SSH Brute Force Protection · 15 Detection Patterns

SSH brute force protection for Linux servers

SSH is the #1 attack vector for Linux servers. Defensia monitors auth.log in real time and blocks attackers within seconds — before they find a working password.

auth.log — active SSH attack in progress

Mar 13 03:14:01 srv sshd[4821]: Failed password for root from 185.220.101.7 port 43992 ssh2
Mar 13 03:14:02 srv sshd[4821]: Failed password for root from 185.220.101.7 port 43993 ssh2
Mar 13 03:14:03 srv sshd[4822]: Invalid user admin from 185.220.101.7
Mar 13 03:14:04 srv sshd[4823]: Invalid user ubuntu from 185.220.101.7
Mar 13 03:14:05 srv sshd[4824]: Failed password for postgres from 185.220.101.7

→ Defensia: 185.220.101.7 scored +25 pts → ban triggered (82 pts total)
→ ipset add defensia-bans 185.220.101.7 — blocked in 12ms

15 SSH detection patterns

Each pattern can be enabled/disabled per server from the dashboard — no agent restart required.

Auth Failures (9 patterns)

  • Failed password for existing user
  • Failed password for invalid/non-existent user
  • Invalid user (pre-auth)
  • PAM authentication failure
  • Maximum authentication attempts exceeded
  • Root login refused (PermitRootLogin no)
  • Authentication failures (pam_unix)
  • Repeated login failures from same IP
  • Connection closed by invalid user

Pre-auth Scanning (6 patterns)

  • No identification string received (pre-auth)
  • Bad protocol version identification
  • Unable to negotiate a key exchange method
  • Connection closed before authentication
  • Connection reset by peer (pre-auth)
  • Timeout before authentication for user

Why Defensia blocks SSH attacks faster

Tail + parse, not just count

Defensia understands SSH log semantics. It distinguishes between a real user's failed attempt and a botnet scanning with credential lists.

ipset: 65K+ concurrent bans

fail2ban with iptables caps at ~500 rules. Defensia uses ipset for 65,000+ concurrent bans, then falls back to iptables with FIFO rotation.

Cross-server propagation

When one server bans an IP, all your other servers get the ban instantly via WebSocket. The attacker can't just move to the next target.


Reserved IPs are never banned

Defensia never bans 127.x, 10.x, 192.168.x, your own server's public IP, or the Defensia API endpoint — even if the backend somehow sends a bad rule. Docker bridge IPs (172.x) are also excluded.
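To make the "parse, score, ban" flow and the never-ban rule concrete, here is an added Python example (not Defensia's own code): it applies three of the detection patterns listed above to sshd log lines, keeps a per-IP score, refuses to score loopback, RFC1918 or the server's own addresses, and emits the ipset command shown in the log excerpt. The weights, threshold, regexes, set name and the three extra log lines are assumptions; the page does not publish its real scoring.

```python
import ipaddress
import re
from collections import defaultdict
BAN_THRESHOLD = 60  # assumed; the page only shows "+25 pts" and a ban at 82 pts, not its real scoring
# (name, weight, regex) for three of the page's patterns; regexes approximate real sshd messages
PATTERNS = [
    ("failed_password", 25, re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)")),
    ("invalid_user", 10, re.compile(r"Invalid user \S+ from (?P<ip>\S+)")),
    ("no_ident_string", 5, re.compile(r"Did not receive identification string from (?P<ip>\S+)")),
]
# Ranges the page says are never banned; 172.16/12 is the RFC1918 range holding Docker's default bridge
NEVER_BAN = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

def is_protected(ip_str, own_ips=frozenset()):
    """True for addresses that must never reach the ban set, whatever their score."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # unparseable field: refuse to ban rather than ban garbage
    return ip_str in own_ips or any(ip in net for net in NEVER_BAN)

def score_log(lines, own_ips=frozenset()):
    """Return ({ip: score}, [ips in the order they crossed BAN_THRESHOLD])."""
    scores, banned = defaultdict(int), []
    for line in lines:
        for _name, weight, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            ip = m.group("ip")
            if not is_protected(ip, own_ips):  # protected IPs match but are never scored
                scores[ip] += weight
                if scores[ip] >= BAN_THRESHOLD and ip not in banned:
                    banned.append(ip)
            break  # first matching pattern wins; one hit per line
    return dict(scores), banned

def ban_commands(banned, setname="defensia-bans"):
    return [f"ipset add {setname} {ip}" for ip in banned]  # the command the page shows

# Constructed sample: the page's five lines plus two made-up ones (an internal host and a pre-auth scanner)
SAMPLE_LOG = """\
Mar 13 03:14:01 srv sshd[4821]: Failed password for root from 185.220.101.7 port 43992 ssh2
Mar 13 03:14:02 srv sshd[4821]: Failed password for root from 185.220.101.7 port 43993 ssh2
Mar 13 03:14:03 srv sshd[4822]: Invalid user admin from 185.220.101.7
Mar 13 03:14:04 srv sshd[4823]: Invalid user ubuntu from 185.220.101.7
Mar 13 03:14:05 srv sshd[4824]: Failed password for postgres from 185.220.101.7
Mar 13 03:14:06 srv sshd[4825]: Failed password for alice from 192.168.1.20 port 50000 ssh2
Mar 13 03:14:07 srv sshd[4826]: Did not receive identification string from 203.0.113.9
""".splitlines()
```

Running `score_log(SAMPLE_LOG)` bans 185.220.101.7 on its third line (25+25+10 reaches the threshold) while the 192.168.1.20 failure never enters the score table.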

Stop SSH brute force attacks now

Free plan includes full SSH protection. Install in one command.

$ curl -fsSL https://defensia.cloud/install.sh | sudo bash

Free plan. No credit card required.