Learn how we harden Ubuntu 24.04 servers against brute force attacks using Fail2Ban, CrowdSec, firewall rate limiting, and production-ready security practices.
Brute force attacks are no longer manual or random. Modern attacks are automated, distributed, persistent, and continuously adaptive. Servers exposed to the internet will be tested within minutes of deployment.
This guide explains how we harden Ubuntu 24.04 LTS against brute force attacks using defense-in-depth, focusing on automated detection, behavioral analysis, and enforced blocking at multiple layers. The steps outlined here are suitable for production systems and long-running infrastructure.
Prerequisites
Before we begin, ensure the following is in place:
- An Ubuntu 24.04 installation on a dedicated server or KVM VPS.
- Basic Linux command line knowledge.
Learn how to harden Ubuntu 24.04 against brute force attacks
Step 1: Keep the System and Security Stack Updated
Security hardening starts with ensuring the operating system and authentication components receive timely patches.
sudo apt update
sudo apt upgrade -y
sudo apt autoremove -y
Enable unattended security updates to close newly discovered vulnerabilities automatically.
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades
This prevents known brute-force-related weaknesses in SSH, PAM, and system libraries from remaining exploitable.
Step 2: Deploy Fail2Ban for Active Brute Force Mitigation
Fail2Ban remains a reliable first-response mechanism for blocking repeated authentication failures. It monitors logs in real time and enforces temporary bans at the firewall level.
Install Fail2Ban:
sudo apt install fail2ban -y
Create a local override file (Fail2Ban reads jail.local after jail.conf, so settings placed here survive package upgrades):
sudo nano /etc/fail2ban/jail.local
Recommended baseline configuration:
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
backend = systemd
[sshd]
enabled = true
Enable and start the service:
sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
Fail2Ban immediately reduces attack pressure by blocking hostile IPs after repeated failures.
Step 3: Enable Fail2Ban Recidive Jail for Persistent Attackers
Advanced attackers rotate IPs or return after temporary bans. The recidive jail escalates penalties for repeat offenders across services.
Add to jail.local:
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
bantime = 7d
findtime = 1d
maxretry = 5
Restart Fail2Ban:
sudo systemctl restart fail2ban
This step is critical for long-lived servers exposed to continuous scanning.
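To make the interaction of findtime, maxretry and bantime in Steps 2 and 3 concrete, here is an added Python model (not part of this guide or of Fail2Ban itself) that replays constructed sshd failure lines through a simplified sshd jail and feeds each resulting ban into a recidive jail using the thresholds above. The timestamped log format, the documentation-range IPs and the ban bookkeeping are simplifications assumed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the jail.local settings in Steps 2 and 3.
SSHD_JAIL = dict(maxretry=3, findtime=timedelta(minutes=10), bantime=timedelta(hours=1))
RECIDIVE_JAIL = dict(maxretry=5, findtime=timedelta(days=1), bantime=timedelta(days=7))
# Simplified form of the sshd failure line that Fail2Ban's sshd filter matches.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

class Jail:  # one Fail2Ban jail: a sliding findtime window per source IP
    def __init__(self, maxretry, findtime, bantime):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.hits = defaultdict(deque)  # ip -> event timestamps inside the window
        self.banned_until = {}          # ip -> expiry of the current ban

    def observe(self, ip, ts):
        """Record one event at time ts; return True if it triggers a new ban."""
        if ts < self.banned_until.get(ip, ts):
            return False  # still banned: the firewall would drop this attempt
        window = self.hits[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # expire events older than findtime
            window.popleft()
        if len(window) < self.maxretry:
            return False
        self.banned_until[ip] = ts + self.bantime
        window.clear()
        return True

def replay(log_lines):
    """Return [(jail, ip, ban_time), ...] in the order the bans would fire."""
    sshd, recidive, bans = Jail(**SSHD_JAIL), Jail(**RECIDIVE_JAIL), []
    for line in log_lines:
        if (m := FAIL_RE.search(line)) is None:
            continue
        ts, ip = datetime.fromisoformat(line.split(" ", 1)[0]), m.group(1)
        if sshd.observe(ip, ts):
            bans.append(("sshd", ip, ts))
            if recidive.observe(ip, ts):  # recidive counts sshd bans, not logins
                bans.append(("recidive", ip, ts))
    return bans

def sample_log():
    # Constructed sample: 203.0.113.5 returns every 2 h; 198.51.100.9 fails only twice.
    t0, bursts = datetime(2025, 1, 10, 8), [("198.51.100.9", 0.5, 2)]
    bursts += [("203.0.113.5", 2 * r, 3) for r in range(5)]
    return sorted(f"{(t0 + timedelta(hours=h, minutes=i)).isoformat()} sshd[4211]: "
                  f"Failed password for root from {ip} port 51234 ssh2"
                  for ip, h, n in bursts for i in range(n))
```

Running replay(sample_log()) yields five one-hour sshd bans for the returning address and, on the fifth, a seven-day recidive ban, while the address with only two failures is never banned.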
Step 4: Deploy CrowdSec for Behavioral Threat Intelligence
Fail2Ban reacts locally. CrowdSec analyzes behavior patterns and benefits from global threat intelligence shared across thousands of servers.
Install CrowdSec:
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec -y
Install the firewall bouncer:
sudo apt install crowdsec-firewall-bouncer-nftables -y
Verify status:
sudo cscli metrics
CrowdSec detects slow brute force attempts, credential stuffing, and distributed attacks that traditional tools often miss.
Step 5: Enforce Rate Limiting at the Firewall Layer
Rate limiting blocks brute force attempts before they reach authentication services.
Using UFW:
sudo ufw limit ssh
If a custom SSH port is in use:
sudo ufw limit 2222/tcp
UFW's limit rule denies a source that attempts six or more new connections to the port within 30 seconds, which throttles repeated login attempts from one address and reduces log flooding.
Step 6: Enable and Tune PAM Faillock for Local Authentication Protection
Ubuntu 24.04 uses pam_faillock, not deprecated tools like pam_tally2.
Open the faillock configuration (these settings only take effect if pam_faillock is referenced in the PAM stack, so confirm that it appears in /etc/pam.d/common-auth):
sudo nano /etc/security/faillock.conf
Recommended settings (unlock_time and fail_interval are in seconds):
deny = 3
unlock_time = 1800
fail_interval = 900
This protects against brute force attempts on:
- Local console logins
- sudo authentication
- Automated privilege escalation attempts
Step 7: Reduce Attack Surface by Auditing Exposed Services
Brute force attacks target any exposed authentication service, not only SSH.
List listening ports:
sudo ss -tuln
Disable unnecessary services, replacing service_name with the unit that owns the listening port:
sudo systemctl disable service_name
sudo systemctl stop service_name
Every closed port removes an entire class of brute force vectors.
Step 8: Enable System Auditing for Authentication Events
Auditing provides visibility into failed logins and suspicious behavior.
Install auditd:
sudo apt install auditd audispd-plugins -y
Ensure it is running:
sudo systemctl enable auditd
sudo systemctl start auditd
Audit logs support forensic analysis and compliance requirements in production environments.
Step 9: Monitor and Review Security Events Regularly
Automated protection still requires oversight.
Check Fail2Ban status:
sudo fail2ban-client status
Check CrowdSec decisions:
sudo cscli decisions list
Review authentication activity:
sudo journalctl -u ssh
Consistent monitoring allows early detection of evolving attack patterns.
Final Notes on Brute Force Defense Strategy
Modern brute force defense is not a single configuration change. It is a layered system combining:
- Real-time blocking
- Behavioral analysis
- Rate limiting
- Authentication lockouts
- Continuous visibility
Ubuntu 24.04 provides a stable and secure foundation. When reinforced with tools like Fail2Ban and CrowdSec, it becomes resilient against both opportunistic attacks and sustained automated campaigns.
This approach reflects current best practices used across production Linux environments and aligns with long-term infrastructure security expectations.
