Using fail2ban With ssh

In a previous post I said that had I set up ssh differently, I would have used fail2ban. Because it is such a featureful application, I want to walk through installing and lightly configuring fail2ban on a Debian box.

fail2ban is an application that monitors your logs and responds to any specified criteria by adding rules to your firewall. In this instance, I'm going to add the fail2ban package to help in securing my ssh service.

After installing, I'm going to make a local configuration file for fail2ban to use.

root@twentymachines.net:/etc/fail2ban# cp jail.conf jail.local

It's pretty intense looking through jail.conf and seeing all of the other services I could monitor with this tool! I'm going to clear the majority of /etc/fail2ban/jail.local to focus on sshd, but before I do I'm just going to lay out some default behavior-

[INCLUDES]

before = paths-debian.conf

[DEFAULT] # default behavior

# the following addresses will not be banned
ignoreip = 127.0.0.1/8

In the DEFAULT block, I want to make sure localhost is never banned. Note that if I want to manually add other ips to a whitelist, I can do so using fail2ban-client-

root@twentymachines.net:/# fail2ban-client set JAIL addignoreip 12.345.678

Now to configure how fail2ban will monitor/respond to sshd-

[sshd] # the actual jails

# even though sshd is enabled by default
enabled = true

# name of service is fine if using the default port
port = ssh

# name of the filter located in /etc/fail2ban/filter.d
filter = sshd

# location of the service’s logs
logpath  = /var/log/auth.log

# number of seconds a host is banned
bantime = 600

# frame of time when the maximum number of failed login attempts occur
findtime = 600

# maximum number of failed login attempts before a host is banned
maxretry = 4
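To see how the bantime, findtime, maxretry and ignoreip settings above interact, here is an added Python simulation that is not fail2ban's own code: it replays the same counting rules over constructed auth.log lines. It assumes a simplified stand-in for the sshd filter that matches only "Failed password" lines (the real filter.d/sshd.conf matches many more), treats hosts in ignoreip as never counted, and assumes a year for the syslog timestamps; the hostnames, addresses and log lines are all constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings copied from the jail.local above.
IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]
BANTIME = 600    # seconds a host stays banned
FINDTIME = 600   # window (seconds) in which failures are counted
MAXRETRY = 4     # failures inside the window that trigger a ban

# Simplified stand-in for filter.d/sshd.conf (assumption: only the
# "Failed password" line is matched; the real filter covers many more).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample auth.log lines; hostnames and addresses are made up.
# 10.100.0.3: four failures in 12 seconds  -> banned
# 127.0.0.1 : four failures, but in ignoreip -> never counted
# 10.100.0.7: four failures 15 minutes apart -> never MAXRETRY inside findtime
SAMPLE_LOG = """\
Jan 10 12:00:01 twentymachines sshd[1201]: Failed password for kieran from 10.100.0.3 port 50122 ssh2
Jan 10 12:00:05 twentymachines sshd[1201]: Failed password for kieran from 10.100.0.3 port 50122 ssh2
Jan 10 12:00:09 twentymachines sshd[1201]: Failed password for kieran from 10.100.0.3 port 50122 ssh2
Jan 10 12:00:12 twentymachines sshd[1202]: Accepted publickey for deploy from 10.100.0.9 port 40110 ssh2
Jan 10 12:00:13 twentymachines sshd[1201]: Failed password for kieran from 10.100.0.3 port 50122 ssh2
Jan 10 12:01:00 twentymachines sshd[1300]: Failed password for invalid user admin from 127.0.0.1 port 41000 ssh2
Jan 10 12:01:01 twentymachines sshd[1300]: Failed password for invalid user admin from 127.0.0.1 port 41000 ssh2
Jan 10 12:01:02 twentymachines sshd[1300]: Failed password for invalid user admin from 127.0.0.1 port 41000 ssh2
Jan 10 12:01:03 twentymachines sshd[1300]: Failed password for invalid user admin from 127.0.0.1 port 41000 ssh2
Jan 10 12:05:00 twentymachines sshd[1400]: Failed password for root from 10.100.0.7 port 33333 ssh2
Jan 10 12:20:00 twentymachines sshd[1401]: Failed password for root from 10.100.0.7 port 33334 ssh2
Jan 10 12:35:00 twentymachines sshd[1402]: Failed password for root from 10.100.0.7 port 33335 ssh2
Jan 10 12:50:00 twentymachines sshd[1403]: Failed password for root from 10.100.0.7 port 33336 ssh2
"""


def parse_ts(stamp, year=2023):
    """syslog timestamps carry no year, so one is assumed for the sample."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def run_jail(log_text):
    """Replay the log and return {ip: ban_expiry} for every host that tripped the jail."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    bans = {}                     # ip -> datetime at which the ban expires
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failure the filter recognises
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if any(ipaddress.ip_address(ip) in net for net in IGNOREIP):
            continue  # ignoreip: whitelisted hosts are never counted
        if ip in bans and ts < bans[ip]:
            continue  # already banned; its packets would be DROPped anyway
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # drop failures older than findtime
        if len(window) >= MAXRETRY:
            bans[ip] = ts + timedelta(seconds=BANTIME)
            window.clear()
    return bans


def is_banned(bans, ip, at):
    """True if `ip` is still inside its bantime at datetime `at`."""
    return ip in bans and at < bans[ip]


if __name__ == "__main__":
    for ip, until in run_jail(SAMPLE_LOG).items():
        print(f"{ip} banned until {until:%H:%M:%S}")
```

Running it bans only 10.100.0.3 (until 12:10:13, i.e. bantime after the fourth failure); the localhost attempts are skipped by ignoreip, and 10.100.0.7 never accumulates four failures inside a single 600-second findtime window, which is exactly the case the real jail would also let through.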

After saving the changes to /etc/fail2ban/jail.local I'm going to restart the fail2ban service and check my firewall rules-

root@twentymachines.net:/# service fail2ban restart
root@twentymachines.net:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             tcp dpt:rsh-spx

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

And we can see that fail2ban has been added as a rule. In testing, if someone were to make four failed login attempts in a single ten-minute time frame then their ip address should be added to my firewall. Let's test that-

kieran@thinkpad:/# ssh twentymachines.net
kieran@twentymachines.net's password:
Permission denied, please try again.
kieran@twentymachines.net's password:
Permission denied, please try again.
kieran@twentymachines.net's password:
Permission denied, please try again.
kieran@twentymachines.net's password:
Permission denied, please try again.
...

And the terminal hangs. Checking my firewall rules-

root@twentymachines.net:/# iptables -L | grep f2b-sshd
Chain f2b-sshd (1 references)
target     prot opt source               destination
DROP       all  --  10.100.0.3           anywhere
RETURN     all  --  anywhere             anywhere

Great! Any connection coming from the ip address associated with my Thinkpad will be dropped, which is the expected behavior.

And that sums up a quick install and demo of fail2ban. When used with ssh, I think this tool is most useful for protecting against automated brute-force attacks. Thanks for reading!


Tags: [System Administration] [Linux] [fail2ban]

Category: [Blog]