Using fail2ban With ssh
Published: Jul 15, 2019
In a previous post I said that had I set up ssh differently, I would have used fail2ban. Because it is such a featureful application, I want to walk through installing and lightly configuring fail2ban on a Debian box.
fail2ban is an application that monitors your logs and responds to any specified criteria by adding rules to your firewall. In this instance, I'm going to add the fail2ban package to help in securing my ssh service.
After installing, I'm going to make a local configuration file for fail2ban to use.
root@server:/etc/fail2ban# cp jail.conf jail.local
It's pretty intense looking through jail.conf and seeing all of the other services I could monitor with this tool! I'm going to clear the majority of /etc/fail2ban/jail.local to focus on sshd, but before I do I'm just going to lay out some default behavior-
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
# default behavior
# the following addresses will not be banned
ignoreip = 127.0.0.1/8
In the DEFAULT block, I want to make sure localhost is never banned. Note that if I want to manually add other IPs to a whitelist, I can do so using fail2ban-client-
root@server:/# fail2ban-client set JAIL addignoreip 12.345.678
Now to configure how fail2ban will monitor/respond to sshd-
[sshd]
# the actual jails
# even though sshd is enabled by default
enabled = true
# name of service is fine if using the default port
port = ssh
# name of the filter located in /etc/fail2ban/filter.d
filter = sshd
# location of the service's logs
logpath = /var/log/auth.log
# number of seconds a host is banned
bantime = 600
# frame of time when the maximum number of failed login attempts occur
findtime = 600
# maximum number of failed login attempts before a host is banned
maxretry = 4
After saving the changes to /etc/fail2ban/jail.local I'm going to restart the fail2ban service and check my firewall rules-
root@server:/# service fail2ban restart
root@server:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             tcp dpt:rsh-spx

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
And we can see that fail2ban has added its own chain, f2b-sshd, and a rule in INPUT that jumps to it. In testing, if someone were to make four failed login attempts in a single ten-minute time frame then their IP address should be added to that chain as a DROP rule. Let's test that-
kieran@thinkpad:/# ssh twentymachines.net
kieran@twentymachines.net's password:
Permission denied, please try again.
kieran@twentymachines.net's password:
Permission denied, please try again.
kieran@twentymachines.net's password:
Permission denied, please try again.
kieran@twentymachines.net's password:
Permission denied, please try again.
...
And the terminal hangs. Checking my firewall rules-
root@server:/# iptables -L | grep f2b-sshd
Chain f2b-sshd (1 references)
target     prot opt source               destination
DROP       all  --  10.100.0.3           anywhere
RETURN     all  --  anywhere             anywhere
Great! Any connection coming from the IP address associated with my Thinkpad will be dropped for the next 600 seconds, which is the expected behavior.
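To make the interaction between ignoreip, findtime, maxretry and bantime concrete, here is a small Python model of what the sshd jail above does. It is an added example, not code from the original post or from the fail2ban project: it runs a cut-down approximation of the "Failed password" pattern from /etc/fail2ban/filter.d/sshd.conf over some constructed auth.log lines, skips sources covered by ignoreip, counts failures per source address inside a sliding findtime window, and records a ban of bantime seconds once maxretry is reached. The log lines, the hostname `server`, the year assumed for the timestamps and the function names are all my own assumptions.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Jail parameters, matching the [sshd] section of jail.local in the post.
FINDTIME = timedelta(seconds=600)   # window in which failures are counted
BANTIME = timedelta(seconds=600)    # how long a ban lasts
MAXRETRY = 4                        # failures inside FINDTIME that trigger a ban
IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]  # never banned

# Cut-down approximation of the "Failed password" pattern in filter.d/sshd.conf;
# the real filter matches many more sshd message variants.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)

# Constructed sample of /var/log/auth.log (hostname "server" is made up).
SAMPLE_LOG = [
    "Jul 15 20:01:10 server sshd[1201]: Failed password for kieran from 10.100.0.3 port 51234 ssh2",
    "Jul 15 20:01:14 server sshd[1201]: Failed password for kieran from 10.100.0.3 port 51234 ssh2",
    "Jul 15 20:01:18 server sshd[1201]: Failed password for kieran from 10.100.0.3 port 51234 ssh2",
    "Jul 15 20:01:22 server sshd[1201]: Failed password for kieran from 10.100.0.3 port 51234 ssh2",
    # localhost: the failures are seen, but ignoreip keeps it out of the firewall
    "Jul 15 20:02:00 server sshd[1210]: Failed password for invalid user admin from 127.0.0.1 port 40000 ssh2",
    "Jul 15 20:02:01 server sshd[1210]: Failed password for invalid user admin from 127.0.0.1 port 40000 ssh2",
    "Jul 15 20:02:02 server sshd[1210]: Failed password for invalid user admin from 127.0.0.1 port 40000 ssh2",
    "Jul 15 20:02:03 server sshd[1210]: Failed password for invalid user admin from 127.0.0.1 port 40000 ssh2",
    # a host that fails four times but 15 minutes apart never fills the window
    "Jul 15 20:30:00 server sshd[1300]: Failed password for root from 10.100.0.9 port 42000 ssh2",
    "Jul 15 20:45:00 server sshd[1301]: Failed password for root from 10.100.0.9 port 42001 ssh2",
    "Jul 15 21:00:00 server sshd[1302]: Failed password for root from 10.100.0.9 port 42002 ssh2",
    "Jul 15 21:15:00 server sshd[1303]: Failed password for root from 10.100.0.9 port 42003 ssh2",
    # a successful login is not a failure and does not match the pattern at all
    "Jul 15 21:20:00 server sshd[1304]: Accepted publickey for kieran from 10.100.0.3 port 51300 ssh2",
]


def parse_ts(stamp, year=2019):
    """auth.log timestamps carry no year; assume one (2019, the post's date)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def is_ignored(ip):
    """True if ip falls inside any ignoreip network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)


def simulate(lines):
    """Replay auth.log lines and return the bans the jail would issue,
    as (ip, banned_at, banned_until) tuples."""
    recent = {}        # ip -> failure timestamps still inside FINDTIME
    banned_until = {}  # ip -> when the current ban expires
    bans = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if is_ignored(ip):
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned: the DROP rule is already in place
        # keep only failures that are within findtime of this one
        window = [t for t in recent.get(ip, []) if ts - t <= FINDTIME]
        window.append(ts)
        recent[ip] = window
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            recent[ip] = []  # counter starts over once the ban is issued
    return bans


if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Running it reports a single ban for 10.100.0.3 at 20:01:22, the fourth failure inside the window, expiring 600 seconds later; the localhost failures are ignored and the slow attempts from 10.100.0.9 never accumulate four hits within findtime, which is why findtime and maxretry have to be read together rather than as independent limits.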
And that sums up a quick install and demo of fail2ban. When used with ssh, I think this tool is most useful for protecting against automated brute-force attacks. Thanks for reading!