How to Stop Brute‑Force SSH Attacks on Your Raspberry Pi

The author set up external access to a home Raspberry Pi for personal use and suddenly could not SSH in, suspecting the external IP was blocked. Checking /var/log/auth.log revealed numerous failed login attempts from various usernames and IPs, confirming a brute‑force attack that also caused a denial‑of‑service.

Log excerpts (images) show attempts with usernames such as chief , cxc , and repeated root logins, as well as attacks from multiple IP addresses, suggesting a distributed brute‑force effort.

Solution

Since the Pi does not need to provide services to the public, the author restricts SSH access to trusted IPs.

1. Configure /etc/hosts.allow and /etc/hosts.deny

Add a deny rule to block all SSH connections: sshd:ALL Then add an allow rule for the trusted IP: sshd:111.222.333.444 This instantly limits SSH access to the specified address, though the log will still record rejected attempts.

2. Use ufw to set black‑ and white‑lists

Enable the firewall: ufw enable Set default policies to allow outgoing traffic and deny incoming traffic (the current SSH session remains active):

ufw default allow outgoing
ufw default deny incoming

Allow the trusted IP to connect to port 22: ufw allow from 111.222.333.444 to any port 22 This approach blocks malicious traffic at the network layer, providing stronger protection than the hosts file method.

Additional note: the author’s external server also faced a SYN‑RECV flood on port 80, indicating a possible denial‑of‑service attack, and seeks further advice.