Erik Rigtorp

Hardening SSH against password brute-force attacks

If your SSH server is publicly accessible over the internet it will be subjected to password brute-force attacks. The best way to protect SSH from these attacks is to disable password authentication. It’s also good to rate limit both connection attempts and failed authentication attempts.

Disable password authentication by adding the following line to /etc/ssh/sshd_config:

AuthenticationMethods publickey

Rate limit connection attempts by adding a firewall rule:

$ sudo ufw limit OpenSSH

Rate limit failed authentication attempts using fail2ban.
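As an added example (not from the original post), the shell script below checks whether an sshd_config still permits a password-only login. It goes a little beyond the single line above: sshd takes the first value it sees for each keyword, and anything after a Match line applies only to matching connections, so a key-only rule placed inside a Match block leaves global password login enabled; the script also falls back to the PasswordAuthentication and KbdInteractiveAuthentication keywords when AuthenticationMethods is unset. The helper names and the two sample configs are mine and constructed for the demonstration.

```shell
# Added example, not from the original post. Reports whether an sshd_config
# still allows a password-only login. Only the global section before the first
# "Match" line is inspected, and the first value of a keyword wins, as in sshd.

# Print the first global value of a keyword ($2) from config file $1.
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }             # comments, blank lines
        tolower($1) == "match" { exit }                  # conditional section
        tolower($1) == key { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

# Succeed (exit 0) if a password alone can no longer authenticate.
password_login_disabled() {
    cfg="$1"
    methods=$(sshd_global_value "$cfg" AuthenticationMethods)
    if [ -n "$methods" ]; then
        # Each space-separated alternative must include publickey.
        ok=0
        for alt in $methods; do
            case "$alt" in
                *publickey*) ;;
                *) ok=1 ;;
            esac
        done
        [ "$ok" -eq 0 ] && return 0
    fi
    pw=$(sshd_global_value "$cfg" PasswordAuthentication)
    kbd=$(sshd_global_value "$cfg" KbdInteractiveAuthentication)
    # Both default to yes when unset; keyboard-interactive can carry a password.
    if [ "${pw:-yes}" = "no" ] && [ "${kbd:-yes}" = "no" ]; then
        return 0
    fi
    return 1
}

# Constructed samples: one hardened, one with the rule hidden inside a Match block.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
AuthenticationMethods publickey
PasswordAuthentication no
EOF
LEAKY_CFG=$(mktemp)
cat > "$LEAKY_CFG" <<'EOF'
#PasswordAuthentication yes
Match User backup
    AuthenticationMethods publickey
EOF
```

On a live host, `sudo sshd -T` prints the effective merged configuration and is the authoritative view; the script is a quick file-level check.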