zeke

HOW TO INSTALL FAIL2BAN TO PROTECT SERVER FROM BRUTE FORCE SSH LOGIN ATTEMPTS (UBUNTU)


Fail2Ban is a simple script that scans log files for repeated failed login attempts and bans IP addresses that produce too many failures. Commonly these failures come from a brute-force attempt to find the correct password to log in to a server via SSH.

Step 1 – Log in to your server with your favorite SSH client. Windows users can use PuTTY, which is free, small, portable and awesome. If you’ve disabled root login, log in with the username you set up, then type “su” and enter your root password.

Step 2 – Now issue these commands to install fail2ban on your server.

You may first want to update your apt package lists (not necessary, but you may):

apt-get update

Then this command installs fail2ban:

apt-get install fail2ban


Step 3 – Now you have to set up Fail2ban’s configuration. By default, the Fail2ban configuration includes many of the services that may need protection. Before you make changes to the default config file, make a copy first. Issue the following command:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


Step 4 – The command above copies the “jail.conf” file to “jail.local”, where you can make your changes to the config. Now edit that file using our favorite text editor, Nano:

nano /etc/fail2ban/jail.local


Step 5 – Now make some changes (if you wish and if you need to) in the first section of the config. The first section is called “DEFAULT” and covers the basic rules that fail2ban will follow.

The most important part is “ignoreip”. You can add your own IP address there, so that if you forget the password you won’t be banned for trying some combinations, no matter how many times you try. In other words, adding your IP to the whitelist keeps you from accidentally banning yourself.


Also do not forget to set “bantime”, which sets how many seconds a banned user stays locked out. The default value is 600 seconds, or 10 minutes. You can adjust that value as you wish, but you had better raise it, because most brute-force bots will simply move on to the next target once banned by the server.

Below the “bantime” line is “maxretry”. This line defines the number of incorrect login attempts that a single IP may make before it gets banned for the length of the ban time you’ve defined. The default value is “3”, but you can lower it to “2” or “1”. Lower is better, but make sure you have already whitelisted your IP in the “ignoreip” line above.

The next line is “backend”, which you can simply leave at its value of “auto”. Now move to another line, “destemail”. In this line you can define the email address to which all alerts will be sent. Simply change root@localhost to your own personal email address. You have to make sure that your server already has a working mail server so that it can send outgoing email.

Step 6 – Now move to the next section, which is “Action”. You can simply leave those lines as they are if you aren’t sure. All default values should be adequate for fail2ban to work correctly. Now move a little further down and find the [ssh] section.


You also don’t have to change that section. Its default values indicate that SSH protection is currently enabled (ON). You can change “enabled = true” to false if you want to turn the protection OFF.

You can change the “port = ssh” line to the custom port number your SSH daemon uses. For instance, if you’ve changed the default SSH port from 22 to 2200, then change it to “port = 2200”.

Once done editing, hit Control+O to save, then Control+X to exit the Nano editor.

Step 7 – That’s it. Now, to make sure Fail2ban loads your newly defined config, simply restart it. Issue this command:

service fail2ban restart


Q: I rebooted the server; does it start automatically?

Yes, the Fail2ban service will automatically start each time your server reboots.

That’s it.
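
The port change in Step 6 only protects SSH if the jail's port matches the one sshd listens on, and a low “maxretry” is only safe once your own address is in “ignoreip”. The shell check below is an added example, not part of the original post; the function names, sample files and the address 203.0.113.7 are constructed, and it assumes the [ssh] jail name used in this guide and a single Port line in sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files and IPs are constructed.

# ini_get FILE SECTION KEY: print the last value of KEY inside [SECTION]
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t\r]/, ""); cur = $0; next }
        cur == sec {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# sshd_port FILE: first active Port directive in sshd_config, or 22 if none
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# check_jail JAIL_FILE SSHD_CONFIG ADMIN_IP: print findings, return their count
check_jail() {
    n=0
    [ "$(ini_get "$1" ssh enabled)" = "true" ] ||
        { echo "WARN: [ssh] jail is not enabled"; n=$((n + 1)); }
    jp=$(ini_get "$1" ssh port)
    [ "$jp" = "ssh" ] && jp=22             # service name "ssh" is TCP port 22
    sp=$(sshd_port "$2")
    [ "$jp" = "$sp" ] ||
        { echo "WARN: jail watches port ${jp:-unset} but sshd listens on $sp"; n=$((n + 1)); }
    case " $(ini_get "$1" DEFAULT ignoreip | tr ',' ' ') " in
        *" $3 "*|*" $3/"*) ;;              # exact entry only, no CIDR containment
        *) echo "WARN: $3 is not in ignoreip"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample: sshd was moved to port 2200 but the jail still says
# "port = ssh", which is the mismatch Step 6 tells you to fix.
demo=$(mktemp -d)
printf '%s\n' '[DEFAULT]' 'ignoreip = 127.0.0.1/8 203.0.113.7' 'bantime = 600' \
    'maxretry = 3' '[ssh]' 'enabled = true' 'port = ssh' > "$demo/jail.local"
printf '%s\n' '#Port 22' 'Port 2200' > "$demo/sshd_config"
check_jail "$demo/jail.local" "$demo/sshd_config" 203.0.113.7 || echo "findings: $?"
```

On a real server you would call check_jail with /etc/fail2ban/jail.local, /etc/ssh/sshd_config and your own address before running the restart in Step 7.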
