Blocking SSH brute force attempts on Ubuntu

It never takes long for the script kiddies to start once you open up ssh to the interweb. Look in your /var/log/auth.log and I'll bet you find a load of brute force attempts on ssh:

Failed password for invalid user bind from port 50739 ssh2
Failed password for invalid user test from port 50950 ssh2
Failed password for invalid user user from port 51105 ssh2
Failed password for invalid user administrator from port 51254 ssh2

This is a "1337 h4X0r" (read:kiddie) running a dictionary against your ssh server. If you have chosen strong passwords, then you are a bit safer, but there are better ways.

Use certificates instead of passwords

Have a look at the passwordless ssh howto here .If you dont want to switch off passwords, there is another way to block brute force attempts:


This is a script designed to run on your ssh server to block brute force attempts, I really like this approach because you can get it to block ALL traffic from the offending ip - so if someone tries ssh and fails, they can't try anything else from the same ip for a set number of days. This makes it inconvenient, and much easier to try somewhere else. It also logs all the names attempted, so you could use those in your own dictionary should you be so inclined...

Download from

tar zxvf  DenyHosts-2.5.tar.gz # change for whatever version you're using
cd Denyhosts-2.5
sudo python install
cd /usr/share/denyhosts
sudo cp  denyhosts.cfg-dist denyhosts.cfg
sudo vi denyhosts.cfg
# If you are using Ubuntu, your SECURE LOG should be as below, comment out all the others 
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.blocked # We use this instead of hosts.deny so we can use TCPWRAPPERS later
BLOCK_SERVICE = ALL # Not essential, but i prefer just locking the buggers out completely. Be careful of this on web servers etc, you dont want to block an entire internet cafe from browsing your site because of a visiting script kiddie.
PURGE_DENY = 7d # Removes ips from the list after 7 days, adjust to taste - default is never 
LOCK_FILE = /var/run/ #Comment out the other LOCK_FILEs
SYNC_SERVER = #This is a great idea, it lets users around the world share info, so misbehaving ips dont even need to try you to get blocked. Disabled by default.  
#Edit the other settings to taste, the defaults should be fine for most setups, but you might want to lower allowed attempts etc.   
sudo touch /etc/hosts.blocked
sudo vi /etc/hosts.deny
sshd:ALL:spawn python2.4 /usr/bin/ --purge -c /etc/denyhosts.cfg: allow

Job done. Now denyhosts will run each time an ssh login attempt is made, and block anyone who has made multiple login attempts.


The Ubuntu Counter Project - user number # 5498