Blog | G5 Cyber Security

Stop SSH Brute Force Attacks

TL;DR

Someone is trying to guess passwords for your AWS t2.micro instance via SSH. We’ll harden security by disabling password logins, using key-based authentication, and limiting login attempts with fail2ban.

Steps

  1. Connect to Your Instance

    Use SSH to connect to your AWS t2.micro instance as the user you normally use (e.g., ec2-user, ubuntu). You’ll need your private key file (.pem) and the public IP address of the instance.

    ssh -i /path/to/your/key.pem ec2-user@your_public_ip

  2. Update Your System

    Ensure your system is up to date before making changes:

    sudo apt update && sudo apt upgrade -y

    (If using a different Linux distribution, use the appropriate package manager commands, e.g., yum update for CentOS/RHEL.)

  3. Disable Password Authentication

    Edit the SSH daemon configuration file:

    sudo nano /etc/ssh/sshd_config

    Find the line PasswordAuthentication yes and change it to PasswordAuthentication no. Also, ensure that ChallengeResponseAuthentication no is set.

    Save the file (Ctrl+X, Y, Enter).

  4. Restart SSH Service

    Restart the SSH service for the changes to take effect:

    sudo systemctl restart sshd

  5. Test Key-Based Authentication

    Open a new terminal window, leaving your current session connected, and try connecting using your private key. This confirms that key-based login still works now that password authentication is disabled.

    ssh -i /path/to/your/key.pem ec2-user@your_public_ip

  6. Install Fail2ban

    Fail2ban monitors log files for failed login attempts and automatically blocks the offending IP addresses.

    sudo apt install fail2ban -y

  7. Configure Fail2ban (SSH Jail)

    Copy the default jail configuration file to a local override:

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    Edit /etc/fail2ban/jail.local using a text editor (e.g., nano):

    sudo nano /etc/fail2ban/jail.local

    Under the [sshd] section, ensure these settings are present and configured:

    Save the file.

  8. Restart Fail2ban Service

    Restart Fail2ban to apply the changes:

    sudo systemctl restart fail2ban

  9. Check Fail2ban Status

    Verify that Fail2ban is running and monitoring SSH logs:

    sudo fail2ban-client status sshd

    This will show you the number of currently banned IPs.

  10. Optional: Change Default SSH Port

    Changing the default port (22) can reduce automated attacks. Edit /etc/ssh/sshd_config and change the Port 22 line to a different, non-standard port number (e.g., Port 2222). Remember to update your security group rules in AWS to allow traffic on the new port.
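
Added example (not part of the original post): a shell check for the Disable Password Authentication and Test Key-Based Authentication steps. It reads the effective settings that sshd -T prints and fails if password or keyboard-interactive logins are still enabled, for instance because another included config file overrides your edit. The function name check_sshd_hardening and both sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. check_sshd_hardening is a
# hypothetical helper name. It reads `sshd -T` style output (one lowercase
# "keyword value" pair per line) on stdin and returns non-zero on a weak setting.
check_sshd_hardening() {
    awk '
        { val[tolower($1)] = tolower($2) }
        END {
            bad = 0
            if (val["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication=" val["passwordauthentication"]; bad = 1
            }
            # ChallengeResponseAuthentication shows up under one or both of
            # these names depending on the OpenSSH version (assumption: at
            # least one is printed); every name present must be "no".
            seen = 0
            n = split("kbdinteractiveauthentication challengeresponseauthentication", k, " ")
            for (i = 1; i <= n; i++) if (k[i] in val) {
                seen = 1
                if (val[k[i]] != "no") { print "FAIL " k[i] "=" val[k[i]]; bad = 1 }
            }
            if (!seen) { print "FAIL keyboard-interactive setting not reported"; bad = 1 }
            if (val["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication=" val["pubkeyauthentication"]; bad = 1
            }
            if (!bad) print "OK password logins off, key login on"
            exit bad
        }'
}

# Constructed sample outputs, not captured from a real host.
hardened_sample='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'
weak_sample='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'

printf '%s\n' "$hardened_sample" | check_sshd_hardening
printf '%s\n' "$weak_sample" | check_sshd_hardening || echo "fix sshd_config before relying on it"

# On the instance (run before closing your working session):
#   sudo sshd -t && sudo sshd -T | check_sshd_hardening
```

sshd -T reports the global settings; settings inside Match blocks are only evaluated when connection parameters are supplied with -C.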
