SSH Brute Force

A Debian-first guide to detecting, containing, recovering from, and reducing SSH brute force activity on exposed systems.

What this is

SSH brute force attacks happen when remote systems, almost always automated scanners rather than a person at a keyboard, repeatedly attempt to log in to your server using different usernames and passwords. This is one of the most common forms of background internet noise against publicly exposed Linux systems: any host with port 22 reachable from the internet starts seeing it soon after it comes online.

What it looks like

In the logs it is a steady stream of failed logins for common usernames (root, admin, ubuntu, pi and the like) from a rotating set of source addresses, often several attempts per second. The Detect section below shows how to see it.

Detect

Check recent SSH activity

sudo journalctl -u ssh --since "1 hour ago"

Look for failed logins

sudo grep "Failed password" /var/log/auth.log

On Debian 12 (bookworm) and later, rsyslog is no longer installed by default, so /var/log/auth.log may not exist at all. In that case read the journal instead:

sudo journalctl -u ssh --since "1 hour ago" --no-pager | grep "Failed password"

Count repeated attempts by source IP

sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr

The awk field works because sshd ends every "Failed password" line with "from <IP> port <N> ssh2", so the address is always the fourth field from the end. It does not catch attempts that are rejected before any password is checked, which show up as "Invalid user ..." or "Connection closed by authenticating user ..." lines; once you disable password authentication, those are the only lines the attackers produce.

Hundreds of failures from a handful of addresses is normal internet background noise, not a sign that someone has singled you out. What deserves attention is a long run from a single address, attempts against usernames that actually exist on the system, or a failure burst followed by an "Accepted" line from the same address.
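As an added example that is not part of the original guide, the function below does the same counting over a stream of sshd lines from either journalctl or auth.log, and extends the grep above to the failure lines sshd writes when no password is ever checked. The log lines embedded in it are constructed for illustration; the addresses are documentation ranges, not real attackers.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide.
# Rank source IPs by sshd authentication failures read from stdin.
# Works on "journalctl -u ssh" output and on /var/log/auth.log alike.
set -eu

# failed_by_ip: print "<count> <ip>" for every source address, most active first.
# Counts the classic "Failed password" line plus the lines sshd writes when the
# attempt never reaches a password check (unknown user, or password auth disabled).
# One attempt can produce more than one of these lines, so treat the numbers as a
# ranking rather than an exact attempt count. IPv4 only.
failed_by_ip() {
  awk '
    /Failed password for/ ||
    /Invalid user .* from/ ||
    /Connection closed by (authenticating|invalid) user/ ||
    /Disconnected from (authenticating|invalid) user/ {
      # sshd always writes the peer as "<ip> port <n>"; pull the address out of that.
      if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ port [0-9]+/)) {
        ip = substr($0, RSTART, RLENGTH)
        sub(/ port.*/, "", ip)
        count[ip]++
      }
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample (documentation-range addresses, invented PIDs and timestamps).
# It mixes an address trying unknown and real users, a repeat root guesser, one
# attempt refused before any password was tried, and one legitimate key login
# that must not be counted.
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 09:00:01 web sshd[2101]: Invalid user admin from 203.0.113.5 port 41230
Jan 10 09:00:01 web sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41230 ssh2
Jan 10 09:00:03 web sshd[2104]: Failed password for root from 203.0.113.5 port 41231 ssh2
Jan 10 09:00:05 web sshd[2107]: Failed password for root from 198.51.100.7 port 55002 ssh2
Jan 10 09:00:06 web sshd[2107]: Failed password for root from 198.51.100.7 port 55002 ssh2
Jan 10 09:00:09 web sshd[2110]: Connection closed by authenticating user root 192.0.2.9 port 60010 [preauth]
Jan 10 09:01:00 web sshd[2115]: Accepted publickey for deploy from 10.0.0.4 port 50122 ssh2: ED25519 SHA256:constructedfingerprint
EOF
)

# Run against the sample. On a real host replace the printf with:
#   sudo journalctl -u ssh --since "1 hour ago" --no-pager | failed_by_ip | head
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```

The output lists 203.0.113.5 first with three lines against it, then 198.51.100.7 with two, then the single pre-auth disconnect from 192.0.2.9; the key login is ignored. Pipe the real journal through it and feed the top addresses to the Contain step.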

Contain

Block a known malicious IP

sudo ufw insert 1 deny from <IP_ADDRESS>

ufw evaluates rules in order and stops at the first match, so a deny rule appended after an existing "allow 22" rule never fires for SSH traffic. "insert 1" places the block at the top of the list where it takes effect. Confirm the result and the rule order:

sudo ufw status numbered

Recover

Verify no successful password access occurred

sudo grep "Accepted password" /var/log/auth.log

Check "Accepted publickey" lines as well. A key login from an address that had been brute forcing you is not a failed attack; it means a key was planted or stolen.

Check for unexpected users

cut -d: -f1 /etc/passwd

Compare the list against the accounts you expect. New names, a second account with UID 0, or a login shell on what should be a service account are the entries to look at. If anything looks suspicious, review user accounts and their authorized_keys files, rotate credentials, inspect the SSH configuration (including any /etc/ssh/sshd_config.d drop-ins) for changes, and check for persistence such as new cron jobs or systemd units and other unauthorized changes. A host with a confirmed unexpected successful login should be treated as compromised until shown otherwise.
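As an added example that is not part of the original guide, the two checks below put the recovery steps into reusable form: one lists every successful sshd login regardless of method, the other lists the accounts in a passwd file that can actually log in, so additions stand out. The log lines and passwd entries embedded here are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide.
# Recovery checks: list successful sshd logins by any method, and list the
# accounts in a passwd file that are able to log in at all.
set -eu

# accepted_logins: print "<method> <user> <ip>" for each Accepted line on stdin.
# Covers publickey and keyboard-interactive as well as password, since a brute
# forcer who got in once may have planted a key and come back with it.
accepted_logins() {
  awk '
    /Accepted (password|publickey|keyboard-interactive\/pam) for/ {
      for (i = 1; i <= NF; i++) {
        # "... Accepted <method> for <user> from <ip> port <n> ..."
        if ($i == "Accepted") { print $(i+1), $(i+3), $(i+5); break }
      }
    }'
}

# login_accounts [FILE]: print "<user> <uid> <home> <shell>" for accounts with
# UID 0 or a regular-user UID (1000 and up on Debian) whose shell is not
# nologin or false. Reads stdin when no file is given; pass /etc/passwd on a host.
login_accounts() {
  awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ { print $1, $3, $6, $7 }' "$@"
}

# Constructed sample log: one expected key login, one password login for an
# account that should not exist, one failure from the same address.
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 09:01:00 web sshd[2115]: Accepted publickey for deploy from 10.0.0.4 port 50122 ssh2: ED25519 SHA256:constructedfingerprint
Jan 10 09:02:13 web sshd[2130]: Accepted password for backup from 203.0.113.5 port 41299 ssh2
Jan 10 09:02:20 web sshd[2133]: Failed password for root from 203.0.113.5 port 41300 ssh2
EOF
)

# Constructed passwd sample. Debian's real "backup" account is UID 34 with a
# nologin shell; a second one with a shell and a hidden home directory is the
# kind of entry this check is meant to surface.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
backup:x:1001:1001::/var/tmp/.x:/bin/bash
EOF
)

# On a real host: sudo journalctl -u ssh --no-pager | accepted_logins
#                 login_accounts /etc/passwd
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
printf '%s\n' "$SAMPLE_PASSWD" | login_accounts
```

The first command shows the key login for deploy and the password login for backup from the attacking address; the second shows root, deploy and the rogue backup account while skipping the nologin system accounts. Cross-check the login list against "last -a" and "lastlog", and compare the fingerprint on "Accepted publickey" lines with the keys you actually issued.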

Prevent

There is no single solution. Use multiple defensive layers depending on your environment.

Option 1 — Disable password authentication

Do this only once key-based login (Option 2) has been tested from a second, separate session; if keys are not working yet, this locks you out.

sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no

Two things to check in the same file. First, KbdInteractiveAuthentication must also be no (the keyword is ChallengeResponseAuthentication on OpenSSH older than 8.7, which is what Debian 11 ships); Debian's default config has it off, but if it has been enabled PAM can still prompt for a password even with PasswordAuthentication no. Second, Debian's sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in in that directory overrides anything set later in the main file; make sure none of them re-enables passwords. Validate the syntax with "sudo sshd -t", then restart SSH:

sudo systemctl restart ssh

Existing sessions survive the restart, but stay logged in until a fresh key login has been confirmed. With both keywords off there is no password left to guess; the attempts keep arriving, but each is rejected before any password is checked.

Option 2 — Use SSH keys only

Generate a key on your workstation if you do not have one ("ssh-keygen -t ed25519"), then copy the public key to the server:

ssh-copy-id user@server_ip

Test the key login from a new terminal before disabling passwords. A key cannot be guessed over the network the way a password can, so once password authentication is off the brute force traffic is harmless noise; it still shows up in the log as "Connection closed by authenticating user" lines. Protect the private key with a passphrase and never copy it onto the server.
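Options 1 and 2 are one procedure: keys first, then passwords off, then verify. As an added example that is not part of the original guide, the script below does the server side of that procedure with a drop-in file instead of editing sshd_config by hand, and checks the result against "sshd -T", which prints the configuration sshd actually enforces after every Include is resolved, rather than trusting the file you edited. The drop-in file name, the user and the host name are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Server-side hardening: turn off
# password logins via a drop-in, validate, reload, then verify what sshd really
# enforces. Run with --apply on the server; without it only the check is defined.
set -eu

# check_sshd_effective_auth: read "sshd -T" output on stdin and succeed only if
# password and keyboard-interactive (PAM password prompt) auth are both off and
# public-key auth is on. Older OpenSSH (Debian 11, 8.4) reports the PAM setting
# as challengeresponseauthentication, so both spellings are accepted.
check_sshd_effective_auth() {
  awk '
    $1 == "passwordauthentication"          { pw  = $2 }
    $1 == "kbdinteractiveauthentication"    { kbd = $2 }
    $1 == "challengeresponseauthentication" { if (kbd == "") kbd = $2 }
    $1 == "pubkeyauthentication"            { pub = $2 }
    END {
      ok = (pw == "no" && kbd == "no" && pub == "yes")
      printf "passwordauthentication=%s kbdinteractiveauthentication=%s pubkeyauthentication=%s: %s\n",
             pw, kbd, pub, (ok ? "hardened" : "password login still possible")
      exit (ok ? 0 : 1)
    }'
}

# harden_sshd: the server side of Options 1 and 2. Run it only after a key login
# has been verified from a second terminal on your workstation, for example:
#   ssh -o PasswordAuthentication=no -o BatchMode=yes user@server_ip true
# and keep that session open until the final check passes.
harden_sshd() {
  local dropin=/etc/ssh/sshd_config.d/50-keys-only.conf   # assumed name; any *.conf works
  # Debian's sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf" and
  # sshd keeps the first value it sees for each keyword, so this drop-in wins over
  # anything later in the main file. On Debian 11 (OpenSSH 8.4) replace
  # KbdInteractiveAuthentication with ChallengeResponseAuthentication; sshd -t
  # rejects the unknown keyword there before anything is reloaded.
  sudo tee "$dropin" >/dev/null <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
  sudo sshd -t                  # syntax check; set -e stops here if the config is broken
  sudo systemctl reload ssh     # reload is enough; existing sessions stay up
  sudo sshd -T | check_sshd_effective_auth
}

if [ "${1:-}" = "--apply" ]; then
  harden_sshd
fi
```

The check is the part worth keeping around: "sudo sshd -T | check_sshd_effective_auth" tells you in one line whether a password can still be accepted, whichever file the setting came from, and exits non-zero when it can, so it fits in a configuration audit.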

Option 3 — Install Fail2Ban

sudo apt update
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd

Fail2Ban watches the sshd log and temporarily firewalls addresses that exceed a failure threshold; on Debian the sshd jail is enabled out of the box, and the second status command lists the addresses currently banned. Two caveats. If the service refuses to start because it cannot find a log file for the sshd jail, the host has no /var/log/auth.log (see the Detect section) and the jail needs "backend = systemd" in a /etc/fail2ban/jail.local override. And add your own administrative address to "ignoreip" in the same file, so a mistyped password on your side does not ban you. Fail2Ban slows brute forcing down and keeps the logs readable; it does not stop it, so treat it as a complement to key-only authentication rather than a substitute.

Option 4 — Reduce exposure

If SSH is not needed publicly:

sudo ufw deny 22

Or restrict access to a trusted IP:

sudo ufw allow from <your_ip> to any port 22

For the restriction to mean anything, any broader rule that allows port 22 from anywhere has to be removed as well (find its number with "ufw status numbered" and remove it with "ufw delete <number>"); otherwise the wider rule still matches first. ufw also has a built-in rate limit, "ufw limit 22/tcp", which denies an address that opens six or more connections within thirty seconds. It is a cheap first layer when you cannot pin the source address down.

Optional Tools & Hosting

Everything above can be done manually using built-in Debian tools, which is often the best choice for control, privacy, and cost efficiency.

Over time, this section may include carefully selected low-cost services or tools that make monitoring, firewall management, or remote administration easier. Any future recommendations will be kept practical, privacy-conscious, and relevant to the specific problem being discussed.

For now, the manual Debian-based workflow remains the primary recommendation.

Notes

Environment Note

All commands shown are based on Debian-based systems unless otherwise noted.