Secure SSH login on Debian with fail2ban

From Thomas-Krenn-Wiki

fail2ban, a tool written in Python, aims to protect server services against DoS attacks. It checks log files against predefined patterns and temporarily blocks the IP addresses concerned if access attempts fail repeatedly. This article explains how to secure a Debian-based server with fail2ban. The fail2ban version used here is 1.0.2-2 on Debian 12.

Problem

When you run the command "journalctl -u ssh", multiple failed SSH login attempts appear that did not originate from you.

Feb 19 09:21:15 servername sshd[22796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.207.xx.xx  user=root
Feb 19 09:21:17 servername sshd[22796]: Failed password for root from 218.207.xx.xx port 22 ssh2

Explanation

  • A remote user (accidentally) used the wrong server IP address and tried to log in to your server by mistake. The number of login attempts is usually low in this case.
  • You are the victim of a brute-force attack, which automatically attempts to log in as the root user with various passwords (for example from so-called dictionary files). The number of login attempts is noticeably high in this case.

Solution

Secure your SSH login with the fail2ban tool, prohibit SSH root login on Debian, or permit only SSH public key authentication (as described in the Ubuntu article).

What is fail2ban

fail2ban is a tool written in Python that protects various server services against unauthorized access. In the configuration example below, an IP address is blocked for one hour after 4 failed SSH login attempts.

Installation of fail2ban

sudo apt install fail2ban

Configuration of fail2ban

In the /etc/fail2ban/ folder you will find the global configuration file jail.conf. This file should not be edited directly, however, since it is overwritten every time the package is updated. Your own configuration belongs in "jail.local".

# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local

To do this, copy "jail.conf" to "jail.local".

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Check the ignoreip setting against your server's own IP address. In our example, the duration for which an IP address is blocked is increased to one hour and the number of failed attempts before a block is reduced to 3. The banaction must also be changed from "iptables" to "nftables". These settings are made in the following section of the jail.local file:

[...]
[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

[...]

banaction = nftables-multiport
banaction_allports = nftables-allports

The parameters can also be adjusted separately for individual services (here for the SSH daemon).

Now, in the section for the SSH daemon in your own jail.local configuration file (which you copied earlier), add the necessary parameters to monitor it via fail2ban:

[...]
#
# SSH servers
#

[sshd]

enabled	= true
port    = ssh
# filter	= sshd
logpath	= %(sshd_log)s
backend = systemd
maxretry = 4
[...]

After this, restart fail2ban so that the changes are applied.

sudo systemctl restart fail2ban.service
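To make the interplay of findtime, maxretry, bantime and ignoreip tangible, here is an added Python simulation of the ban rule run over constructed journal lines. This is example code written for this article, not fail2ban's own implementation: the failregex is a simplified stand-in for fail2ban's sshd filter, the year is assumed (journalctl omits it), and the sample IPs come from the documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd failregex (not the project's own pattern).
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2")

def parse_time(line, year=2024):
    # journalctl's default output omits the year, so one is assumed here.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def is_ignored(ip, ignoreip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def simulate(lines, findtime=600, maxretry=4, bantime=3600, ignoreip=("127.0.0.1/8",)):
    # Returns {ip: ban time}: a host is banned once it caused maxretry failures within findtime seconds.
    failures = defaultdict(deque)  # ip -> timestamps of recent failures (sliding window)
    bans = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_time(line)
        if is_ignored(ip, ignoreip):
            continue
        if ip in bans and ts < bans[ip] + timedelta(seconds=bantime):
            continue  # still banned; further lines are irrelevant until bantime expires
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans

# Constructed sample journal lines (the pam_unix line does not match the failregex).
SAMPLE = [
    "Feb 19 09:00:00 servername sshd[22790]: Failed password for root from 198.51.100.7 port 22 ssh2",
    "Feb 19 09:05:00 servername sshd[22791]: Failed password for root from 198.51.100.7 port 22 ssh2",
    "Feb 19 09:12:00 servername sshd[22792]: Failed password for root from 198.51.100.7 port 22 ssh2",
    "Feb 19 09:21:15 servername sshd[22796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root",
    "Feb 19 09:21:17 servername sshd[22796]: Failed password for root from 203.0.113.5 port 22 ssh2",
    "Feb 19 09:21:20 servername sshd[22797]: Failed password for invalid user admin from 203.0.113.5 port 22 ssh2",
    "Feb 19 09:21:24 servername sshd[22798]: Failed password for root from 203.0.113.5 port 22 ssh2",
    "Feb 19 09:21:29 servername sshd[22799]: Failed password for root from 203.0.113.5 port 22 ssh2",
    "Feb 19 09:30:00 servername sshd[22800]: Failed password for root from 127.0.0.1 port 22 ssh2",
]
```

With the article's sshd values (maxretry = 4, findtime = 600), only 203.0.113.5 is banned; 198.51.100.7 never reaches 4 failures within 10 minutes, and 127.0.0.1 is skipped because of ignoreip.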


Author: Thomas-Krenn.AG



Translator: Alina Ranzinger

