{"id":1149,"date":"2017-10-22T12:19:19","date_gmt":"2017-10-22T09:19:19","guid":{"rendered":"https:\/\/community.virtono.com\/?p=1149"},"modified":"2020-06-10T16:47:14","modified_gmt":"2020-06-10T13:47:14","slug":"ssh-login-under-debian-with-fail2ban","status":"publish","type":"post","link":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/ssh-login-under-debian-with-fail2ban\/","title":{"rendered":"SSH Login under Debian with fail2ban"},"content":{"rendered":"<p>The tool <b>fail2ban<\/b>, written in Python, aims to secure server services against DoS attacks. It checks log files for predefined patterns and temporarily blocks the corresponding IP addresses if the failed access is repeated. This article shows you how to secure a Debian-based server with fail2ban. The deployed version of fail2ban is <b>0.9.6-2<\/b> under <b>Debian 9.1<\/b>.<\/p>\n<h2><span class=\"ez-toc-section\" 
id=\"Problem\"><\/span><span id=\"Problem\" class=\"mw-headline\">Problem<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The log file &#8220;\/var\/log\/auth.log&#8221; shows several failed SSH login attempts that did not come from you.<\/p>\n<pre>Feb 19 09:21:15 servername sshd[22796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.207.xx.xx user=root\r\nFeb 19 09:21:17 servername sshd[22796]: Failed password for root from 218.207.xx.xx port 22 ssh2\r\n<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Statement\"><\/span><span id=\"Erkl.C3.A4rung\" class=\"mw-headline\">Statement<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li>The remote user has (inadvertently) used an incorrect server IP and is trying to log in to your server. The number of login attempts is usually low.<\/li>\n<li>You are the victim of a brute-force attack, in which logins as user root with various passwords (e.g. from so-called dictionary files) are tried automatically. In this case the number of login attempts is conspicuous.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Solution\"><\/span><span id=\"L.C3.B6sung\" class=\"mw-headline\">Solution<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Secure your SSH login using the fail2ban tool, prohibit direct root login, or log in using public key methods only.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_is_Fail2Ban\"><\/span><span id=\"Was_ist_Fail2Ban\" class=\"mw-headline\">What is Fail2Ban<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Fail2Ban is a program written in Python that can protect various server services against unauthorized access. In the configuration example below, an IP address is blocked for 1 hour after 4 failed SSH login attempts from it have occurred.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Installation_of_Fail2Ban\"><\/span><span 
id=\"Installation_von_Fail2Ban\" class=\"mw-headline\">Installation of Fail2Ban<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\">\n<pre>sudo apt install fail2ban\r\n<\/pre>\n<\/div>\n<h2><span class=\"ez-toc-section\" id=\"Configuration_Fail2Ban\"><\/span><span id=\"Konfiguration_Fail2Ban\" class=\"mw-headline\">Configuration Fail2Ban<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In the <i>\/etc\/fail2ban\/<\/i> folder you find the global configuration file <i>jail.conf<\/i>. Do not edit this file, however, since it is overwritten with every package update. The configuration is done in &#8220;jail.local&#8221; instead.<\/p>\n<pre># DO NOT MODIFY THIS FILE\r\n# and rather provide your changes in \/etc\/fail2ban\/jail.local\r\n<\/pre>\n<p>To do this, copy &#8220;jail.conf&#8221; to &#8220;jail.local&#8221;.<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\">\n<pre>sudo cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local\r\n<\/pre>\n<\/div>\n<p>Check the settings for the local IP address of your server. In our example, the time for which an IP is blocked is increased to one hour and the number of failed attempts that triggers a block is reduced to 3. This configuration is made in the following section of <i>jail.local<\/i>:<\/p>\n<pre>[...]\r\n[DEFAULT]\r\n\r\n#\r\n# MISCELLANEOUS OPTIONS\r\n#\r\n\r\n# \"ignoreip\" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not\r\n# ban a host which matches an address in this list. Several addresses can be\r\n# defined using space (and\/or comma) separator.\r\nignoreip = 127.0.0.1\/8\r\n\r\n# External command that will take tagged arguments to ignore, e.g. &lt;ip&gt;,\r\n# and return true if the IP is to be ignored. 
False otherwise.\r\n#\r\n# ignorecommand = \/path\/to\/command &lt;ip&gt;\r\nignorecommand =\r\n\r\n# \"bantime\" is the number of seconds that a host is banned.\r\nbantime = 3600\r\n\r\n# A host is banned if it has generated \"maxretry\" during the last \"findtime\"\r\n# seconds.\r\nfindtime = 600\r\n\r\n# \"maxretry\" is the number of failures before a host gets banned.\r\nmaxretry = 3\r\n[...]\r\n<\/pre>\n<p>You can then customize the parameters separately for individual services (as in the SSH Daemon article).<\/p>\n<p>In the configuration file <i>jail.conf<\/i>, in the section on the SSH daemon, <i>add<\/i> the necessary parameters so that fail2ban monitors it:<\/p>\n<pre>[...]\r\n#\r\n# SSH servers\r\n#\r\n\r\n[sshd]\r\n\r\nenabled = true\r\nport = ssh\r\nfilter = sshd\r\nlogpath = \/var\/log\/auth.log\r\nmaxretry = 4\r\n[...]\r\n<\/pre>\n<p>Then restart fail2ban for the changes to be applied.<\/p>\n<p><code>sudo systemctl restart fail2ban.service<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The tool fail2ban, written in Python, aims to secure server services against DoS attacks. It checks log files for predefined patterns and temporarily blocks the corresponding IP addresses if the failed access is repeated. This article shows you how to secure a Debian-based server with fail2ban. The deployed version of fail2ban is 0.9.6-2 under Debian 9.1. 
