Using Fail2Ban for SSH Brute-force Protection on your server.

Fail2Ban is a Python program that helps protect Linux servers from brute-force attacks. It can be set up to protect your SSH service, so that sources which repeatedly fail to authenticate are blocked, and its logs let you see how intense the attacks are in terms of how many authentication attempts are being made.

Brute-force attacks can be relentless and may produce thousands of failed authentication attempts per day. Understanding how to safeguard your server against these attacks and how to block the offending IP addresses is therefore essential. Fail2Ban makes this easier by limiting the number of failed authentication attempts a source can make before it is blocked. This is especially useful for servers with user accounts that authenticate remotely with passwords rather than SSH key pairs.
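To make the counting rule concrete, here is an added example (not code from the original guide or from the Fail2Ban project) that applies the same idea to a handful of constructed auth.log lines: a source is a ban candidate once it reaches a maximum number of failures inside a time window, which is what Fail2Ban's maxretry and findtime settings express. The log lines are constructed samples, the timestamps are assumed to fall on one day, and the matching pattern is a simplified stand-in for Fail2Ban's real sshd filter.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source IP over a sliding window.
# Constructed sample of /var/log/auth.log lines (not a real capture).
SAMPLE_LOG='Jan 12 10:15:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 10:15:04 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 12 10:15:09 host sshd[2105]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 12 10:16:30 host sshd[2110]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 10:40:00 host sshd[2150]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 12 10:41:00 host sshd[2151]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Jan 12 11:05:00 host sshd[2160]: Failed password for alice from 198.51.100.7 port 40020 ssh2'

# ban_candidates MAXRETRY FINDTIME  (log lines on stdin)
# Prints one IP per line for every source that reached MAXRETRY failed
# logins within some FINDTIME-second window. Simplifications (assumptions):
# all lines are from the same day, and a source is reported once.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
        # field 3 is HH:MM:SS; convert to seconds since midnight
        split($3, t, ":")
        secs = t[1] * 3600 + t[2] * 60 + t[3]
        # the source address follows the word "from"
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in banned)) next
        n[ip]++
        ts[ip, n[ip]] = secs
        # count this source'"'"'s failures in the window ending at this event
        cnt = 0
        for (j = n[ip]; j >= 1 && secs - ts[ip, j] <= findtime; j--) cnt++
        if (cnt >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Stand-alone run with the values used in this guide (maxretry 3, findtime 300):
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 300
```

With maxretry 3 and findtime 300, only 203.0.113.5 is reported: its three failures fall within eight seconds, while 198.51.100.7 spreads its three failures over nearly an hour. Widening findtime to 3600 reports both, which illustrates why the window size matters as much as the retry count.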

First, update and upgrade the packages on your Ubuntu server.

sudo apt update && sudo apt upgrade

Installing and Configuring Fail2Ban

Fail2Ban is free software and is packaged in most popular package managers.

  1. Install Fail2Ban by running the following command:

     sudo apt-get install fail2ban

  2. To ensure that Fail2Ban starts at system boot, enable its service:

     sudo systemctl enable fail2ban.service

After the installation is complete, you will be able to start setting up Fail2Ban to create a jail for your SSH server. The configuration files for Fail2Ban are in the directory /etc/fail2ban.

Fail2Ban ships its default configuration in the jail.conf file. Editing the default files directly is not recommended because updates to the Fail2Ban package can overwrite them. The preferred approach to configuring a particular service is to create a new file in the /etc/fail2ban directory with the .local extension; settings in a .local file override those in the .conf file.

A Fail2Ban jail is a configuration block that combines a log filter with the ban settings used to protect your system or a particular service.

Creating SSH Jails With Fail2Ban

  1. Begin by creating a new file in the same directory called jail.local, where you add the security configuration for the sshd jail:

     sudo nano /etc/fail2ban/jail.local

  2. Fail2Ban provides the following options to customize how the SSH service is protected and how offenders are blocked.

     Fail2Ban Configuration Options:

     Configuration   Function
     enabled         Jail status (true/false): enables or disables the jail
     port            Port specification
     filter          Service-specific filter (log filter)
     logpath         Which log file to read
     maxretry        Number of failed attempts allowed before a ban
     findtime        Time window (seconds) in which the failed attempts are counted
     bantime         Number of seconds an IP is banned for
     ignoreip        IPs that are never banned

  3. With the information in the table above, you can create the jail.local configuration for the OpenSSH server (sshd). The values used in this guide are shown in the sample file below.

Note

You can customize the Fail2Ban configuration options and values as per your security requirements.

File: /etc/fail2ban/jail.local

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1

Note

You can disable a Fail2Ban jail by setting the enabled configuration to false.

  4. After you have specified the configuration options and their values, save the file and restart the Fail2Ban service with the following command:

     sudo systemctl restart fail2ban.service

  5. After the restart, Fail2Ban loads the new configuration and the jail for the sshd service is active.

  6. You can now test this functionality by re-enabling PasswordAuthentication in the OpenSSH configuration file, /etc/ssh/sshd_config. Change the value from no to yes using the text editor of your choice, make sure these lines are uncommented, and restart the SSH service so the change takes effect.

File: /etc/ssh/sshd_config

PasswordAuthentication yes 
PermitEmptyPasswords no

This lets users authenticate with passwords instead of SSH key pairs. Fail2Ban then automatically bans sources that attempt to brute-force SSH logins, which limits the exposure of password-based authentication and of the server as a whole, and is particularly useful for user accounts that do not have administrator privileges.
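The following script is an added example (not code from the original guide or from the Fail2Ban project) that ties steps 1 to 5 together: it writes the [sshd] jail with the values used in this guide, reads the settings back, and audits them before Fail2Ban is restarted. The output path, the audit thresholds (maxretry 1..5, findtime at least 60 seconds, bantime at least 600 seconds), and the script name are assumptions made for this example; the fail2ban-client test call only runs when Fail2Ban is installed.

```shell
#!/bin/sh
# Added example: generate and audit the [sshd] jail from this guide.

# write_sshd_jail FILE MAXRETRY FINDTIME BANTIME IGNOREIP
# Writes a jail.local containing only the [sshd] section used in the guide.
write_sshd_jail() {
    cat > "$1" <<EOF
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = $2
findtime = $3
bantime = $4
ignoreip = $5
EOF
}

# jail_value FILE KEY
# Prints the value of KEY inside the [sshd] section of FILE (empty if absent).
jail_value() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[sshd]"); next }
        insec && $1 == key && $2 == "=" {
            out = $3
            for (i = 4; i <= NF; i++) out = out " " $i
            print out
            exit
        }' "$1"
}

# audit_sshd_jail FILE
# Returns 0 when the jail is enabled and its thresholds fall inside the
# ranges assumed for this example (maxretry 1..5, findtime >= 60 s,
# bantime >= 600 s); prints each finding and returns 1 otherwise.
audit_sshd_jail() {
    f="$1"; rc=0
    [ "$(jail_value "$f" enabled)" = "true" ] || { echo "sshd jail is not enabled"; rc=1; }
    mr=$(jail_value "$f" maxretry)
    ft=$(jail_value "$f" findtime)
    bt=$(jail_value "$f" bantime)
    { [ "${mr:-0}" -ge 1 ] && [ "$mr" -le 5 ]; } || { echo "maxretry=$mr: expected 1..5"; rc=1; }
    [ "${ft:-0}" -ge 60 ]  || { echo "findtime=$ft: expected >= 60 seconds"; rc=1; }
    [ "${bt:-0}" -ge 600 ] || { echo "bantime=$bt: expected >= 600 seconds"; rc=1; }
    return "$rc"
}

# Usage (script name is hypothetical):
#   sudo sh make-sshd-jail.sh /etc/fail2ban/jail.local [maxretry findtime bantime ignoreip]
# With no arguments the script only defines the functions above.
if [ "$#" -ge 1 ]; then
    write_sshd_jail "$1" "${2:-3}" "${3:-300}" "${4:-3600}" "${5:-127.0.0.1}"
    if audit_sshd_jail "$1"; then
        echo "audit passed: $1"
        # Only when Fail2Ban is installed: check that the full configuration parses.
        if command -v fail2ban-client >/dev/null 2>&1; then
            fail2ban-client -t
        fi
    fi
fi
```

After the audit passes, restart Fail2Ban as in step 4 and confirm the jail is running with sudo fail2ban-client status sshd, which also lists currently banned addresses; an address banned during testing can be released with sudo fail2ban-client set sshd unbanip followed by the address.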

How to Unban an IP Address: see the separate instructions.

