SSH Protection Techniques

Even with password authentication disabled and SSH keys required, there are additional techniques to protect your SSH service from being a target of attacks, reduce noise in your logs, and detect intrusion attempts early. These techniques are complementary to the basic hardening in sshd_config and address the persistent automated attack traffic that every internet-facing SSH server receives.

What attacks SSH faces

Attack types against SSH:
  Brute force / credential stuffing:
    - Automated bots try thousands of username/password combos
    - Defense: key-only auth, fail2ban, rate limiting

  Vulnerability exploitation:
    - CVEs in OpenSSH itself (rare, patch quickly)
    - Defense: keep openssh-server updated

  Man-in-the-middle:
    - Attacker intercepts the first connection, before the server's host key has been verified and saved to known_hosts
    - Defense: verify host key fingerprints on first connect

  Insider/compromised key:
    - Legitimate key stolen or used by unauthorized person
    - Defense: rotate keys, monitor login times/locations, 2FA

Rate limiting at the firewall

# UFW rate limiting (allow max 6 connections per 30 seconds per IP)
sudo ufw limit ssh

# iptables rate limiting with hashlimit (more control):
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
  -m hashlimit --hashlimit 3/min --hashlimit-burst 5 \
  --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
# Drop only NEW connections that exceeded the limit; packets of sessions that are
# already established must not hit this rule (keep an ESTABLISHED,RELATED accept
# rule earlier in the INPUT chain)
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

# Allow SSH only from specific IP ranges (strongest protection):
# Remove general SSH allow
sudo ufw delete allow ssh

# Allow only from your corporate IP range:
sudo ufw allow from 203.0.113.0/24 to any port 22
sudo ufw allow from 192.168.0.0/16 to any port 22

Port knocking

# Port knocking: SSH port stays closed unless you "knock" specific ports first
# From outside, port 22 appears closed — SSH only opens after the knock sequence

sudo apt install -y knockd

# On Ubuntu/Debian the daemon stays disabled until START_KNOCKD=1 is set in /etc/default/knockd
sudo nano /etc/knockd.conf

/etc/knockd.conf

[options]
    Interface = ens3

[openSSH]
    sequence    = 7000,8000,9000    # Knock ports in this order
    seq_timeout = 5                  # Must complete within 5 seconds
    command     = /usr/sbin/ufw allow from %IP% to any port 22
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /usr/sbin/ufw delete allow from %IP% to any port 22

# Knock from client:
knock -v SERVER_IP 7000 8000 9000    # Opens SSH
ssh irfan@SERVER_IP                  # Connect
knock -v SERVER_IP 9000 8000 7000    # Close SSH again

💡 TIP: Port knocking adds a layer of obscurity that significantly reduces automated attack noise. However, it is not a substitute for key-based authentication — if an attacker captures the knock sequence via packet sniffing, they can replay it. Use port knocking in addition to, not instead of, proper SSH hardening.

Geoblocking SSH access

# If your server only needs to be accessed from specific countries:
# Using xtables-addons with GeoIP database

sudo apt install -y xtables-addons-common
# Download MaxMind or DBip database and configure

# Alternative: Use ipset with country IP ranges
# This is complex to maintain — consider cloud-provider security groups
# which offer geoblocking at the network edge (AWS Security Groups, etc.)

# Simpler approach: whitelist your office/home IPs in UFW
sudo ufw allow from MY_HOME_IP to any port 22
sudo ufw allow from OFFICE_SUBNET to any port 22

Monitoring SSH attacks

# Watch failed authentication attempts in real time
sudo journalctl -u ssh -f | grep "Failed\|Invalid\|Disconnected"

# Summary of attack IPs
# The address is the token after "from"; the last field of these lines is the
# client port or the literal "ssh2", so extract the address explicitly
sudo journalctl -u ssh --since "24 hours ago" | \
  grep "Failed\|Invalid" | \
  grep -oE 'from [0-9a-fA-F.:]+' | awk '{print $2}' | \
  sort | uniq -c | sort -rn | head -20

# Geographic distribution of attacks (requires geoiplookup)
sudo apt install -y geoip-bin
sudo journalctl -u ssh --since "today" | \
  grep "Failed password" | awk '{print $(NF-3)}' | \
  while read ip; do geoiplookup "$ip" 2>/dev/null; done | \
  awk -F': ' '{print $2}' | sort | uniq -c | sort -rn | head -10
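
The one-liners above are quick to type but easy to get wrong, because the address is not always the last field of an sshd log line. The following script is an added example, not code from the original article: it wraps the same counting logic in functions that handle both "Failed password" and "Invalid user" lines, IPv4 and IPv6, and runs offline against a constructed sample of journal lines (the hostnames, PIDs and addresses are made up).

```shell
#!/bin/sh
# Added example (not from the original article): summarise sshd authentication
# failures per source address. Feed it `journalctl -u ssh` output on stdin;
# SAMPLE_LOG below is constructed so the script runs offline.

SAMPLE_LOG='Mar 10 10:00:01 web1 sshd[1234]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar 10 10:00:02 web1 sshd[1235]: Invalid user admin from 198.51.100.7 port 51240
Mar 10 10:00:03 web1 sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar 10 10:00:05 web1 sshd[1237]: Failed password for irfan from 203.0.113.9 port 40000 ssh2
Mar 10 10:00:06 web1 sshd[1238]: Accepted publickey for irfan from 203.0.113.9 port 40001 ssh2: ED25519 SHA256:constructed
Mar 10 10:00:07 web1 sshd[1239]: Invalid user test from 2001:db8::1 port 2222'

# Print the source address of every failed-login or invalid-user line on stdin.
# The address is the token after "from"; the last field is the port or "ssh2",
# so the address is matched explicitly instead of taken from the end of the line.
# Note: an invalid-user attempt logs both an "Invalid user" and a "Failed password"
# line, so such attempts are counted twice by this filter.
ssh_attack_ips() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' \
    | sed -nE 's/.* from ([0-9A-Fa-f.:]+) port [0-9]+.*/\1/p'
}

# One "<count> <address>" line per source, most active address first.
ssh_attack_summary() {
    ssh_attack_ips | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# The single most active address, e.g. as input for a firewall decision.
ssh_top_attacker() {
    ssh_attack_summary | head -n 1 | awk '{print $2}'
}

# Run against the constructed sample; replace with: journalctl -u ssh | ssh_attack_summary
printf '%s\n' "$SAMPLE_LOG" | ssh_attack_summary
```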

Conclusion

The protection hierarchy for SSH: (1) key-only authentication eliminates password brute force, (2) fail2ban reduces automated attack noise, (3) UFW rate limiting or IP whitelisting reduces attack surface, (4) port knocking hides SSH from automated scanners. Monitor attack patterns with journalctl -u ssh — understanding who is attacking and how helps you make informed decisions about which additional layers to implement. The goal is not to make SSH impossible to attack (it is not), but to make your specific server a poor target compared to easier ones.

FAQ

Is SSH Protection Techniques important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.
