DEV Community

Cover image for SSH Security: How To Protect Your Server From Brute Force Attacks
Sudhir Bahadure
Sudhir Bahadure

Posted on

SSH Security: How To Protect Your Server From Brute Force Attacks

Introduction

Did you know that 61% of all cyber attacks in 2026 are caused by weak passwords and brute force attacks on servers? By following this tutorial, you will build a secure SSH server that protects your Linux system from such attacks. This matters in 2026 because, with the rise of remote work and cloud computing, the risk of cyber attacks has increased exponentially. To get started, you will need:

  • A Linux distribution (such as Ubuntu or Arch Linux)
  • A basic understanding of Linux commands and SSH
  • A computer or virtual machine with internet access

Table of Contents

  1. Introduction
  2. Step 1 — Configure SSH Server
  3. Step 2 — Set Up Public Key Authentication
  4. Step 3 — Limit SSH Access
  5. Step 4 — Install Fail2Ban
  6. Step 5 — Configure Fail2Ban
  7. Real-World Usage
  8. Real-World Application
  9. Conclusion
  10. Your Turn

Step 1 — Configure SSH Server

Configuring the SSH server is the first step in securing your Linux system. This step matters because it sets the foundation for all subsequent security measures. To configure the SSH server, run the following command:

sudo nano /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode

This will open the SSH configuration file in the nano editor. Update the file to include the following lines:

Port 2222
PermitRootLogin no
X11Forwarding no
Enter fullscreen mode Exit fullscreen mode

Save and close the file, then restart the SSH service:

sudo systemctl restart ssh
Enter fullscreen mode Exit fullscreen mode

Expected output:

ssh restart done
Enter fullscreen mode Exit fullscreen mode

Step 2 — Set Up Public Key Authentication

Public key authentication is a secure way to access your SSH server without using passwords. This step matters because it eliminates the risk of brute force attacks on your password. To set up public key authentication, generate a public-private key pair on your local machine using the following command:

ssh-keygen -t rsa -b 4096
Enter fullscreen mode Exit fullscreen mode

This will create a public-private key pair in the ~/.ssh directory. Copy the public key to your SSH server using the following command:

ssh-copy-id -p 2222 user@server-ip
Enter fullscreen mode Exit fullscreen mode

Replace user with your username and server-ip with your server's IP address.

Step 3 — Limit SSH Access

Limiting SSH access is crucial to prevent unauthorized access to your server. This step matters because it reduces the attack surface of your server. To limit SSH access, create a new user group and add your user to it:

sudo groupadd sshusers
sudo usermod -aG sshusers user
Enter fullscreen mode Exit fullscreen mode

Replace user with your username. Then, update the SSH configuration file to only allow access to members of the sshusers group:

sudo nano /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode

Add the following line to the file:

AllowGroups sshusers
Enter fullscreen mode Exit fullscreen mode

Save and close the file, then restart the SSH service:

sudo systemctl restart ssh
Enter fullscreen mode Exit fullscreen mode

Step 4 — Install Fail2Ban

Fail2Ban is a software that monitors your server's logs for signs of brute force attacks and bans the offending IP addresses. This step matters because it provides an additional layer of security against attacks. To install Fail2Ban, run the following command:

sudo pacman -S fail2ban
Enter fullscreen mode Exit fullscreen mode

On Arch Linux, or

sudo apt-get install fail2ban
Enter fullscreen mode Exit fullscreen mode

on Ubuntu-based systems.

Step 5 — Configure Fail2Ban

Configuring Fail2Ban is essential to ensure it works correctly. This step matters because it sets up the rules for banning IP addresses. To configure Fail2Ban, create a new configuration file:

sudo nano /etc/fail2ban/jail.local
Enter fullscreen mode Exit fullscreen mode

Add the following lines to the file:

[ssh]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Enter fullscreen mode Exit fullscreen mode

Save and close the file, then restart the Fail2Ban service:

sudo systemctl restart fail2ban
Enter fullscreen mode Exit fullscreen mode

Expected output:

fail2ban restart done
Enter fullscreen mode Exit fullscreen mode

Real-World Usage

Now that you have set up a secure SSH server, you can use it to access your server from anywhere. For example, you can use the following command to connect to your server:

ssh -p 2222 user@server-ip
Enter fullscreen mode Exit fullscreen mode

Replace user with your username and server-ip with your server's IP address.

Real-World Application

This secure SSH server setup can be used in various real-world scenarios, such as:

  • Hosting a web application on a cloud server, where security is crucial to prevent data breaches. Consider using a VPN service like NordVPN (68% off + 3 months free) to add an extra layer of security.
  • Creating a remote development environment, where multiple developers need to access the server securely. You can host your server on a cloud platform like Vultr Cloud (Get $100 free credit to host your apps) and use the secure SSH setup to access it.

Conclusion

In this tutorial, you have built a secure SSH server that protects your Linux system from brute force attacks. The three key takeaways from this tutorial are:

  1. Configuring the SSH server to use a non-standard port and disabling root login.
  2. Setting up public key authentication to eliminate the risk of password-based attacks.
  3. Installing and configuring Fail2Ban to monitor and ban IP addresses that attempt to brute force your server. Next, you can build on this setup by implementing additional security measures, such as two-factor authentication and regular security audits.

💬 Your Turn

Have you automated server security before? What was your approach? Drop it in the comments — I read every one.

💡 Found this helpful?

If this tutorial saved you time or solved a problem, consider:

Support me on Ko-fi

Every coffee keeps me writing free tutorials like this one!


This article was written with AI assistance and reviewed for technical accuracy.
Part of the **Linux & Security Deep Dives* series — Follow for more free tutorials*

#aBotWroteThis

Top comments (0)