{"id":1539,"date":"2018-11-30T00:18:26","date_gmt":"2018-11-29T21:18:26","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1539"},"modified":"2024-03-11T20:20:26","modified_gmt":"2024-03-11T17:20:26","slug":"how-to-protect-ssh-server-authentication-with-fail2ban-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-protect-ssh-server-authentication-with-fail2ban-on-ubuntu-18-04\/","title":{"rendered":"How to Protect SSH Server Authentication with Fail2ban Ubuntu 18.04"},"content":{"rendered":"\n
<p>Hello there. Welcome to our tutorial on how to protect SSH server authentication with fail2ban on Ubuntu 18.04.<\/p>\n\n\n\n
<p>Fail2ban is an intrusion prevention tool, written in Python, that protects servers and any service that requires authentication against brute-force attacks. It scans the server or service logs for anomalies, for example repeated failed SSH logins, and bans the source IP address associated with them.<\/p>\n\n\n\n
<p>It does this by adding firewall rules that reject further attempts by the offending host to authenticate to the system or service for a defined period of time. It can also be configured to send notifications when a ban happens.<\/p>\n\n\n\n
<p>Fail2ban mitigates brute-forcing, but it does nothing about the risk posed by weak authentication itself: a guessable password that is tried before the ban threshold is reached still works. Therefore, ensure that you also implement strong authentication for your systems and services, for example key-based SSH authentication with password logins and direct root login disabled.<\/p>\n\n\n\n
<h2>Install Fail2Ban on Ubuntu 18.04<\/h2>\n\n\n\n
<p>Fail2ban is available in the default Ubuntu 18.04 repositories and can be installed by running the commands below;<\/p>\n\n\n\n
<pre>sudo apt update\nsudo apt install fail2ban -y<\/pre>\n\n\n\n
<h2>Configure fail2ban<\/h2>\n\n\n\n
<p>The configuration files for fail2ban are located under the <code>\/etc\/fail2ban<\/code> directory, with <code>jail.conf<\/code> being the main configuration file.<\/p>\n\n\n\n
<p>In order to configure fail2ban to protect specific services, copy <code>jail.conf<\/code> to a custom <code>jail.local<\/code> configuration file. Direct modification of the <code>*.conf<\/code> files is not recommended, since they are overwritten on upgrade and any changes made in them will be lost.<\/p>\n\n\n\n
<p>Therefore, you can either copy the main configuration file, <code>jail.conf<\/code>, to <code>jail.local<\/code> and make your customizations there, or simply create a new <code>jail.local<\/code> and define only the settings you wish to override from the main <code>.conf<\/code>. The latter keeps the file short and makes your changes easy to review.<\/p>\n\n\n\n
<pre>vim \/etc\/fail2ban\/jail.local<\/pre>\n\n\n\n
<p>You can use <code>jail.conf<\/code> as a reference for the settings you would like to override.<\/p>\n\n\n\n
<h3>Fail2ban Global Settings<\/h3>\n\n\n\n
<p>The <code>[DEFAULT]<\/code> section of the configuration file defines settings that apply to all the services protected by fail2ban. In this section, you may want to override settings such as <code>ignoreip<\/code>, <code>bantime<\/code>, <code>findtime<\/code>, <code>maxretry<\/code>, <code>destemail<\/code>, <code>sender<\/code>, <code>mta<\/code> and <code>action<\/code>.<\/p>\n\n\n\n
<p>To customize your <code>jail.local<\/code>, edit it and put the following contents;<\/p>\n\n\n\n
<pre>[DEFAULT]\nignoreip = 192.168.43.149\nbantime = 1440m\nfindtime = 5m\nmaxretry = 5\ndestemail = admin@example.com\nsender = fail2ban@<fq-hostname>\nmta = postfix<\/pre>\n\n\n\n
<p>These parameters are described below;<\/p>\n\n\n\n
<ul>\n<li><code>ignoreip<\/code> – Defines IP addresses that are never banned by fail2ban. Multiple entries are separated by spaces; CIDR ranges and DNS names are also accepted. Put the address you administer the server from here, otherwise a few typos in your own password will lock you out for the whole <code>bantime<\/code>.<\/li>\n\n\n\n
<li><code>bantime<\/code> – Defines how long a host is blocked once it exceeds the failure threshold. The default is 10 minutes; the value above (<code>1440m<\/code>) is one day.<\/li>\n\n\n\n
<li><code>findtime<\/code> – Defines the time window within which the number of failures set by <code>maxretry<\/code> must occur for the host to be blocked. Failures older than <code>findtime<\/code> are no longer counted. The default is 10 minutes.<\/li>\n\n\n\n
<li><code>maxretry<\/code> – Defines the number of failures within <code>findtime<\/code> after which a host is blocked. The default is 5.<\/li>\n\n\n\n
<li><code>destemail<\/code> – Specifies the email address notifications are sent to when a host is banned.<\/li>\n\n\n\n
<li><code>sender<\/code> – Defines the value of the “From” field of the emails sent.<\/li>\n\n\n\n
<li><code>mta<\/code> – Specifies the mail transfer agent used to send the mail.<\/li>\n<\/ul>\n\n\n\n
<p>Note that with the default <code>action = %(action_)s<\/code> fail2ban only bans; the three mail settings above take effect only if you also set <code>action = %(action_mw)s<\/code> (ban and mail a whois report) or <code>action = %(action_mwl)s<\/code> (the same, plus the matching log lines) in <code>jail.local<\/code>.<\/p>\n\n\n\n
<h3>Configure SSH Jail Settings<\/h3>\n\n\n\n
<p>In order to define settings that apply only to a specific service, for example SSH, you create a section for that service. On Ubuntu 18.04 the package ships <code>\/etc\/fail2ban\/jail.d\/defaults-debian.conf<\/code>, which already enables the <code>sshd<\/code> jail while all other jails stay disabled. A section named <code>[sshd]<\/code> in <code>jail.local<\/code> therefore overrides that jail; naming it anything else, such as <code>[ssh]<\/code>, would create a second jail watching the same log. To block repeated failed logins on the SSH server, define the jail as shown below.<\/p>\n\n\n\n
<pre># SSH Jail to block multiple failed login attempts\n[sshd]\nenabled = true\nport = ssh\nfilter = sshd\nlogpath = \/var\/log\/auth.log<\/pre>\n\n\n\n
<p>The parameters used are described below;<\/p>\n\n\n\n
<ul>\n<li><code>enabled<\/code> : Turns on the jail, and with it SSH server protection.<\/li>\n\n\n\n
<li><code>port<\/code> : Defines the port(s) the ban action blocks. <code>ssh<\/code> is resolved through <code>\/etc\/services<\/code> to 22; if sshd listens on a different port, set that port here, otherwise banned hosts can still reach it.<\/li>\n\n\n\n
<li><code>filter<\/code> : Names the filter file under <code>\/etc\/fail2ban\/filter.d\/<\/code> whose regular expressions fail2ban matches against the log, in this case <code>\/etc\/fail2ban\/filter.d\/sshd.conf<\/code>.<\/li>\n\n\n\n
<li><code>logpath<\/code> : Specifies the log file fail2ban reads for this service.<\/li>\n<\/ul>\n\n\n\n
<h2>Starting fail2ban<\/h2>\n\n\n\n
<p>Once you are done with the configuration, save the file, then restart fail2ban so that it reads <code>jail.local<\/code> and enable it to run on system boot. The Ubuntu package starts the service at install time, which is why a restart rather than a start is needed after editing the configuration. You can check the configuration for syntax errors with <code>fail2ban-client -t<\/code> before restarting.<\/p>\n\n\n\n
<pre>systemctl restart fail2ban\nsystemctl enable fail2ban<\/pre>\n\n\n\n
<p>As you can see under the ACTIONS section of <code>jail.conf<\/code>, fail2ban uses <code>iptables<\/code> by default to block any source IP involved in suspicious authentication attempts. The rules for each jail are kept in a dedicated chain named <code>f2b-<\/code> followed by the jail name, so <code>f2b-sshd<\/code> for the jail above.<\/p>\n\n\n\n
<pre>...\n# Default banning action (e.g. iptables, iptables-new,\n# iptables-multiport, shorewall, etc) It is used to define\n# action_* variables. Can be overridden globally or per\n# section within jail.local file\n<strong>banaction = iptables-multiport<\/strong>\nbanaction_allports = iptables-allports\n...<\/pre>\n\n\n\n
<h3>Check Ban Status<\/h3>\n\n\n\n
<p>Fail2ban operates in a client-server model. The server program, <code>fail2ban-server<\/code>, monitors the log files and issues the ban and unban commands, whereas <code>fail2ban-client<\/code> reads the configuration files and sends the corresponding configuration commands to the server.<\/p>\n\n\n\n
<p>To check the banning status, run the command below;<\/p>\n\n\n\n
<pre><strong>fail2ban-client status<\/strong>\nStatus\n|- Number of jail:\t1\n`- Jail list:\tsshd<\/pre>\n\n\n\n
<p>This shows the jails that have been activated, in this case <strong>sshd<\/strong>.<\/p>\n\n\n\n
<p>Banning can also be done manually using the <code>fail2ban-client<\/code> command. For example, to ban a specific IP, run;<\/p>\n\n\n\n
<pre><strong>fail2ban-client set sshd banip 192.168.43.220<\/strong>\n192.168.43.220<\/pre>\n\n\n\n
<p>If you check the status of the jail now, you will find the banned IP listed.<\/p>\n\n\n\n
<pre><strong>fail2ban-client status sshd<\/strong>\nStatus for the jail: sshd\n|- Filter\n|  |- Currently failed:\t0\n|  |- Total failed:\t1\n|  `- File list:\t\/var\/log\/auth.log\n`- Actions\n   |- Currently banned:\t1\n   |- Total banned:\t1\n   `- Banned IP list:\t192.168.43.220<\/pre>\n\n\n\n
<p>To unblock the IP;<\/p>\n\n\n\n
<pre>fail2ban-client set sshd unbanip 192.168.43.220<\/pre>\n\n\n\n
<h3>Test SSH Banning<\/h3>\n\n\n\n
<p>Before you conclude that fail2ban is actually working, test it. Based on the settings defined above, an IP is banned once it produces 5 failed login attempts within five minutes. Therefore, make a few deliberately failed SSH logins to your server from a host that is not listed in <code>ignoreip<\/code> and check the status of the jail.<\/p>\n\n\n\n
<pre>fail2ban-client status sshd\nStatus for the jail: sshd\n|- Filter\n|  |- Currently failed:\t1\n|  |- Total failed:\t<strong>7<\/strong>\n|  `- File list:\t\/var\/log\/auth.log\n`- Actions\n   |- Currently banned:\t1\n   |- Total banned:\t2\n   `- Banned IP list:\t<strong>192.168.43.69<\/strong><\/pre>\n\n\n\n
<p>You can also check the fail2ban log;<\/p>\n\n\n\n
<pre><strong>tail -f \/var\/log\/fail2ban.log<\/strong>\n2018-11-30 00:04:21,048 fail2ban.filter [4125]: INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:00:25\n2018-11-30 00:04:21,048 fail2ban.filter [4125]: INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:00:27\n2018-11-30 00:04:21,049 fail2ban.filter [4125]: INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:21\n2018-11-30 00:04:21,050 fail2ban.filter [4125]: INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:26\n2018-11-30 00:04:21,050 fail2ban.filter [4125]: INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:29\n2018-11-30 00:04:21,051 fail2ban.filter [4125]: INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:38\n2018-11-30 00:04:21,052 fail2ban.filter [4125]: INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:40\n2018-11-30 00:04:21,358 fail2ban.actions [4125]: NOTICE [ssh] Ban 192.168.43.69<\/pre>\n\n\n\n
<p>Once you have been blocked and try to ssh again;<\/p>\n\n\n\n
<pre>ssh amos@192.168.43.154\nssh: connect to host 192.168.43.154 port 22: Connection refused<\/pre>\n\n\n\n
<p>From the output above, you can see that fail2ban works as expected. Feel free to explore more about this tool. That is all it takes to protect your SSH server with Fail2ban. In our next article, we will see how to protect other services in the same way. Thanks for reading. We hope this was informative.<\/p>\n\n\n\n
<h3>Other Tutorials<\/h3>\n\n\n\n
<p>Install and Configure Snort 3 NIDS on Ubuntu 20.04<\/p>\n\n\n\n
<p>Install and Configure AIDE on Ubuntu 20.04<\/p>\n\n\n\n
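The ban decision the jail settings above produce, shown as an added worked example that is not part of the original tutorial and not fail2ban's own code: a simplified stand-in for the `sshd` filter's failure regex is applied to constructed `auth.log` lines, and a sliding `findtime`/`maxretry` window with `ignoreip` exemption decides who gets banned. The host names, IP addresses, PIDs and log lines are made up, the year is assumed because syslog timestamps carry none, and `findtime` is given in seconds rather than the `5m` shorthand used in `jail.local`.

```python
"""Replay of the sshd jail decision logic over constructed auth.log lines.

Added example: it reproduces the idea of the sshd filter plus the
findtime/maxretry/ignoreip settings from jail.local, not fail2ban's code.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for two of the failregex lines in filter.d/sshd.conf.
# syslog timestamps carry no year, so the caller supplies one (assumption).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>\S+)"
)

# Constructed sample, not a real server's log. Three hosts:
#   192.168.43.69  - five failures in 64 s (banned at maxretry=5, findtime=5m)
#   192.168.43.149 - the admin workstation listed in ignoreip (never banned)
#   10.0.0.7       - one failure every six minutes (never 5 inside findtime=5m)
SAMPLE_AUTH_LOG = """\
Nov 30 00:00:25 ubuntu sshd[4201]: Failed password for amos from 192.168.43.69 port 51230 ssh2
Nov 30 00:00:27 ubuntu sshd[4201]: Failed password for amos from 192.168.43.69 port 51230 ssh2
Nov 30 00:00:40 ubuntu sshd[4205]: Accepted publickey for admin from 192.168.43.149 port 40010 ssh2
Nov 30 00:01:21 ubuntu sshd[4210]: Invalid user oracle from 192.168.43.69 port 51240
Nov 30 00:01:26 ubuntu sshd[4210]: Failed password for invalid user oracle from 192.168.43.69 port 51240 ssh2
Nov 30 00:01:29 ubuntu sshd[4212]: Failed password for root from 192.168.43.69 port 51244 ssh2
Nov 30 00:02:00 ubuntu sshd[4220]: Failed password for admin from 192.168.43.149 port 40020 ssh2
Nov 30 00:02:05 ubuntu sshd[4220]: Failed password for admin from 192.168.43.149 port 40020 ssh2
Nov 30 00:02:09 ubuntu sshd[4220]: Failed password for admin from 192.168.43.149 port 40020 ssh2
Nov 30 00:02:14 ubuntu sshd[4221]: Failed password for admin from 192.168.43.149 port 40022 ssh2
Nov 30 00:02:18 ubuntu sshd[4221]: Failed password for admin from 192.168.43.149 port 40022 ssh2
Nov 30 00:05:00 ubuntu sshd[4230]: Failed password for bob from 10.0.0.7 port 50001 ssh2
Nov 30 00:11:00 ubuntu sshd[4231]: Failed password for bob from 10.0.0.7 port 50002 ssh2
Nov 30 00:17:00 ubuntu sshd[4232]: Failed password for bob from 10.0.0.7 port 50003 ssh2
Nov 30 00:23:00 ubuntu sshd[4233]: Failed password for bob from 10.0.0.7 port 50004 ssh2
Nov 30 00:29:00 ubuntu sshd[4234]: Failed password for bob from 10.0.0.7 port 50005 ssh2
"""


def parse_failures(lines, year=2018):
    """Yield (timestamp, source_ip) for every line the filter treats as a failure."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def evaluate(lines, maxretry=5, findtime=300, ignoreip=("127.0.0.1/8",), year=2018):
    """Apply the jail settings and return [(ban_time, ip), ...] in log order.

    maxretry and findtime mirror the jail.local keys (findtime in seconds);
    ignoreip takes the same kind of entries as the jail.local key, as a tuple.
    """
    exempt = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = []
    for ts, ip in parse_failures(lines, year):
        if any(ipaddress.ip_address(ip) in net for net in exempt):
            continue  # ignoreip: never counted, never banned
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the findtime window.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ts, ip))
            window.clear()  # the counter starts over once the host is banned
    return bans


if __name__ == "__main__":
    settings = dict(maxretry=5, findtime=5 * 60, ignoreip=("127.0.0.1/8", "192.168.43.149"))
    for when, ip in evaluate(SAMPLE_AUTH_LOG.splitlines(), **settings):
        print(f"{when:%Y-%m-%d %H:%M:%S} NOTICE [sshd] Ban {ip}")
    # Widening findtime to 30 minutes is what it takes to catch the slow host.
    for when, ip in evaluate(SAMPLE_AUTH_LOG.splitlines(), findtime=30 * 60,
                             ignoreip=("192.168.43.149",)):
        print(f"findtime=30m: {when:%H:%M:%S} Ban {ip}")
```

Two things the tutorial's settings imply but do not show fall out of running this: the admin workstation survives five failures only because it is in `ignoreip` (drop that entry and it is banned seconds after the attacker), and a host pacing its guesses slower than `maxretry` per `findtime` is never banned at all, which is the trade-off to weigh when you pick `findtime = 5m`.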