Fix SSH Authentication Failed Too Many Attempts

When you repeatedly fail SSH authentication, you might get locked out:

$ ssh user@server.example.com
Received disconnect from 192.168.1.100 port 22:2: Too many authentication failures
Disconnected from 192.168.1.100 port 22

Or you might see:

$ ssh user@server.example.com
ssh: connect to host 192.168.1.100 port 22: Connection refused

After too many failed attempts, security systems like fail2ban, hosts.deny, or sshd's internal limits can block your IP.

Understand the Block Sources

Several mechanisms can block you:

1. 1.SSHD MaxAuthTries - SSH daemon disconnects after too many auth failures
2. 2.fail2ban - External service that bans IPs after failed logins
3. 3.hosts.deny - TCP wrappers blocking connections
4. 4.Cloud firewalls - AWS Security Groups, Azure NSGs, etc.
5. 5.iptables/nftables - Kernel-level packet filtering

Check if You're Blocked by fail2ban

If you have console access to the server, check fail2ban status:

sudo fail2ban-client status sshd

Output:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     15
|  `- File list:       /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.1.50

Your IP appears in the banned list. Unban it:

sudo fail2ban-client set sshd unbanip 192.168.1.50

Find your public IP:

curl -s ifconfig.me

Check fail2ban Logs

See why you were banned:

sudo tail -100 /var/log/fail2ban.log | grep 192.168.1.50

Or check auth.log:

sudo grep "Failed password" /var/log/auth.log | grep 192.168.1.50

Output:

Apr  3 10:15:22 server sshd[12345]: Failed password for user from 192.168.1.50 port 52341 ssh2
Apr  3 10:15:24 server sshd[12345]: Failed password for user from 192.168.1.50 port 52341 ssh2
Apr  3 10:15:26 server sshd[12345]: Failed password for user from 192.168.1.50 port 52341 ssh2

Adjust fail2ban Configuration

Prevent future blocks by adjusting thresholds in /etc/fail2ban/jail.local:

sudo nano /etc/fail2ban/jail.local

Add or modify:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600
ignoreip = 127.0.0.1/8 192.168.1.0/24

Key settings:

• maxretry - Number of failures before ban (default: 5)
• findtime - Time window in seconds (default: 600 = 10 minutes)
• bantime - Ban duration in seconds (default: 3600 = 1 hour)
• ignoreip - IPs/networks to never ban

Restart fail2ban:

sudo systemctl restart fail2ban

Check TCP Wrappers (hosts.deny)

Check if you're blocked by TCP wrappers:

cat /etc/hosts.deny

Look for lines like:

sshd: 192.168.1.50
ALL: ALL EXCEPT 10.0.0.0/8

Remove your IP:

sudo sed -i '/192.168.1.50/d' /etc/hosts.deny

Or add your IP to hosts.allow:

echo "sshd: 192.168.1.50" | sudo tee -a /etc/hosts.allow

Check SSHD MaxAuthTries

SSHD has its own limit for authentication attempts per connection. Check:

sudo grep MaxAuthTries /etc/ssh/sshd_config

Default is typically 6. If it's lower, you might hit it quickly:

MaxAuthTries 3

Increase it:

sudo sed -i 's/^MaxAuthTries.*/MaxAuthTries 6/' /etc/ssh/sshd_config
sudo systemctl restart sshd

Too Many Keys Problem

If you have many SSH keys, SSH might try them all before your intended key, hitting MaxAuthTries:

ssh -v user@server.example.com 2>&1 | grep "Offering public key"

Output:

debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: Offering public key: /home/user/.ssh/id_ed25519
debug1: Offering public key: /home/user/.ssh/github_key
debug1: Offering public key: /home/user/.ssh/aws_key
...

Specify the key explicitly:

ssh -i ~/.ssh/specific_key user@server.example.com

Or in ~/.ssh/config:

Host server.example.com
    IdentityFile ~/.ssh/specific_key
    IdentitiesOnly yes

The IdentitiesOnly yes directive prevents SSH from trying all your keys.

Check iptables Firewall

Check if iptables is blocking you:

sudo iptables -L INPUT -v -n | grep 192.168.1.50

Or check the SSH chain if it exists:

sudo iptables -L sshguard -v -n

Remove the block:

sudo iptables -D INPUT -s 192.168.1.50 -j DROP

For persistent rules, save and update your rules file:

sudo iptables-save > /etc/iptables/rules.v4

Check Cloud Security Groups

For cloud servers, check security group rules:

AWS: ``bash aws ec2 describe-security-groups --group-ids sg-xxxxxxxx

Ensure your IP is allowed on port 22.

Azure: ``bash az network nsg rule list --nsg-name MyNSG --resource-group MyRG

Google Cloud: ``bash gcloud compute firewall-rules list

Reset Your Attempts

Some systems use sshguard or similar tools:

```bash # Check if sshguard is running sudo systemctl status sshguard

# Check its blocked IPs sudo tail -f /var/log/auth.log | grep sshguard ```

Remove blocks:

sudo iptables -F sshguard

Use a Different IP

If you can't unblock yourself, connect through a different network:

```bash # Use a VPN sudo openvpn --config client.ovpn

# Use a jump host ssh -J jumphost user@server

# Use a mobile hotspot ```

Prevent Future Lockouts

Add your IP to the allow list permanently:

fail2ban ignoreip:

echo "ignoreip = 127.0.0.1/8 $(curl -s ifconfig.me)" | sudo tee -a /etc/fail2ban/jail.local
sudo systemctl restart fail2ban

hosts.allow:

echo "sshd: $(curl -s ifconfig.me)" | sudo tee -a /etc/hosts.allow

iptables whitelist:

sudo iptables -I INPUT -s $(curl -s ifconfig.me) -p tcp --dport 22 -j ACCEPT
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Resolution Checklist

1. 1.Check fail2ban status: fail2ban-client status sshd
2. 2.Unban your IP: fail2ban-client set sshd unbanip YOUR_IP
3. 3.Check hosts.deny for your IP
4. 4.Verify sshd MaxAuthTries setting
5. 5.Use -i to specify key explicitly if you have many keys
6. 6.Check iptables for DROP rules
7. 7.Verify cloud security group rules
8. 8.Add your IP to ignore lists

Most authentication lockouts are caused by fail2ban or similar security tools. Use console access or a different IP to unblock yourself, then adjust the thresholds or whitelist your IP.