The default SSH port (22) is a common target for hackers and automated scripts attempting brute-force attacks. To enhance server security, it's recommended to regularly check login logs and consider changing the default SSH port. This article explains how to detect attack attempts and securely modify the SSH port.
Detecting SSH Login Failures
You can analyze the /var/log/secure (RHEL/CentOS) or /var/log/auth.log (Debian/Ubuntu) log files to view failed SSH login attempts and their source IP addresses.
The following command counts and lists the IP addresses with the most failed attempts:
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2" = "$1" times"}'
If you see numerous failures from specific IPs, your server is likely under a brute-force attack. Besides changing the port, consider using tools like Fail2ban for active defense.
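As an added example (not from the original article), the following shell script applies the same log analysis to a constructed sample of /var/log/secure-style lines. It keys on the "from <ip>" token rather than a fixed field offset, so both "Failed password for user" and "Failed password for invalid user X" lines are counted the same way, and it flags source IPs at or above a failure threshold. The sample lines, hostname and IP addresses are constructed for this example.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source IP and flag likely
# brute-force sources. SAMPLE_LOG is constructed test data, not real logs.
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:04 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:07 host sshd[1236]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:02:10 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:03:15 host sshd[1241]: Failed password for alice from 198.51.100.7 port 40010 ssh2'

# failed_by_ip: read log lines on stdin, print "IP count" sorted by count
# (descending). Locating the word "from" makes the parser independent of
# how many words precede it ("for root" vs "for invalid user admin").
failed_by_ip() {
  awk '/sshd.*Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# flag_brute_force THRESHOLD: from "IP count" lines on stdin, print the IPs
# whose failure count is >= THRESHOLD.
flag_brute_force() {
  awk -v t="$1" '$2 >= t { print $1 }'
}

# count_for_ip IP: failure count for one IP in the sample (0 if absent).
count_for_ip() {
  printf '%s\n' "$SAMPLE_LOG" | failed_by_ip | awk -v ip="$1" -v c=0 '$1 == ip { c = $2 } END { print c }'
}

# Usage against the sample. On a live host, replace the printf with
#   sudo cat /var/log/secure      (or /var/log/auth.log on Debian/Ubuntu)
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip | flag_brute_force 3
```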
Changing the Default SSH Port (CentOS/RHEL 7+ Example)
Important: Before changing the port, ensure you have an alternative access method (e.g., console) in case of configuration errors.
Step 1: Edit the SSH Configuration File
Open the SSH configuration file with a text editor:
sudo vi /etc/ssh/sshd_config
Find the line #Port 22. For a smooth transition, add a new port instead of directly modifying port 22.
Port 22
Port 12449
Explanation:
- Uncomment Port 22 (remove the #) and keep it, while adding a new port (e.g., 12449). This makes the SSH service listen on both port 22 and the new port.
- Port numbers range from 0-65535; choose a non-well-known port between 1024-65535 to avoid conflicts with common services.
Step 2: Configure the Firewall (If Enabled)
If a firewall (e.g., firewalld or iptables) is enabled, you must allow the new SSH port.
For firewalld (default on CentOS/RHEL 7+):
sudo firewall-cmd --permanent --add-port=12449/tcp
sudo firewall-cmd --reload
For iptables (older systems):
Edit the iptables rules file (e.g., /etc/sysconfig/iptables) and add a rule:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 12449 -j ACCEPT
Then restart the iptables service:
sudo systemctl restart iptables # or sudo service iptables restart
Step 3: Restart SSH and Test the New Port
Restart the SSH service to apply the changes:
sudo systemctl restart sshd # or sudo service sshd restart
After restarting, do not close your current connection. Open a new terminal and test connecting with the new port:
ssh -p 12449 username@your_server_ip
If the new port connection succeeds, proceed to the next step.
Step 4: Disable the Default Port 22
Once the new port is confirmed working, return to the SSH configuration file, comment out (or delete) the Port 22 line, leaving only the new port:
#Port 22
Port 12449
Restart the SSH service again:
sudo systemctl restart sshd
SSH will now listen only on the new port, and port 22 is closed.
Security Recommendations
- Use Key Authentication: Disable password login entirely and use SSH key pairs for higher security.
- Restrict Root Login: Set PermitRootLogin no in sshd_config to prevent direct root login.
- Use Fail2ban: A tool that automatically blocks IP addresses after multiple failed attempts.
- Keep Systems Updated: Regularly update your system and software.
Following these steps can significantly reduce the risk of SSH brute-force attacks and improve overall server security.