The internet is full of automated programs that attempt to break into insecure servers. Because of this, you may have seen hundreds or thousands of failed login attempts in your system's auth.log, or reported when you log in to your server. Thankfully there is an easy way to put a stop to these brute force attempts. Fail2ban is a piece of software that works with your firewall to stop these attacks in their tracks. It monitors SSH for failed login attempts and, when the number from a specific IP passes the limit you have set, blocks that IP in the system firewall.
Ubuntu 14.04 makes it very easy to install fail2ban: an install package is available right in the default repos. To install it, simply run:
apt-get update
apt-get install fail2ban -y
That is all that is actually required to install the program, but it still must be configured.
Out of the box, fail2ban is set up to block failed SSH login attempts only, though it can be configured to protect other applications as well. Those will be covered in a different guide.
Fail2ban stores its configuration in the /etc/fail2ban directory. There you will find a file that contains the default configuration, called jail.conf. This file may be overwritten if the fail2ban package is ever updated, so it is a good idea to copy the configuration to a file that will not change.
To do so run the command:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now it is time to edit the configuration file.
Near the top you will find a section labeled [DEFAULT]. The settings defined here apply to every service that does not specifically override them in its own section.
A few common settings to change:
ignoreip = 127.0.0.0/8
This makes sure that traffic coming locally from the server itself is never blocked. You can add further addresses to be ignored by appending them to the end, separated by spaces.
findtime = 600
maxretry = 3
These two options together determine whether a client attempting to log in is treated as an attacker.
findtime is the length, in seconds, of the window within which failed attempts are counted.
maxretry is the number of failed attempts allowed within that window. With these values, a client that fails to log in 3 times within 10 minutes is banned.
bantime = 600
This value defines how long, in seconds, a client stays banned after exceeding the limit. By default it is set to 10 minutes (600 seconds).
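To see how the ignore list, the time window, the retry limit and the ban length interact, here is an added Python model of the jail logic (not fail2ban's own code and not part of this guide), run over a few constructed auth.log lines; the sample log, the regex and the year used for the timestamps are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log lines (RFC 5737 test addresses); not a real log.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 host sshd[1000]: Failed password for invalid user admin from 203.0.113.5 port 4100 ssh2
Jan 10 10:02:30 host sshd[1001]: Failed password for root from 203.0.113.5 port 4101 ssh2
Jan 10 10:04:00 host sshd[1002]: Failed password for root from 203.0.113.5 port 4102 ssh2
Jan 10 10:05:00 host sshd[1003]: Failed password for root from 127.0.0.1 port 4103 ssh2
Jan 10 10:05:10 host sshd[1004]: Failed password for root from 127.0.0.1 port 4104 ssh2
Jan 10 10:05:20 host sshd[1005]: Failed password for root from 127.0.0.1 port 4105 ssh2
Jan 10 11:00:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 4106 ssh2
Jan 10 11:20:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 4107 ssh2
Jan 10 11:40:00 host sshd[1008]: Failed password for root from 198.51.100.7 port 4108 ssh2
"""

# Simplified stand-in for fail2ban's sshd filter: captures syslog stamp and source IP.
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port")

def parse_ts(stamp, year=2015):
    # syslog stamps carry no year; any fixed year keeps the differences correct
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()

def find_bans(log, findtime=600, maxretry=3, bantime=600, ignoreip=("127.0.0.0/8",)):
    """Return {ip: stamp of the failure that triggered its ban}; maxretry is fail2ban's option name."""
    ignored = [ipaddress.ip_network(net) for net in ignoreip]
    failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> epoch second at which the ban expires
    bans = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp, ip = m.group(1), m.group(2)
        ts = parse_ts(stamp)
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue  # ignoreip: never counted, never banned
        if ts < banned_until.get(ip, 0):
            continue  # firewall rule still active; this attempt would be dropped
        window = [t for t in failures[ip] if ts - t < findtime] + [ts]
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = stamp
            banned_until[ip] = ts + bantime
            failures[ip] = []  # counters reset once the ban is placed
    return bans
```

With the guide's values only 203.0.113.5 is banned: the loopback attempts are ignored, and 198.51.100.7 spaces its failures 20 minutes apart, so never reaches 3 inside a 600-second window.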
Once you have made the changes you want to the configuration file, save it and close it with Ctrl+O and then Ctrl+X.
To enable the changes, restart the service by running:
service fail2ban stop
service fail2ban start
There are many more powerful things that can be configured in fail2ban, but the basics in this guide should help secure your server against SSH brute force attacks.
This work is licensed under a Creative Commons Attribution 4.0 International License.