Installing and Configuring Fail2ban to secure SSH

Binaya Sharma
4 min readMay 1, 2023


Introduction

Fail2ban is a free and open-source intrusion prevention tool written in Python whose primary task is preventing brute-force attacks. It is useful when services such as SSH, web applications and others are constantly bombarded with malicious authentication requests.

Working principles

Fail2ban helps secure your server against brute-force attacks by monitoring log files such as /var/log/auth.log and /var/log/apache/access.log. It detects repeated failed login attempts and then automatically bans the offending IP address for a configured period of time. Fail2ban can perform a variety of actions, including updating iptables firewall rules, adding IP addresses to TCP Wrapper's hosts.deny table, sending email notifications, and executing any user-defined actions.

In this post, we will show how to install and configure Fail2ban to protect your server from brute-force login attacks against SSH and Apache basic authentication.

Installation

To install Fail2ban on your server, you will first need to ensure that you have administrative privileges. Once you have confirmed this, you can proceed to install the software using your package manager of choice. For example, on Ubuntu, you can use the following command:

$ sudo apt-get install fail2ban -y    

Checking the status

$ sudo systemctl status fail2ban

Configuration

All the configuration files live in the /etc/fail2ban/ directory. You should see the following files and subdirectories:

drwxr-xr-x 2 root root  4096 Apr 26 01:51 action.d
-rw-r--r-- 1 root root  2816 Nov 23  2020 fail2ban.conf
drwxr-xr-x 2 root root  4096 Mar 10  2022 fail2ban.d
drwxr-xr-x 3 root root  4096 Apr 26 01:51 filter.d
-rw-r--r-- 1 root root 25071 Mar 10  2022 jail.conf
drwxr-xr-x 2 root root  4096 Apr 26 01:51 jail.d
-rw-r--r-- 1 root root   645 Nov 23  2020 paths-arch.conf
-rw-r--r-- 1 root root  2827 Nov 23  2020 paths-common.conf
-rw-r--r-- 1 root root   650 Mar 10  2022 paths-debian.conf
-rw-r--r-- 1 root root   738 Nov 23  2020 paths-opensuse.conf

jail.conf is the main configuration file and lists all available options. It contains jail definitions for services such as HTTP, SSH, FTP, webmail, web applications and others. Some of the most commonly tuned parameters are:

  • bantime: The number of seconds a host stays banned.
  • findtime: A host is banned if it generates "maxretry" failures within the "findtime" window.
  • maxretry: The number of failures before a host gets banned.
  • ignoreip: IP addresses that fail2ban will ignore and never ban.
  • port: The service name or port number.
  • logpath: Path of the log file fail2ban monitors.
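To make the interaction between maxretry, findtime, bantime and ignoreip concrete, here is an added Python simulation of the jail logic replayed over constructed auth.log lines. It is illustrative code written for this post, not fail2ban's own implementation: the regular expression is a simplified stand-in for fail2ban's sshd filter, and the hostnames, addresses and timestamps in the sample log are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified version of the "Failed password" rule in fail2ban's sshd filter (filter.d/sshd.conf).
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                       r"for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def run_jail(log_lines, maxretry=3, findtime=600, bantime=120, ignoreip=(), year=2023):
    """Replay auth.log lines through the jail logic; return {ip: [(ban_start, ban_end), ...]}."""
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the findtime window
    banned_until = {}               # ip -> time the current ban expires
    bans = defaultdict(list)
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # not a failure line this filter matches
        ip = m.group("ip")
        now = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if ip in ignoreip or now < banned_until.get(ip, datetime.min):
            continue                # whitelisted, or still serving a ban
        window = failures[ip]
        window.append(now)
        while now - window[0] > timedelta(seconds=findtime):
            window.popleft()        # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned_until[ip] = now + timedelta(seconds=bantime)
            bans[ip].append((now, banned_until[ip]))
            window.clear()
    return dict(bans)

# Constructed sample auth.log lines (not real traffic): three quick failures from 10.10.5.60,
# three from a whitelisted address, and three from 10.10.5.70 spaced 20 minutes apart.
SAMPLE_LOG = [
    "May  1 15:25:10 host sshd[1200]: Failed password for root from 10.10.5.60 port 51000 ssh2",
    "May  1 15:25:40 host sshd[1201]: Failed password for invalid user admin from 10.10.5.60 port 51002 ssh2",
    "May  1 15:26:03 host sshd[1202]: Failed password for root from 10.10.5.60 port 51004 ssh2",
    "May  1 15:26:30 host sshd[1203]: Failed password for root from 10.10.5.1 port 51006 ssh2",
    "May  1 15:26:31 host sshd[1204]: Failed password for root from 10.10.5.1 port 51007 ssh2",
    "May  1 15:26:32 host sshd[1205]: Failed password for root from 10.10.5.1 port 51008 ssh2",
    "May  1 16:00:00 host sshd[1300]: Failed password for root from 10.10.5.70 port 52000 ssh2",
    "May  1 16:20:00 host sshd[1301]: Failed password for root from 10.10.5.70 port 52001 ssh2",
    "May  1 16:40:00 host sshd[1302]: Failed password for root from 10.10.5.70 port 52002 ssh2",
]

if __name__ == "__main__":
    for ip, spans in run_jail(SAMPLE_LOG, ignoreip={"10.10.5.1"}).items():
        for start, end in spans:
            print(f"Ban {ip} at {start:%H:%M:%S}, expires {end:%H:%M:%S}")
```

Only 10.10.5.60 is banned: the whitelisted address is skipped, and the failures from 10.10.5.70 never accumulate because each one falls outside the 600-second findtime of the previous.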

In addition to jail.conf, it is recommended to create a custom file for each jail and place it in the /etc/fail2ban/jail.d/ directory. This makes the jails easy to track and minimizes the chance of misconfiguration.

Configuring Fail2Ban for SSH

On Ubuntu, the fail2ban jail for SSH is already enabled by default. You can verify whether the jail is enabled with the command:

$ fail2ban-client status
(Screenshot: status of the jail; sshd is enabled by default)

However, to configure it manually we can create an sshd.conf file and place it in the /etc/fail2ban/jail.d/ directory:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 120
ignoreip = whitelist-IP

Then restart the service so the changes take effect:

$ systemctl restart fail2ban.service

Checking Status of Jails and Banning/Unbanning IPs

We can check the status of the jail using the following command:

$ fail2ban-client status sshd 
(Screenshot: sshd jail status)

We can test this by deliberately entering wrong credentials for SSH. Once the configured maxretry is reached, the IP is banned for the configured bantime.

(Screenshot: 10.10.5.60 is banned after 3 retries)

Inspecting the fail2ban log at /var/log/fail2ban.log shows the action taken by fail2ban:

2023-05-01 15:26:03,079 fail2ban.filter         [109604]: INFO    [sshd] Found 10.10.5.60 - 2023-05-01 15:26:03
2023-05-01 15:26:03,139 fail2ban.actions        [109604]: NOTICE  [sshd] Ban 10.10.5.60

To lift the ban on an IP address we can issue the following command:

$ sudo fail2ban-client set sshd unbanip <REMOTE-IP-ADDRESS>

# In this particular case

$ sudo fail2ban-client set sshd unbanip 10.10.5.60

We can also ban a specific IP manually using the following command:

$ sudo fail2ban-client set sshd banip <REMOTE-IP-ADDRESS>

Conclusion

In conclusion, fail2ban is a powerful tool that can greatly enhance the security of your SSH server. By installing and configuring fail2ban, you can prevent brute-force attacks and unauthorized access attempts on your system. With fail2ban, you can specify rules to block IPs that show malicious behavior and provide added layers of security for your SSH server.

Overall, fail2ban is a valuable addition to any SSH server and is well worth the effort to set up and configure properly. With fail2ban in place, your SSH server is considerably better protected against brute-force attacks and unauthorized access attempts.
