The most common attacks against an SSH server are dictionary attacks. The attacker relies on the fact that SSH servers usually listen on port 22 and that every Linux server has a root account. This can easily be mitigated with a few simple steps.

  • Disable root login
  • Configure non-default port for SSH to listen on
  • Allow specific users only to log in on SSH

    Disable root login

    vi /etc/ssh/sshd_config
    Change 
    #PermitRootLogin yes
    to 
    PermitRootLogin no
    systemctl restart sshd
    

    Configure non-default port for SSH to listen on

    vi /etc/ssh/sshd_config
    #Port 22
    Port 222
    systemctl restart sshd
    

    Note: if SELinux is running, you may need to allow sshd to use the new port

    semanage port -a -t ssh_port_t -p tcp 222
    

    Note: the new port must also be open in the firewall

    firewall-cmd --add-port=222/tcp --permanent
    firewall-cmd --reload
    

    Allow specific users only to log in on SSH

    vi /etc/ssh/sshd_config
    AllowUsers user1 user2 user3
    systemctl restart sshd
    

    Note: this is a good way to restrict SSH logins to specific users only. It overrides the PermitRootLogin option (root cannot log in unless it is listed), and the listed users can still su to root.
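
The three changes above can be checked in the file before sshd is restarted. The script below is an added example, not part of the original page; the function names `sshd_opt` and `audit_sshd_config` are made up for it, and it assumes whitespace-separated `Keyword value` lines in a single file with no Include directives.

```shell
# Added example, not from the original page. Assumes whitespace-separated
# "Keyword value" lines and no Include files.

# Print every value of keyword $2 in the global section of config file $1.
sshd_opt() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }  # comments and blank lines
        tolower($1) == "match"      { exit }  # global section ends here
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Check the three settings; returns 0 only when all of them pass.
audit_sshd_config() {
    cfg=$1
    fails=0
    root=$(sshd_opt "$cfg" PermitRootLogin | head -n 1)  # first value wins
    ports=$(sshd_opt "$cfg" Port)                        # may repeat
    users=$(sshd_opt "$cfg" AllowUsers)

    case $root in
        no) echo "OK   PermitRootLogin no" ;;
        "") echo "FAIL PermitRootLogin not set (line still commented out?)"
            fails=$((fails + 1)) ;;
        *)  echo "FAIL PermitRootLogin $root"
            fails=$((fails + 1)) ;;
    esac

    # With no Port line sshd uses 22; with several it listens on all of them.
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL sshd listens on port 22"
        fails=$((fails + 1))
    else
        echo "OK   Port" $ports
    fi

    if [ -n "$users" ]; then
        echo "OK   AllowUsers" $users
    else
        echo "FAIL AllowUsers not set, logins are not limited to named users"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample: a config where the edits have not been applied yet.
sample=$(mktemp)
printf '%s\n' '#Port 22' '#PermitRootLogin yes' > "$sample"
audit_sshd_config "$sample" || echo "=> not hardened"
rm -f "$sample"
```

Run `audit_sshd_config /etc/ssh/sshd_config` after editing; a line that still carries its leading `#` shows up as not set.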