How to Secure Your Dedicated Server Against Brute Force Attacks
Brute force attacks are a common cybersecurity threat where attackers attempt to gain unauthorized access to your server by guessing login credentials. Securing your dedicated server against brute force attacks is essential to protect sensitive data and maintain server performance. This step-by-step guide will help you implement effective measures to defend your server.
Step 1: Use Strong Passwords
One of the simplest and most effective ways to prevent brute force attacks is by using strong, complex passwords.
- Ensure your root and user account passwords are at least 12 characters long.
- Use a mix of uppercase and lowercase letters, numbers, and special characters.
- Avoid using dictionary words or easily guessable information like names or dates.
You can generate strong passwords using tools like:
openssl rand -base64 14
Step 2: Change the Default SSH Port
Attackers commonly target the default SSH port (22). Changing this port makes your server a less obvious target.
- Edit the SSH configuration file:
nano /etc/ssh/sshd_config
- Locate the line:
#Port 22
- Uncomment it and change the port number to a non-standard one (e.g., 2222):
Port 2222
- Save the file and restart the SSH service:
systemctl restart sshd
Step 3: Limit Login Attempts
Limiting the number of failed login attempts can help block brute force attacks.
- Install Fail2Ban (a popular intrusion prevention tool):
apt install fail2ban # For Debian/Ubuntu
yum install fail2ban # For CentOS/RHEL
- Configure Fail2Ban by editing its jail configuration file:
nano /etc/fail2ban/jail.local
- Add rules for SSH:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
- Save the file and restart Fail2Ban:
systemctl restart fail2ban
Step 4: Enable Two-Factor Authentication (2FA)
Two-factor authentication adds an additional layer of security to your server.
- Install the Google Authenticator PAM module:
apt install libpam-google-authenticator # For Debian/Ubuntu
yum install google-authenticator # For CentOS/RHEL
- Run the setup for the root account:
google-authenticator
- Follow the prompts to generate a QR code and secret key.
- Edit the PAM configuration for SSH to enable 2FA:
nano /etc/pam.d/sshd
- Add the following line:
auth required pam_google_authenticator.so
- Restart the SSH service:
systemctl restart sshd
Step 5: Use a Firewall to Block Unwanted Traffic
Configure your firewall to allow only trusted IPs and block suspicious traffic.
- Use a firewall tool like UFW or firewalld.
- Allow trusted IPs and SSH port:
ufw allow from <trusted-ip> to any port 2222
# OR (--permanent is needed so the rule survives the reload)
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='<trusted-ip>' port port=2222 protocol=tcp accept"
firewall-cmd --reload
Step 6: Implement IP Blacklisting
Block IP addresses that repeatedly attempt to log in to your server.
- Monitor login attempts in logs:
grep "Failed password" /var/log/auth.log
- Use the firewall to block suspicious IPs:
ufw deny from <suspicious-ip>
# OR (--permanent is needed so the rule survives the reload)
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='<suspicious-ip>' reject"
firewall-cmd --reload
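The log review in Step 6 can be turned into a per-address count, shown here as an added example that is not part of the original guide. The function name, host name, addresses and log lines are constructed for illustration; THRESHOLD reuses maxretry = 5 from the Fail2Ban jail in Step 3.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Count failed SSH password attempts per source address in sshd log lines.

THRESHOLD=5   # same value as maxretry in the Fail2Ban jail from Step 3

# Read log lines on stdin; print "count address" for every source with at
# least $1 failures, busiest first.
failed_by_ip() {
    awk -v min="$1" '
        # The user name is chosen by the client and may contain spaces or
        # even " from 192.0.2.99 port 1 ssh2", so read the address from the
        # END of the line: "... from <address> port <n> ssh2".
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" && $NF == "ssh2" {
            count[$(NF-3)]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges, made-up host name).
sample_log() {
    cat <<'EOF'
Mar  3 02:14:01 srv1 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:03 srv1 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:06 srv1 sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Mar  3 02:14:09 srv1 sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40118 ssh2
Mar  3 02:14:12 srv1 sshd[4109]: Failed password for invalid user oracle from 203.0.113.7 port 40125 ssh2
Mar  3 02:20:40 srv1 sshd[4130]: Failed password for deploy from 198.51.100.23 port 51822 ssh2
Mar  3 02:20:44 srv1 sshd[4130]: Failed password for deploy from 198.51.100.23 port 51822 ssh2
Mar  3 02:21:02 srv1 sshd[4133]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 198.51.100.23 port 51830 ssh2
Mar  3 02:25:10 srv1 sshd[4140]: Accepted password for deploy from 198.51.100.23 port 51901 ssh2
EOF
}

# On a real server: failed_by_ip "$THRESHOLD" < /var/log/auth.log
sample_log | failed_by_ip "$THRESHOLD"
```

Reading the address from the end of the line keeps a crafted user name from putting someone else's address (192.0.2.99 in the sample) on the block list.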
Step 7: Disable Root Login via SSH
Prevent attackers from targeting the root account directly.
- Edit the SSH configuration file:
nano /etc/ssh/sshd_config
- Locate the line:
PermitRootLogin yes
- Change it to:
PermitRootLogin no
- Save the file and restart SSH:
systemctl restart sshd
Step 8: Regularly Monitor and Update Your Server
Keeping your server updated ensures it is protected against known vulnerabilities.
- Update your server packages regularly:
apt update && apt upgrade # For Debian/Ubuntu
yum update # For CentOS/RHEL
- Monitor login attempts and server logs:
tail -f /var/log/auth.log
By following these steps, you can effectively secure your dedicated server against brute force attacks. Regularly monitoring your server and staying vigilant will ensure that your data and resources remain safe.