Enhancing Server Security: Configuring Fail2ban to Combat SSH Attacks

Bill Liu
3 min read · Aug 17, 2024


In today’s digital landscape, server security is paramount. One powerful tool in our arsenal is Fail2ban, which can significantly bolster your server’s defenses against SSH attacks. This guide will walk you through the installation and configuration of Fail2ban on Ubuntu, with a focus on protecting SSH access.

## Installing Fail2ban on Ubuntu

Before we dive into configuration, let’s install Fail2ban:

1. Update your package list:
```
sudo apt update
```

2. Install Fail2ban:
```
sudo apt install fail2ban
```

3. Once installed, Fail2ban will start automatically. You can verify its status with:
```
sudo systemctl status fail2ban
```

## Configuring Fail2ban

Fail2ban works by scanning log files (like `/var/log/auth.log`) for patterns that indicate malicious activity. When it detects such patterns, it can automatically “jail” (ban) the offending IP addresses.

### Basic Configuration

1. Create a local configuration file:
```
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```
The `jail.local` file will override settings in `jail.conf`, allowing for safer customization.

2. Edit `jail.local`:
```
sudo nano /etc/fail2ban/jail.local
```

3. In the `[DEFAULT]` section, add or modify these lines:
```
[DEFAULT]
bantime = 30d
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/24 xxx.xxx.xxx.xxx
findtime = 1d
maxretry = 3
```
This configuration bans an IP address for 30 days once it has failed to log in 3 times within 1 day, while never banning the addresses or ranges listed in `ignoreip`.

### SSH-specific Jails

Now, let’s set up two jails for SSH:

1. Standard SSH jail:
```
[sshd]
enabled = true
mode = aggressive
port = 22,20000
banaction = iptables-multiport
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="YOUR_API_KEY", abuseipdb_category="22"]
```

2. Custom SSH jail with more stringent rules:
```
[sshd-more]
enabled = true
port = 22,20000
filter = sshd-more
maxretry = 1
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="YOUR_API_KEY", abuseipdb_category="18,22"]
```

These jails monitor both standard (22) and custom (20000) SSH ports. When triggered, they ban the IP using iptables and report to AbuseIPDB.

### Custom Filter Configuration

For the `sshd-more` jail, we use a custom filter. Create a file at `/etc/fail2ban/filter.d/sshd-more.conf` with the following content (every continuation line of `failregex` must be indented, otherwise Fail2ban reads it as a separate option):

```
[Definition]
failregex = Invalid user \s*(?!user1\b)(?!user2\b)[^\s]* from <HOST> port \d+
            Disconnecting invalid user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+: Too many authentication failures
            error: maximum authentication attempts exceeded for invalid user \s*(?!user1\b)(?!user2\b)\S* from <HOST> port \d+ ssh2 \[preauth\]
            Connection closed by invalid user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]
            Connection closed by invalid user \S+ <HOST> port \d+ \[preauth\]
            Connection reset by invalid user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]
            Disconnected from invalid user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]
            Disconnected from invalid user \S+ <HOST> port \d+ \[preauth\]
            Disconnected from authenticating user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]
            Connection closed by authenticating user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]
            Received disconnect from <HOST> port \d+:11:.*\[preauth\]
            Unable to negotiate with <HOST> port \d+: no matching key exchange method found
            Unable to negotiate with <HOST> port \d+: no matching host key type found
            (?:Disconnected from|Connection closed by|Connection reset by) <HOST> port \d+ \[preauth\]
            banner exchange: Connection from <HOST> port \d+: invalid format
            User \s*(?!user1\b)(?!user2\b)\S+ from <HOST> not allowed because not listed in AllowUsers
            drop connection #\d+ from \[<HOST>\]:\d+ on \[\d+\.\d+\.\d+\.\d+\]:\d+ past MaxStartups

ignoreregex =
```

These patterns are designed to catch a range of SSH-related attack traffic while exempting attempts that use the named usernames (user1 and user2); the negative lookaheads `(?!user1\b)(?!user2\b)` are what skip those users.

## Testing Your Configuration

To ensure your custom filter is working correctly, use:

```
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-more.conf --print-all-missed
```

This command tests your filter against the actual log file and shows any missed entries.
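To see what the `sshd-more` filter and this test step actually do, here is an added Python example (not part of the original post, and not Fail2ban's own code) that runs the filter's `failregex` lines over a few constructed `auth.log` entries. It replaces Fail2ban's `<HOST>` placeholder with a plain named group and strips the rsyslog prefix itself, which is a simplification of how Fail2ban matches; the log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# The failregex lines from the sshd-more filter, with user1/user2 exempted.
FAILREGEX = (
    r"Invalid user \s*(?!user1\b)(?!user2\b)[^\s]* from <HOST> port \d+",
    r"Disconnecting invalid user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+: Too many authentication failures",
    r"error: maximum authentication attempts exceeded for invalid user \s*(?!user1\b)(?!user2\b)\S* from <HOST> port \d+ ssh2 \[preauth\]",
    r"Connection closed by invalid user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]",
    r"Connection closed by invalid user \S+ <HOST> port \d+ \[preauth\]",
    r"Connection reset by invalid user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]",
    r"Disconnected from invalid user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]",
    r"Disconnected from invalid user \S+ <HOST> port \d+ \[preauth\]",
    r"Disconnected from authenticating user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]",
    r"Connection closed by authenticating user \s*(?!user1\b)(?!user2\b)\S* <HOST> port \d+ \[preauth\]",
    r"Received disconnect from <HOST> port \d+:11:.*\[preauth\]",
    r"Unable to negotiate with <HOST> port \d+: no matching key exchange method found",
    r"Unable to negotiate with <HOST> port \d+: no matching host key type found",
    r"(?:Disconnected from|Connection closed by|Connection reset by) <HOST> port \d+ \[preauth\]",
    r"banner exchange: Connection from <HOST> port \d+: invalid format",
    r"User \s*(?!user1\b)(?!user2\b)\S+ from <HOST> not allowed because not listed in AllowUsers",
    r"drop connection #\d+ from \[<HOST>\]:\d+ on \[\d+\.\d+\.\d+\.\d+\]:\d+ past MaxStartups",
)

# Simplification: Fail2ban expands <HOST> into its own IPv4/IPv6/hostname
# expression; a bare non-space group is enough for these sample lines.
HOST_GROUP = r"(?P<host>\S+)"
PATTERNS = [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in FAILREGEX]

# rsyslog prefix on Ubuntu, e.g. "Aug 17 10:00:01 web1 sshd[1201]: ".
# Fail2ban strips only the timestamp; stripping the whole prefix is a shortcut.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: ")


def match_line(line):
    """Return the offending host if any failregex matches the line, else None."""
    msg = SYSLOG_PREFIX.sub("", line, count=1)
    for pat in PATTERNS:
        m = pat.search(msg)
        if m:
            return m.group("host")
    return None


def count_failures(lines):
    """Tally matches per host, as a jail does before comparing with maxretry."""
    counts = Counter()
    for line in lines:
        host = match_line(line)
        if host is not None:
            counts[host] += 1
    return counts


def hosts_to_ban(lines, maxretry):
    """Hosts that reached maxretry matches (findtime windows are ignored here)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


# Constructed sample auth.log lines (documentation-range addresses).
SAMPLE_LOG = [
    "Aug 17 10:00:01 web1 sshd[1201]: Invalid user admin from 203.0.113.5 port 51234",
    "Aug 17 10:00:02 web1 sshd[1202]: Invalid user user1 from 203.0.113.6 port 51235",
    "Aug 17 10:00:03 web1 sshd[1203]: Invalid user user10 from 203.0.113.7 port 51236",
    "Aug 17 10:00:04 web1 sshd[1204]: Unable to negotiate with 203.0.113.8 port 51237: no matching host key type found",
    "Aug 17 10:00:05 web1 sshd[1205]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2",
    "Aug 17 10:00:06 web1 sshd[1206]: Connection closed by invalid user user1 203.0.113.6 port 51238 [preauth]",
    "Aug 17 10:00:07 web1 sshd[1207]: Invalid user root from 203.0.113.5 port 51239",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{str(match_line(line)):>12}  {line}")
    print("maxretry=1:", hosts_to_ban(SAMPLE_LOG, 1))
    print("maxretry=2:", hosts_to_ban(SAMPLE_LOG, 2))
```

Three things the run makes visible: the `\b` in `(?!user1\b)` is what lets `user10` still match while `user1` is exempted; with `maxretry = 1`, as in the `sshd-more` jail, a single matching line is enough to ban a host; and the two patterns written with a plain `\S+` instead of the lookaheads have no exemption, so the `Connection closed by invalid user user1 ...` line still yields a ban for that address. `fail2ban-regex --print-all-missed` is the equivalent check against the real log, and is the place to confirm that behaviour before enabling the jail.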

## Conclusion

By implementing these Fail2ban configurations, you’ve significantly enhanced your server’s security against SSH attacks. Remember to regularly review and update your security measures to stay ahead of evolving threats.

For more information on integrating with AbuseIPDB, refer to their [official documentation](https://www.abuseipdb.com/fail2ban.html).
