DEV Community

Cover image for How to Use Snort on Ubuntu Dedicated Servers to Detect SSH Brute-Force Attacks
Nyra Amsi
Nyra Amsi

Posted on • Originally published at servers99.com

How to Use Snort on Ubuntu Dedicated Servers to Detect SSH Brute-Force Attacks

SSH brute-force attacks are among the most common threats targeting Linux dedicated servers. Attackers use automated tools to repeatedly attempt username and password combinations in an effort to gain unauthorized access. Even when login attempts fail, excessive authentication requests can clutter logs, consume resources, and make it harder to identify legitimate security events.

While traditional firewalls can block unwanted traffic, they often do not provide detailed visibility into suspicious connection patterns. This is where Snort can help.

⚠️ Note: This guide uses Snort 2 from the official Ubuntu repositories for a quick, beginner-friendly setup. For Snort 3, a manual source compilation is required.

The Problem
Consider a dedicated server that exposes SSH on port 22 for remote administration. Over time, the server may receive:

  • Automated login attempts from unknown IP addresses
  • Credential stuffing attacks
  • Bot-driven password guessing campaigns
  • Large volumes of connection attempts from multiple sources

Although SSH logs record these events, manually reviewing log files can be time-consuming, especially on busy servers. A network intrusion detection system such as Snort can monitor traffic in real-time and generate alerts whenever suspicious SSH activity is detected.

Prerequisites

Before starting, ensure you have:

  • Ubuntu 24.04 LTS
  • Root or sudo access
  • A dedicated server with SSH enabled
  • Internet connectivity for package installation

Update the system first:

sudo apt update && sudo apt upgrade -y
Enter fullscreen mode Exit fullscreen mode

Step 1: Install Snort

Install Snort directly from the standard Ubuntu repositories:

sudo apt install snort -y
Enter fullscreen mode Exit fullscreen mode

⚠️ Note: During installation, you may be prompted to enter your network interface and IP range.

Verify the installation:

snort -V
Enter fullscreen mode Exit fullscreen mode

You should see version information confirming that Snort (version 2.9.x) is installed successfully.

Step 2: Identify Your Network Interface

List your available network interfaces:

ip addr
Enter fullscreen mode Exit fullscreen mode

You will see output containing names like eth0, ens3, or ens18. Make a note of the interface connected to the public network.

Step 3: Configure Snort

Open the main Snort configuration file:

sudo nano /etc/snort/snort.conf
Enter fullscreen mode Exit fullscreen mode

Locate the network variable section. Look for ipvar HOME_NET and set it to your server's IP subnet, or for broad monitoring:

ipvar HOME_NET any
Enter fullscreen mode Exit fullscreen mode

Save the file and exit the editor.

Step 4: Create a Local Rule File

Ensure the rules directory exists (it usually does by default):

sudo mkdir -p /etc/snort/rules
Enter fullscreen mode Exit fullscreen mode

Open the local rules file to add your custom alert:

sudo nano /etc/snort/rules/local.rules
Enter fullscreen mode Exit fullscreen mode

Step 5: Create a Brute-Force Detection Rule
To accurately detect a brute-force attack (and avoid flooding your logs with normal SSH logins), we need to use a threshold (or detection filter). This tells Snort to only trigger an alert if a single IP address makes too many connection attempts within a short timeframe.

Add the following rule:

alert tcp any any -> $HOME_NET 22 (msg:"Possible SSH Brute Force Attack Detected"; flags:S; detection_filter:track by_src, count 5, seconds 60; sid:1000001; rev:1;)
Enter fullscreen mode Exit fullscreen mode

How this rule works:

  • flags:S; looks for the initial connection attempt (SYN packet).
  • detection_filter:track by_src, count 5, seconds 60; ensures an alert is ONLY generated if the same source IP attempts to connect more than 5 times within 60 seconds.

Save the file.

Step 6: Load the Rule

Ensure Snort knows to look at your local rules. Open the configuration file again:

sudo nano /etc/snort/snort.conf
Enter fullscreen mode Exit fullscreen mode

Add or ensure this line is uncommented:

include $RULE_PATH/local.rules
Enter fullscreen mode Exit fullscreen mode

Validate the configuration to ensure there are no syntax errors:

sudo snort -T -c /etc/snort/snort.conf
Enter fullscreen mode Exit fullscreen mode

A successful validation output indicates that Snort can load the rule correctly.

Step 7: Start Snort

Run Snort in alerting mode. Replace eth0 with your actual network interface noted in Step 2:

sudo snort -i eth0 -c /etc/snort/snort.conf -A console
Enter fullscreen mode Exit fullscreen mode

⚠️ Note: Using -A console will print alerts directly to your screen. For background logging in production, use -A fast.

Step 8: Generate Test Traffic

From another system, initiate multiple SSH connections rapidly to trigger the threshold:

for i in {1..6}; do ssh -o ConnectTimeout=1 user@server-ip; done
Enter fullscreen mode Exit fullscreen mode

Snort will detect the rapid connection attempts and output an alert:

[**] [1:1000001:1] Possible SSH Brute Force Attack Detected [**]
Enter fullscreen mode Exit fullscreen mode

Understanding the Results
By using a detection filter, your alerts will specifically highlight high-frequency connection attempts rather than normal administrator logins. Not every alert represents a successful compromise, but it provides visibility into aggressive automated bot activity.

Reducing False Positives

To improve server security:

  • Restrict SSH access to trusted IP addresses only.
  • Change SSH to key-based authentication and disable password logins.
  • Adjust the count and seconds in your Snort rule based on your server's normal traffic baseline.

Why Snort Is Useful on Dedicated Servers

Dedicated servers often host websites, APIs, databases, and remote management services that are continuously exposed to the internet. Snort provides:

  • Real-time network monitoring
  • Intrusion detection capabilities
  • Custom alert rules with rate-limiting
  • Unmatched traffic visibility

By identifying brute-force attempts early, administrators can investigate and respond before minor events develop into larger security incidents.

Conclusion

Monitoring SSH traffic with Snort adds a critical layer of visibility for Ubuntu dedicated servers. Instead of relying solely on standard logs, administrators gain real-time insights into aggressive network behavior.

This proactive approach becomes especially important for servers running public-facing services, where continuous exposure to automated scanning is common. Robust network monitoring is highly suitable for enterprise-grade dedicated server setups, ensuring stable performance and secure deployments.

A layered security approach is always recommended, including:

  • A properly configured firewall (UFW or equivalent)
  • Strong SSH authentication using key-based access
  • Intrusion detection tools such as Snort
  • Automated protection tools like Fail2Ban
  • Regular system and package updates

When these components are implemented together, the server becomes significantly more resilient against common network-based attacks while maintaining full control and visibility for administrators.

Top comments (0)