In this tutorial we're going to look at how to install fail2ban to protect the SSH service from brute-force attacks.
First we enable rsyslog on the server, so that SSH login attempts are written to /var/log/auth.log (the file fail2ban will read):
[ Wonderland ] [ /dev/pts/5 ] [/var/log]
→ sudo apt-get install rsyslog -y
[ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
→ ssh root@192.168.0.100 -i ~/.ssh/torified
Enter passphrase for key '/home/nihilist/.ssh/torified':
[ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
→ ssh root@192.168.0.100 -i ~/.ssh/torified -p 2222
Enter passphrase for key '/home/nihilist/.ssh/torified':
[ Wonderland ] [ /dev/pts/5 ] [/var/log]
→ tail -f auth.log | grep "port 22"
2024-03-30T19:09:31.673606+01:00 wonderland sshd[252531]: Connection from 192.168.0.61 port 51258 on 192.168.0.100 port 22 rdomain ""
2024-03-30T19:09:34.365325+01:00 wonderland sshd[252629]: Connection from 192.168.0.61 port 56804 on 192.168.0.100 port 2222 rdomain ""
Then we install fail2ban so that SSH can't be brute-forced:
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ apt install fail2ban
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Mon 2023-07-10 21:15:03 CEST; 19s ago
       Docs: man:fail2ban(1)
   Main PID: 94740 (fail2ban-server)
      Tasks: 5 (limit: 77000)
     Memory: 31.7M
        CPU: 174ms
     CGroup: /system.slice/fail2ban.service
             └─94740 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jul 10 21:15:03 Datura systemd[1]: Started fail2ban.service - Fail2Ban Service.
Jul 10 21:15:03 Datura fail2ban-server[94740]: 2023-07-10 21:15:03,092 fail2ban.configreader [94740]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Jul 10 21:15:03 Datura fail2ban-server[94740]: Server ready
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ vim /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1
Then restart the fail2ban service so the new jail settings take effect:
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ systemctl restart fail2ban
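To make the three knobs in that jail concrete (maxretry = 3 failures, counted over a findtime window of 300 s, then a bantime of 3600 s, with ignoreip never banned), here is a small simulation of that counting rule over a few constructed auth.log lines. It is an added example, not code from the tutorial or from fail2ban: fail2ban's real sshd filter has many more regexes and ignoreip accepts CIDR ranges, whereas this model matches only the plain "Failed password" line and compares exact addresses. The log lines and IPs are constructed.

```python
"""Simulate the counting rule of the sshd jail from the jail.local above.

Added example; not the tutorial's code and not fail2ban's implementation.
Assumptions: rsyslog's ISO-8601 timestamps (as in the auth.log excerpt above),
only the "Failed password" sshd line, and exact-match ignoreip.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified version of one sshd failregex: timestamp, host, sshd[pid], the failure, the source IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)

# Values taken from the jail.local in the tutorial.
JAIL = {"maxretry": 3, "findtime": 300, "bantime": 3600, "ignoreip": {"127.0.0.1"}}

# Constructed sample log (TEST-NET addresses), same format rsyslog writes on the server above.
SAMPLE_LOG = """\
2024-03-30T19:09:31.673606+01:00 wonderland sshd[252531]: Failed password for root from 203.0.113.7 port 51258 ssh2
2024-03-30T19:09:34.100000+01:00 wonderland sshd[252531]: Failed password for root from 203.0.113.7 port 51258 ssh2
2024-03-30T19:09:36.102938+01:00 wonderland sshd[252531]: Failed password for invalid user admin from 203.0.113.7 port 51259 ssh2
2024-03-30T19:09:40.000000+01:00 wonderland sshd[252600]: Failed password for root from 127.0.0.1 port 40000 ssh2
2024-03-30T19:09:41.000000+01:00 wonderland sshd[252600]: Failed password for root from 127.0.0.1 port 40000 ssh2
2024-03-30T19:09:42.000000+01:00 wonderland sshd[252600]: Failed password for root from 127.0.0.1 port 40000 ssh2
2024-03-30T19:10:00.000000+01:00 wonderland sshd[252700]: Failed password for root from 198.51.100.9 port 40001 ssh2
2024-03-30T19:20:00.000000+01:00 wonderland sshd[252701]: Failed password for root from 198.51.100.9 port 40002 ssh2
2024-03-30T19:30:00.000000+01:00 wonderland sshd[252702]: Failed password for root from 198.51.100.9 port 40003 ssh2
"""


def simulate(log_text, jail=JAIL):
    """Return {ip: (ban_start, ban_end)} for every IP the jail would ban.

    An IP is banned when it accumulates `maxretry` matches whose timestamps all
    fall inside the trailing `findtime` window; the ban lasts `bantime` seconds.
    """
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        ts = datetime.fromisoformat(m.group("ts"))
        # Whitelisted addresses are never counted; an already banned IP needs no second ban.
        if ip in jail["ignoreip"] or ip in bans:
            continue
        window_start = ts - timedelta(seconds=jail["findtime"])
        recent[ip] = [t for t in recent[ip] if t > window_start] + [ts]
        if len(recent[ip]) >= jail["maxretry"]:
            bans[ip] = (ts, ts + timedelta(seconds=jail["bantime"]))
    return bans


if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE_LOG).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
    # 198.51.100.9 spreads its three failures over 20 minutes, so it escapes the
    # 300 s window; widening findtime catches it.
    print("with findtime=1500:", sorted(simulate(SAMPLE_LOG, dict(JAIL, findtime=1500))))
```

The second run shows the trade-off behind findtime: a slow attacker that spaces attempts further apart than the window is never banned, while raising the window also raises the chance that a legitimate user who fumbles a password a few times over an hour gets locked out. Keeping your own management address in ignoreip is what prevents the self-lockout visible in the 127.0.0.1 lines.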
Then you can test whether SSH brute-force attempts are actually being stopped, here by deliberately failing the password from another machine:
root@web-gw:~# ssh root@116.202.216.190
The authenticity of host '116.202.216.190 (116.202.216.190)' can't be established.
ED25519 key fingerprint is SHA256:63Qqh42ab1AnK9iN83ZQMfNDTeTjbFFvaUEZSm9OZQI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '116.202.216.190' (ED25519) to the list of known hosts.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
root@116.202.216.190: Permission denied (publickey,password).
root@web-gw:~# ssh root@116.202.216.190
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
root@116.202.216.190: Permission denied (publickey,password).
root@web-gw:~#
root@web-gw:~#
root@web-gw:~# ssh root@116.202.216.190
ssh: connect to host 116.202.216.190 port 22: Connection refused
root@web-gw:~#
root@web-gw:~#
root@web-gw:~#
root@web-gw:~#
root@web-gw:~# ssh root@116.202.216.190
ssh: connect to host 116.202.216.190 port 22: Connection refused
root@web-gw:~#
And it does! After the third failed login the connection is refused. You can confirm it in /var/log/fail2ban.log; note that the first start (before jail.local existed) ran with the defaults maxRetry 5 / findtime 600 / banTime 600, and only after the restart do the values 3 / 300 / 3600 from jail.local appear:
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ tail -f /var/log/fail2ban.log -n50
2023-07-10 21:15:03,108 fail2ban.server [94740]: INFO --------------------------------------------------
2023-07-10 21:15:03,108 fail2ban.server [94740]: INFO Starting Fail2ban v1.0.2
2023-07-10 21:15:03,108 fail2ban.observer [94740]: INFO Observer start...
2023-07-10 21:15:03,110 fail2ban.database [94740]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-07-10 21:15:03,112 fail2ban.database [94740]: WARNING New database created. Version '4'
2023-07-10 21:15:03,112 fail2ban.jail [94740]: INFO Creating new jail 'sshd'
2023-07-10 21:15:03,227 fail2ban.jail [94740]: INFO Jail 'sshd' uses poller {}
2023-07-10 21:15:03,227 fail2ban.jail [94740]: INFO Initiated 'polling' backend
2023-07-10 21:15:03,228 fail2ban.filter [94740]: INFO maxLines: 1
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO maxRetry: 5
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO findtime: 600
2023-07-10 21:15:03,236 fail2ban.actions [94740]: INFO banTime: 600
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO encoding: UTF-8
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO Added logfile: '/var/log/auth.log' (pos = 0, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
2023-07-10 21:15:03,238 fail2ban.jail [94740]: INFO Jail 'sshd' started
2023-07-10 21:15:03,342 fail2ban.filter [94740]: INFO [sshd] Found 219.157.95.77 - 2023-07-10 21:05:51
2023-07-10 21:15:03,343 fail2ban.filter [94740]: INFO [sshd] Found 219.157.95.77 - 2023-07-10 21:05:53
2023-07-10 21:15:03,343 fail2ban.filter [94740]: INFO [sshd] Found 141.98.11.113 - 2023-07-10 21:14:27
2023-07-10 21:15:03,344 fail2ban.filter [94740]: INFO [sshd] Found 141.98.11.113 - 2023-07-10 21:14:30
2023-07-10 21:21:38,514 fail2ban.server [94740]: INFO Shutdown in progress...
2023-07-10 21:21:38,514 fail2ban.observer [94740]: INFO Observer stop ... try to end queue 5 seconds
2023-07-10 21:21:38,534 fail2ban.observer [94740]: INFO Observer stopped, 0 events remaining.
2023-07-10 21:21:38,574 fail2ban.server [94740]: INFO Stopping all jails
2023-07-10 21:21:38,574 fail2ban.filter [94740]: INFO Removed logfile: '/var/log/auth.log'
2023-07-10 21:21:39,300 fail2ban.actions [94740]: NOTICE [sshd] Flush ticket(s) with iptables-multiport
2023-07-10 21:21:39,300 fail2ban.jail [94740]: INFO Jail 'sshd' stopped
2023-07-10 21:21:39,300 fail2ban.database [94740]: INFO Connection to database closed.
2023-07-10 21:21:39,300 fail2ban.server [94740]: INFO Exiting Fail2ban
2023-07-10 21:21:39,461 fail2ban.server [94842]: INFO --------------------------------------------------
2023-07-10 21:21:39,461 fail2ban.server [94842]: INFO Starting Fail2ban v1.0.2
2023-07-10 21:21:39,461 fail2ban.observer [94842]: INFO Observer start...
2023-07-10 21:21:39,466 fail2ban.database [94842]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-07-10 21:21:39,467 fail2ban.jail [94842]: INFO Creating new jail 'sshd'
2023-07-10 21:21:39,556 fail2ban.jail [94842]: INFO Jail 'sshd' uses poller {}
2023-07-10 21:21:39,556 fail2ban.jail [94842]: INFO Initiated 'polling' backend
2023-07-10 21:21:39,557 fail2ban.filter [94842]: INFO maxLines: 1
2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO maxRetry: 3
2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO findtime: 300
2023-07-10 21:21:39,565 fail2ban.actions [94842]: INFO banTime: 3600
2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO encoding: UTF-8
2023-07-10 21:21:39,566 fail2ban.filter [94842]: INFO Added logfile: '/var/log/auth.log' (pos = 378650, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
2023-07-10 21:21:39,566 fail2ban.jail [94842]: INFO Jail 'sshd' started
2023-07-10 21:25:29,417 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:29
2023-07-10 21:25:29,418 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:29
2023-07-10 21:25:31,419 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
2023-07-10 21:25:31,419 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
2023-07-10 21:25:31,601 fail2ban.actions [94842]: NOTICE [sshd] Ban 23.137.250.141
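Two things worth checking in that log every time you touch a jail are whether the most recent start actually logged the values you put in jail.local, and which addresses were found and banned. The following added example parses fail2ban.log lines for both; it is not part of the tutorial or of fail2ban, and the sample lines are constructed (TEST-NET addresses) in the same format as the excerpt above, reproducing the defaults-then-restart sequence seen there.

```python
"""Audit a fail2ban.log: did the intended jail settings take effect, and who got banned?

Added example; not the tutorial's code and not part of fail2ban. The regexes
assume the log layout shown above (component, [pid], level, message).
"""
import re
from collections import defaultdict

START_RE = re.compile(r"fail2ban\.server\s+\[\d+\]: INFO\s+Starting Fail2ban")
SETTING_RE = re.compile(
    r"fail2ban\.(?:filter|actions)\s+\[\d+\]: INFO\s+(maxRetry|findtime|banTime): (\d+)"
)
EVENT_RE = re.compile(
    r"fail2ban\.(?:filter|actions)\s+\[\d+\]: (?:INFO|NOTICE)\s+"
    r"\[(?P<jail>\w+)\] (?P<kind>Found|Ban|Unban) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# The values written to jail.local in the tutorial.
INTENDED = {"maxRetry": 3, "findtime": 300, "banTime": 3600}

# Constructed sample: first start with defaults, then a restart with jail.local applied.
SAMPLE_LOG = """\
2023-07-10 21:15:03,108 fail2ban.server [94740]: INFO Starting Fail2ban v1.0.2
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO maxRetry: 5
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO findtime: 600
2023-07-10 21:15:03,236 fail2ban.actions [94740]: INFO banTime: 600
2023-07-10 21:15:03,342 fail2ban.filter [94740]: INFO [sshd] Found 198.51.100.4 - 2023-07-10 21:05:51
2023-07-10 21:21:39,461 fail2ban.server [94842]: INFO Starting Fail2ban v1.0.2
2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO maxRetry: 3
2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO findtime: 300
2023-07-10 21:21:39,565 fail2ban.actions [94842]: INFO banTime: 3600
2023-07-10 21:25:29,417 fail2ban.filter [94842]: INFO [sshd] Found 203.0.113.7 - 2023-07-10 21:25:29
2023-07-10 21:25:29,418 fail2ban.filter [94842]: INFO [sshd] Found 203.0.113.7 - 2023-07-10 21:25:29
2023-07-10 21:25:31,419 fail2ban.filter [94842]: INFO [sshd] Found 203.0.113.7 - 2023-07-10 21:25:30
2023-07-10 21:25:31,601 fail2ban.actions [94842]: NOTICE [sshd] Ban 203.0.113.7
"""


def parse(log_text):
    """Return (settings per server start, {ip: {"Found": n, "Ban": n, ...}})."""
    starts = []                                   # one dict per "Starting Fail2ban" line
    events = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if START_RE.search(line):
            starts.append({})
            continue
        m = SETTING_RE.search(line)
        if m and starts:
            starts[-1][m.group(1)] = int(m.group(2))
            continue
        m = EVENT_RE.search(line)
        if m:
            events[m.group("ip")][m.group("kind")] += 1
    return starts, {ip: dict(kinds) for ip, kinds in events.items()}


def settings_in_effect_ok(starts, intended=INTENDED):
    """True only if the most recent start logged exactly the intended values."""
    return bool(starts) and all(starts[-1].get(k) == v for k, v in intended.items())


if __name__ == "__main__":
    starts, events = parse(SAMPLE_LOG)
    for i, s in enumerate(starts, 1):
        print(f"start {i}: {s}")
    print("jail.local in effect:", settings_in_effect_ok(starts))
    for ip, kinds in events.items():
        print(ip, kinds)
```

On a live box the same check is `tail -n 50 /var/log/fail2ban.log` and reading the last maxRetry/findtime/banTime trio; if it still shows 5/600/600 the jail.local edit was not picked up (typically a typo in the section name or a missing restart).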
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@contact.nowhere.moe (PGP)