One common attack on ssh service is brute force attacks where a remote attacker indefinitely attempts to log in with different passwords. Fail2ban is an open-source intrusion prevention framework on Linux that monitors various system log files (e.g., /var/log/auth.log) and triggers various defensive actions upon detecting any suspicious activities. You can use fail2ban to defend against brute force password guessing attacks on ssh server.
In this guide, I will demonstrate how to install and configure fail2ban to protect ssh server against brute force attacks from a remote IP address.
Install Fail2ban on Linux
To install fail2ban on CentOS or RHEL, first set up EPEL repository, and then run the following command.
To install fail2ban on Fedora, simply run:
To install fail2ban on Ubuntu, Debian or Linux Mint:
Configure Fail2ban on Linux
Now you are ready to configure fail2ban to harden your ssh server. You need to create the following configuration file. The configuration file contains "DEFAULT" section where you define default parameters for all monitored services, and service-specific sections where you define any service-specific (in this case ssh-related) parameters or overwrite default parameters.
[DEFAULT] # a space delimited list of IP addresses, CIDR prefixes, or DNS hostnames # to bypass fail2ban protection ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24 # number of seconds during which a client host is blocked bantime = 86400 # number of failures before a client host is blocked maxretry = 5 # number of seconds within which "maxentry" failures result in banning findtime = 600 mta = sendmail [ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, firstname.lastname@example.org, email@example.com] logpath = /var/log/auth.log # ssh-specific max-retry threshold maxretry = 5 logpath=/var/log/secure
According to the above configuration, fail2ban will automatically ban any remote IP address from which there have been at least 5 failed login attempts within the last 10 minutes. Once banned, the offending IP address will remain blocked for 24 hours. Such an event will be notified by sendemail to a recipient email address.
Once the configuration file is ready, start fail2ban service as follows.
To verify fail2ban is running successfully, run fail2ban-client command with "ping" argument. If fail2ban service is running okay, you should see "pong" as a response.
Server replied: pong
A log file called /var/log/messages demonstrates fail2ban in action.
Feb 23 01:13:55 my-host fail2ban.server : INFO Changed logging target to SYSLOG for Fail2ban v0.8.8 Feb 23 01:13:55 my-host fail2ban.jail : INFO Creating new jail 'ssh-iptables' Feb 23 01:13:55 my-host fail2ban.jail : INFO Jail 'ssh-iptables' uses pyinotify Feb 23 01:13:55 my-host fail2ban.jail : INFO Initiated 'pyinotify' backend Feb 23 01:13:55 my-host fail2ban.filter : INFO Added logfile = /var/log/secure Feb 23 01:13:55 my-host fail2ban.filter : INFO Set maxRetry = 5 Feb 23 01:13:55 my-host fail2ban.filter : INFO Set findtime = 600 Feb 23 01:13:55 my-host fail2ban.actions: INFO Set banTime = 86400 Feb 23 01:13:56 my-host fail2ban.jail : INFO Jail 'ssh-iptables' started Feb 23 01:14:27 my-host fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.3
According to the log file above, fail2ban has banned an IP address 192.168.1.3, upon detecting multiple failed ssh login attempts from the IP address. You can verify the ban by checking current iptables rules.
Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain fail2ban-SSH (1 references) target prot opt source destination DROP all -- 192.168.1.3 0.0.0.0/0 RETURN all -- 0.0.0.0/0 0.0.0.0/0
If you want to unblock the IP address from fail2ban, run the following command.
Note that fail2ban itself is stateless. So if you restart fail2ban, all blocked IP addresses will be unblocked.
While fail2ban can mitigate brute-force password guessing attacks, it cannot protect ssh servers against sophisticated distributed brute-force campaigns, where an attacker bypasses fail2ban by using many thousands of bot-controlled IP addresses.
Subscribe to Xmodulo
Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.