Problem In<\/p>\n","protected":false},"author":4,"featured_media":1150,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[3],"tags":[],"class_list":["post-1149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorial-how-to"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/fail2ban-logo2.png?fit=459%2C441&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7ISfL-ix","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":1156,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/ssh-root-forbid-login-under-debian\/","url_meta":{"origin":1149,"position":0},"title":"SSH root forbid login under Debian","author":"Shreyash Sharma","date":"October 23, 2017","format":false,"excerpt":"If you want to ban direct SSH root login on Debian, you need at least one additional user who can log on to the server, in addition to the root user.\u00a0Use this user to change to the root account. 
ATTENTION:\u00a0If you have not created another user, you lock yourself out\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/ssh_installer_2.jpg?fit=638%2C478&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/ssh_installer_2.jpg?fit=638%2C478&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/ssh_installer_2.jpg?fit=638%2C478&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":542,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/542\/","url_meta":{"origin":1149,"position":1},"title":"HOW TO INSTALL AND SET UP FAIL2BAN ON CENTOS SERVER","author":"Daniel Draga","date":"August 26, 2016","format":false,"excerpt":"Fail2ban software is an intrusion prevention framework on your CentOS 7 (and 6) vps that scans log files and bans IPs that show the malicious signs so you can protect your server from brute-force attacks. 
Some previously posted some including to change default SSH port and to disable root login\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/fail2ban.jpg?fit=784%2C313&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/fail2ban.jpg?fit=784%2C313&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/fail2ban.jpg?fit=784%2C313&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/fail2ban.jpg?fit=784%2C313&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":3595,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/how-to-protect-your-server-against-brute-force-attacks\/","url_meta":{"origin":1149,"position":2},"title":"How to Protect Your Server Against Brute Force Attacks","author":"George B.","date":"June 23, 2023","format":false,"excerpt":"Introduction Brute force attacks are one of the most common threats that server administrators face. This guide is designed to provide you with the knowledge and strategies you need to protect your server from brute force attacks. 
What is a Server Brute Force Attack A server brute force attack is\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/06\/How-to-Protect-Your-Server-Against-Brute-Force-Attacks.png?fit=600%2C330&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/06\/How-to-Protect-Your-Server-Against-Brute-Force-Attacks.png?fit=600%2C330&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/06\/How-to-Protect-Your-Server-Against-Brute-Force-Attacks.png?fit=600%2C330&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":3487,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-install-and-configure-fail2ban-on-centos\/","url_meta":{"origin":1149,"position":3},"title":"How to Install and Configure fail2ban on CentOS","author":"George B.","date":"June 10, 2023","format":false,"excerpt":"We'll walk you through the step-by-step process of installing and configuring fail2ban on CentOS. By the end, you'll have a robust defense mechanism in place to protect your server from unauthorized access attempts. 
In today's interconnected world, security is of utmost importance, especially for servers and systems that are constantly\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/06\/How-to-Install-and-Configure-fail2ban-on-CentOS.png?fit=600%2C330&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/06\/How-to-Install-and-Configure-fail2ban-on-CentOS.png?fit=600%2C330&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/06\/How-to-Install-and-Configure-fail2ban-on-CentOS.png?fit=600%2C330&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":3176,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-change-ssh-port-on-linux-or-unix\/","url_meta":{"origin":1149,"position":4},"title":"How to Change SSH Port on Linux or Unix","author":"George B.","date":"April 6, 2023","format":false,"excerpt":"By default, SSH listens on port 22, if you want to change SSH port to a non-standard port can help enhance server security by making it harder for attackers to find and exploit SSH vulnerabilities. 
In this article, we will walk through the process of changing the SSH port on\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Change-SSH-Port-on-Linux-or-Unix.png?fit=600%2C340&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Change-SSH-Port-on-Linux-or-Unix.png?fit=600%2C340&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Change-SSH-Port-on-Linux-or-Unix.png?fit=600%2C340&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":497,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-change-the-ssh-port-for-your-linux-based-server\/","url_meta":{"origin":1149,"position":5},"title":"How to Change the SSH Port for Your Linux Based Server","author":"Daniel Draga","date":"August 20, 2016","format":false,"excerpt":"Logging in, you might have noticed this, sometimes: \u00a0 You will notice that whenever you leave ssh on the standard port, attempted logins fill up your authorization logs. 
Changing to a different port will make it less frequent.This is because the vast majority of people hunting for any open ssh\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/Change-SSH-port-with-WHM-min.jpg?fit=800%2C450&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/Change-SSH-port-with-WHM-min.jpg?fit=800%2C450&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/Change-SSH-port-with-WHM-min.jpg?fit=800%2C450&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/Change-SSH-port-with-WHM-min.jpg?fit=800%2C450&ssl=1&resize=700%2C400 2x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/1149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/comments?post=1149"}],"version-history":[{"count":1,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/1149\/revisions"}],"predecessor-version":[{"id":1151,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/1149\/revisions\/1151"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media\/1150"}],"wp:attachment":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media?parent=1149"}],"wp:term":[{"taxonomy":"ca
tegory","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/categories?post=1149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/tags?post=1149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}