Linux Security Incident Response Playbook (2026)

This playbook is for responding to security incidents on Linux systems, covering common attack vectors and remediation steps.

Incident: SSH Brute-Force Attack Detected

What Broke: An unauthenticated user repeatedly failed to log in via SSH, overwhelming the sshd daemon and potentially consuming system resources or masking other malicious activity.

Common Causes and Fixes:

1. Excessive Failed Logins: The most common cause is automated brute-force tools like Hydra or John the Ripper attempting to guess passwords.

   • Diagnosis: Check auth.log (or secure on RHEL/CentOS) for a high volume of "Failed password" or "Invalid user" messages from a single IP address or a range of IPs.

     sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head
     

   • Fix: Block the offending IP addresses at the firewall.

     sudo ufw deny from <offending_ip_address> to any
     # Or for iptables:
     sudo iptables -A INPUT -s <offending_ip_address> -j DROP
     

     This prevents further connection attempts from the attacker’s source IP, immediately stopping the brute-force.

2. Weak SSH Configuration: Default SSH configurations can be too permissive, allowing password authentication for many users.

   • Diagnosis: Review /etc/ssh/sshd_config. Look for PasswordAuthentication yes and PermitRootLogin yes.
   • Fix: Disable password authentication and disallow root login.

     sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
     sudo sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
     sudo systemctl restart sshd
     

     This forces the use of SSH keys (more secure) and prevents direct root access, significantly hardening the system against brute-force attacks.

3. Unnecessary User Accounts: A large number of user accounts, especially those with weak passwords, increase the attack surface.

   • Diagnosis: List all user accounts.

     cut -d: -f1 /etc/passwd
     

     Identify accounts that are no longer needed or are default system accounts that might have been compromised.
   • Fix: Remove or disable unused user accounts.

     sudo userdel <username>
     # Or to disable temporarily:
     sudo usermod -L <username>
     

     Reducing the number of valid targets makes brute-force attempts less likely to succeed.

4. Compromised Credentials: An attacker may have obtained valid credentials through phishing or other means.

   • Diagnosis: If a legitimate user’s account shows brute-force activity, their credentials may be compromised. Check for successful logins from unusual IPs before the brute-force started.
   • Fix: Force a password reset for the affected user(s) and investigate how their credentials were leaked.

     sudo passwd <username>
     

     This immediately invalidates the compromised credential, stopping unauthorized access.

5. SSH Port Obfuscation (Security by Obscurity, but helps): Running SSH on a non-standard port can reduce the noise from automated scanners.

   • Diagnosis: Check the Port directive in /etc/ssh/sshd_config. It’s likely set to 22.
   • Fix: Change the SSH port to a high, unused port (e.g., 2222) and update firewall rules accordingly.

     sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
     sudo systemctl restart sshd
     # If using ufw:
     sudo ufw allow 2222/tcp
     sudo ufw delete allow 22/tcp
     

     This hides the SSH service from basic port scanners, reducing the volume of automated attacks.

6. Intrusion Detection/Prevention System (IDS/IPS) Misconfiguration: If you have an IDS/IPS, it might not be configured to detect or block SSH brute-force attempts effectively.

   • Diagnosis: Review the IDS/IPS logs and configuration for SSH-specific rules. Ensure it’s monitoring auth.log or similar and has rules for excessive failed logins.
   • Fix: Enable or tune SSH brute-force detection rules in your IDS/IPS. For example, in Fail2ban:

     sudo apt install fail2ban # or yum install fail2ban
     # Configure jail.local
     # [sshd]
     # enabled = true
     # port = ssh
     # filter = sshd
     # logpath = /var/log/auth.log
     # maxretry = 3
     # bantime = 3600
     sudo systemctl restart fail2ban
     

     Fail2ban monitors log files for specific patterns (like repeated failed logins) and automatically updates firewall rules to block offending IPs for a set duration.

The next error you’ll likely encounter after fixing SSH brute-force is a "Permission denied (publickey,password)." error if you haven’t configured SSH key authentication correctly for yourself.