How to Use fail2ban to defend against brute force cracking attacks on SSH servers (1)

Source: Internet
Author: User

How to Use fail2ban to defend against brute force cracking attacks on SSH servers (1)

A common attack on the SSH service is a brute-force cracking attack-remote attackers use different passwords to perform unlimited logon attempts. Of course, SSH can be set to use a non-password verification method to defend against such attacks, such as public key verification or double verification. Put the advantages and disadvantages of different verification methods aside first. What if we must use password verification? How do you protect your SSH server from brute force cracking attacks?

Fail2ban is a well-known open-source framework for intrusion protection on Linux. It monitors log files of multiple systems, such as/var/log/auth. log or/var/log/secure) and automatically triggers different defense actions based on any suspicious behavior detected. In fact, fail2ban is very useful in defending against brute force password cracking on SSH servers.

In this tutorial, I will demonstrateHow to install and configure fail2ban to protect the SSH server against brute force attacks from remote IP addresses.

Install Fail2ban on linux

To install fail2ban on CentOS or RHEL, first set the EPEL repository and run the following command.

 
 
  1. $ sudo yum install fail2ban

Install fail2ban on Fedora and run the following command:

 
 
  1. $ sudo yum install fail2ban

Install fail2ban on ubuntu, Debian, or Linux Mint:

 
 
  1. $ sudo apt-get install fail2ban

Configure Fail2ban for the SSH server

Now you have prepared to enhance your SSH server by configuring fail2ban. You need to edit the configuration file/etc/fail2ban/jail. conf. In the "[DEFAULT]" Area of the configuration file, you can define the DEFAULT parameters for all monitored services. In addition, in the configuration section of a specific service, you can set the DEFAULT parameters for each service, such as SSH, apache) to overwrite the default parameter configuration.

You need to define a [ssh-iptables] area in the [DEFAULT] area of the prison area for the service. This area defines SSH-related prison configurations. You can use iptables to Disable IP addresses.

The following is an example of a file containing the "ssh-iptables" Prison configuration/etc/fail2ban/jail. conf. Of course, you can also specify other application prisons based on your needs.

 
 
  1. $ sudo vi /etc/fail2ban/jail.local
 
 
  1. [DEFAULT]
  2. # List separated by spaces, which can be an IP address, a CIDR prefix, or a DNS host name
  3. # Used to specify which addresses can ignore fail2ban defense
  4. Ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24
  5.  
  6. # The duration of the client host being disabled in seconds)
  7. Banktime = 86400
  8.  
  9. # Number of failures allowed before the client host is disabled
  10. Maxretry = 5
  11.  
  12. # The time (in seconds) for finding the number of failures)
  13. Findtime= 600
  14.  
  15. Mta = sendmail
  16.  
  17. [Ssh-iptables]
  18. Enabled = true
  19. Filter = sshd
  20. Action = iptables [name = SSH, port = ssh, protocol = tcp]
  21. Sendmail-whois [name = SSH, dest = your@email.com, sender = fail2ban@email.com]
  22. # Debian release
  23. Logpath =/var/log/auth. log
  24. # Red Hat releases
  25. Logpath =/var/log/secure
  26. # Maximum number of ssh service attempts
  27. Maxretry = 3

According to the above configuration, fail2ban will automatically prohibit any IP address that has failed to access more than three attempts in the last 10 minutes. Once banned, this IP address will be banned from accessing the SSH service within 24 hours. This event will also send an email notification via sendemail.

Once the configuration file is ready, restart the fail2ban service as follows.

In Debian, Ubuntu or CentOS/RHEL 6:

 
 
  1. $ sudo service fail2ban restart

In Fedora or CentOS/RHEL 7:

 
 
  1. $ sudo systemctl restart fail2ban

To verify that fail2ban runs successfully, run the fail2ban-client command with the 'ping' parameter. If the fail2ban service runs normally, you can see "pong finished)" as a response.

 
 
  1. $ sudo fail2ban-client ping
  2. Server replied: pong

Test fail2ban to protect SSH against brute force cracking attacks

To test whether fail2ban works properly, try to use the wrong password to connect to the server over SSH to simulate a brute force cracking attack. At the same time, monitoring/var/log/fail2ban. log records any sensitive events that occur in fail2ban.

 
 
  1. $ sudo tail -f /var/log/fail2ban.log

According to the preceding log file, Fail2ban blocks an IP address 192.168.1.8 by detecting multiple failed logon attempts from the IP address.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.