Improving Security: Password, Firewall and Fail2Ban

Hardening your server

Harmony ValidatorDAO
3 min read · Nov 17, 2021

These steps assume you have already run:

sudo apt update && sudo apt upgrade

If you have not yet run the above command, do so now.

1. Change the password when you first log in

Some cloud providers send the initial password in plain text by email, so it must be changed immediately. Type:

passwd

Then enter your new password (twice) when prompted.

2. Configure your firewall using ufw

Digital Ocean has an easy website UI to configure the firewall for a droplet. Other providers require you to do it yourself on the server. First install ufw (many images already have it installed).

sudo apt install ufw

Next, set up the rules for the node ports:

sudo ufw allow 6000/tcp
sudo ufw allow 9000/tcp

NOTE: The next command opens port 22 for SSH. Some people move SSH to a different port for security reasons (see Part 2); if you change your SSH port, use that port number in this command instead. Run it before enabling ufw: once the firewall is enabled with no SSH rule, you will not be able to reconnect to the server.

sudo ufw allow 22

Next enable ufw.

sudo ufw enable

Check the rules.

sudo ufw status

By default, ufw denies all other incoming connections. If you need more ports open, add a rule for each one before relying on the service.
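The firewall steps above, as an added example that is not part of the original post: a script that prints the ufw commands in the order they must run (dry run by default) and only executes them with --apply. It differs from the post in two places, which are my choices rather than the author's: it uses `ufw limit` instead of `ufw allow` for the SSH port (ufw then temporarily blocks an address that opens more than 6 connections in 30 seconds), and it refuses to reach `ufw enable` unless the SSH port validates, so a typo in SSH_PORT cannot lock you out. The node ports 6000/tcp and 9000/tcp are the ones the post opens.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): plan and apply the ufw rules,
# guarding the step that can lock you out of the server (`ufw enable` before
# an SSH rule exists). SSH_PORT defaults to 22 and can be overridden for a
# moved SSH port. Assumes ufw and sudo are installed.
set -u

# is_port PORT : true if PORT is an integer in 1..65535
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ufw_plan SSH_PORT "PORT/PROTO ..." : print the ufw commands in the order
# they must run. Returns 1 and prints no plan if any port is invalid, so
# the caller can never execute `ufw enable` with SSH unreachable.
ufw_plan() {
  ssh_port=$1
  extra=${2:-}
  is_port "$ssh_port" || { echo "bad SSH port: $ssh_port" >&2; return 1; }
  for p in $extra; do
    is_port "${p%%/*}" || { echo "bad port: $p" >&2; return 1; }
  done
  # default policies: drop unsolicited inbound, allow outbound
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # SSH first, rate-limited: ufw blocks an address that opens more than
  # 6 connections in 30 seconds (the post uses a plain `allow` here)
  echo "ufw limit ${ssh_port}/tcp"
  for p in $extra; do
    echo "ufw allow $p"
  done
  # only now is enabling safe; --force skips the interactive prompt
  echo "ufw --force enable"
  echo "ufw status numbered"
}

# ufw_apply SSH_PORT "PORT/PROTO ..." : run the plan for real (needs sudo);
# stops at the first failing command instead of continuing blindly
ufw_apply() {
  ufw_plan "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    sudo $cmd || { echo "failed: $cmd" >&2; exit 1; }
  done
}

# Dry run by default; pass --apply to execute the plan.
if [ "${1:-}" = "--apply" ]; then
  ufw_apply "${SSH_PORT:-22}" "6000/tcp 9000/tcp"
else
  ufw_plan "${SSH_PORT:-22}" "6000/tcp 9000/tcp"
fi
```

Run it once without arguments, read the plan, then run it again with `--apply` (`SSH_PORT=2222 ./ufw-setup.sh --apply` if you moved SSH). `ufw status numbered` at the end shows the rule order so you can confirm the SSH rule is present before closing your session.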

3. Install fail2ban to block brute-force attacks

sudo apt-get install -y fail2ban

The configuration files of Fail2Ban live in “/etc/fail2ban/”. The global configuration file is “jail.conf”, but it is overwritten whenever Fail2Ban is upgraded, so your changes must go into “jail.local”, which Fail2Ban reads after jail.conf and which survives upgrades. Copy the file “jail.conf” with the command

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit jail.local by typing:

sudo nano /etc/fail2ban/jail.local

The global parameters are in the “[DEFAULT]” section near the top of the file (around line 44 in this version; exact line numbers vary between releases). There you can globally define after how many failed login attempts an IP address should be banned and how long the ban should last. You can override these values individually for each service, and the one that matters here is the SSH service, configured in the “[sshd]” section (around line 276).

Configure the jail.local file as in the example below. Do not copy and paste it blindly: read the explanation that follows and understand each setting first.

[sshd]
enabled = true
maxretry = 3
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8 23.34.45.56

enabled = true: by default, Fail2Ban protection is disabled for every service (enabled = false), so you have to enable it for the SSH service. Go to the “[sshd]” section (around line 276 of this configuration file) and add the line enabled = true. On Debian and Ubuntu the package already enables this jail through /etc/fail2ban/jail.d/defaults-debian.conf, but setting it explicitly does no harm.

maxretry and findtime: “findtime” is the window in which the number of failed logins defined by “maxretry” must occur for an IP address to be banned. By default “findtime” is 10 minutes (“10m”) and “maxretry” is 5, meaning an IP address is banned after 5 failed login attempts within 10 minutes. Edit the parameters as suggested in the example above (3 attempts within one day) or change them as desired.

bantime = 4w: “bantime” is how long a banned IP address stays banned. The default is 10 minutes (“10m”); we recommend setting it to 4 weeks (“4w”).

ignoreip = 127.0.0.1/8 23.34.45.56: replace 23.34.45.56 with your own public IP address. Addresses in this list are never banned, which prevents you from locking yourself out after a few mistyped passwords. However, most home internet services do not provide a static IP address, so this line must be updated whenever your home IP changes (until then, keep a second way in, such as the provider's console).

For more information about what these settings do, see the fail2ban tutorial credited at the end of this post, which also explains the other fail2ban commands and configuration options.

Save the file by CTRL+X and then press y to save when prompted.

Start and enable the fail2ban service.

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Whenever you make changes to the jail.local, restart fail2ban to activate the settings.

sudo systemctl restart fail2ban
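The [sshd] jail from the steps above, as an added example that is not part of the original post: instead of editing a full copy of jail.conf, it generates only the override block, validates every ignoreip entry (a malformed entry silently gives you no protection from banning yourself), and adds the address your current SSH session comes from so that address is ignored. Writing the block as a drop-in under /etc/fail2ban/jail.d/ is my choice, not the post's; Fail2Ban reads jail.d/*.local after jail.local, so it has the same effect. The `fail2ban-client -t` configuration test assumes fail2ban 0.10 or newer, and the validator accepts IPv4 addresses and /prefix networks only.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): generate the [sshd] jail
# override with validated ignoreip entries and install it as a jail.d
# drop-in. SSH_PORT defaults to 22 (use your moved port if you changed it).
# Assumes sudo, systemd and fail2ban >= 0.10 (for `fail2ban-client -t`).
set -u

# valid_ip4 ADDR[/PREFIX] : accept a dotted-quad IPv4 address with an
# optional /0-32 prefix; everything else is rejected
valid_ip4() {
  addr=${1%%/*}
  if [ "$addr" != "$1" ]; then
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
  fi
  IFS=. read -r a b c d rest <<EOF
$addr
EOF
  [ -z "$rest" ] || return 1
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# ssh_client_ip : the address of the current SSH session (empty if none);
# sshd exports it as the first field of SSH_CONNECTION
ssh_client_ip() {
  conn=${SSH_CONNECTION:-}
  printf '%s\n' "${conn%% *}"
}

# gen_sshd_jail SSH_PORT [IP ...] : print the jail block from the post,
# with the loopback defaults plus every validated IP in the ignore list
gen_sshd_jail() {
  port=$1; shift
  ignore="127.0.0.1/8 ::1"
  for ip in "$@"; do
    valid_ip4 "$ip" || { echo "invalid ignoreip entry: $ip" >&2; return 1; }
    ignore="$ignore $ip"
  done
  cat <<EOF
[sshd]
enabled  = true
port     = $port
maxretry = 3
findtime = 1d
bantime  = 4w
ignoreip = $ignore
EOF
}

# install_jail [IP ...] : write the drop-in, test the whole config, restart
install_jail() {
  me=$(ssh_client_ip)
  conf=$(gen_sshd_jail "${SSH_PORT:-22}" ${me:+"$me"} "$@") || return 1
  printf '%s\n' "$conf" | sudo tee /etc/fail2ban/jail.d/sshd.local >/dev/null
  sudo fail2ban-client -t && sudo systemctl restart fail2ban
  sudo fail2ban-client status sshd
}

# Dry run by default (prints the block); --apply writes and activates it.
if [ "${1:-}" = "--apply" ]; then
  shift
  install_jail "$@"
else
  gen_sshd_jail "${SSH_PORT:-22}" "$@"
fi
```

Usage: `./fail2ban-sshd.sh 203.0.113.10` prints the block for review; `./fail2ban-sshd.sh --apply 203.0.113.10` installs it. Because the current session's address is added automatically, the dynamic-IP caveat above is softened: every time you re-run the script from a new address, that address is ignored, but an address that was ignored last month stays in the file until you overwrite it.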

Fail2Ban records every action it takes (for example banning or unbanning an IP address) in its log file at “/var/log/fail2ban.log”. To see the current state of the SSH jail, including how many addresses are banned right now and in total, type:

sudo fail2ban-client status sshd

You can also use Fail2Ban to manually ban or unban IP addresses for the SSH server. Use the command sudo fail2ban-client set sshd banip 123.123.123.123 to ban an IP address and sudo fail2ban-client set sshd unbanip 123.123.123.123 to unban it. Instead of "123.123.123.123", specify the IP address you want to ban or unban.
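As an added example that is not part of the original post, here is what reading that log looks like in practice: a few constructed lines in the real fail2ban.log layout (date, time, component, PID, level, jail, action, address), plus shell functions that replay the Ban/Unban events to list who is still banned, count bans per address across all jails, and wrap the manual ban and unban commands. The sample log, the jail names other than sshd and all addresses are made up for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): summarise /var/log/fail2ban.log
# and wrap the manual ban/unban commands. With no argument it runs on a
# constructed sample log; pass the real log path to use it on a server.
set -u

# sample_log : write constructed fail2ban.log lines to a temp file and print
# its path. Field layout: date time component [pid]: LEVEL [jail] action ip
sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
2021-11-17 10:01:02,100 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.10 - 2021-11-17 10:01:02
2021-11-17 10:01:05,200 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.10 - 2021-11-17 10:01:05
2021-11-17 10:01:09,300 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.10 - 2021-11-17 10:01:09
2021-11-17 10:01:09,400 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.10
2021-11-17 10:05:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2021-11-17 10:30:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.10
2021-11-17 11:00:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.10
2021-11-17 11:02:00,000 fail2ban.actions        [812]: NOTICE  [recidive] Ban 203.0.113.10
EOF
  echo "$f"
}

# currently_banned LOG JAIL : replay Ban/Unban events for one jail in order
# and print the addresses that are still banned (an Unban after a Ban
# clears it; a later Ban re-adds it)
currently_banned() {
  awk -v jail="[$2]" '
    $6 == jail && $7 == "Ban"   { banned[$8] = 1 }
    $6 == jail && $7 == "Unban" { delete banned[$8] }
    END { for (ip in banned) print ip }
  ' "$1" | sort
}

# ban_counts LOG : "count ip" per address across all jails, most banned
# first; repeat offenders at the top are candidates for a permanent block
ban_counts() {
  awk '$7 == "Ban" { n[$8]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# is_banned LOG JAIL IP : true if IP is currently banned in JAIL
is_banned() {
  currently_banned "$1" "$2" | grep -qxF "$3"
}

# ban_ip JAIL IP / unban_ip JAIL IP : the manual commands from the post
ban_ip()   { sudo fail2ban-client set "$1" banip "$2"; }
unban_ip() { sudo fail2ban-client set "$1" unbanip "$2"; }

LOG=${1:-$(sample_log)}
echo "currently banned in sshd:"
currently_banned "$LOG" sshd
echo "bans per address (all jails):"
ban_counts "$LOG"
```

On the sample log this reports 198.51.100.7 and 203.0.113.10 as still banned in sshd (the Unban of 203.0.113.10 was followed by a new Ban), and 203.0.113.10 as the top offender with three bans. On a real server run it as `./fail2ban-report.sh /var/log/fail2ban.log`; note that fail2ban's own `fail2ban-client status sshd` is authoritative for the live state, while the log replay also works on rotated logs from last week.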

Congratulations, you’ve increased your security! Please leave any questions or comments below.

If you need to set up SSH keys, go to Improving Security on Your Server Part 2.

Credit to: https://www.bennetrichter.de/en/tutorials/ssh-server-fail2ban-linux/
