How to Secure SSH with CSF and Fail2Ban on Your Linux Server


SSH (Secure Shell) is the backbone of server administration — but it’s also a prime target for brute-force attacks and unauthorized access attempts. To harden your server’s SSH access, you can use CSF (ConfigServer Security & Firewall) along with Fail2Ban.

Together, they create a layered defense system that monitors login attempts, blocks attackers, and secures your server against intrusion.


🛡️ Why You Should Secure SSH

Attackers regularly scan servers for open SSH ports (especially port 22) and attempt thousands of login combinations using bots.

Without protection, even the strongest password becomes vulnerable over time.


✅ What You’ll Need

  • A Linux server (AlmaLinux, CentOS, Ubuntu, etc.)
  • Root access (via SSH or console)
  • CSF installed and working
  • Optional: Fail2Ban installed (we’ll guide you)



🔐 Step 1: Change the Default SSH Port

Attackers love port 22. Changing it reduces automated attacks.

Edit your SSH config:

nano /etc/ssh/sshd_config

Find and change:

Port 2222

(Use any high number between 1025–65535)

Then restart SSH:

systemctl restart sshd

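⚠️ Update your firewall and CSF to allow the new port (Step 2), and keep your current SSH session open until you have confirmed you can log in on the new port.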


🔧 Step 2: Whitelist Your IP in CSF

To avoid locking yourself out, add your IP:

csf -a your.public.ip.address

Then open the new SSH port in CSF:

nano /etc/csf/csf.conf

Update:

TCP_IN = "... ,2222"
TCP_OUT = "... ,2222"

Restart CSF:

csf -r

🔒 Step 3: Install Fail2Ban (If Not Already Installed)

Fail2Ban monitors log files and bans IPs with failed login attempts.

For CentOS/AlmaLinux/Rocky:

yum install epel-release -y
yum install fail2ban -y

For Ubuntu/Debian:

apt update
apt install fail2ban -y

⚙️ Step 4: Configure Fail2Ban for SSH Protection

Create or edit:

nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true
port = 2222
logpath = /var/log/secure
maxretry = 5
bantime = 600
findtime = 600

Adjust port to match your custom SSH port.
Use /var/log/auth.log on Debian/Ubuntu.

Start and enable Fail2Ban:

systemctl enable fail2ban --now

Check status:

fail2ban-client status sshd
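
A consistency check for the port change made in Steps 1, 2 and 4, added here as an example and not part of the original guide: it reads sshd_config, jail.local and csf.conf and reports when they disagree on the SSH port. The function names and sample files are constructed for illustration, and it assumes a single Port directive and one port per jail.

```shell
# Added example: confirm sshd, the Fail2Ban [sshd] jail and CSF agree on the SSH port.

# Port sshd listens on: first uncommented Port keyword, else the default 22.
sshd_port() {
  awk 'tolower($1) == "port" { print $2; found = 1; exit }
       END { if (!found) print 22 }' "$1"
}

# Raw "port" value of the [sshd] section in a Fail2Ban jail file (empty if unset).
jail_port() {
  awk -F'[ \t]*=[ \t]*' '
    /^\[/ { in_sshd = ($0 ~ /^\[sshd\]/) }
    in_sshd && $1 == "port" { print $2; exit }' "$1"
}

# Succeeds if port $2 is listed in TCP_IN of csf.conf $1 (single ports or lo:hi ranges).
csf_allows_in() {
  list=$(sed -n 's/^TCP_IN[[:space:]]*=[[:space:]]*"\(.*\)".*/\1/p' "$1")
  for item in $(printf '%s' "$list" | tr ',' ' '); do
    case $item in
      *:*) [ "$2" -ge "${item%%:*}" ] && [ "$2" -le "${item##*:}" ] && return 0 ;;
      *)   [ "$item" = "$2" ] && return 0 ;;
    esac
  done
  return 1
}

# Args: sshd_config jail.local csf.conf. Prints findings; returns 0 only if all agree.
check_ssh_port() {
  sp=$(sshd_port "$1"); jp=$(jail_port "$2"); rc=0
  case ${jp:-ssh} in ssh) jp=22 ;; esac   # stock jail.conf uses "port = ssh" (22)
  if [ "$jp" != "$sp" ]; then
    echo "MISMATCH: sshd listens on $sp, but the [sshd] jail bans port $jp"; rc=1
  fi
  if ! csf_allows_in "$3" "$sp"; then
    echo "BLOCKED: port $sp is not in TCP_IN, new SSH connections will be dropped"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: port $sp matches in all three files"
  return "$rc"
}

# Constructed sample files (not from a real server): sshd moved to 2222 and CSF
# updated, but the jail still names the default port, so its bans would not cover 2222.
d=$(mktemp -d)
printf '#Port 22\nPort 2222\n' > "$d/sshd_config"
printf '[sshd]\nenabled = true\nport = ssh\n' > "$d/jail.local"
printf 'TCP_IN = "20,21,80,443,2222,30000:35000"\n' > "$d/csf.conf"
check_ssh_port "$d/sshd_config" "$d/jail.local" "$d/csf.conf" || true
rm -rf "$d"
```

On a server set up as in this guide, the same function can be pointed at /etc/ssh/sshd_config, /etc/fail2ban/jail.local and /etc/csf/csf.conf.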

🧠 Bonus: Enable CSF’s LFD Brute-Force Protection

CSF already includes LFD (Login Failure Daemon) — enable SSH brute-force blocks in:

nano /etc/csf/csf.conf

Set:

LF_SSHD = "5"      # Number of SSH failures before blocking
LF_SSHD_PERM = "1" # Permanently block brute-force IPs

Restart CSF:

csf -r

🚨 Monitor & Maintain

  • View Fail2Ban bans: fail2ban-client status sshd
  • Unban IP: fail2ban-client set sshd unbanip 1.2.3.4
  • Monitor CSF logs: tail -f /var/log/lfd.log

✅ Summary: Best Practices for SSH Security

  • ✅ Use a non-standard SSH port
  • ✅ Whitelist trusted IPs
  • ✅ Use Fail2Ban + CSF together
  • ✅ Disable root login if possible
  • ✅ Always use strong passwords or SSH keys
