Jens Segers on Apr 24 2016

Protect your server with fail2ban

Fail2ban is a must-have for every SSH-enabled server that is connected to the internet. It protects services such as SSH from illegitimate access.

The first thing I do on every server is set up the firewall so that all ports except the SSH port are blocked for incoming connections. But with the SSH port open, you still want it to be protected from illegitimate access, right? This is where fail2ban comes in. Fail2ban automatically bans IPs that show malicious signs, such as too many password failures, probing for exploits, etc.

You can install fail2ban from the Debian or Ubuntu repositories:

> sudo apt-get update
> sudo apt-get install fail2ban

Once installed, you only need to modify a couple of settings. The default settings are located in /etc/fail2ban/jail.conf. However, it is recommended that you do not modify this file directly, but that you create a jail.local copy instead:

> cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

In your jail.local file you can modify some of the general settings under the default section. These settings apply to all fail2ban "jails".

[DEFAULT]
ignoreip  = 127.0.0.1/8
bantime   = 86400
maxretry  = 3
destemail = your@email.com
action    = %(action_mwl)s

Most of these settings should be self-explanatory, or are explained within the configuration file. The biggest change here is the action setting, which configures fail2ban to send report emails to destemail with whois information about the attacker.

Next you will want to enable the SSH jail by setting the enabled setting to true:

[ssh]
enabled  = true
port     = 22
filter   = sshd
logpath  = /var/log/auth.log
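To make concrete what the settings above actually do, here is a small Python simulation written for this article (it is not fail2ban's own code). It replays a few constructed auth.log lines through a simplified version of one of the sshd filter's failregex patterns and applies ignoreip, maxretry and bantime as configured above. It also uses findtime, the window within which maxretry failures must occur (600 seconds by default in fail2ban); that setting is not shown in the article. The IP addresses, log lines and regex are constructed stand-ins for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Settings mirroring the [DEFAULT] section above. findtime is a real
# fail2ban setting (default 600 s) that the article does not show.
IGNOREIP = [ip_network("127.0.0.1/8", strict=False)]
BANTIME = 86400
MAXRETRY = 3
FINDTIME = 600

# Simplified stand-in for one failregex of fail2ban's sshd filter
# (the real filter has many more patterns).
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed auth.log lines, not real log data.
SAMPLE_AUTH_LOG = """\
Apr 24 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Apr 24 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Apr 24 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Apr 24 10:00:07 host sshd[1004]: Accepted publickey for jens from 198.51.100.7 port 50000 ssh2
Apr 24 10:00:09 host sshd[1005]: Failed password for jens from 198.51.100.7 port 50001 ssh2
Apr 24 10:00:11 host sshd[1006]: Failed password for root from 127.0.0.1 port 50002 ssh2
Apr 24 10:00:12 host sshd[1007]: Failed password for root from 127.0.0.1 port 50003 ssh2
Apr 24 10:00:13 host sshd[1008]: Failed password for root from 127.0.0.1 port 50004 ssh2
Apr 24 10:30:00 host sshd[1009]: Failed password for root from 198.51.100.7 port 50005 ssh2
Apr 24 10:30:01 host sshd[1010]: Failed password for root from 198.51.100.7 port 50006 ssh2
"""


def parse_line(line):
    """Return (timestamp, ip) for a line matching the failregex, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is
    # fine because only the differences between timestamps matter here
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return ts, m.group("ip")


def is_ignored(ip):
    """True if the address falls inside any ignoreip network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IGNOREIP)


def scan(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines and return {ip: (banned_at, expires_at)}."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        # ignored addresses are never counted; already-banned ones are
        # blocked by the firewall, so further lines do not matter
        if is_ignored(ip) or ip in bans:
            continue
        window = failures[ip]
        window.append(ts)
        # forget failures older than findtime
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    for ip, (start, end) in scan(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {start:%H:%M:%S}, expires {end:%b %d %H:%M:%S}")
```

Running it bans only 203.0.113.5: the three failures from 127.0.0.1 are covered by ignoreip, and the three failures from 198.51.100.7 are spread over 30 minutes, so never three of them fall inside the 600-second findtime window. Raising findtime (the last assertion in the test passes 3600) is what catches that slower pattern, which is why that setting deserves a look along with maxretry.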

Restart your fail2ban to load your changes:

> sudo service fail2ban restart

You can check the current status of any configured jail using this command. Note that it might take a while for anything to happen depending on how often your server is "attacked".

> fail2ban-client status ssh

Status for the jail: ssh
|- filter
|  |- File list:    /var/log/auth.log 
|  |- Currently failed: 0
|  `- Total failed: 9171
`- action
   |- Currently banned: 1
   |  `- IP list:   31.197.115.250 
   `- Total banned: 404

And that should be it. Hopefully, you feel a bit more protected with fail2ban. If you want to improve your security further, you could change the default SSH port to something other than 22, as most automated scripts will attack your server on the default SSH port. Also make sure password authentication is disabled for the root account.

Graphic by Patrick Chew
