Posted on Sunday March 13, 2016 by Eric Potvin
Any server with the most basic SSH configuration is exposed to brute force attacks.
Fail2Ban provides a way to automatically detect and protect (virtual) servers from malicious attackers. The program works by scanning log files and reacting to untrusted actions, like failed login attempts.
Fail2Ban can be installed by using the following command:
sudo apt-get install fail2ban
Create a config file
Fail2Ban needs a config file in order to run properly. A default configuration file (/etc/fail2ban/jail.conf) is created at install time. This configuration file is not the one you should edit. You will need to create a .local file in order to set up everything you need.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Updating the config file
The first section covers the basic rules that fail2ban will follow. If you want to update or increase the protection of your Ubuntu server, you can customize the config in each section.
Let's open the file first:
sudo vi /etc/fail2ban/jail.local
Fail2Ban SSH Config
The [ssh] and [ssh-ddos] sections can be updated to maximize SSH security.
[ssh]
enabled = true
port = ssh        # or your port number
filter = sshd
logpath = /var/log/auth.log
maxretry = 2

[ssh-ddos]
enabled = true
port = ssh        # or your port number
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 2
The filter setting, set by default to sshd, refers to the config file containing the rules that fail2ban uses to find matching log lines. sshd refers to the
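As an added example (not code from the original post or from the Fail2Ban project), the following Python script mimics what fail2ban does with the [ssh] jail above: it reads maxretry from a constructed jail.local excerpt, matches constructed auth.log lines with a simplified version of the failed-password pattern the sshd filter looks for, and bans a host once it reaches maxretry failures within findtime seconds. The findtime and bantime values, the hostname, the process ids and the IP addresses are all constructed for the example; the post itself leaves findtime and bantime at their defaults.

```python
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local excerpt mirroring the [ssh] section from the post.
# findtime and bantime are assumed values (the post keeps the defaults).
JAIL_LOCAL = """
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 2
"""

# Simplified stand-in for the failed-password rule in the sshd filter
# (the real filter.d/sshd.conf carries many more patterns).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed auth.log lines (not real traffic).
AUTH_LOG = """\
Mar 13 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 13 10:00:03 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 13 10:00:05 web1 sshd[2003]: Accepted publickey for deploy from 198.51.100.4 port 40122 ssh2
Mar 13 10:30:00 web1 sshd[2010]: Failed password for root from 198.51.100.9 port 40555 ssh2
Mar 13 11:00:00 web1 sshd[2011]: Failed password for root from 198.51.100.9 port 40556 ssh2
"""


def load_jail(text, name):
    """Return (maxretry, findtime, bantime) for a jail, honouring [DEFAULT]."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.getboolean(name, "enabled", fallback=False):
        raise ValueError(f"jail {name!r} is not enabled")
    return (cfg.getint(name, "maxretry"),
            cfg.getint(name, "findtime"),
            cfg.getint(name, "bantime"))


def parse_ts(stamp, year=2016):
    # syslog timestamps carry no year; one is assumed for the example
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry, findtime, bantime):
    """Replay log lines through a sliding window, the way a jail does.

    A host is banned once it accumulates `maxretry` matches within `findtime`
    seconds; returns a list of (host, ban_start, ban_end).
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        if host in banned_until and ts < banned_until[host]:
            continue                      # already banned, nothing new to do
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts, banned_until[host]))
            q.clear()
    return bans


if __name__ == "__main__":
    maxretry, findtime, bantime = load_jail(JAIL_LOCAL, "ssh")
    for host, start, end in find_bans(AUTH_LOG, maxretry, findtime, bantime):
        print(f"ban {host} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Run as written, the script bans 203.0.113.7 after its second failure, while 198.51.100.9 escapes because its two failures are 30 minutes apart, outside the 600 second findtime. Raising maxretry back to the [DEFAULT] value of 3 bans nobody, which is why the post lowers it to 2 for the ssh jail. To check the real filter against your own log rather than this stand-in pattern, the fail2ban-regex tool shipped with Fail2Ban takes a log file and a filter file as its two arguments.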
You can get notified by email when Fail2Ban detects suspicious activity; simply edit the following lines:
destemail = MyEmail@MyDomain.com
action = %(action_mwl)s
In order for these changes to take effect, you need to restart the service:
sudo service fail2ban restart
You can check the status with the following command:
sudo fail2ban-client status
You can also check the iptables rules:
sudo iptables -L