SSH protocol provides opportunities for remote device management, but as any publicly accessible service, an SSH server is exposed to various attacks. One of such attacks is password-cracking.
This manual will consider a way to protect SSH from malicious use of fail2ban package.
The principle of fail2ban is quite simple: a special service scans the system logs to find a record of failed authentication attempts and under certain conditions blocks malicious IP-address using iptables.
Installation and settings
Run commands as root or via sudo.
Install fail2ban package:
apt-get install fail2ban
Turn on the automatic start of fail2ban service at the system start:
systemctl enable fail2ban
The fail2ban configuration file is located in the catalogue /etc/fail2ban/:
fail2ban.conf – default settings for fail2ban service;
fail2ban.d/*.* – custom settings for fail2ban service;
jail.conf – default settings for protected services;
jail.d/*.* – custom settings for protected services;
filter.d/*.* – settings for search templates in system logs;
action.d/*.* – settings for actions to be performed;
paths*.conf – path settings for different operating systems.
To avoid overwriting when upgrading packages, it is necessary to create custom configuration files instead of editing files with default settings.
Delete the default settings for sshd protection:
cat /dev/null >/etc/fail2ban/jail.d/defaults-debian.conf
Create a file /etc/fail2ban/jail.d/sshd.conf with the following content:
[sshd] enabled = true bantime = 600 findtime = 600 maxretry = 5
If the enabled parameter is true, then fail2ban service will block an IP-address for bantime seconds, if during the last findtime seconds there have been maxretry or more failed attempts of sshd authentication. After bantime seconds, the IP-address will be automatically unblocked.
systemctl restart fail2ban
Managing the black list
While using fail2ban it might be necessary to temporarily remove an IP ban or add an IP to the exceptions list.
Check if the IP you are looking for is on the black list:
fail2ban-client status sshd
Running this command will show the amount of failed authentication attempts and the list of banned IPs.
Running the command
Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 12 | ̀ - File list: /var/log/secure ̀ - Actions |- Currently banned: 1 |- Total banned: 2 ̀ - Banned IP list: 192.168.0.101
In this example, IP 192.168.0.101 needs to be unblocked. This can be done using the commands:
fail2ban-client set sshd addignoreip 192.168.0.101
fail2ban-client set sshd unbanip 192.168.0.101
The first command will add IP 192.168.0.101 to the exceptions list, and the second will unblock it.
If an IP is not added to the exceptions list, in case of further failed authentication attempts it will be blocked again.
Run the following command to see the exceptions list:
fail2ban-client get sshd ignoreip
Run the following command to delete an IP-address from the exceptions list:
fail2ban-client set sshd delignoreip 192.168.0.101
Removing IP ban permanently
The changes implemented using the fail2ban-client are temporary, and they will be reset after the service is restarted.
To make them permanent, some parameters are to be added to fail2ban configuration files.
To add IP192.168.0.101 to the exceptions list permanently, add the parameter ignoreip to the file /etc/fail2ban/jail.d/sshd.conf:
[sshd] enabled = true bantime = 600 findtime = 600 maxretry = 5 ignoreip = 192.168.0.101
If you need to add several IP-addresses or networks, add a space between them.
Configuration file parameter
ignoreip = 192.168.0.101 10.0.0.0/24 127.0.0.1/8
systemctl restart fail2ban
While running, fail2ban records diagnostic information in the system log.
Accessing the file
To disable fail2ban and unblock all IP-addresses, stop fail2ban service and disable its autorun:
systemctl stop fail2ban
systemctl disable fail2ban