Brute force attacks are common security threats for Linux VPS servers, where attackers attempt to guess login credentials by trying multiple password combinations. These attacks can lead to server access, data compromise, and even complete system takeover. Protecting your VPS from such attacks is essential to ensure data security and server performance. This guide outlines various methods to secure your VPS against brute force attacks using firewalls, authentication strategies, and security tools.
What is Brute Force Attack
A brute force attack is a hacking method where attackers attempt to gain access to a system, account, or network by systematically trying all possible combinations of passwords or encryption keys until the correct one is found. This approach relies on sheer computing power and repetition to “force” entry, often targeting accounts with weak or common passwords. Brute force attacks can be time-consuming and resource-intensive. But they can succeed if security measures are inadequate, potentially exposing sensitive data or allowing unauthorized access to systems.
How to Identify Brute Force Attack?
To identify brute force attack, you can look for specific patterns and unusual behaviors in your server logs and monitor system activity. Here are some common indicators:
-> Repeated Failed Login Attempts: Check authentication logs (e.g., /var/log/auth.log on Ubuntu/Debian or /var/log/secure on CentOS/RHEL) for multiple failed login attempts in a short period. This often indicates an automated script trying different credentials.
-> Unusual IP Activity: Frequent login attempts from a single or multiple IPs trying to access your server in quick succession could indicate a distributed brute force attack. This is especially noticeable if the IPs originate from unusual locations or regions.
-> High Server Resource Usage: Brute force attacks can spike CPU and memory usage due to the high volume of requests. Monitoring your server’s resource usage can help detect any abnormal load that might correlate with login attempts.
-> Unfamiliar or Unauthorized Accounts: If you detect any unauthorized or unfamiliar accounts being created, this could indicate that a brute force attack was successful in gaining access to your system.
-> Real-Time Intrusion Detection Systems (IDS): Tools like Fail2Ban and OSSEC can detect and alert you to potential brute force attacks by monitoring logs for specific patterns of failed logins and blocking offending IPs.
Monitoring these indicators and setting automated alerts enables prompt identification and response to brute force attacks on your server.
How to prevent Brute Force Attack??
Enable any Firewall
To help protect your server from brute force attacks, enabling a firewall is an essential first step. A firewall like UFW or FirewallD limits access to specific ports and restricts IPs with excessive failed connection attempts. By allowing only trusted IP addresses and setting rate limits on services like SSH, a firewall reduces the risk of unauthorized login attempts. Additionally, pairing a firewall with tools like Fail2Ban strengthens your defenses by blocking IPs that show patterns of brute force activity, further safeguarding your system.
Install and Configure Fail2Ban
Fail2Ban protects servers from brute force by monitoring logs for repeated failed logins and blocking offending IPs automatically. When an IP address attempts too many unsuccessful logins within a specified timeframe, Fail2Ban detects this pattern as a possible brute force attack and bans the IP, temporarily or permanently, based on your configuration. Fail2Ban’s automated response minimizes unauthorized access risk, maintaining server integrity with dynamic, rule-based security. This tool complements firewalls, providing an additional layer of automated defense against brute force attacks.
Install Fail2ban
sudo apt install fail2ban -y // For Debian/Ubuntu
sudo yum install epel-release -y // For CentOS/RHEL
sudo yum install fail2ban -y
Configuring Fail2Ban
Copy the default configuration:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local to enable SSH protection and set ban parameters:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
bantime = 3600
Restart Fail2Ban:
sudo systemctl restart fail2ban
Fail2Ban monitors logs for repeated failed login attempts and blocks IP addresses that exceed allowed attempts.
Disable Root Login and Use SSH Key Authentication
Disabling root login and using SSH key authentication significantly enhance server security against brute force attacks. Disabling root login prevents attackers from targeting the highest-privilege account, reducing unauthorized access even during brute force attempts. SSH key authentication adds an extra layer of security because it requires a unique, cryptographic key pair instead of a password, which is nearly impossible to guess or brute-force. Without root access and with SSH keys in place, attackers are forced to bypass a much more complex security barrier, effectively lowering the risk of successful brute force attacks on your server. To know detail steps to disable root login and ssh key authentication, kindly refer this article .
Change the Default SSH Port
Changing the default SSH port from 22 to a non-standard port helps protect against brute force attacks by hiding your server’s entry point. Automated brute force attacks often target default ports, as attackers assume common configurations for efficiency. When SSH operates on a different port, attackers must first identify the port in use, which adds a significant obstacle. This method, known as “security through obscurity,” doesn’t make your server immune to brute force but reduces its visibility, decreasing the frequency of random or automated attacks. Changing the SSH port, combined with other security measures like firewalls and authentication protocols, strengthens your server’s overall security posture by making it less accessible to unsophisticated and automated attack scripts.
To change the default SSH port, edit the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Change the Port directive to a port number of your choice, e.g., Port 3147
port 3147Save the file and restart SSH:
sudo systemctl restart ssh
Ensure your firewall allows connections to the new port.
Enable Two-Factor Authentication (2FA)
Enabling Two-Factor Authentication (2FA) significantly strengthens defense against brute force attacks by requiring not only a password but also a second form of verification, usually a one-time code generated on a personal device. This means that even if an attacker manages to guess or brute-force the password, they would still need access to the second factor, which is typically unique and time-sensitive. By adding this extra layer, 2FA reduces the likelihood of unauthorized access through brute force, as attackers are highly unlikely to have both the password and the second authentication factor.
To enable Two-factor Authentication, Kindly refer this article.
Conclusion
Securing your Linux VPS against brute force attacks is crucial to maintain system integrity and data confidentiality. Implementing these strategies—firewall configuration, Fail2Ban, SSH key authentication, non-default ports, and 2FA—can greatly enhance your server’s security. Regular monitoring and updates to your VPS’s security setup are also essential to stay protected against evolving threats.
Also Reads:
Disabling Root Login and Creating a Sudo User for Strengthening VPS Security
Setting up Google 2 Factor Authentication for OpenSSH
