The tool fail2ban, written in Python, aims to protect server services against DoS attacks. It scans log files for predefined patterns and temporarily blocks the corresponding IP addresses when failed access attempts are repeated. This article shows you how to secure a Debian-based server with fail2ban. The fail2ban version used is 0.9.6-2 under Debian 9.1.

Problem

In the log file “/var/log/auth.log”, several failed SSH login attempts appear that did not originate from you.

Feb 19 09:21:15 servername sshd[22796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.207.xx.xx user=root
Feb 19 09:21:17 servername sshd[22796]: Failed password for root from 218.207.xx.xx port 22 ssh2

Explanation

  • The remote user has (inadvertently) entered an incorrect server IP and is trying to log in to your server. The number of login attempts is usually low.
  • You are the victim of a brute force attack, in which logins as user root with various passwords (e.g. from so-called dictionary files) are tried automatically. The number of login attempts is noticeably high here.

Solution

Secure your SSH login with the fail2ban tool, prohibit direct root login, or allow logins using public key authentication only.

What is Fail2Ban

Fail2Ban is a program written in Python that can protect various server services against unauthorized access. In the configuration example below, an IP address is blocked for 1 hour after 4 failed SSH login attempts.

Installation of Fail2Ban

sudo apt install fail2ban

Configuration Fail2Ban

In the /etc/fail2ban/ folder you will find the global configuration file jail.conf. You should not edit this file, however, since it is overwritten with every package update. The configuration is done in jail.local instead, as the header of jail.conf itself states:

# DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local

To do this, copy the “jail.conf” to “jail.local”.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Check the ignoreip setting for the local IP address of your server. In our example, the time for which an IP is blocked is increased to one hour and the number of failed attempts that leads to a block is reduced to 3. These settings are made in the following section of jail.local:

[...]
[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and / or comma) separator.
ignoreip = 127.0.0.1/8

# External command that will take a tagged argument to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
[...]

You can then override these parameters separately for individual services (as shown for the SSH daemon below).

In the SSH daemon section of jail.local, add the parameters needed for fail2ban to monitor it:

[...]
#
# SSH servers
#

[sshd]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
[...]

Then restart fail2ban for the changes to be applied.

sudo systemctl restart fail2ban.service
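To make the interplay of findtime, maxretry and bantime concrete, the following Python script (an added example, not part of the article or of fail2ban itself) re-implements the counting logic over a few constructed auth.log lines in the format shown above. The regular expression is a simplified stand-in for fail2ban's sshd filter, ignoreip is exact-match only (no CIDR), and the year for the syslog timestamps is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd filter: matches the "Failed password" line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_time(ts, year=2017):
    # syslog timestamps carry no year; the year is an assumption for the sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=4, findtime=600, bantime=3600, ignoreip=("127.0.0.1",)):
    # Returns [(time, ip)] for every ban: maxretry failures within findtime seconds.
    failures = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned_until = {}              # ip -> when the current ban expires
    bans = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m["ip"] in ignoreip:
            continue
        ip, t = m["ip"], parse_time(m["ts"])
        if ip in banned_until:
            if t < banned_until[ip]:
                continue           # still banned, the attempt is not counted
            del banned_until[ip]   # bantime elapsed, start counting again
        q = failures[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()            # failures older than findtime no longer count
        if len(q) >= maxretry:
            bans.append((t, ip))
            banned_until[ip] = t + timedelta(seconds=bantime)
            q.clear()
    return bans

# Constructed sample lines modelled on the auth.log excerpt; RFC 5737 test addresses.
SAMPLE_LOG = [
    "Feb 19 09:21:17 servername sshd[22796]: Failed password for root from 203.0.113.7 port 22 ssh2",
    "Feb 19 09:21:19 servername sshd[22798]: Failed password for root from 203.0.113.7 port 22 ssh2",
    "Feb 19 09:21:21 servername sshd[22800]: Failed password for root from 203.0.113.7 port 22 ssh2",
    "Feb 19 09:21:23 servername sshd[22802]: Failed password for root from 203.0.113.7 port 22 ssh2",
    "Feb 19 09:21:25 servername sshd[22804]: Failed password for root from 203.0.113.7 port 22 ssh2",
    "Feb 19 09:30:00 servername sshd[22900]: Failed password for admin from 198.51.100.9 port 22 ssh2",
    "Feb 19 09:45:00 servername sshd[22901]: Failed password for admin from 198.51.100.9 port 22 ssh2",
    "Feb 19 10:00:00 servername sshd[22902]: Failed password for admin from 198.51.100.9 port 22 ssh2",
    "Feb 19 10:15:00 servername sshd[22903]: Failed password for admin from 198.51.100.9 port 22 ssh2",
]
```

With the article's values, find_bans(SAMPLE_LOG) bans 203.0.113.7 at the fourth failure and does not count the fifth, while 198.51.100.9 is never banned because its four failures are spread 15 minutes apart and fall outside findtime.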
