt install fail2ban
      or (CentOS/RHEL):
      sudo yum install fail2ban

    • Configure Fail2ban for SSH. Edit the file:
      sudo nano /etc/fail2ban/jail.local
      If it doesn’t exist, copy it from jail.conf first:
      sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    • Enable the SSH jail by setting enabled = true under the [sshd] section. Adjust other settings as needed (e.g., bantime, findtime, maxretry).
    • Restart Fail2ban:
      sudo systemctl restart fail2ban
    • Check the status of jails:
      sudo fail2ban-client status sshd
  6. Limit Login Attempts: Configure SSH to limit the number of login attempts per connection.
    • Edit your SSH configuration file:
      sudo nano /etc/ssh/sshd_config

    • Add or modify these lines:
      MaxAuthTries 3
      ClientAliveInterval 60
      ClientAliveCountMax 3

      This limits authentication attempts to 3 per connection, and disconnects a client that misses 3 consecutive keepalive checks (sent every 60 seconds).

    • Restart the SSH service:
      sudo systemctl restart sshd

  7. Change Default SSH Port: Changing from port 22 to a non-standard port can reduce automated attacks.
    • Edit your SSH configuration file:
      sudo nano /etc/ssh/sshd_config

    • Find the line Port 22 and change it to a different port number (e.g., Port 2222). Choose a port above 1024.
    • Restart the SSH service:
      sudo systemctl restart sshd

    • Remember to update your firewall rules to allow traffic on the new port!
  8. Firewall Configuration: Only allow SSH access from trusted IPs.
    • Use a firewall (e.g., ufw or iptables) to block all incoming connections except those from your known IP addresses.
    • Example using ufw:
      sudo ufw allow from <your_ip> to any port ssh
      Then enable the firewall with:
      sudo ufw enable

Important Note: No system is 100% secure. These steps significantly increase security, but determined attackers may still find ways to compromise your shell. Regularly review logs and keep your system updated.
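An added example, not from the original post: a POSIX shell function that performs the log review recommended above, counting failed SSH password attempts per source IP in sshd log lines and reporting sources at or above a threshold, which is the same signal the fail2ban sshd jail acts on. The log lines are constructed for the demonstration, and the check_live_log wrapper's log path and threshold are assumptions.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP and flag
# sources at or above a threshold (the signal fail2ban's sshd jail acts on).

# Constructed sample log lines in the format sshd writes to /var/log/auth.log
# on Debian/Ubuntu. Addresses are from documentation ranges, not real traffic.
SAMPLE_LOG='Jan 10 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 host sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jan 10 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 10:00:07 host sshd[1204]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 10 10:00:09 host sshd[1205]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 10 10:00:11 host sshd[1206]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Jan 10 10:00:13 host sshd[1207]: Failed password for invalid user oracle from 192.0.2.9 port 3300 ssh2
Jan 10 10:00:15 host sshd[1208]: Failed password for invalid user oracle from 192.0.2.9 port 3302 ssh2
Jan 10 10:00:17 host sshd[1209]: Failed password for invalid user oracle from 192.0.2.9 port 3304 ssh2'

# failed_logins_over LOGTEXT THRESHOLD
# Prints "<count> <ip>" for every source IP with at least THRESHOLD failed
# password attempts in LOGTEXT, highest count first. Successful logins and
# other sshd messages do not match the sed pattern and are ignored.
failed_logins_over() {
    printf '%s\n' "$1" \
      | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port [0-9]* ssh2.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# Hypothetical wrapper for a real host: the same check over the live log file.
# The default path and threshold are assumptions; adjust them to your
# distribution and lockout policy.
check_live_log() {
    failed_logins_over "$(cat "${1:-/var/log/auth.log}")" "${2:-3}"
}

# Demo on the constructed lines with a threshold of 3. Prints
# "4 203.0.113.5" then "3 192.0.2.9"; 198.51.100.7 has only one failure.
failed_logins_over "$SAMPLE_LOG" 3
```

Run it against a real log with `check_live_log /var/log/auth.log 3`; sources it reports are candidates for a firewall rule or a fail2ban ban, and a trusted address that appears there usually means a mistyped password or a misconfigured client.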
