Previous Page

nihilist - 10 / 07 / 2023

fail2banssh Setup

In this tutorial we're going to look at how to install fail2ban to protect the ssh service from bruteforce attacks.

Initial Setup

First we enable rsyslog on the server, to make sure that the ssh login attempts are logged.


[ Wonderland ] [ /dev/pts/5 ] [/var/log]
→ sudo apt-get install rsyslog -y


[ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
→ ssh root@192.168.0.100 -i ~/.ssh/torified
Enter passphrase for key '/home/nihilist/.ssh/torified':


[ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
→ ssh root@192.168.0.100 -i ~/.ssh/torified -p 2222
Enter passphrase for key '/home/nihilist/.ssh/torified':

[ Wonderland ] [ /dev/pts/5 ] [/var/log]
→ tail -f auth.log | grep "port 22"
2024-03-30T19:09:31.673606+01:00 wonderland sshd[252531]: Connection from 192.168.0.61 port 51258 on 192.168.0.100 port 22 rdomain ""
2024-03-30T19:09:34.365325+01:00 wonderland sshd[252629]: Connection from 192.168.0.61 port 56804 on 192.168.0.100 port 2222 rdomain ""

Then we install fail2ban to make sure that ssh can't be bruteforced:


[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ apt install fail2ban

[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Mon 2023-07-10 21:15:03 CEST; 19s ago
       Docs: man:fail2ban(1)
   Main PID: 94740 (fail2ban-server)
      Tasks: 5 (limit: 77000)
     Memory: 31.7M
        CPU: 174ms
     CGroup: /system.slice/fail2ban.service
             └─94740 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jul 10 21:15:03 Datura systemd[1]: Started fail2ban.service - Fail2Ban Service.
Jul 10 21:15:03 Datura fail2ban-server[94740]: 2023-07-10 21:15:03,092 fail2ban.configreader   [94740]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Jul 10 21:15:03 Datura fail2ban-server[94740]: Server ready

[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ vim /etc/fail2ban/jail.local

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1

	

Then just restart your fail2ban service


[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ systemctl restart fail2ban	

Then you can test if the ssh bruteforce attempts are being stopped or not:


root@web-gw:~# ssh root@116.202.216.190
The authenticity of host '116.202.216.190 (116.202.216.190)' can't be established.
ED25519 key fingerprint is SHA256:63Qqh42ab1AnK9iN83ZQMfNDTeTjbFFvaUEZSm9OZQI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '116.202.216.190' (ED25519) to the list of known hosts.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
root@116.202.216.190: Permission denied (publickey,password).
root@web-gw:~# ssh root@116.202.216.190
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
root@116.202.216.190: Permission denied (publickey,password).
root@web-gw:~#
root@web-gw:~#
root@web-gw:~# ssh root@116.202.216.190
ssh: connect to host 116.202.216.190 port 22: Connection refused
root@web-gw:~#
root@web-gw:~#
root@web-gw:~#
root@web-gw:~#
root@web-gw:~# ssh root@116.202.216.190
ssh: connect to host 116.202.216.190 port 22: Connection refused
root@web-gw:~#
	

And it does! and you can check that in the logs in /var/log/fail2ban.log:


