Tag: fail2ban

  • Using Fail2Ban for SSH Brute-force Protection on your server.

    Fail2Ban is a Python program that helps protect Linux servers from brute-force attacks. It can be configured to watch the SSH daemon's log and ban the source addresses of repeated authentication failures. It does not make a server immune to password guessing, but it sharply limits how many guesses any one address can make, and its log shows how heavy the attacks are in terms of authentication attempts.

    Brute-force attacks can be powerful and may result in thousands of failed authentication attempts each day. Understanding how to safeguard your server against these attacks and how to block IP addresses is essential.

    Fail2Ban makes it easier to stop brute-force attacks by limiting the number of failed authentication attempts a single address may make before it is blocked.

    This is extremely useful for servers that have user accounts that utilize passwords for remote authentication, rather than SSH key-pair authentication.

    First, update the package lists on your Ubuntu server and upgrade the installed packages:

    sudo apt update && sudo apt upgrade

    Installing and Configuring Fail2Ban

    Fail2Ban is free software and is packaged for most popular Linux distributions.

    1. Install Fail2Ban by running the following command:
    sudo apt-get install fail2ban

    2. Use the following command to ensure that Fail2Ban starts at system boot:

      sudo systemctl enable fail2ban.service

      3. After installing Fail2Ban, you can create a jail for your SSH server. The Fail2Ban configuration files live in the directory /etc/fail2ban.

      Fail2Ban ships its default configuration in jail.conf, but you should not edit that file directly, because it is overwritten when the Fail2Ban package is updated. The preferred approach is to put your own settings in a file with the .local extension in /etc/fail2ban; values there take precedence over jail.conf. For example:

      /etc/fail2ban/jail.local

      Creating SSH Jails With Fail2Ban

      1. Begin by creating a new file in the same directory called jail.local, then add the configuration for the sshd jail:
      sudo nano /etc/fail2ban/jail.local

      2. Fail2Ban offers a number of options for customizing how the SSH service is monitored and how addresses are blocked. The most important ones are:

      Option      Function
      enabled     Jail status (true/false): enables or disables the jail
      port        Port(s) the jail protects (service name or number)
      filter      Service-specific log filter (a file from filter.d)
      logpath     Log file(s) to monitor
      maxretry    Number of failures allowed before a ban
      findtime    Window, in seconds, within which maxretry failures must occur
      bantime     Number of seconds an IP stays banned
      ignoreip    Addresses that are never banned

      3. Using the options above, create the jail.local configuration for the OpenSSH server (sshd). The values used in this guide ban an address for one hour (3600 seconds) after 3 wrong passwords within 5 minutes (300 seconds). Add your own administrative address to ignoreip as well, so that a mistyped password cannot lock you out. The complete /etc/fail2ban/jail.local looks like this:

      [sshd]
      enabled = true
      port = ssh
      filter = sshd
      logpath = /var/log/auth.log
      maxretry = 3
      findtime = 300
      bantime = 3600
      ignoreip = 127.0.0.1

      4. After you have entered the configuration options and their values, save the file and restart the Fail2Ban service:

      sudo systemctl restart fail2ban.service

      5. Once Fail2Ban has restarted it reads the new configuration and the jail for the sshd service is active. There is no need to restart the OpenSSH server itself: Fail2Ban only reads its log.
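To see what maxretry and findtime actually do before relying on them, the following added script (written for this page, not Fail2Ban's own code) replays a constructed auth.log excerpt through a simplified model of the sshd jail using awk. Only "Failed password" lines are counted (the real sshd filter matches many more message types, and Fail2Ban's internal counting differs in detail), and the host name and RFC 5737 addresses are constructed. It shows that a burst of 3 failures within a few seconds is banned with the jail.local values above, while 3 failures spread over nine minutes are not, because they never fall inside one 300-second findtime window:

```shell
#!/bin/sh
# Added example: replays a constructed /var/log/auth.log excerpt through a
# simplified model of the sshd jail, so the effect of maxretry and findtime
# can be seen without touching a live server. Not fail2ban's own code: the
# real sshd filter matches many more message types and fail2ban's counter
# bookkeeping differs in detail.

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_AUTH_LOG='Jan  7 16:10:00 web1 sshd[1840]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan  7 16:13:00 web1 sshd[1841]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Jan  7 16:19:00 web1 sshd[1842]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Jan  7 16:21:00 web1 sshd[1843]: Accepted publickey for alice from 198.51.100.7 port 40004 ssh2
Jan  7 16:24:47 web1 sshd[1850]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jan  7 16:24:49 web1 sshd[1851]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Jan  7 16:24:51 web1 sshd[1852]: Failed password for root from 203.0.113.5 port 50126 ssh2
Jan  7 16:24:54 web1 sshd[1853]: Failed password for root from 203.0.113.5 port 50130 ssh2'

# simulate_jail MAXRETRY FINDTIME
# Prints one "Ban <ip> at <time> (<n> failures within <findtime>s)" line per
# host that reaches MAXRETRY failures inside a FINDTIME-second window.
simulate_jail() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | awk -v maxretry="$1" -v findtime="$2" '
    function to_secs(hms,   p) {            # "HH:MM:SS" -> seconds since midnight
      split(hms, p, ":")
      return p[1] * 3600 + p[2] * 60 + p[3]
    }
    # Only authentication failures count; "Accepted ..." lines are ignored,
    # just as the sshd filter ignores them.
    /sshd\[[0-9]+\]: Failed password for/ {
      if (!match($0, / from [0-9.]+ /)) next
      ip = substr($0, RSTART + 6, RLENGTH - 7)
      if (ip in banned) next                  # a banned host accrues no further counts
      t = to_secs($3)
      fails[ip, ++n[ip]] = t
      hits = 0                                # failures inside the last findtime seconds
      for (i = 1; i <= n[ip]; i++)
        if (t - fails[ip, i] < findtime) hits++
      if (hits >= maxretry) {
        banned[ip] = 1
        printf "Ban %s at %s (%d failures within %ds)\n", ip, $3, hits, findtime
      }
    }'
}

# The values from the jail.local above: 3 failures within 300 seconds.
simulate_jail 3 300
```

Run it with sh. `simulate_jail 3 600` also bans the slow attacker, and `simulate_jail 5 300` bans nobody in this sample, which is why findtime and maxretry have to be chosen together. On the live server, `sudo fail2ban-client -t` checks the configuration before a restart and `sudo fail2ban-client status sshd` shows the jail's current ban list.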

      How to unban an IP address: see the instructions in the next post.

  • Fail2ban – how to unban an IP address on your sshd

      IP address unban

      Fail2Ban is an intrusion prevention system that protects servers from brute-force attacks. It monitors specified log files and blocks IP addresses whose behaviour looks like a brute-force attack.

      In particular, Fail2Ban counts failed connection attempts. With its default settings, after 5 failed SSH connection attempts Fail2Ban bans the address from connecting via SSH for 10 minutes. If the same address keeps failing, the recidive jail may ban it for much longer, possibly permanently, and it stays banned until you contact admin@richardapplegate.io and explain why you are attacking my server.

      Unban an IP address

      To unblock an IP address, you must first reach the server from a different address than the blocked one (for example over a VPN or another internet connection), because the banned address cannot connect at all.

      Look at the Fail2Ban log to find out in which jail(s) the IP address was banned:

      sudo tail /var/log/fail2ban.log 
      2019-01-07 16:24:47 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
      2019-01-07 16:24:49 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
      2019-01-07 16:24:51 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
      2019-01-07 16:24:54 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
      2019-01-07 16:24:57 fail2ban.filter  [1837]: INFO    [sshd] Found 11.22.33.44 
      2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE  [sshd] Ban 11.22.33.44 
      2019-01-07 16:24:57 fail2ban.filter  [1837]: NOTICE  [recidive] Ban 11.22.33.44

      Here, the 11.22.33.44 IP address has been banned in the sshd and recidive jails.

      Then use the following commands to unban the IP address.

      sudo fail2ban-client set sshd unbanip 11.22.33.44
      sudo fail2ban-client set recidive unbanip 11.22.33.44
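A small added helper (written for this page, not part of Fail2Ban) that automates the two steps above: it reads a fail2ban.log, keeps only the jails in which a given address has a Ban not followed by an Unban, and prints the corresponding fail2ban-client commands. The log excerpt and the RFC 5737 addresses are constructed for the example:

```shell
#!/bin/sh
# Added example: given a fail2ban.log and an address, list the jails in which
# that address is currently banned (a Ban not followed by an Unban) and print
# the matching fail2ban-client unban commands. Helper code written for this
# page, not part of fail2ban.

# Constructed sample of /var/log/fail2ban.log (documentation addresses).
# 203.0.113.5 was banned by sshd and recidive, then sshd released it an hour
# later; 198.51.100.7 is still banned by sshd only.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2019-01-07 16:24:57 fail2ban.filter  [1837]: INFO    [sshd] Found 203.0.113.5
2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE  [sshd] Ban 203.0.113.5
2019-01-07 16:24:57 fail2ban.actions [1837]: NOTICE  [recidive] Ban 203.0.113.5
2019-01-07 16:30:12 fail2ban.actions [1837]: NOTICE  [sshd] Ban 198.51.100.7
2019-01-07 16:31:02 fail2ban.actions [1837]: NOTICE  [sshd] Ban 203.0.113.50
2019-01-07 17:24:57 fail2ban.actions [1837]: NOTICE  [sshd] Unban 203.0.113.5
EOF

# banned_jails LOGFILE IP -> names of the jails still banning IP, one per line, sorted
banned_jails() {
  awk -v ip="$2" '
    # Match "[jail] Ban <ip>", "[jail] Restore Ban <ip>" and "[jail] Unban <ip>";
    # comparing the whole last field keeps 203.0.113.5 from matching 203.0.113.50.
    $NF == ip && match($0, /\[[^]]+\] (Restore )?(Ban|Unban) /) {
      s = substr($0, RSTART, RLENGTH)
      jail = substr(s, 2, index(s, "]") - 2)
      if (s ~ / Unban /) delete active[jail]; else active[jail] = 1
    }
    END { for (j in active) print j }
  ' "$1" | sort
}

# unban_commands LOGFILE IP -> the fail2ban-client invocations to run
unban_commands() {
  banned_jails "$1" "$2" | while IFS= read -r jail; do
    printf 'sudo fail2ban-client set %s unbanip %s\n' "$jail" "$2"
  done
}

unban_commands "$SAMPLE_LOG" 203.0.113.5   # recidive only: sshd already released it
unban_commands "$SAMPLE_LOG" 198.51.100.7  # sshd
```

Matching the whole last field matters: a plain grep for 203.0.113.5 would also hit 203.0.113.50. On the server, `sudo fail2ban-client status <jail>` lists the currently banned addresses directly, and Fail2Ban 0.10 and later also accept `sudo fail2ban-client unban <ip>` to remove an address from every jail at once.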