How do I stop bruteforce SSH login attempt?

Al Gordon runlevel7 at
Wed Apr 12 19:41:06 UTC 2006

On 4/12/06, Soo-Hyun Choi <s.choi at> wrote:
> Hi,
> A few days ago, I have noticed that my system is under constant
> attack(?) with a bruteforce SSH login - e.g., from a single IP
> address, it tries like 100 ~ 200 ssh login trial with all different
> user names, and go away.
> I know how to block it in a FreeBSD system with "denyhost" or
> "bruteforceblocker" from the ports, but I have little knowledge in my
> Ubuntu 5.10 box.
> Would there be anyone who could tell me something about it?
> Thank you.
> Soo-Hyun

Another solution, in addition to the ones you've received.  I like
this one because it's easy to implement:

First, do this:
sudo apt-get install libpam-modules

Then, add the following 2 lines to /etc/pam.d/ssh:

auth required onerr=fail no_magic_root
account required onerr=fail deny=3 no_magic_root
even_deny_root_account reset

sudo /etc/init.d/ssh restart

Now, any account that is attacked is automatically locked after 3
failed remote login attempts.

Pros to this solution: It's quick and easy to implement
Cons to this solution: It allows someone (including yourself) to deny
you access to your own account by attempting to login 3 times with bad
credentials.  If an account is locked, you have to login at the
console to unlock it.


  -- AL --

More information about the ubuntu-users mailing list