[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ tail -f /var/log/fail2ban.log -n50
2023-07-10 21:15:03,108 fail2ban.server         [94740]: INFO    --------------------------------------------------
2023-07-10 21:15:03,108 fail2ban.server         [94740]: INFO    Starting Fail2ban v1.0.2
2023-07-10 21:15:03,108 fail2ban.observer       [94740]: INFO    Observer start...
2023-07-10 21:15:03,110 fail2ban.database       [94740]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-07-10 21:15:03,112 fail2ban.database       [94740]: WARNING New database created. Version '4'
2023-07-10 21:15:03,112 fail2ban.jail           [94740]: INFO    Creating new jail 'sshd'
2023-07-10 21:15:03,227 fail2ban.jail           [94740]: INFO    Jail 'sshd' uses poller {}
2023-07-10 21:15:03,227 fail2ban.jail           [94740]: INFO    Initiated 'polling' backend
2023-07-10 21:15:03,228 fail2ban.filter         [94740]: INFO      maxLines: 1
2023-07-10 21:15:03,236 fail2ban.filter         [94740]: INFO      maxRetry: 5
2023-07-10 21:15:03,236 fail2ban.filter         [94740]: INFO      findtime: 600
2023-07-10 21:15:03,236 fail2ban.actions        [94740]: INFO      banTime: 600
2023-07-10 21:15:03,236 fail2ban.filter         [94740]: INFO      encoding: UTF-8
2023-07-10 21:15:03,236 fail2ban.filter         [94740]: INFO    Added logfile: '/var/log/auth.log' (pos = 0, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
2023-07-10 21:15:03,238 fail2ban.jail           [94740]: INFO    Jail 'sshd' started
2023-07-10 21:15:03,342 fail2ban.filter         [94740]: INFO    [sshd] Found 219.157.95.77 - 2023-07-10 21:05:51
2023-07-10 21:15:03,343 fail2ban.filter         [94740]: INFO    [sshd] Found 219.157.95.77 - 2023-07-10 21:05:53
2023-07-10 21:15:03,343 fail2ban.filter         [94740]: INFO    [sshd] Found 141.98.11.113 - 2023-07-10 21:14:27
2023-07-10 21:15:03,344 fail2ban.filter         [94740]: INFO    [sshd] Found 141.98.11.113 - 2023-07-10 21:14:30
2023-07-10 21:21:38,514 fail2ban.server         [94740]: INFO    Shutdown in progress...
2023-07-10 21:21:38,514 fail2ban.observer       [94740]: INFO    Observer stop ... try to end queue 5 seconds
2023-07-10 21:21:38,534 fail2ban.observer       [94740]: INFO    Observer stopped, 0 events remaining.
2023-07-10 21:21:38,574 fail2ban.server         [94740]: INFO    Stopping all jails
2023-07-10 21:21:38,574 fail2ban.filter         [94740]: INFO    Removed logfile: '/var/log/auth.log'
2023-07-10 21:21:39,300 fail2ban.actions        [94740]: NOTICE  [sshd] Flush ticket(s) with iptables-multiport
2023-07-10 21:21:39,300 fail2ban.jail           [94740]: INFO    Jail 'sshd' stopped
2023-07-10 21:21:39,300 fail2ban.database       [94740]: INFO    Connection to database closed.
2023-07-10 21:21:39,300 fail2ban.server         [94740]: INFO    Exiting Fail2ban
2023-07-10 21:21:39,461 fail2ban.server         [94842]: INFO    --------------------------------------------------
2023-07-10 21:21:39,461 fail2ban.server         [94842]: INFO    Starting Fail2ban v1.0.2
2023-07-10 21:21:39,461 fail2ban.observer       [94842]: INFO    Observer start...
2023-07-10 21:21:39,466 fail2ban.database       [94842]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-07-10 21:21:39,467 fail2ban.jail           [94842]: INFO    Creating new jail 'sshd'
2023-07-10 21:21:39,556 fail2ban.jail           [94842]: INFO    Jail 'sshd' uses poller {}
2023-07-10 21:21:39,556 fail2ban.jail           [94842]: INFO    Initiated 'polling' backend
2023-07-10 21:21:39,557 fail2ban.filter         [94842]: INFO      maxLines: 1
2023-07-10 21:21:39,565 fail2ban.filter         [94842]: INFO      maxRetry: 3
2023-07-10 21:21:39,565 fail2ban.filter         [94842]: INFO      findtime: 300
2023-07-10 21:21:39,565 fail2ban.actions        [94842]: INFO      banTime: 3600
2023-07-10 21:21:39,565 fail2ban.filter         [94842]: INFO      encoding: UTF-8
2023-07-10 21:21:39,566 fail2ban.filter         [94842]: INFO    Added logfile: '/var/log/auth.log' (pos = 378650, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
2023-07-10 21:21:39,566 fail2ban.jail           [94842]: INFO    Jail 'sshd' started
2023-07-10 21:25:29,417 fail2ban.filter         [94842]: INFO    [sshd] Found 23.137.250.141 - 2023-07-10 21:25:29
2023-07-10 21:25:29,418 fail2ban.filter         [94842]: INFO    [sshd] Found 23.137.250.141 - 2023-07-10 21:25:29
2023-07-10 21:25:31,419 fail2ban.filter         [94842]: INFO    [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
2023-07-10 21:25:31,419 fail2ban.filter         [94842]: INFO    [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
2023-07-10 21:25:31,601 fail2ban.actions        [94842]: NOTICE  [sshd] Ban 23.137.250.141

Nihilism

Until there is Nothing left.



Creative Commons Zero: No Rights Reserved

About nihilist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)