How To Secure Virtual Private Server Deployments Against AI Brute Force Attacks?

Your VPS is under attack right now. That is not an exaggeration. Brute force attacks account for 60% of web application breaches in 2025, according to the Verizon Data Breach Investigations Report.

A campaign tracked by the Shadowserver Foundation used 2.8 million IP addresses daily to target VPN and server login portals. The GoBruteforcer botnet, whose latest variant was discovered in 2025, now uses AI generated credential lists to target over 50,000 Linux servers worldwide.

A modern GPU cluster can test hundreds of billions of MD5 hash combinations per second. AI tools trained on leaked password databases can predict human password patterns and match 47% of real world passwords without brute forcing every combination.

The good news? You can stop these attacks with the right defenses. This guide walks you through practical, actionable steps to lock down your VPS against AI powered brute force attempts. Every section gives you specific commands, configurations, and strategies you can apply today.

In A Nutshell

  • AI brute force attacks use machine learning and GPU acceleration to guess passwords far faster than traditional methods. PassGAN and similar tools learn real world password patterns from leaked databases, cutting the time needed to crack credentials from days to minutes.
  • SSH key authentication is your strongest single defense. Disabling password based SSH login eliminates the primary attack surface that brute force tools target. A 4096 bit RSA key cannot be guessed by any current brute force method.
  • Layered security is essential because no single tool stops every attack. Combine firewalls, intrusion detection, rate limiting, two factor authentication, and log monitoring to create overlapping defenses. Each layer covers gaps in the others.
  • CrowdSec and Fail2Ban provide automated IP blocking, but CrowdSec adds a community intelligence layer that shares threat data across thousands of servers. In real world tests, CrowdSec blocked over 1,800 unique IPs compared to Fail2Ban’s 342 on similar setups.
  • Regular updates and kernel hardening reduce the attack surface that AI tools can exploit. Unpatched software and default configurations are the primary entry points for botnets like GoBruteforcer.
  • Monitoring and alerting give you early warning of attack attempts. Failed login spikes, impossible travel events, and unusual user agent strings are clear indicators of automated brute force activity.

Understanding How AI Brute Force Attacks Target VPS Servers

AI brute force attacks differ from traditional brute force in a critical way. Traditional attacks try every possible password combination in sequence. AI powered attacks learn from leaked password databases and predict the most likely passwords first.

Tools like PassGAN use generative adversarial networks trained on millions of real passwords from data breaches. They generate password guesses that match human behavior patterns. Instead of trying “aaa, aab, aac” in order, an AI tool might try “Summer2026!, Admin@123, Company2025” because it learned these patterns from real user data.

The GoBruteforcer botnet, analyzed by Check Point Research in early 2026, demonstrates this shift clearly. It uses credential lists that include AI generated default usernames like “appuser” and “myuser” that large language models commonly suggest in server setup tutorials. The botnet targets FTP, MySQL, PostgreSQL, and phpMyAdmin services across the internet.

According to IBM and Ponemon breach research, 16% of all breaches now involve attackers using AI. The combination of AI prediction, GPU acceleration, and distributed botnets makes every internet facing VPS a potential target. Understanding this threat model is the first step in building effective defenses.

Disabling Password Based SSH Authentication

Password based SSH login is the number one attack vector for brute force tools targeting VPS servers. Every password based login attempt gives attackers a chance to succeed. Removing this option entirely eliminates the risk.

Start by generating an SSH key pair on your local machine. Run ssh-keygen -t ed25519 -C "your_email@example.com" to create a strong key pair. The Ed25519 algorithm provides excellent security with faster performance than RSA. Copy your public key to the server using ssh-copy-id user@your_server_ip.

Once your key is on the server, edit the SSH configuration file at /etc/ssh/sshd_config. Set these values: PasswordAuthentication no, PubkeyAuthentication yes, and ChallengeResponseAuthentication no. Restart the SSH service with sudo systemctl restart sshd.

Test your key based login in a separate terminal before closing your current session. This prevents accidental lockout. With password authentication disabled, brute force tools will receive a “permission denied” response for every attempt, regardless of the password they try.

This single change makes your server virtually immune to traditional brute force attacks on the SSH service. No password means no password to guess. AI prediction tools become useless against cryptographic key pairs.

Hardening SSH Configuration For Maximum Security

Beyond disabling passwords, several SSH settings significantly reduce your attack surface. Open /etc/ssh/sshd_config and apply these changes for a hardened configuration.

Set PermitRootLogin no to prevent direct root login. Attackers always try root first because it gives complete server control. Force all users to log in with regular accounts and use sudo for administrative tasks. This adds an extra barrier even if someone compromises a user account.

Change the default SSH port from 22 to a high numbered port like 48221. While this is not a security measure on its own, it eliminates the vast majority of automated scans. The GoBruteforcer botnet and similar tools target default ports exclusively in their spray campaigns. A non standard port removes your server from those automated sweeps.

Set MaxAuthTries 3 to limit authentication attempts per connection. Set LoginGraceTime 30 to drop connections that have not finished authenticating within 30 seconds. Add AllowUsers your_username to restrict SSH access to specific accounts only.

Enable only strong ciphers and key exchange algorithms. Add these lines to your config: KexAlgorithms curve25519-sha256 and Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com. These settings reject weak encryption that could be downgraded by sophisticated attackers.
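An added checker (not from the article) for the settings listed in this section and the previous one: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, directives after a Match block are conditional) and reports every deviation, and it works just as well on the effective configuration dumped by `sudo sshd -T`. The sample file and the DEFAULTS table are assumptions about a stock OpenSSH 9.x install.

```python
"""Audit an sshd_config against the hardening values from this guide."""
import re

# Values the guide asks for (keyword -> expected value); keywords are
# compared case-insensitively, which matches sshd's own behaviour.
HARDENED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "maxauthtries": "3",
    "logingracetime": "30",
    "kexalgorithms": "curve25519-sha256",
    "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
}

# Assumed sshd defaults that apply when a keyword is absent (OpenSSH 9.x).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "logingracetime": "120",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Only the first occurrence of each keyword counts (that is how sshd
    resolves duplicates) and parsing stops at the first Match block.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        seen.setdefault(key, value)
    return seen


def audit(text, expected=HARDENED):
    """Return a list of (keyword, expected, actual) for every deviation."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        actual = cfg.get(key, DEFAULTS.get(key, "<unset>"))
        if actual.lower() != want.lower():
            findings.append((key, want, actual))
    return findings


# Constructed sample: a mostly hardened file with two weak leftovers.
SAMPLE = """
Port 48221
#PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 30
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, want, actual in audit(SAMPLE):
        print(f"{key}: expected {want!r}, found {actual!r}")
```

In current OpenSSH, ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication, so the `KbdInteractiveAuthentication yes` that the two factor section adds later overrides the `no` set here; pass a different expected dict when auditing that setup.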

Configuring Firewalls With Rate Limiting Rules

A properly configured firewall is your server’s first line of defense against brute force attacks. UFW (Uncomplicated Firewall) provides a simple interface for setting up rate limiting on Ubuntu and Debian systems.

Install UFW with sudo apt install ufw. Set default policies with sudo ufw default deny incoming and sudo ufw default allow outgoing. This blocks all incoming traffic except what you explicitly allow.

Enable rate limiting on your SSH port with sudo ufw limit 48221/tcp (replace 48221 with your actual SSH port). UFW will deny connections if an IP address attempts 6 or more connections in 30 seconds. This stops rapid automated login attempts while allowing normal human access.

For more granular control, use iptables directly. Create a rule that limits new SSH connections to 3 per minute per IP address:

sudo iptables -A INPUT -p tcp --dport 48221 -m conntrack --ctstate NEW -m recent --set

sudo iptables -A INPUT -p tcp --dport 48221 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Open only the ports your applications actually need. A web server typically needs ports 80 and 443. A database should never be exposed to the public internet. The fewer open ports you have, the smaller your attack surface becomes. The GoBruteforcer botnet specifically scans for exposed MySQL (port 3306), PostgreSQL (port 5432), and FTP (port 21) services.

Installing And Configuring Fail2Ban For Automated Protection

Fail2Ban monitors your server’s log files and automatically bans IP addresses that show signs of brute force activity. It is one of the most effective tools for stopping repeated login attempts.

Install Fail2Ban with sudo apt install fail2ban. Create a local configuration file at /etc/fail2ban/jail.local to override the defaults. This file survives updates while the main configuration file gets overwritten.

Configure the SSH jail with these settings: bantime = 3600 (ban for one hour), findtime = 600 (look at the last 10 minutes), maxretry = 3 (ban after 3 failed attempts). For repeat offenders, increase the ban time progressively. Set bantime.increment = true and bantime.factor = 2 to double the ban duration each time an IP gets banned again.

Add jails for other services you run. If you host a web application, create jails for Apache or Nginx authentication failures. If you run a mail server, add jails for SMTP and IMAP brute force attempts. Each jail monitors specific log files and applies bans based on your defined thresholds.

Whitelist your own IP addresses to prevent accidental lockout. Add your IPs to the ignoreip line in your jail configuration. Start and enable Fail2Ban with sudo systemctl enable fail2ban and sudo systemctl start fail2ban. Check banned IPs anytime with sudo fail2ban-client status sshd.
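A /etc/fail2ban/jail.local that puts this section's values together, added here as an example rather than the article's own file; the address on the ignoreip line is a constructed placeholder. The port line matters: the jail's port must be the SSH port you actually use (48221 from the earlier section), because the ban action blocks only the listed ports, so leaving the default would block port 22 while attempts on 48221 continue.

```ini
[DEFAULT]
# Addresses that are never banned (127.0.0.1/8, ::1 and a constructed admin IP)
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
bantime  = 3600
findtime = 600
maxretry = 3
# Progressive bans for repeat offenders: 1h, 2h, 4h, ... capped at one week
bantime.increment = true
bantime.factor    = 2
bantime.maxtime   = 1w

[sshd]
enabled = true
# Must match the Port directive in sshd_config, not the default "ssh"
port    = 48221
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```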

Deploying CrowdSec For Community Powered Threat Intelligence

CrowdSec takes automated protection a step further by adding collective intelligence. While Fail2Ban protects your server based on local activity alone, CrowdSec shares threat data across its entire user network.

In a real world comparison shared on community forums, a Fail2Ban protected server blocked 342 unique IPs while a CrowdSec protected server blocked 1,847 unique IPs during the same period. The difference comes from CrowdSec’s community blocklist, which contains 15,000 active malicious IP addresses identified across the network.

Install CrowdSec from its official repository. The security engine analyzes your logs and detects attack patterns using “scenarios” that define suspicious behavior. The “bouncer” component then enforces decisions by blocking malicious IPs at the firewall level.

CrowdSec excels against distributed AI brute force attacks where attackers use thousands of different IP addresses. A botnet using 2.8 million IPs would slip past Fail2Ban because each IP might only attempt one or two logins. CrowdSec recognizes these IPs from attacks on other servers and blocks them before they even reach your login prompt.

Configure CrowdSec to work alongside your existing firewall. The iptables bouncer or nftables bouncer integrates directly with your firewall rules. Enable the community blocklist to receive automatic protection from threats detected across the global network. This proactive defense model is especially valuable against AI coordinated attacks.

Setting Up Two Factor Authentication For SSH Access

Two factor authentication adds a second verification step that brute force tools cannot bypass. Even if an attacker somehow obtains your SSH key, they still need a time based code from your authenticator app.

Install the Google Authenticator PAM module with sudo apt install libpam-google-authenticator. Run google-authenticator as the user who needs 2FA enabled. Answer “yes” to time based tokens and scan the QR code with your authenticator app (Google Authenticator, Authy, or any TOTP app).

Edit /etc/pam.d/sshd and add the line auth required pam_google_authenticator.so at the top. Then edit /etc/ssh/sshd_config and set AuthenticationMethods publickey,keyboard-interactive. Also set KbdInteractiveAuthentication yes. Restart SSH with sudo systemctl restart sshd.

This configuration requires both a valid SSH key and a TOTP code for every login. The TOTP code changes every 30 seconds, making it impossible for automated tools to predict or replay.

Save your emergency scratch codes in a secure location. These one time codes let you regain access if you lose your authenticator device. With 2FA enabled, your VPS requires something you have (the SSH key), something you know (the key passphrase), and something that changes (the TOTP code). This triple layer of authentication defeats every known brute force method.

Implementing Port Knocking To Hide Services

Port knocking is a stealth technique that keeps your SSH port completely invisible until you send a specific sequence of connection attempts to other ports. Think of it as a secret handshake your server must receive before it opens the door.

Install knockd with sudo apt install knockd. Edit the configuration file at /etc/knockd.conf. Define a sequence of ports that must be “knocked” in order. For example, configure a sequence of ports 7000, 8000, 9000 that must be hit within 15 seconds.

When the correct sequence is received, knockd runs an iptables command that opens the SSH port for the requesting IP address only. After a timeout period, the port closes again automatically. An attacker scanning your server sees no SSH port at all.

Configure the open and close sequences differently. Your open sequence might be ports 7000, 8000, 9000, while the close sequence is 9000, 8000, 7000. Set a reasonable timeout so the port closes after 30 seconds of inactivity.

Port knocking is especially effective against AI brute force tools because they cannot attack a port they cannot find. The GoBruteforcer botnet scans for open services on default ports. A server using port knocking shows no open SSH port during these scans, making it completely invisible to automated attacks.

Use a port knocking client on your local machine or a simple script with knock commands to automate the sequence before connecting.

Deploying Intrusion Detection With Wazuh Or OSSEC

An intrusion detection system (IDS) gives you deep visibility into everything happening on your server. While Fail2Ban and CrowdSec handle automated blocking, an IDS provides comprehensive monitoring, alerting, and forensic analysis.

Wazuh is an open source security platform that combines SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) capabilities. Install the Wazuh agent on your VPS and connect it to a Wazuh server (which can run on a separate VPS or on premises).

Wazuh monitors file integrity, detects rootkits, analyzes logs in real time, and alerts you to suspicious patterns that simpler tools miss. It can identify low and slow brute force attacks where an attacker sends only one or two attempts per hour from each IP address, staying below Fail2Ban’s detection threshold.

Configure Wazuh to monitor your SSH logs, web server logs, and system authentication logs. Set up active response rules that automatically block IPs exhibiting brute force behavior. Create custom rules for your specific applications.

Enable file integrity monitoring to detect unauthorized changes to critical files like /etc/passwd, /etc/shadow, and SSH configuration files. If an attacker somehow gains access, any modification to these files triggers an immediate alert. Wazuh’s built in compliance checking also verifies your server meets security benchmarks like CIS (Center for Internet Security) standards.

Hardening The Linux Kernel With Sysctl Parameters

Kernel level hardening adds protection at the operating system’s core that application level tools cannot provide. Sysctl parameters control how the Linux kernel handles network traffic, memory, and system calls.

Edit /etc/sysctl.conf or create a new file in /etc/sysctl.d/ to add hardening parameters. Start with network protections: set net.ipv4.tcp_syncookies = 1 to protect against SYN flood attacks. Set net.ipv4.conf.all.rp_filter = 1 to enable reverse path filtering, which drops packets with spoofed source addresses.

Disable ICMP redirects with net.ipv4.conf.all.accept_redirects = 0 and net.ipv4.conf.all.send_redirects = 0. These settings prevent attackers from redirecting your server’s traffic through malicious routes.

Enable net.ipv4.conf.all.log_martians = 1 to log packets with impossible source addresses. Set net.ipv4.tcp_max_syn_backlog = 2048 to handle SYN flood attempts more gracefully. Disable IP source routing with net.ipv4.conf.all.accept_source_route = 0.

Apply the changes immediately with sudo sysctl -p (or sudo sysctl --system if you put the parameters in a file under /etc/sysctl.d/, since -p alone reads only /etc/sysctl.conf). Enable mandatory access control with SELinux or AppArmor depending on your distribution. These frameworks restrict what each process can do, limiting the damage even if an attacker gains access through a compromised service.

Install and enable automatic security updates with unattended-upgrades on Debian/Ubuntu or dnf-automatic on Fedora/RHEL. The GoBruteforcer botnet specifically targets servers running outdated software with known vulnerabilities.

Monitoring Logs And Setting Up Real Time Alerts

Effective monitoring turns your server’s log files into an early warning system that catches attacks before they succeed. Every brute force attempt leaves traces in your logs, and automated monitoring ensures you never miss them.

Configure centralized log management. Your primary files are /var/log/auth.log (or /var/log/secure on RHEL based systems) for authentication events, /var/log/syslog for system events, and your web server’s access and error logs. Use logrotate to manage file sizes and retain logs for at least 90 days.

Set up real time alerting for specific events. A spike in failed SSH login attempts is the most obvious indicator of a brute force attack. Watch for patterns like 50 or more failed attempts within 5 minutes from a single IP or subnet. Monitor for “impossible travel” events where the same account attempts login from two distant geographic locations within minutes.

Use tools like logwatch or GoAccess to generate daily summary reports of authentication activity. Configure email or webhook alerts for critical events. If you use Wazuh, its built in alerting sends notifications through email, Slack, or custom integrations.

Pay special attention to unusual user agent strings and missing HTTP headers in web server logs. AI brute force tools often send requests with generic or empty user agent fields. Monitoring for these patterns helps you identify automated attacks targeting web based login pages.

Create a baseline of normal activity for your server. Once you know what normal looks like, anomalies become immediately visible.
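The failed login spike rule from this section, as an added example that is not part of the article: it parses sshd lines from auth.log and raises one alert per source IP that crosses 50 failures inside a sliding 5 minute window, recording which usernames were tried. The log lines are constructed for the demonstration, and the year is assumed because classic syslog timestamps omit it.

```python
"""Flag brute force bursts in auth.log: 50+ failures per IP within 5 minutes."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog-style sshd failure line from /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+|[0-9a-f:]+) port \d+"
)
YEAR = 2025  # assumed: syslog timestamps carry no year


def parse_failed(line):
    """Return (timestamp, ip, user) for a failed login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect_bursts(lines, threshold=50, window_s=300):
    """Return {ip: (time_of_alert, users_tried)} for each source IP whose
    failure count reaches `threshold` inside a sliding window of `window_s`.
    Lines must be in chronological order, as they are in auth.log."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    users = defaultdict(set)
    alerts = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue  # accepted logins and unrelated lines are ignored
        ts, ip, user = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures older than the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, sorted(users[ip]))
    return alerts


def make_sample():
    """Constructed auth.log: one spraying IP plus an admin with two typos."""
    lines = []
    for i in range(60):  # 60 failures in 3 minutes from 198.51.100.7
        user = "admin" if i % 2 else "appuser"
        lines.append(
            f"Mar  3 02:1{i // 20}:{i % 20 * 3:02d} vps sshd[4{i:03d}]: "
            f"Failed password for invalid user {user} "
            f"from 198.51.100.7 port {40000 + i} ssh2"
        )
    lines.append("Mar  3 02:20:11 vps sshd[5001]: Failed password for deploy "
                 "from 203.0.113.10 port 51000 ssh2")
    lines.append("Mar  3 02:20:19 vps sshd[5001]: Failed password for deploy "
                 "from 203.0.113.10 port 51000 ssh2")
    lines.append("Mar  3 02:20:25 vps sshd[5001]: Accepted publickey for deploy "
                 "from 203.0.113.10 port 51000 ssh2")
    return lines


if __name__ == "__main__":
    for ip, (when, tried) in detect_bursts(make_sample()).items():
        print(f"ALERT {when:%H:%M:%S} {ip} crossed threshold, users tried: {tried}")
```

For a live server, feed it `tail -F /var/log/auth.log` (or journalctl output on journald systems) and route each alert to your email or webhook channel.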

Keeping Software Updated And Reducing Attack Surface

Outdated software is the easiest entry point for AI powered attacks. Google’s 2024 Cloud Threat Horizons report found that weak or missing credentials accounted for 47.2% of initial access vectors in compromised cloud environments. Unpatched software vulnerabilities made up much of the rest.

Run system updates regularly with sudo apt update && sudo apt upgrade on Debian/Ubuntu systems. Enable automatic security updates for critical packages. The unattended-upgrades package handles this on Debian based systems and can be configured to install security patches daily without manual intervention.

Remove software you do not use. Every installed package is a potential vulnerability. If you do not need FTP, remove the FTP server. If you do not use PHP, uninstall it. The GoBruteforcer botnet specifically targets XAMPP installations that ship with default FTP credentials and exposed phpMyAdmin panels.

Audit your installed packages quarterly. Run dpkg --list to see everything installed on your system. Remove unnecessary services, disable unused network daemons, and close ports for services that do not need internet exposure.

Review your server’s exposure with tools like Lynis (sudo lynis audit system). This open source security auditing tool scans your system and provides specific hardening recommendations. It checks for weak permissions, unnecessary services, and missing security configurations. Address every finding rated as a warning or critical.

Creating A Comprehensive VPS Security Checklist

A security checklist ensures you apply every protection consistently across all your VPS deployments. Use this as a reference each time you set up a new server or audit an existing one.

Authentication hardening covers disabling password SSH login, enabling SSH key authentication with Ed25519 or RSA 4096 bit keys, enabling two factor authentication, changing the default SSH port, disabling root login, and setting maximum authentication attempts to 3.

Firewall configuration includes setting default deny for incoming traffic, enabling rate limiting on SSH and web ports, opening only the ports your applications need, and blocking access from known malicious IP ranges using CrowdSec’s community blocklist.

Automated protection means installing and configuring Fail2Ban with progressive ban times, deploying CrowdSec with the iptables or nftables bouncer, setting up Wazuh or OSSEC for intrusion detection, and enabling file integrity monitoring for critical system files.

System hardening requires applying sysctl kernel parameters, enabling SELinux or AppArmor, configuring automatic security updates, removing unnecessary software packages, and disabling unused network services.

Monitoring and maintenance involves reviewing authentication logs daily, setting up real time alerts for failed login spikes, auditing installed packages quarterly, testing your security configuration monthly, and maintaining current backups that are stored separately from the VPS. A backup is your last line of defense if all other protections fail.

Responding To A Detected Brute Force Attack

When your monitoring tools detect an active brute force attack, a fast and structured response minimizes potential damage. Have a response plan ready before you need it.

Immediate actions include verifying the attack through your logs. Check /var/log/auth.log for the source IP addresses and the usernames being targeted. If neither Fail2Ban nor CrowdSec has already blocked the attacking IPs, add them to your firewall’s block list manually with sudo ufw deny from attacker_ip.

If the attack involves a large number of distributed IPs, consider temporarily restricting SSH access to only your known IP addresses. Add AllowUsers your_username@your_ip to your SSH configuration. This stops the attack immediately while you assess the situation.

Check for signs of successful compromise. Look for unexpected new user accounts, modified SSH authorized keys files, unusual cron jobs, or unfamiliar running processes. Run last and lastb to review successful and failed login history. Check ps aux for processes running under unexpected user accounts.

If you find evidence of compromise, isolate the server immediately. Disconnect it from the network if possible. Do not shut it down, as this destroys volatile memory evidence. Contact your hosting provider’s abuse team and report the attacking IP addresses.

After the incident, review and strengthen your defenses. Every attack is an opportunity to identify gaps in your security. Update your checklist and apply any missing protections to all your servers.

Frequently Asked Questions

Can AI brute force attacks crack SSH key authentication?

No. SSH key authentication uses cryptographic key pairs that are mathematically impossible to guess with current computing technology. A 4096 bit RSA key or an Ed25519 key has a key space so large that even the most advanced AI tools and GPU clusters cannot enumerate it. AI brute force tools are effective against passwords because humans create predictable patterns. Cryptographic keys contain no human patterns to exploit.

How many login attempts should trigger a ban in Fail2Ban?

Set your maxretry value to 3 for SSH connections. A legitimate user rarely fails authentication three times in a row with key based login. For web application login pages, you might allow 5 attempts since users sometimes mistype passwords. Always pair the retry limit with a findtime window of 600 seconds (10 minutes) and a minimum bantime of 3600 seconds (1 hour) with progressive increases for repeat offenders.

Is changing the default SSH port actually useful for security?

Changing the SSH port is not a security measure by itself, but it significantly reduces noise from automated scans. The vast majority of brute force bots, including GoBruteforcer, only target default port 22. Moving to a high numbered port eliminates these automated scans and lets your Fail2Ban and CrowdSec resources focus on targeted attacks instead of deflecting generic bot traffic.

What is the difference between Fail2Ban and CrowdSec?

Fail2Ban monitors local logs and bans IPs based on your server’s own experience. CrowdSec does the same but adds a community intelligence layer that shares threat information across thousands of servers worldwide. CrowdSec can block an IP that attacked another server before it ever reaches yours. For best results, run both tools together since they complement each other well.

How often should I review my VPS security configuration?

Perform a full security audit monthly and review authentication logs daily. Run automated scanning tools like Lynis quarterly. Apply security updates within 24 hours of release for critical vulnerabilities. After any major software installation or configuration change, recheck your firewall rules and service exposure. Treat security as an ongoing process rather than a one time setup task.

Does two factor authentication slow down SSH connections significantly?

No. The additional time required to enter a TOTP code is approximately 5 to 10 seconds per login. This minor delay provides enormous security benefits. Automated brute force tools cannot generate valid TOTP codes because the codes change every 30 seconds and require access to your authenticator app’s secret key. The slight inconvenience is a small price for making your server immune to credential based attacks.
