How to Prevent SSH Brute Force Attacks with Fail2ban
Author: Ruan Bekker (@ruanbekker)
I have some Linux servers that have SSH enabled, and not long after deploying them I noticed that the SSH service was being brute-forced. Sure, you can block the sources on the firewall, but I wanted a way to block a source IP address automatically once it fails 3 authentication attempts within a given time window, and that's where I turned back to good old Fail2Ban.
What is Fail2Ban?
Fail2Ban is a security tool that helps protect your server from brute force attacks and unauthorized access by dynamically banning IP addresses that exhibit suspicious behaviour, such as multiple failed login attempts.
How does Fail2Ban work?
In short, this is how Fail2Ban works:
- Fail2Ban continuously monitors log files such as /var/log/auth.log for predefined patterns of failed login attempts.
- When it detects repeated failures (such as failed SSH logins), it matches these against its configured rules, called filters.
- Once a threshold is exceeded (e.g. 3 failed attempts within 10 minutes), Fail2Ban automatically bans the offending IP address by updating firewall rules using iptables.
- Bans are temporary by default, and IPs are automatically unbanned after a configured period, minimizing the risk of blocking legitimate users for good.
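To make the counting rules above concrete, here is an added simulation (not part of the original post, and not fail2ban's own code) of a jail with maxretry=3, findtime=600 and bantime=3600, run over constructed pam_unix log lines in the same format as the ones quoted later in this post. The hostnames and TEST-NET addresses are made up, and the regex is a simplified stand-in for fail2ban's real sshd filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the pam_unix format quoted in this post; the hosts
# and TEST-NET addresses are made up. syslog omits the year, so one is assumed.
SAMPLE_LOG = """\
Jan 24 10:52:57 demo-server sshd[17552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.182 user=root
Jan 24 10:53:10 demo-server sshd[17553]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.182 user=root
Jan 24 10:53:58 demo-server sshd[17607]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.253
Jan 24 10:55:02 demo-server sshd[17610]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.182 user=root
Jan 24 10:58:53 demo-server sshd[17919]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.253
Jan 24 11:20:00 demo-server sshd[18001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.253
"""

# Simplified stand-in for fail2ban's sshd filter: timestamp plus the rhost= field.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure; .*rhost=(?P<ip>\S+)"
)

def simulate_jail(log_text, maxretry=3, findtime=600, bantime=3600, year=2025):
    """Return {ip: (ban_start, ban_end)} for every IP that reaches maxretry
    failures inside a findtime-second sliding window (jail.local semantics)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue                 # not a failed login; the filter ignores it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip][1]:
            continue                 # already banned; nothing more to count
        window = failures[ip]
        window.append(ts)
        # drop failures older than findtime so only the sliding window counts
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in simulate_jail(SAMPLE_LOG).items():
        print(f"{ip} banned at {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Only 203.0.113.182 is banned: 198.51.100.253 also fails three times, but its third failure falls outside the 10-minute findtime window, which is exactly the case findtime exists for.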
Install Fail2Ban
If you are using a Debian based Operating System, you can install Fail2Ban using:
sudo apt update
sudo apt install fail2ban -y
Configuring Fail2Ban
Create a copy of the default configuration:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the copied configuration file and set the following in the [sshd] section (keep the comments on their own lines; a trailing # comment can be read as part of the value):
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3
# Ban for 1 hour (in seconds)
bantime = 3600
# Time window for checking failed attempts (10 minutes)
findtime = 600
Enable the systemd unit:
sudo systemctl enable fail2ban
Restart the service so that it loads the latest configuration:
sudo systemctl restart fail2ban
View blocked IP Addresses
At the moment I have a lot of people trying to access ssh:
Jan 24 10:52:57 demo-server sshd[17552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.x.x.182 user=root
Jan 24 10:53:58 demo-shares sshd[17607]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=92.x.x.253
Jan 24 10:58:53 demo-shares sshd[17919]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.x.x.49
So after giving it a couple of minutes, we can see the status of our SSH Jail:
sudo fail2ban-client status sshd
And we can see Fail2Ban already banned 5 IP Addresses by viewing the status for the sshd jail:
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 5
   |- Total banned:     5
   `- Banned IP list:   185.x.x.182 185.x.x.49 185.x.x.54 92.x.x.107 92.x.x.253
If you would like to unban an IP address, you can use:
sudo fail2ban-client unban <ip-address>
Thank You
Thanks for reading. If you like my content, feel free to check out my website, subscribe to my newsletter, or follow me at @ruanbekker on Twitter.
- Linktree: https://go.ruan.dev/links
- Patreon: https://go.ruan.dev/patreon