The tool fail2ban, written in Python, aims to protect server services against brute-force and DoS attacks. It checks log files for predefined patterns and temporarily blocks the corresponding IP addresses if failed access attempts are repeated. This article shows you how to secure a Debian-based server with fail2ban. The version of fail2ban used is 0.9.6-2 under Debian 9.1.
Problem
In the log file “/var/log/auth.log”, several failed login attempts over SSH appear that are not yours.
Feb 19 09:21:15 servername sshd[22796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.207.xx.xx user=root
Feb 19 09:21:17 servername sshd[22796]: Failed password for root from 218.207.xx.xx port 22 ssh2
Explanation
- The remote user has (inadvertently) used an incorrect server IP and is trying to log in to your server. The number of login attempts is usually low.
- You are the victim of a brute-force attack, in which logins as user root with various passwords (e.g. from so-called dictionary files) are tried automatically. The number of login attempts is noticeably higher here.
Solution
Secure your SSH login with the fail2ban tool, disallow direct root login, or permit login by public-key authentication only.
What is Fail2Ban
Fail2Ban is a program written in Python that can protect various server services against unauthorized access. In the configuration example below, an IP address is blocked for 1 hour after 4 failed SSH login attempts.
Installation of Fail2Ban
sudo apt install fail2ban
Configuring Fail2Ban
In the /etc/fail2ban/ folder you find the global configuration file jail.conf. Do not edit this file, however, since it is overwritten with every package update. The configuration is done in “jail.local”, as the header of jail.conf itself points out:
# DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
To do this, copy the “jail.conf” to “jail.local”.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Check the setting for the local IP address of your server (ignoreip). In our example the time for which an IP is blocked is increased to one hour, and the number of attempts after which a host is blocked is reduced to 3. This configuration is made in the following section of jail.local:
[...]
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# External command that will take tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
[...]
You can then override these parameters separately for individual services (as in the SSH daemon section below).
In jail.local, in the section for the SSH daemon, add the parameters needed for fail2ban to monitor it (note that section names are case-sensitive and must match the filter name):
[...]
#
# SSH servers
#
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
[...]
Then restart fail2ban for the changes to be applied.
sudo systemctl restart fail2ban.service
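To make the ban logic configured above tangible, here is an added example (not code from the article or from the fail2ban project) that applies the same findtime/maxretry/bantime/ignoreip rules to a constructed auth.log excerpt. The sample addresses come from the documentation ranges, and the year 2018 is an assumption because syslog timestamps carry none.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Jail settings as in the jail.local excerpts above (DEFAULT plus the sshd override).
FINDTIME = timedelta(seconds=600)
MAXRETRY = 4
BANTIME = timedelta(seconds=3600)
IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]

# The sshd "Failed password" event, the same line type as in the auth.log excerpt.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Feb 19 09:21:17 servername sshd[22796]: Failed password for root from 203.0.113.5 port 22 ssh2
Feb 19 09:21:20 servername sshd[22796]: Failed password for root from 203.0.113.5 port 22 ssh2
Feb 19 09:21:24 servername sshd[22799]: Failed password for invalid user admin from 203.0.113.5 port 22 ssh2
Feb 19 09:21:30 servername sshd[22801]: Failed password for root from 203.0.113.5 port 22 ssh2
Feb 19 09:25:00 servername sshd[22810]: Failed password for root from 127.0.0.1 port 22 ssh2
Feb 19 09:30:00 servername sshd[22812]: Failed password for root from 198.51.100.7 port 22 ssh2
Feb 19 09:45:00 servername sshd[22815]: Failed password for root from 198.51.100.7 port 22 ssh2
Feb 19 09:50:00 servername sshd[22818]: Failed password for root from 198.51.100.7 port 22 ssh2
Feb 19 09:55:00 servername sshd[22820]: Failed password for root from 198.51.100.7 port 22 ssh2
""".splitlines()


def evaluate(lines, year=2018):
    """Return {ip: ban_expiry} for hosts with MAXRETRY failures inside FINDTIME.
    ignoreip hosts are skipped, failures older than findtime drop out of the
    window, and a ban lasts bantime from the last hit (year is assumed)."""
    failures, bans = {}, {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in IGNOREIP):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = [t for t in failures.get(str(ip), []) if ts - t < FINDTIME] + [ts]
        failures[str(ip)] = window
        if len(window) >= MAXRETRY:
            bans[str(ip)] = ts + BANTIME
            failures[str(ip)] = []  # counter resets once the ban is placed
    return bans
```

Running `evaluate(SAMPLE_LOG)` bans only 203.0.113.5 (four failures in 13 seconds, banned until 10:21:30); 198.51.100.7 stays unbanned because its four failures are spread over more than findtime, and 127.0.0.1 is ignored.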