Installing and Configuring Fail2ban to secure SSH
Introduction
Fail2ban is a free and open-source intrusion prevention tool written in Python, primarily intended to prevent brute-force attacks. It is useful when services such as SSH and web applications are constantly bombarded with malicious authentication requests.
Working principles
Fail2ban helps secure your server from brute-force attacks by monitoring log files such as /var/log/auth.log and /var/log/apache/access.log. It detects repeated failed login attempts against your system and automatically bans the offending IP address for a configured period of time. Fail2ban can perform a variety of actions, including updating iptables firewall rules, adding IP addresses to TCP Wrapper's hosts.deny table, sending email notifications, and executing any user-defined action.
In this post, we will show you how to install and configure Fail2ban to protect your server from brute-force login attacks against SSH and Apache basic authentication.
Installation
To install Fail2ban on your server, you will first need to ensure that you have administrative privileges. Once you have confirmed this, you can proceed to install the software using your package manager of choice. For example, on Ubuntu, you can use the following command:
$ sudo apt-get install fail2ban -y
Checking the status
$ sudo systemctl status fail2ban
Configuration
All the configuration files are located in the /etc/fail2ban/ directory. Listing that directory shows the following files and subdirectories:
drwxr-xr-x 2 root root 4096 Apr 26 01:51 action.d
-rw-r--r-- 1 root root 2816 Nov 23 2020 fail2ban.conf
drwxr-xr-x 2 root root 4096 Mar 10 2022 fail2ban.d
drwxr-xr-x 3 root root 4096 Apr 26 01:51 filter.d
-rw-r--r-- 1 root root 25071 Mar 10 2022 jail.conf
drwxr-xr-x 2 root root 4096 Apr 26 01:51 jail.d
-rw-r--r-- 1 root root 645 Nov 23 2020 paths-arch.conf
-rw-r--r-- 1 root root 2827 Nov 23 2020 paths-common.conf
-rw-r--r-- 1 root root 650 Mar 10 2022 paths-debian.conf
-rw-r--r-- 1 root root 738 Nov 23 2020 paths-opensuse.conf
jail.conf is the main configuration file and lists all available options. It contains jail definitions for services such as HTTP, SSH, FTP, webmail, web applications and others. The parameters most commonly tuned are:
- bantime: The number of seconds a host is banned.
- findtime: A host is banned if it generates "maxretry" failures within "findtime" seconds.
- maxretry: The number of failures before a host gets banned.
- ignoreip: IP addresses that fail2ban will ignore (never ban).
- port: The service name or port number.
- logpath: Path of the log file fail2ban monitors.
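To make the interplay of maxretry, findtime, bantime and ignoreip concrete, here is a small, self-contained re-implementation of that sliding-window logic in Python. It is an added example, not fail2ban's own code: the MiniJail class and the single "Failed password" regex are simplifications (the real sshd filter ships many more patterns), and the auth.log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified sshd failure pattern (assumption: the real fail2ban sshd filter
# in /etc/fail2ban/filter.d/sshd.conf has many more regexes).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample of /var/log/auth.log: one host fails three times in 23 s,
# one host is whitelisted, one host fails three times but spread over 15 min.
SAMPLE_AUTH_LOG = """\
May  1 15:25:40 host sshd[2201]: Failed password for root from 10.10.5.60 port 51234 ssh2
May  1 15:25:52 host sshd[2203]: Failed password for invalid user admin from 10.10.5.60 port 51236 ssh2
May  1 15:26:03 host sshd[2205]: Failed password for root from 10.10.5.60 port 51240 ssh2
May  1 15:26:10 host sshd[2207]: Accepted publickey for alice from 10.10.5.7 port 40000 ssh2
May  1 15:26:20 host sshd[2209]: Failed password for root from 10.10.5.7 port 40002 ssh2
May  1 15:26:25 host sshd[2211]: Failed password for root from 192.0.2.9 port 33000 ssh2
May  1 15:40:00 host sshd[2213]: Failed password for root from 192.0.2.9 port 33002 ssh2
May  1 15:41:00 host sshd[2215]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""


class MiniJail:
    """Hypothetical minimal jail: ban a host after `maxretry` failures inside a
    `findtime`-second window, keep it banned for `bantime` seconds, and never
    touch addresses listed in `ignoreip`."""

    def __init__(self, maxretry=3, findtime=600, bantime=120, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time the ban expires
        self.events = []                    # (action, ip, time), like fail2ban.log

    @staticmethod
    def _parse_time(ts, year):
        # syslog timestamps carry no year, so the caller supplies one
        return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

    def _expire_bans(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.events.append(("Unban", ip, now))

    def feed(self, line, year=2023):
        """Process one log line; return 'Found', 'Ban' or None (no match/ignored)."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), self._parse_time(m.group("ts"), year)
        self._expire_bans(now)
        if ip in self.ignoreip or ip in self.banned:
            return None
        window = self.failures[ip]
        window.append(now)
        # drop failures that fell out of the findtime window
        while window and now - window[0] > self.findtime:
            window.popleft()
        self.events.append(("Found", ip, now))
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            self.events.append(("Ban", ip, now))
            return "Ban"
        return "Found"


def run(log_text, **jail_kwargs):
    """Replay a whole log through a MiniJail and return it for inspection."""
    jail = MiniJail(**jail_kwargs)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    jail = run(SAMPLE_AUTH_LOG, maxretry=3, findtime=600, bantime=120,
               ignoreip={"10.10.5.7"})
    for action, ip, when in jail.events:
        print(f"{when} [sshd] {action} {ip}")
```

Replaying the sample shows 10.10.5.60 banned on its third failure within findtime and unbanned 120 seconds later, the whitelisted 10.10.5.7 never counted, and 192.0.2.9 never banned because its failures are more than findtime apart. Raising findtime (or lowering maxretry) is what would catch that slow, spread-out pattern.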
Instead of editing jail.conf directly, it is recommended to create a custom file for each jail and place it in the /etc/fail2ban/jail.d/ directory. This makes the jails easy to track and minimizes the chance of misconfiguration.
Configuring Fail2Ban for SSH
On Ubuntu, fail2ban for SSH is already configured by default. You can verify whether the jail is enabled using the command:
$ fail2ban-client status
However, to configure it manually, we can create sshd.conf and place it in the /etc/fail2ban/jail.d/ directory:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 120
ignoreip = whitelist-IP
We then need to restart the service for the changes to take effect. This can be done using the command:
$ systemctl restart fail2ban.service
Checking Status of Jails and Banning/Unbanning IPs
We can check the status of the jail using the following command:
$ fail2ban-client status sshd
We can test this by deliberately entering wrong authentication credentials for SSH. Once the configured maxretry is reached, the IP is blacklisted for the configured bantime.
Inspecting the fail2ban log at /var/log/fail2ban.log shows the action taken by fail2ban:
2023-05-01 15:26:03,079 fail2ban.filter [109604]: INFO [sshd] Found 10.10.5.60 - 2023-05-01 15:26:03
2023-05-01 15:26:03,139 fail2ban.actions [109604]: NOTICE [sshd] Ban 10.10.5.60
To remove the ban on an IP address, we can issue the following command:
$ sudo fail2ban-client set sshd unbanip <REMOTE-IP-ADDRESS>
# In this particular case
$ sudo fail2ban-client set sshd unbanip 10.10.5.60
We can also ban a specific IP manually using the following command:
$ sudo fail2ban-client set sshd banip <REMOTE-IP-ADDRESS>
Conclusion
In conclusion, fail2ban is a powerful tool that can greatly enhance the security of your SSH server. By installing and configuring fail2ban, you can prevent brute-force attacks and unauthorized access attempts on your system. With fail2ban, you can specify rules to block IPs that show malicious behavior and provide added layers of security for your SSH server.
Overall, fail2ban is a valuable addition to any SSH server and is well worth the effort to set up and configure properly. With fail2ban in place, you can rest assured that your SSH server is well-protected against malicious attacks and unauthorized access attempts.