SSH Fail2Ban Setup
Fail2Ban is a log-based intrusion prevention system that can be used to reduce the impact of brute-force attacks against the SSH daemon. If Fail2Ban sees a specific number of failed access attempts from a single IP within a time frame, it modifies the iptables firewall to ban (REJECT) that IP for a defined amount of time.
Note: Dynamically blocking IPs in this manner may not be very effective against a botnet, since the attacking IP address can be rotated frequently.
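The counting rule described above (so many failures from one IP within a window, then a timed ban) is what Fail2Ban's jail options maxretry, findtime and bantime control. The following is an added example, not Fail2Ban's own code: it replays constructed sshd log lines through a simplified version of that logic so you can see why a fast brute-forcer is banned while a slow one that spaces its attempts wider than the window never trips the threshold. The failure regex is a deliberately reduced stand-in for the real sshd filter, and the year is assumed because syslog timestamps do not carry one.

```python
"""Sliding-window ban logic of the kind Fail2Ban applies to an sshd jail.

Stand-alone illustration, not Fail2Ban's own implementation. The log lines
below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Reduced stand-in for the real sshd filter regex (assumption for this example).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one fast brute-forcer, one legitimate login, one slow attacker.
SAMPLE_LOG = [
    "Mar 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40000 ssh2",
    "Mar 10 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Mar 10 10:00:05 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "Mar 10 10:00:07 host sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Mar 10 10:00:09 host sshd[1005]: Failed password for root from 203.0.113.5 port 40004 ssh2",
    "Mar 10 10:00:10 host sshd[1006]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2",
    "Mar 10 10:05:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 41000 ssh2",
    "Mar 10 10:10:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 41001 ssh2",
    "Mar 10 10:15:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 41002 ssh2",
    "Mar 10 10:20:00 host sshd[1010]: Failed password for root from 198.51.100.9 port 41003 ssh2",
    "Mar 10 10:25:00 host sshd[1011]: Failed password for root from 198.51.100.9 port 41004 ssh2",
]


def parse_ts(stamp, year=2024):
    """syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def simulate_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """Return [(ip, ban_start_datetime), ...] in the order bans are issued."""
    window = timedelta(seconds=findtime)
    ban_len = timedelta(seconds=bantime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned_until = {}            # ip -> datetime when the ban expires
    bans = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue  # still banned: the REJECT rule means this line should not recur
            del banned_until[ip]  # ban expired; start counting afresh
            recent[ip].clear()
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            banned_until[ip] = ts + ban_len
            bans.append((ip, ts))
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, start in simulate_bans(SAMPLE_LOG):
        print(f"ban {ip} at {start:%H:%M:%S}")
```

With the defaults (5 failures within 600 seconds) only 203.0.113.5 is banned, on its fifth failure at 10:00:09. The slow attacker from 198.51.100.9 also racks up five failures, but spaced five minutes apart, so at most three ever sit inside a ten-minute window; widening findtime to an hour catches it as well, which is the trade-off the page's note hints at: distributed or slow attacks need a wider window or a different control.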
For most distributions the sshd jail comes pre-enabled with Fail2Ban. However, if you moved the SSH listening port as detailed in the "Hardening SSH configuration" guide, then you will have to modify the sshd jail regardless, so that Fail2Ban knows which port to instruct iptables to restrict for future brute-forcing baddies.
Let's open the jail.local file. If the file doesn't exist, then it's okay to create a new one.
vi /etc/fail2ban/jail.local
Append the following to the file (assuming that you moved the SSH listening port to "2222"):
[sshd]
enabled = true
port = 2222
Save your configuration and restart the fail2ban daemon.
systemctl restart fail2ban
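The point of the edit above is that the jail's port must agree with whatever sshd actually listens on; a stale jail silently bans traffic to port 22 while the brute-forcing continues on 2222. Here is an added consistency check, written for this page rather than taken from Fail2Ban, that compares the Port directives in an sshd_config with the [sshd] jail in a jail.local. It reads only the two texts it is given (so a jail enabled in a distribution's jail.d drop-in would not be seen), treats the Fail2Ban alias "ssh" as port 22 and the jail's default port as "ssh", and deliberately ignores sshd_config Include and Match blocks.

```python
"""Compare sshd's listening port(s) with the Fail2Ban [sshd] jail's port(s).

Added example for this guide, not Fail2Ban code. Only the two texts passed in
are consulted; Include/Match handling in sshd_config is intentionally omitted.
"""
import configparser

# Constructed inputs for the demonstration below.
CONSTRUCTED_SSHD_CONFIG = "# moved off 22 per the hardening guide\nPort 2222\nPermitRootLogin no\n"
CONSTRUCTED_JAIL_GOOD = "[sshd]\nenabled = true\nport = 2222\n"
CONSTRUCTED_JAIL_STALE = "[sshd]\nenabled = true\nport = ssh\n"


def sshd_ports(sshd_config_text):
    """Every 'Port' directive in the text; sshd defaults to 22 when none is set."""
    ports = set()
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "port" and len(parts) == 2:
            ports.add(parts[1].strip())
    return ports or {"22"}


def jail_ports(jail_local_text):
    """Ports the [sshd] jail covers, or None if the jail is absent or not enabled here.

    Fail2Ban accepts the service name 'ssh' (port 22) and comma-separated lists.
    The jail's default port of 'ssh' is assumed from jail.conf.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(jail_local_text)
    if not cp.has_section("sshd") or not cp.getboolean("sshd", "enabled", fallback=False):
        return None
    raw = cp.get("sshd", "port", fallback="ssh")
    return {"22" if p.strip() == "ssh" else p.strip() for p in raw.split(",") if p.strip()}


def check_jail(sshd_config_text, jail_local_text):
    """Return a list of findings; an empty list means the jail matches sshd."""
    listening = sshd_ports(sshd_config_text)
    jailed = jail_ports(jail_local_text)
    if jailed is None:
        return ["sshd jail is missing or not enabled in the given jail.local"]
    findings = []
    for p in sorted(listening - jailed):
        findings.append(f"sshd listens on {p} but the sshd jail does not cover it")
    for p in sorted(jailed - listening):
        findings.append(f"sshd jail bans on port {p} but sshd does not listen there")
    return findings


if __name__ == "__main__":
    for label, jail in (("good", CONSTRUCTED_JAIL_GOOD), ("stale", CONSTRUCTED_JAIL_STALE)):
        print(label, check_jail(CONSTRUCTED_SSHD_CONFIG, jail) or ["ok"])
```

On a real host you would feed it the contents of /etc/ssh/sshd_config and /etc/fail2ban/jail.local; the stale case reproduces exactly the situation the guide is warning about, with bans landing on a port nobody is attacking.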
You can verify that the sshd jail is enabled with the fail2ban-client command-line utility.
fail2ban-client status
Example output:
Status
|- Number of jail: 3
`- Jail list: sshd
You can also display additional details, such as currently banned IPs, by specifying the sshd jail.
fail2ban-client status sshd
For more information on Fail2Ban I recommend checking out fail2ban.org as well as their manual for a better understanding of the above configurations.[1]
Notes
To unban an IP address from Fail2Ban, you can run the following command:
fail2ban-client set sshd unbanip 192.168.0.1
The Fail2Ban log is located at "/var/log/fail2ban.log". You can monitor it live from a terminal with tail:
tail -F /var/log/fail2ban.log
References
1. https://www.fail2ban.org/wiki/index.php/MANUAL_0_8