Over 90% of VPS attacks are due to SSH weak-password brute-force attacks. If you're still logging into the server with a password, it's as dangerous as leaving your house key hanging on the door.
In this article, I will guide you step by step to completely escape the nightmare of brute-force password attacks. We will combine a VPS with the PuTTY software. This tutorial uses the most practical command-line tools to help you elevate your SSH security to the highest level.
Why use a key instead of a password?
No matter how complex a password is, it can still be cracked by brute force. Hackers can use tools to try tens of thousands of password combinations per second.
A 4096-bit RSA key, in theory, would take billions of years to crack. In comparison, a password is like a paper door, while a key is a steel gate.

Step 1: Generate SSH key
On Linux or macOS, you can directly generate a 4096-bit RSA key pair:
ssh-keygen -t rsa -b 4096
Press Enter to save to the default path, /root/.ssh/id_rsa.
Enter a passphrase for the key (optional), or simply press Enter to leave it blank.
The system will generate two files:
- Private key: id_rsa
- Public key: id_rsa.pub
This is your "lock" and "key".
Step 2: Configure the public key to the server
Place the public key in the VPS's authorized keys file:
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Ensure the directory /root/.ssh/ exists.
In this way, the server will only recognize your public key and will no longer rely on the password.
Step 3: Modify the SSH configuration file
Edit the configuration file:
nano /etc/ssh/sshd_config
Modify the following parameters:
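# RSA authentication (an SSH protocol 1 option; deprecated in current OpenSSH)
RSAAuthentication yes
# Enable public key authentication
PubkeyAuthentication yes
# Path to the authorized keys file
AuthorizedKeysFile .ssh/authorized_keys
# Disable password authentication
PasswordAuthentication no
# Disallow empty passwords
PermitEmptyPasswords no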
This step is crucial: completely disable password login.
Step 4: Restart the SSH service
Make the configuration take effect immediately:
- CentOS 7:
systemctl restart sshd
- Ubuntu / Debian:
systemctl restart ssh
Confirm that the service is running:
systemctl status sshd
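One way to check that the Step 3 values are the ones sshd actually uses after the restart, as an added example that is not part of the original article: `sshd -T` prints the effective configuration, including any files pulled in by Include directives, and the function below audits that output. The function name `audit_sshd_effective` and the two sample texts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the *effective* sshd settings from Step 3.
# Input on stdin: output of `sshd -T` (lowercase "keyword value" lines).
# Prints one line per problem and returns non-zero if any setting differs.
audit_sshd_effective() {
    awk '
        BEGIN {
            # Expected values, taken from Step 3 of the article.
            want["pubkeyauthentication"]   = "yes"
            want["passwordauthentication"] = "no"
            want["permitemptypasswords"]   = "no"
        }
        {
            key = tolower($1)
            # Keep the first value seen for each keyword of interest.
            if ((key in want) && !(key in got)) got[key] = tolower($2)
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in got)) {
                    printf "MISSING %s (expected %s)\n", k, want[k]; bad = 1
                } else if (got[k] != want[k]) {
                    printf "MISMATCH %s is %s (expected %s)\n", k, got[k], want[k]; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample: effective config where password login is still enabled.
SAMPLE_WEAK='port 22
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no'

# Constructed sample: effective config matching Step 3.
SAMPLE_HARDENED='port 22
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no'

# On the server (as root) the real check is: sshd -T | audit_sshd_effective
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_effective || echo "password login still enabled"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd_effective && echo "effective config matches Step 3"
```

Run the real check from a second terminal while the current SSH session is still open, so a mistake in the configuration does not lock you out.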
Step 5: Windows users convert the key using PuTTYGen.
If you are using Windows, you need to convert the private key to PuTTY format:
- Open PuTTYGen
- Click Load and load id_rsa
- Click Save private key and save it as a .ppk file
- In PuTTY → Connection → SSH → Auth, select this .ppk file
This way, you can securely log in to your VPS using PuTTY.
Step 6: Verify and defend against brute-force attacks
Confirm configuration is in effect:
grep "Failed password" /var/log/auth.log
The logs will only show the attacker's failed attempts, not successful logins.
Further defense:
- Use Fail2Ban to automatically block attacking IPs
- Change the default port (e.g., change it to 2222).
- Configure the firewall to allow only trusted IPs
These three techniques can completely thwart a hacker's efforts.
Final Thoughts
By following these steps (generate key → configure public key → modify sshd_config → restart service → convert the key for PuTTY), your HestiaCP VPS can completely eliminate the risk of password brute-force attacks.
The "Failed password" entries in those logs are merely futile attempts by attackers and do not indicate that password authentication is still enabled.
Conclusion: Security is the lifeline of a server.
In the world of information security, passwords are the most vulnerable link. Replacing passwords with keys is not just a technological choice, but also a reflection of responsibility and wisdom.
As stated in the "Information Security White Paper": "Security is not a cost, but a value."
So take action. Free your VPS from the shackles of passwords, and let hackers' brute-force attacks remain forever in the failed logs.
We hope the article "How to Solve SSH Brute-Force Attacks? A Practical Tutorial on Configuring VPS Key Authentication with HestiaCP," shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), is helpful to you.
You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-34161.html
