How to secure Ubuntu server from brute-force SSH attacks?

There are different solutions. The best one is using RSA authentication that uses public/private keys to authenticate users.

Check this great manual for different approaches (RSA authentication included): http://www.la-samhna.de/library/brutessh.html

I'm using the 3rd solution on my server because I don't want to make it complicated for my non-technical users: using iptables to limit the number of connections per minute, which makes brute-force attacks inefficient and ineffective.

Here is the solution I'm using:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

As mentioned here: this will allow three port 22 connections from any given IP address within a 60 second period, and require 60 seconds of no subsequent connection attempts before it will resume allowing connections again. The --rttl option also takes into account the TTL of the datagram when matching packets, so as to endeavour to mitigate against spoofed source addresses.

As stated in the mentioned guide, it's better to use a white list to separate trusted users from these rules:

iptables -N SSH_WHITELIST

then add trusted hosts:

iptables -A SSH_WHITELIST -s $TRUSTED_HOST -m recent --remove --name SSH -j ACCEPT

and after that make the rules:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
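
As an added illustration (not code from the answer above or from the guide it links), this Python sketch models how the recent match in the rule set above counts NEW connections per source address, and why a blocked source stays blocked until it has been quiet for the full 60 seconds. It is a simplified model: the whitelist chain and --rttl are left out, the timeline is constructed, and refresh=False stands for the module's --rcheck option, which the answer does not use.

```python
from collections import defaultdict

def simulate(attempts, seconds=60, hitcount=4, refresh=True):
    """Return one verdict per NEW port-22 packet in `attempts`.

    attempts: (time_in_seconds, source_ip) tuples in chronological order.
    refresh=True models --update (a matching rule adds a fresh timestamp);
    refresh=False models --rcheck (matching never touches the list).
    """
    stamps = defaultdict(list)            # per-source timestamps, the "SSH" list
    verdicts = []
    for now, src in attempts:
        seen = stamps[src]
        seen.append(now)                  # --set rule: record this attempt
        verdict = "PASS"                  # falls through to the rest of INPUT
        for target in ("LOG", "DROP"):    # the two --hitcount rules, in order
            hits = sum(1 for t in seen if now - t <= seconds)
            if hits >= hitcount:
                if refresh:
                    seen.append(now)      # --update refreshes "last seen"
                if target == "DROP":
                    verdict = "DROP"
        verdicts.append(verdict)
    return verdicts

# Constructed timeline: one noisy source that keeps retrying every 45 s,
# one unrelated source, then 65 s of silence before the last attempt.
NOISY, OTHER = "192.0.2.10", "198.51.100.7"
SAMPLE = [(0, NOISY), (5, NOISY), (10, NOISY), (15, NOISY), (16, OTHER),
          (60, NOISY), (105, NOISY), (150, NOISY), (215, NOISY)]

if __name__ == "__main__":
    for label, flag in (("--update", True), ("--rcheck", False)):
        print(label)
        for (t, src), verdict in zip(SAMPLE, simulate(SAMPLE, refresh=flag)):
            print(f"  t={t:>3}s  {src:<13} {verdict}")
```

With --update the retries at 60, 105 and 150 seconds are all dropped and only the attempt after 65 quiet seconds passes; with --rcheck the same retries start passing again at 105 seconds.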

I get brute-force ssh attacks on my servers with a rate of 1 to 2 per day. I have installed denyhosts (Ubuntu package: denyhosts). It's a very simple but effective tool for that purpose: essentially it periodically scans your logs to detect brute-force attacks and puts IPs from where these attacks originate into your /etc/hosts.deny file. You won't hear from them again and your load should be reduced considerably. It is very configurable via its config file /etc/denyhosts.conf to tweak issues like how many wrong attempts constitute an attack etc.

Due to its transparent workings you can easily see what's going on (email notification: 'aha, another dastardly attack thwarted!') and undo mistakes due to your users mistyping their passwords repeatedly.

Of course, everything previously said about switching to other authentication methods holds but sometimes your requirements disagree with those of your users.

Also, new-connection rate limiting in iptables might be a better choice than denying access via hosts.deny. So, have a look at fail2ban as well. But if you know that ssh brute-force is your main concern (manually look through /var/log/auth.log to determine this), go with this very easy and low impact tool.


  1. Change the sshd port to something nonstandard
  2. Use knockd to implement a port-knocking system
  3. Use iptables' recent and hashlimit matches to limit consecutive SSH attempts
  4. Do not use passwords, but use SSH keys instead