Simulate a real-world SSH brute-force threat scenario and implement defensive controls to reduce attack surface and automatically block malicious login attempts.
- Ubuntu Server (VirtualBox VM)
- OpenSSH
- UFW (Uncomplicated Firewall)
- Fail2Ban
- Secondary machine used to simulate attack traffic
Public-facing SSH services are frequently targeted by automated brute-force attacks attempting credential compromise. This lab simulates that scenario and implements defensive controls including:
- SSH hardening
- Firewall configuration
- Log-based intrusion detection and automated IP banning
- Installed Ubuntu Server on a VM for server hardening simulation
- Found SSH not preinstalled on the OS, so I updated package repositories, installed SSH, started SSH, and confirmed that it was running.
Commands used:
sudo systemctl status ssh
sudo apt update && sudo apt install openssh-server -y
sudo systemctl enable ssh
sudo systemctl start ssh
sudo systemctl status ssh
- Disabled root login by uncommenting the line and changing 'PermitRootLogin' to no
- Changed default port from 22 to 2222
Commands used:
sudo nano /etc/ssh/sshd_config
Commands used:
sudo systemctl restart ssh
- Confirmed that ufw is installed on the machine
- Opened port 2222 to TCP connections
Commands used:
sudo apt install ufw -y
sudo ufw allow 2222/tcp
sudo ufw enable
sudo ufw status
- Configured fail2ban for SSH
Commands used:
sudo apt install fail2ban -y
sudo systemctl status fail2ban
sudo nano /etc/fail2ban/jail.local
sudo systemctl restart fail2ban
- Terminal was hanging at login, so I went back to the server VM to ensure that ufw has port 2222 open and that SSH is listening on the correct port (2222)
- Found that SSH was not listening on port 2222 as intended
- Used nano to confirm that the SSH config changes had been committed
- Restarted SSH to apply config changes
- Confirmed SSH is now listening on port 2222
Commands used:
sudo ufw status
sudo ss -tulpn | grep ssh
sudo nano /etc/ssh/sshd_config
sudo systemctl restart ssh
sudo systemctl status ssh
- Attempted to SSH into the server with the wrong credentials multiple times, from an external machine
- IP banned after 3 failed attempts, as configured
Commands used:
ssh noah@192.168.xxx.xxx -p 2222
Commands used:
sudo fail2ban-client status sshd
- Goal is to view my failed login attempts
Commands used:
sudo cat /var/log/auth.log | grep sshd
Commands used:
sudo ufw status
- Hardened SSH by disabling root login and moving off the default port (22)
- Configured firewall to allow our new port
- Implemented intrusion detection with Fail2Ban
- Confirmed automated IP banning is working correctly
- Reviewed logs
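
An added example (not part of the original lab notes) for the log review step: instead of reading raw `grep sshd` output, it counts failed password attempts per source address and lists the addresses at or above the lab's 3-attempt threshold. The host name, addresses and log lines are constructed, and unlike Fail2Ban it counts over the whole input with no time window.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
MAXRETRY=3   # the 3-attempt ban threshold this lab configured

# Constructed sample lines in the classic Ubuntu auth.log layout (not real logs).
sample_log() {
    cat <<'EOF'
Jan 10 14:02:11 labserver sshd[2101]: Failed password for noah from 192.168.56.20 port 51234 ssh2
Jan 10 14:02:15 labserver sshd[2101]: Failed password for invalid user admin from 192.168.56.20 port 51234 ssh2
Jan 10 14:02:19 labserver sshd[2101]: Failed password for invalid user a from 10.9.9.9 from 192.168.56.20 port 51234 ssh2
Jan 10 14:02:20 labserver sshd[2101]: Connection closed by authenticating user noah 192.168.56.20 port 51234 [preauth]
Jan 10 14:05:02 labserver sshd[2140]: Failed password for noah from 192.168.56.31 port 40110 ssh2
Jan 10 14:06:40 labserver sshd[2155]: Accepted password for noah from 192.168.56.1 port 50022 ssh2
EOF
}

# failed_by_ip: read auth.log lines on stdin, print "<count> <ip>" per source.
# The user name is client-supplied text, so the address is taken from the
# fixed trailing fields ("from <ip> port <n> ssh2"), not the first "from".
failed_by_ip() {
    awk '
        /sshd(-session)?\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { hits[$(NF-3)]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# over_threshold: print only the addresses with at least MAXRETRY failures.
over_threshold() {
    failed_by_ip | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

# Demo on the constructed sample. On the lab server, feed the real log instead:
#   sudo cat /var/log/auth.log | over_threshold
sample_log | failed_by_ip
```

Addresses printed by `over_threshold` should match the banned list shown by `sudo fail2ban-client status sshd`, allowing for Fail2Ban's time window.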










