
How to Prevent SSH Brute Force Attacks with Fail2Ban on Debian 7


Fail2ban is an open-source intrusion prevention system that can be used to stop brute force attacks and other suspicious, malicious activity. It scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs such as too many password failures, probing for exploits, etc.

Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email, or ejecting the CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with pre-configured filters for various services (Apache, Courier, SSH etc.).

Install Fail2Ban on Debian 7 ‘Wheezy’

Log in as the root user and enter the following command to install Fail2Ban:

Backup Fail2Ban Main Configuration File

All configuration files are found under the /etc/fail2ban directory. The main configuration file is /etc/fail2ban/jail.conf. It's a good idea to keep your changes in a local copy of the main config file so that package upgrades don't overwrite them or force a merge. Take a local copy of the /etc/fail2ban/jail.conf file as shown below:

Configure Fail2Ban

Open up the /etc/fail2ban/jail.local file in any editor:

You will find a section called [DEFAULT]. This section contains the basic set of rules that Fail2Ban will follow. Set the values as per your requirements. Here are my settings:

ignoreip – Whitelist the IP addresses you trust so that Fail2Ban never blocks them. You can add multiple addresses separated by a space character.

bantime – Number of seconds a host stays banned once it is caught by Fail2Ban. The default is 600 seconds (10 minutes). You can increase the time if you like.

maxretry – Number of incorrect login attempts before a host is blocked by Fail2Ban.

Service Configuration

By default, Fail2Ban ships with a set of pre-defined filters for various services, so you don't need to write any filter rules yourself. All you need to do is set the value of enabled to true or false for each service, and Fail2Ban automatically watches the ones that are enabled.

Here is the SSH section of the jail.local file. By default it is enabled and turned on, so you don't need to change anything:

enabled – This means that protection of the ssh service is on. If you want to turn it off, just set it to false.

port – SSH service port

filter – The config file containing the rules Fail2Ban uses to find matches in the log. By default it is set to sshd, which refers to the /etc/fail2ban/filter.d/sshd.conf file.

logpath – The log file for failed login attempts.

maxretry – Number of incorrect login attempts before a host is blocked by Fail2Ban.
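To make the interaction between the [DEFAULT] values (ignoreip, bantime, maxretry) and the ssh jail's filter concrete, here is an added Python example that replays a constructed /var/log/auth.log excerpt through a simplified version of the sshd failregex and applies the same ban decision Fail2Ban would. It is not code from the original article or from the Fail2Ban project: the regex covers only the common "Failed password" line, the sample log lines are constructed, and the findtime setting (the window within which failures are counted) is a real Fail2Ban option that the article does not discuss.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Illustrative [DEFAULT]-style settings (assumed values, not the article's own):
IGNOREIP = ["127.0.0.1/8", "192.168.1.50"]   # trusted hosts that are never banned
BANTIME = 600                                 # seconds a host stays banned
FINDTIME = 600                                # window in which failures are counted (Fail2Ban option not covered in the article)
MAXRETRY = 6                                  # failures within FINDTIME that trigger a ban

# Simplified stand-in for the failregex in /etc/fail2ban/filter.d/sshd.conf.
# The real filter has more patterns; this one handles the common "Failed password" line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2"
)
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")

NETS = [ipaddress.ip_network(n, strict=False) for n in IGNOREIP]

# Constructed auth.log excerpt (syslog format, not a real capture):
#  - 10.0.0.5 fails 3 times (below maxretry)
#  - 192.168.1.100 fails 6 times (reaches maxretry)
#  - 192.168.1.50 fails 7 times but is whitelisted via ignoreip
SAMPLE_AUTH_LOG = "\n".join(
    [f"Mar 13 10:00:0{i} debian sshd[2001]: Failed password for root from 10.0.0.5 port 51234 ssh2" for i in range(1, 4)]
    + ["Mar 13 10:00:05 debian sshd[2002]: Accepted publickey for alice from 192.168.1.50 port 40000 ssh2"]
    + [f"Mar 13 10:00:1{i} debian sshd[2003]: Failed password for root from 192.168.1.100 port 51300 ssh2" for i in range(0, 6)]
    + [f"Mar 13 10:00:2{i} debian sshd[2004]: Failed password for invalid user admin from 192.168.1.50 port 40010 ssh2" for i in range(0, 7)]
)


def is_ignored(ip: str) -> bool:
    """True if ip falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETS)


def parse_line(line: str, year: int = 2014):
    """Return (unix_timestamp, ip) for a failed-login line, or None for anything else."""
    m = FAILED_RE.search(line)
    t = TS_RE.match(line)
    if not m or not t:
        return None
    # syslog timestamps carry no year, so one is assumed
    ts = datetime.strptime(f"{year} {t.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m.group("ip")


def scan(log_text: str) -> dict:
    """Replay log lines in order; return {ip: ban_expiry_timestamp} for hosts that would be banned."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, ip = parsed
        if is_ignored(ip) or ip in banned:
            continue
        q = failures[ip]
        q.append(now)
        while q and now - q[0] > FINDTIME:  # forget failures older than findtime
            q.popleft()
        if len(q) >= MAXRETRY:
            banned[ip] = now + BANTIME
            q.clear()
    return banned


if __name__ == "__main__":
    for ip, expiry in scan(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} until {datetime.fromtimestamp(expiry):%H:%M:%S}")
```

Note that the whitelisted host is skipped before its failures are counted, which is exactly why ignoreip should contain your own management address: a mistyped password from there never contributes toward maxretry.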

Once you have changed the configuration, restart the Fail2Ban service to apply the changes:

You can verify the rules added by Fail2Ban to iptables using the following command:

Testing Fail2Ban

I made some failed login attempts from my local client to my Debian server to test Fail2Ban. Then I verified the failed login attempts in the /var/log/fail2ban.log file:

[Screenshot 1: /var/log/fail2ban.log on the Debian 7 test VM (Oracle VM VirtualBox window 003)]

[Screenshot 2: /var/log/fail2ban.log on the Debian 7 test VM (Oracle VM VirtualBox window 004)]

As you can see in the above two outputs, my local IP 192.168.1.100 is banned by Fail2Ban.
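When checking a test like this, it is handy to replay the Ban/Unban events in /var/log/fail2ban.log rather than reading it by eye. The following added Python example (not part of the original article or of Fail2Ban) does that over a constructed log excerpt whose line format is modeled on what the 0.8-series fail2ban.actions logger writes; treat the exact format as an assumption and adjust EVENT_RE to your version's output.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed /var/log/fail2ban.log excerpt (assumed 0.8-style format, not a real capture):
# "<date> <time>,<ms> fail2ban.actions: WARNING [<jail>] Ban|Unban <ip>"
SAMPLE_F2B_LOG = """\
2014-03-13 10:00:15,432 fail2ban.actions: WARNING [ssh] Ban 192.168.1.100
2014-03-13 10:03:40,101 fail2ban.actions: WARNING [ssh] Ban 10.0.0.5
2014-03-13 10:10:15,440 fail2ban.actions: WARNING [ssh] Unban 192.168.1.100
2014-03-13 10:12:01,010 fail2ban.actions: WARNING [ssh] Ban 192.168.1.100
2014-03-13 10:13:40,105 fail2ban.actions: WARNING [ssh] Unban 10.0.0.5
2014-03-13 10:13:41,000 fail2ban.jail   : INFO   Jail 'ssh' started
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions: \w+ "
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def parse_events(text: str) -> list:
    """Return [(datetime, jail, 'Ban'|'Unban', ip)] for every action line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["jail"], m["action"], m["ip"]))
    return events


def current_bans(text: str) -> set:
    """Replay Ban/Unban events in order; return {(jail, ip)} still banned at the end of the log.
    This is the set you would expect to find mirrored in the fail2ban-<jail> iptables chain."""
    active = set()
    for _, jail, action, ip in parse_events(text):
        key = (jail, ip)
        if action == "Ban":
            active.add(key)
        else:
            active.discard(key)
    return active


def ban_counts(text: str) -> Counter:
    """Count Ban events per IP; hosts banned repeatedly are candidates for a longer bantime."""
    return Counter(ip for _, _, action, ip in parse_events(text) if action == "Ban")


if __name__ == "__main__":
    print("currently banned:", sorted(current_bans(SAMPLE_F2B_LOG)))
    print("ban counts:", dict(ban_counts(SAMPLE_F2B_LOG)))
```

If current_bans() lists a host that the iptables chain does not, Fail2Ban and the firewall have drifted apart (for example after a manual rule deletion), which is the situation the unban steps below are meant to handle cleanly.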

Remove Blocked IP Address from Fail2Ban

If you find a blocked IP and want to unblock it, just enter the following command:

Then restart the Fail2Ban service as well:

Now you will be able to log in via SSH from the previously blocked host.


Source:http://www.unixmen.com/how-to-prevent-ssh-brute-force-attacks-with-fail2ban-on-debian-7/
