Securing SSH login under Debian with fail2ban
The tool fail2ban, which is written in Python, aims to protect server services against brute-force and DoS attacks. It scans log data for predefined patterns and temporarily blocks the corresponding IP addresses after repeated failed access attempts. This article shows how to secure a Debian-based server with fail2ban. The fail2ban version used is 0.9.6-2 under Debian 9.1.
Problem
Several failed SSH login attempts that do not originate from you appear in the log file "/var/log/auth.log":
Feb 19 09:21:15 servername sshd[22796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.207.xx.xx user=root
Feb 19 09:21:17 servername sshd[22796]: Failed password for root from 218.207.xx.xx port 22 ssh2
Explanation
- A remote user has (accidentally) used a wrong server IP and is erroneously trying to log in to your server. In this case the number of login attempts is usually low.
- You are the victim of a brute-force attack in which an automated login with the user root and various passwords (e.g. from so-called dictionary files) is attempted. In this case the number of login attempts is recognizably high.
Solution
Secure your SSH login with the tool fail2ban, prohibit direct root login, or only allow logins with public-key authentication.
What is Fail2Ban
Fail2Ban is a program, written in Python, that can secure various server services against unauthorized access. In the configuration example below, an IP address is blocked for one hour after 4 failed SSH login attempts from that address.
Installation of Fail2Ban
sudo apt install fail2ban
Configuration of Fail2Ban
In the directory /etc/fail2ban/ you can find the global configuration file jail.conf. This file should not be edited directly, as it is overwritten each time the package is updated. Your own configuration belongs in the file "jail.local":
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
For this, copy "jail.conf" to "jail.local".
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Check the "ignoreip" setting so that the local IP address of your server is never banned. In our example, the time for which an IP is blocked is increased to one hour (bantime = 3600) and the number of attempts after which it is blocked is reduced to 3 (maxretry = 3). This configuration is made in the following section of the file jail.local:
[...]
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
[...]
You can adapt the parameters for single services (as described in the SSH daemon article).
Now add the required parameters to the SSH daemon section further down in the previously copied jail.local configuration file so that fail2ban monitors it:
[...]
#
# SSH servers
#
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
[...]
Restart fail2ban so that the changes take effect.
sudo systemctl restart fail2ban.service
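To make the interplay of ignoreip, findtime, maxretry and bantime tangible, here is an added Python example (not part of the original article and not fail2ban's own code) that re-implements the sshd jail's decision rule over a few constructed auth.log lines. It uses the values from the configuration above (findtime = 600, bantime = 3600 and the sshd jail's maxretry = 4), only matches the "Failed password" line (a simplification of fail2ban's real sshd filter), and uses documentation IP ranges for the sample addresses. It also shows what the article's settings do not catch: a slow attacker whose attempts are spaced further apart than findtime is never banned unless findtime is raised.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Values taken from the jail.local example above (sshd jail: maxretry = 4).
BANTIME = 3600
FINDTIME = 600
MAXRETRY = 4
IGNOREIP = ("127.0.0.1/8",)

# Constructed sample log (not real traffic); IPs come from documentation ranges.
SAMPLE_LOG = """\
Feb 19 09:21:15 servername sshd[22796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Feb 19 09:21:17 servername sshd[22796]: Failed password for root from 203.0.113.7 port 22 ssh2
Feb 19 09:21:19 servername sshd[22801]: Failed password for root from 203.0.113.7 port 22 ssh2
Feb 19 09:21:21 servername sshd[22805]: Failed password for invalid user admin from 203.0.113.7 port 22 ssh2
Feb 19 09:21:23 servername sshd[22809]: Failed password for root from 203.0.113.7 port 22 ssh2
Feb 19 09:30:00 servername sshd[22830]: Failed password for root from 203.0.113.7 port 22 ssh2
Feb 19 09:25:00 servername sshd[22850]: Failed password for alice from 198.51.100.9 port 22 ssh2
Feb 19 09:40:00 servername sshd[22900]: Failed password for alice from 198.51.100.9 port 22 ssh2
Feb 19 09:55:00 servername sshd[22950]: Failed password for alice from 198.51.100.9 port 22 ssh2
Feb 19 10:10:00 servername sshd[23000]: Failed password for alice from 198.51.100.9 port 22 ssh2
Feb 19 10:11:00 servername sshd[23010]: Failed password for root from 127.0.0.1 port 22 ssh2
"""

# Simplified version of the sshd filter: only the "Failed password" line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2"
)


def parse_failures(log_text):
    """Yield (timestamp, ip) for every matching failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime yields year 1900, which
        # is fine for computing time differences within one log file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("ip")


def simulate(log_text, maxretry=MAXRETRY, findtime=FINDTIME,
             bantime=BANTIME, ignoreip=IGNOREIP):
    """Return {ip: [(banned_at, banned_until), ...]} following the jail rule:
    ban when maxretry failures fall inside a findtime-second window."""
    # strict=False accepts "127.0.0.1/8" exactly as written in jail.local.
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)   # ip -> failure timestamps inside findtime
    banned_until = {}             # ip -> expiry of the current ban
    bans = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        if any(ip_address(ip) in net for net in ignored):
            continue                      # ignoreip: never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue                      # already banned; nothing new to do
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()              # drop failures older than findtime
        if len(window) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            bans[ip].append((ts, until))
            banned_until[ip] = until
            window.clear()
    return dict(bans)


if __name__ == "__main__":
    for label, kwargs in (("article settings", {}), ("findtime = 3600", {"findtime": 3600})):
        print(f"--- {label}")
        for ip, periods in simulate(SAMPLE_LOG, **kwargs).items():
            for start, until in periods:
                print(f"{ip}: banned {start:%b %d %H:%M:%S} until {until:%b %d %H:%M:%S}")
```

With the article's values only 203.0.113.7 is banned (four failures within eight seconds, ban from 09:21:23 to 10:21:23); the attempt at 09:30:00 during the ban is ignored, 127.0.0.1 is exempt via ignoreip, and 198.51.100.9, whose attempts are 15 minutes apart, stays under the threshold. Raising findtime to 3600 additionally bans 198.51.100.9 at 10:10:00, which is the trade-off to keep in mind when tuning findtime for slow brute-force attempts.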
Author: Thomas-Krenn.AG

