
How to protect SSH using fail2ban on Ubuntu 16.04

Introduction

The SSH protocol makes remote device management possible, but like any publicly accessible service, an SSH server is exposed to various attacks. One such attack is password cracking: repeated login attempts with guessed credentials.

This manual describes a way to protect SSH from such abuse using the fail2ban package.

The principle of fail2ban is quite simple: a service scans the system logs for records of failed authentication attempts and, once certain thresholds are exceeded, blocks the offending IP address using iptables.

Installation and settings

Run commands as root or via sudo.

Install fail2ban package:

apt-get install fail2ban

Turn on the automatic start of fail2ban service at the system start:

systemctl enable fail2ban

The fail2ban configuration files are located in the directory /etc/fail2ban/:

  • fail2ban.conf – default settings for fail2ban service;

  • fail2ban.d/*.* – custom settings for fail2ban service;

  • jail.conf – default settings for protected services;

  • jail.d/*.* – custom settings for protected services;

  • filter.d/*.*  –  settings for search templates in system logs;

  • action.d/*.* – settings for actions to be performed;

  • paths*.conf – path settings for different operating systems.

To prevent your settings from being overwritten during package upgrades, create custom configuration files instead of editing the files with default settings.

Clear the default sshd protection settings shipped with the package:

cat /dev/null >/etc/fail2ban/jail.d/defaults-debian.conf

Create a file /etc/fail2ban/jail.d/sshd.conf with the following content:

Configuration file 

[sshd]
enabled = true
bantime = 600
findtime = 600
maxretry = 5

If the enabled parameter is true, the fail2ban service blocks an IP address for bantime seconds whenever maxretry or more failed sshd authentication attempts from that address occur within the last findtime seconds. After bantime seconds, the IP address is automatically unblocked.

Restart fail2ban:

systemctl restart fail2ban

Managing the black list

While using fail2ban it might be necessary to temporarily remove an IP ban or add an IP to the exceptions list.

Check if the IP you are looking for is on the black list:

fail2ban-client status sshd

This command shows the number of failed authentication attempts and the list of banned IPs.

Output of the command

Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	12
|  `- File list:	/var/log/secure
`- Actions
   |- Currently banned:	1
   |- Total banned:	2
   `- Banned IP list:	192.168.0.101

In this example, IP 192.168.0.101 needs to be unblocked. This can be done using the commands:

fail2ban-client set sshd addignoreip 192.168.0.101
fail2ban-client set sshd unbanip 192.168.0.101

The first command will add IP 192.168.0.101 to the exceptions list, and the second will unblock it.

If the IP is not added to the exceptions list, it will be blocked again after further failed authentication attempts.

Run the following command to see the exceptions list:

fail2ban-client get sshd ignoreip

Run the following command to delete an IP address from the exceptions list:

fail2ban-client set sshd delignoreip 192.168.0.101

Removing IP ban permanently

Changes made with fail2ban-client are temporary and are lost when the service is restarted.

To make them permanent, add the corresponding parameters to the fail2ban configuration files.

To add IP 192.168.0.101 to the exceptions list permanently, add the ignoreip parameter to the file /etc/fail2ban/jail.d/sshd.conf:

Configuration file

[sshd]
enabled = true
bantime = 600
findtime = 600
maxretry = 5
ignoreip = 192.168.0.101

If you need to add several IP addresses or networks (in CIDR notation), separate them with spaces.

Configuration file parameter

ignoreip = 192.168.0.101 10.0.0.0/24 127.0.0.1/8

Restart fail2ban:

systemctl restart fail2ban
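The following is an added example, not code from the original article or from the fail2ban project: a toy jail written in Python (the language fail2ban itself is written in) that applies the bantime, findtime, maxretry and ignoreip semantics described above to constructed sshd log lines. The regular expression, the epoch timestamps passed alongside each line and the sample lines are assumptions made for the example; real auth.log lines carry a date prefix that fail2ban parses itself.

```python
import ipaddress
import re
from collections import defaultdict
# Simplified stand-in for the failregex in filter.d/sshd.conf (the real filter has many more patterns).
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

class Jail:
    def __init__(self, bantime=600, findtime=600, maxretry=5, ignoreip=""):
        self.bantime, self.findtime, self.maxretry = bantime, findtime, maxretry
        # ignoreip accepts single addresses and CIDR networks separated by spaces
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.failures = defaultdict(list)  # ip -> timestamps of failures inside the findtime window
        self.bans = {}                     # ip -> time at which the ban expires

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def observe(self, ts, line):
        """Feed one log line with its epoch timestamp; return True if this line triggered a ban."""
        self.bans = {ip: until for ip, until in self.bans.items() if ts < until}  # expire old bans
        m = FAIL_RE.search(line)
        if not m or self.is_ignored(m["ip"]):
            return False
        ip = m["ip"]
        window = [t for t in self.failures[ip] if ts - t < self.findtime] + [ts]
        self.failures[ip] = window
        if len(window) >= self.maxretry and ip not in self.bans:
            self.bans[ip] = ts + self.bantime
            del self.failures[ip]          # counter is reset once the ban is applied
            return True
        return False

    def banned(self, ts):
        """IP addresses whose ban is still in force at time ts."""
        return sorted(ip for ip, until in self.bans.items() if ts < until)

# Constructed auth.log fragments with epoch timestamps (not real traffic). 203.0.113.7 fails five times
# within 600 s; 10.0.0.5 fails too but is inside an ignoreip network; the Accepted line is not a failure.
SAMPLE = [
    (0,   "sshd[1201]: Failed password for root from 203.0.113.7 port 5001 ssh2"),
    (30,  "sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2"),
    (120, "sshd[1203]: Failed password for root from 10.0.0.5 port 5003 ssh2"),
    (200, "sshd[1204]: Failed password for root from 203.0.113.7 port 5004 ssh2"),
    (300, "sshd[1205]: Accepted publickey for alice from 198.51.100.2 port 5005 ssh2"),
    (400, "sshd[1206]: Failed password for root from 203.0.113.7 port 5006 ssh2"),
    (500, "sshd[1207]: Failed password for root from 203.0.113.7 port 5007 ssh2"),
]

def run_sample():
    jail = Jail(bantime=600, findtime=600, maxretry=5, ignoreip="10.0.0.0/24 127.0.0.1/8")
    ban_events = [ts for ts, line in SAMPLE if jail.observe(ts, line)]
    return ban_events, jail.banned(600), jail.banned(1200)  # -> ([500], ['203.0.113.7'], [])
```

The fifth failure at second 500 triggers the ban, the address is still banned at second 600, and the ban has expired by second 1200; the address inside 10.0.0.0/24 is never counted.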

Diagnostics

While running, fail2ban writes diagnostic information to its own log file.

Log file

/var/log/fail2ban.log

Disabling

To disable fail2ban and unblock all IP addresses, stop the fail2ban service and disable its automatic start:

systemctl stop fail2ban
systemctl disable fail2ban
