SSH Brute Force Attack Detection

Authentication Attacks | Linux | Auth | Brute Force

What This Means

Detect and respond to SSH brute force attacks by analyzing auth.log patterns. Learn to identify automated password guessing, block attackers, and harden your SSH configuration.

Example Log

Mar  8 14:22:31 webserver sshd[12345]: Failed password for root from 185.220.101.42 port 58321 ssh2
Mar  8 14:22:33 webserver sshd[12346]: Failed password for root from 185.220.101.42 port 58322 ssh2
Mar  8 14:22:35 webserver sshd[12347]: Failed password for admin from 185.220.101.42 port 58323 ssh2
Mar  8 14:22:37 webserver sshd[12348]: Failed password for invalid user test from 185.220.101.42 port 58324 ssh2
Mar  8 14:22:39 webserver sshd[12349]: Failed password for invalid user oracle from 185.220.101.42 port 58325 ssh2

Indicators of Suspicious Activity

How to Investigate

  1. Parse auth.log and group failed password attempts by source IP
  2. Check the IP against threat intelligence and abuse databases (AbuseIPDB, Shodan)
  3. Determine which usernames are being targeted (root, admin, common names)
  4. Check if any attempts succeeded by searching for "Accepted password" from the same IP
  5. Review the attack timeline to understand the attack duration and intensity
  6. Check if the same IP is attacking other services (HTTP, FTP, SMTP)
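The steps above carried out in code. This is an added example, not a tool from the page; it uses the page's five log lines plus two constructed ones (an "Accepted password" from the same attacker and one unrelated failure) as sample input, and treats five or more failures inside any 60-second window as the brute-force threshold, which is an assumption taken from the rule of thumb in the FAQ.

```python
"""Group sshd password-auth events by source IP (investigation steps 1, 3, 4, 5).
Added example; the log text below is constructed sample data."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample: the page's five failures, then a success from the same
# source, then one unrelated failure from an internal host.
SAMPLE_LOG = """\
Mar  8 14:22:31 webserver sshd[12345]: Failed password for root from 185.220.101.42 port 58321 ssh2
Mar  8 14:22:33 webserver sshd[12346]: Failed password for root from 185.220.101.42 port 58322 ssh2
Mar  8 14:22:35 webserver sshd[12347]: Failed password for admin from 185.220.101.42 port 58323 ssh2
Mar  8 14:22:37 webserver sshd[12348]: Failed password for invalid user test from 185.220.101.42 port 58324 ssh2
Mar  8 14:22:39 webserver sshd[12349]: Failed password for invalid user oracle from 185.220.101.42 port 58325 ssh2
Mar  8 14:22:41 webserver sshd[12350]: Accepted password for admin from 185.220.101.42 port 58326 ssh2
Mar  8 14:30:02 webserver sshd[12400]: Failed password for alice from 10.0.0.7 port 40001 ssh2
"""

# "invalid user" is present only when the account does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd password-auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime's default year is fine for deltas
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "accepted": m.group("result") == "Accepted",
        "invalid_user": m.group("invalid") is not None,
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def max_in_window(times, window_seconds):
    """Largest number of events that fall inside any span of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(log_text, window_seconds=60, threshold=5):
    """Per-IP failure count, targeted users, peak rate, span and any later success."""
    per_ip = defaultdict(lambda: {"failures": [], "users": set(),
                                  "invalid_users": set(), "accepted": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        b = per_ip[ev["ip"]]
        if ev["accepted"]:
            b["accepted"].append(ev["user"])          # step 4: did it ever get in?
        else:
            b["failures"].append(ev["ts"])
            b["users"].add(ev["user"])                # step 3: which accounts?
            if ev["invalid_user"]:
                b["invalid_users"].add(ev["user"])
    summary = {}
    for ip, b in per_ip.items():
        times = b["failures"]
        peak = max_in_window(times, window_seconds) if times else 0
        summary[ip] = {
            "failures": len(times),
            "users": sorted(b["users"]),
            "invalid_users": sorted(b["invalid_users"]),
            "accepted": b["accepted"],
            "peak_per_window": peak,                  # step 5: intensity
            "span_seconds": int((max(times) - min(times)).total_seconds()) if times else 0,
            "brute_force": peak >= threshold,
            # a success from a source that was brute forcing is the finding that matters
            "possible_compromise": peak >= threshold and bool(b["accepted"]),
        }
    return summary


def report(summary):
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["failures"]):
        flag = ("COMPROMISE?" if s["possible_compromise"]
                else "BRUTE FORCE" if s["brute_force"] else "ok")
        print(f"{ip:16} failures={s['failures']:3} peak/min={s['peak_per_window']:2} "
              f"span={s['span_seconds']}s users={','.join(s['users'])} "
              f"invalid={','.join(s['invalid_users'])} "
              f"accepted={','.join(s['accepted'])} [{flag}]")


if __name__ == "__main__":
    # usage: python3 ssh_bf.py < /var/log/auth.log   (falls back to the sample)
    report(summarize(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG))
```

The peak-per-window figure is what to act on, not the raw total: a slow scanner spreading attempts over days has a low peak and a large span, while a noisy bot has the opposite, and the response differs. Steps 2 and 6 (reputation lookup and cross-service correlation) are deliberately left out since they need external data.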

Recommended Mitigations

Frequently Asked Questions

How do I detect an SSH brute force attack?
Monitor /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS) for repeated "Failed password" entries from the same IP; "Failed password for invalid user" lines show the attacker is guessing account names as well as passwords. More than 5 failures per minute from one IP is a strong indicator. On hosts that log only to the systemd journal (Debian 12 and later without rsyslog), read the same events with journalctl -u ssh (Debian/Ubuntu) or journalctl -u sshd (RHEL).
What is the best way to stop SSH brute force attacks?
The most effective approach is to disable password authentication entirely (PasswordAuthentication no in sshd_config) and use SSH keys; password guessing then fails before any password is checked. Combined with fail2ban and firewall rules, this removes password brute force as a viable attack vector. Keep an existing session open while making the change, and confirm the effective setting with sshd -T | grep -i passwordauthentication rather than trusting the edited file, because sshd keeps the first value it reads for each keyword.
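Why checking the effective configuration matters, as an added example rather than anything from the page: sshd keeps the first value it reads for each keyword, and Include splices other files in at the point where it appears, so on an Ubuntu-style layout with Include at the top a drop-in can silently keep passwords enabled while a line appended to the end of sshd_config is ignored. Both configuration texts below are constructed samples, and the compiled-in defaults and the MaxAuthTries cap are assumptions stated in the code.

```python
"""Resolve an sshd_config the way sshd does (first value wins, Include expands
in place) and audit it for the hardening the answer above recommends.
Added example; all configuration text here is constructed."""
import fnmatch

# Assumption: compiled-in defaults of current OpenSSH for the audited keywords.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}
ACCEPTABLE = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "pubkeyauthentication": {"yes"},
}
MAX_AUTH_TRIES = 3   # assumption: the cap a practitioner wants


def effective_settings(text, files=None):
    """Return {keyword: value} for the global section, resolved like sshd:
    the FIRST occurrence of a keyword wins, 'Include' globs are expanded at the
    position they appear (in sorted order), and parsing stops at the first
    'Match' block, whose conditional settings are out of scope here.
    `files` maps include paths to their contents, standing in for the filesystem."""
    files = files or {}
    settings = {}

    def walk(body):
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
            if len(parts) != 2:
                continue
            key, value = parts[0].lower(), parts[1].strip()
            if key == "match":
                return True
            if key == "include":
                for pattern in value.split():
                    for name in sorted(files):
                        if fnmatch.fnmatch(name, pattern) and walk(files[name]):
                            return True
                continue
            settings.setdefault(key, value)      # later duplicates are ignored
        return False

    walk(text)
    return settings


def audit(text, files=None):
    """List (keyword, effective value, expected) for each hardening target not met."""
    eff = effective_settings(text, files)
    findings = []
    for key, allowed in ACCEPTABLE.items():
        have = eff.get(key, DEFAULTS[key])
        if have.lower() not in allowed:
            findings.append((key, have, "/".join(sorted(allowed))))
    tries = eff.get("maxauthtries", DEFAULTS["maxauthtries"])
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", tries, f"<= {MAX_AUTH_TRIES}"))
    return findings


# Constructed sample: Ubuntu-style main file with drop-ins included first, and a
# "PasswordAuthentication no" appended at the bottom that never takes effect.
WEAK_MAIN = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # appended by an admin; ignored, an earlier value won
"""
# Constructed drop-in in the style of the cloud-init one many images ship with.
DROPINS = {"/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n"}
# Fix: a drop-in that sorts before the others, so its values are read first.
HARDENED = dict(DROPINS)
HARDENED["/etc/ssh/sshd_config.d/00-hardening.conf"] = """\
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
"""

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_MAIN, DROPINS))
    print("hardened:", audit(WEAK_MAIN, HARDENED))
```

On a live host, compare the result against sshd -T, which prints the configuration sshd actually resolved, and run sshd -t before restarting the service.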
How do I configure fail2ban for SSH?
Install fail2ban, then create or edit /etc/fail2ban/jail.local rather than jail.conf (package upgrades overwrite jail.conf). In the [sshd] section set enabled = true, maxretry = 3, findtime = 600 and bantime = 86400 (24 hours): a source that fails 3 times within 10 minutes is banned for a day. On hosts where sshd logs only to the systemd journal (no /var/log/auth.log), also set backend = systemd in that section or fail2ban will not see the failures. Restart the service with systemctl restart fail2ban and confirm the jail is live with fail2ban-client status sshd.