Protecting SSH with Fail2Ban
As discussed in a previous post, SSH is a protocol used to securely log onto remote systems. It is the most common way to access remote Linux and UNIX servers. User management is an important part of any IT policy. Knowing who is logging in on certain systems can help an organization get to the bottom of any issue, and if information has been leaked, this could be crucial to prosecution. As part of an organization's Situational Awareness plan, it is also worth installing software such as Fail2Ban, which is intrusion prevention software. Should you face a brute-force attack via SSH, it is worth being protected. Fail2Ban was originally developed by Cyril Jaquier and is written in Python. It is worth noting that at the current time (26/3/2016) Fail2Ban is not recommended against the following attacks and has the following limitations:
- Distributed brute-force attacks
- There is no IPv6 support (I recommend using sshguard if you need IPv6 Support)
- There is no interaction with application-specific APIs/AGIs.
Requirements:
- Linux/Unix environment (PC, Raspberry Pi, Laptop or Server)
- Python Version 2.6 or higher
Open up a terminal on your Debian machine and use apt-get:
sudo apt-get install fail2ban
Fail2Ban will be installed in /etc/fail2ban. You will find the configuration file jail.conf in this folder. If you need to make changes, make a local copy of the file and edit that copy instead:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Configuration of Fail2Ban
We will now make all necessary changes in the jail.local file. Your file will look like this:
The ssh-iptables section is the part responsible for monitoring the SSH connection and blocking SSH login failures. This aspect is important: if a user tries to access a host via SSH unsuccessfully 3x, they will be automatically banned for a short amount of time. Continued attempts will result in an IP ban. This can be a pain if you genuinely forget your password, but look at it this way: with your ATM bank card, if you get the PIN wrong 3x, you lose your card.
The ssh-iptables section looks like this:
enabled - (Set this to true to ensure monitoring of SSH login attempts is enabled)
logpath - (This is where the logs are located)
maxretry - (maxretry is where you set how many attempts a user should try before being banned. I recommend keeping it as low as 3)
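To see what the maxretry setting actually does, here is an added example (my own Python, not Fail2Ban's code) that applies the same per-IP counting to a few constructed auth.log lines: an address is flagged once it accumulates maxretry failures inside a sliding time window. The window length is the findtime option from jail.conf, which this post does not cover, so the 600-second value and the 2016 year assumed for the timestamps are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in /var/log/auth.log format (sample data, not from a real host).
SAMPLE_LOG = """\
Mar 26 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar 26 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar 26 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 26 10:00:09 host sshd[1204]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar 26 10:01:00 host sshd[1205]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 26 10:30:00 host sshd[1206]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar 26 10:59:00 host sshd[1207]: Failed password for alice from 198.51.100.7 port 40003 ssh2
"""

# Same idea as a Fail2Ban failregex: match the sshd failure message and capture
# the client address. The syslog timestamp carries no year, so one is assumed.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

def find_banned(log_text, maxretry=3, findtime=600, year=2016):
    """Return IPs that reached `maxretry` failures within a `findtime`-second window.

    Each failure is kept in a per-IP sliding window; the address is flagged the
    moment the window holds `maxretry` entries. Successful logins never count.
    """
    windows = defaultdict(deque)
    banned = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successes and unrelated lines do not count toward a ban
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        ip = m["ip"]
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:  # expire attempts older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    # 203.0.113.5 fails 3x in four seconds; 198.51.100.7's three failures are
    # spread over an hour, so with a 600-second window it is left alone.
    print(find_banned(SAMPLE_LOG))  # ['203.0.113.5']
```

Widening findtime (or lowering maxretry) makes the slow second address trip the rule too, which is the trade-off you are setting when you tune these values in jail.local.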
Start it up!
To start it up:
sudo service fail2ban start
For more information: