Fail2ban is a must-have for every SSH-enabled server that is connected to the internet. It protects services such as SSH from illegitimate access.
The first thing I do on every server is set up the firewall so that all ports except for the SSH port are blocked from incoming requests. But with the SSH port unprotected, you still want it to be protected from illegitimate access, right? This is where fail2ban comes in. Fail2ban will automatically ban IPs that show the malicious signs such as too many password failures, seeking for exploits, etc.
You can install fail2ban from the Debian or Ubuntu repositories:
> sudo apt-get update > sudo apt-get install fail2ban
Once installed, you only need to modify a couple of settings. The default settings are located in
/etc/fail2ban/jail.conf. However, it is recommended that you do not modify this file directly, but that you create a
jail.local copy instead:
> cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
jail.local file you can modify some of the general settings under the default section. These settings apply to all fail2ban "jails".
[DEFAULT] ignoreip = 127.0.0.1/8 bantime = 86400 maxretry = 3 destemail = [email protected] action = %(action_mwl)s
Most of these settings should be self-explanatory, or are explained within the configuration file. The biggest change here is the
action one, which configures fail2ban to send report emails to
destemail with whois information of the attacker.
Next you will want to enable the SSH jail by setting the
enabled setting to
[ssh] enabled = true port = 22 filter = sshd logpath = /var/log/auth.log
Restart your fail2ban to load your changes:
> sudo service fail2ban restart
You can check the current status of any configured jail using this command. Note that it might take a while for anything to happen depending on how often your server is "attacked".
> fail2ban-client status ssh Status for the jail: ssh |- filter | |- File list: /var/log/auth.log | |- Currently failed: 0 | `- Total failed: 9171 `- action |- Currently banned: 1 | `- IP list: 18.104.22.168 `- Total banned: 404
And that should be it. Hopefully, you feel a bit more protected with fail2ban. If you further want to improve your security you could change the default SSH port to something different than 22, as most automated scripts will try to attack your server on the default SSH port. Also make sure password authentication is disabled for the root account.
Graphic by Patrick Chew