How to use fail2ban to defend SSH servers against brute-force attacks
A common attack on the SSH service is brute-force password cracking: a remote attacker makes unlimited login attempts with different passwords. Of course, SSH can be configured to use a non-password authentication method, such as public-key authentication or two-factor authentication, to defend against such attacks. Setting the advantages and disadvantages of the different authentication methods aside, what if you must use password authentication? How do you then protect your SSH server from brute-force attacks?
Fail2ban is a well-known open-source intrusion-prevention framework for Linux. It monitors the log files of multiple services (for example, /var/log/auth.log or /var/log/secure) and automatically triggers defensive actions when it detects suspicious behaviour. In practice, fail2ban is very useful for defending SSH servers against brute-force password attacks.
In this tutorial, I will demonstrate how to install and configure fail2ban to protect an SSH server from brute-force attacks coming from remote IP addresses.
Install fail2ban on Linux
To install fail2ban on CentOS or RHEL, first set up the EPEL repository, then run the following command:
- $ sudo yum install fail2ban
To install fail2ban on Fedora, run the following command:
- $ sudo yum install fail2ban
To install fail2ban on Ubuntu, Debian, or Linux Mint:
- $ sudo apt-get install fail2ban
Configure Fail2ban for the SSH server
Now you are ready to harden your SSH server by configuring fail2ban. You need to edit the configuration file /etc/fail2ban/jail.conf. In the [DEFAULT] section of the configuration file, you define the default parameters for all monitored services. In the section for a specific service (such as SSH or Apache), you can set service-specific values that override the defaults.
In the jail section for services (after the [DEFAULT] section), you need to define an [ssh-iptables] section, which holds the SSH-related jail configuration and uses iptables to ban IP addresses.
The following is an example /etc/fail2ban/jail.conf containing the "ssh-iptables" jail configuration. Of course, you can also define jails for other applications according to your needs.
- $ sudo vi /etc/fail2ban/jail.local
- [DEFAULT]
- # Space-separated list of IP addresses, CIDR prefixes, or DNS host names
- # that fail2ban should never ban
- ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24
-
- # Duration (in seconds) for which a client host is banned
- bantime = 86400
-
- # Number of failures allowed before a client host is banned
- maxretry = 5
-
- # Window (in seconds) within which the failures are counted
- findtime = 600
-
- mta = sendmail
-
- [ssh-iptables]
- enabled = true
- filter = sshd
- action = iptables[name=SSH, port=ssh, protocol=tcp]
-          sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@email.com]
- # Debian releases (keep the logpath line that matches your distribution)
- logpath = /var/log/auth.log
- # Red Hat releases
- logpath = /var/log/secure
- # Maximum number of attempts for the ssh service
- maxretry = 3
According to the above configuration, fail2ban will automatically ban any IP address that has failed more than three login attempts within the last 10 minutes. Once banned, the IP address is blocked from accessing the SSH service for 24 hours. The event also triggers an email notification via sendmail.
Once the configuration file is ready, restart the fail2ban service as follows.
On Debian, Ubuntu or CentOS/RHEL 6:
- $ sudo service fail2ban restart
On Fedora or CentOS/RHEL 7:
- $ sudo systemctl restart fail2ban
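To make the interaction of maxretry, findtime and ignoreip concrete, here is an added example (not part of the original tutorial or of fail2ban itself) that re-implements the sshd jail's counting logic in Python and runs it over constructed auth.log lines; the host name, PIDs, ports and the assumed year are invented sample values.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Values taken from the [DEFAULT] / [ssh-iptables] sections of the tutorial.
MAXRETRY = 3       # jail-level override of the default 5
FINDTIME = 600     # seconds
IGNOREIP = ["127.0.0.1", "172.31.0.0/24", "10.10.0.0/24", "192.168.0.0/24"]

# Pattern modelled on the "Failed password" line sshd writes to auth.log / secure.
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def is_ignored(ip):
    """True if ip matches an ignoreip entry (plain address or CIDR prefix)."""
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in IGNOREIP)

def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return IPs that reach maxretry failures inside a sliding findtime window."""
    failures, banned = {}, []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or is_ignored(m["ip"]):
            continue          # not a failure line, or whitelisted by ignoreip
        # Syslog timestamps carry no year; 2024 is assumed for the sample data.
        ip, when = m["ip"], datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
        # Drop failures that fell out of the findtime window before counting.
        recent = [t for t in failures.get(ip, []) if (when - t).total_seconds() < findtime]
        recent.append(when)
        failures[ip] = recent
        if len(recent) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample log: 192.168.1.8 fails 3 times in 10 minutes (banned);
# 203.0.113.7 fails 3 times spread over an hour (not banned);
# 192.168.0.5 fails 3 times but is covered by ignoreip (not banned).
SAMPLE_LOG = [
    "Mar  3 10:00:01 host sshd[1201]: Failed password for root from 192.168.1.8 port 50322 ssh2",
    "Mar  3 10:02:11 host sshd[1202]: Failed password for invalid user admin from 192.168.1.8 port 50330 ssh2",
    "Mar  3 10:05:40 host sshd[1203]: Failed password for root from 192.168.1.8 port 50341 ssh2",
    "Mar  3 10:00:05 host sshd[1204]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "Mar  3 10:30:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    "Mar  3 11:00:05 host sshd[1206]: Failed password for root from 203.0.113.7 port 40003 ssh2",
    "Mar  3 10:01:00 host sshd[1207]: Failed password for root from 192.168.0.5 port 40004 ssh2",
    "Mar  3 10:01:10 host sshd[1208]: Failed password for root from 192.168.0.5 port 40005 ssh2",
    "Mar  3 10:01:20 host sshd[1209]: Failed password for root from 192.168.0.5 port 40006 ssh2",
]
```

Calling `find_bans(SAMPLE_LOG)` returns `['192.168.1.8']`; widening findtime to 7200 seconds would also catch the slow attempts from 203.0.113.7, which shows why the window size matters as much as maxretry.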
To verify that fail2ban is running, run the fail2ban-client command with the ping argument. If the fail2ban service is running normally, you will see "pong" as the response.
- $ sudo fail2ban-client ping
- Server replied: pong
Test that fail2ban protects SSH against brute-force attacks
To test whether fail2ban works properly, try to connect to the server over SSH with a wrong password to simulate a brute-force attack. At the same time, monitor /var/log/fail2ban.log, which records every notable event in fail2ban.
- $ sudo tail -f /var/log/fail2ban.log
According to the preceding log file, fail2ban blocked the IP address 192.168.1.8 after detecting multiple failed login attempts from it.
Check the fail2ban status and unban a blocked IP address
Because fail2ban's "ssh-iptables" jail uses iptables to block the offending IP address, you can inspect the current iptables rules to verify the ban as follows.
- $ sudo iptables --list -n
- Chain INPUT (policy ACCEPT)
- target        prot opt source               destination
- fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
-
- Chain FORWARD (policy ACCEPT)
- target        prot opt source               destination
-
- Chain OUTPUT (policy ACCEPT)
- target        prot opt source               destination
-
- Chain fail2ban-SSH (1 references)
- target        prot opt source               destination
- DROP          all  --  192.168.1.8          0.0.0.0/0
- RETURN        all  --  0.0.0.0/0            0.0.0.0/0
If you want to unban an IP address from fail2ban, you can use the iptables command:
- $ sudo iptables -D fail2ban-SSH -s 192.168.1.8 -j DROP
Of course, you can use the iptables commands above to check and manage fail2ban's IP block list manually, but the proper way is to use the fail2ban-client command-line tool. This command not only lets you manage the "ssh-iptables" jail, but also provides a standard command-line interface for managing other types of fail2ban jails.
To check the status of fail2ban (the list of currently active jails is displayed):
- $ sudo fail2ban-client status
To check the status of a specific jail (such as ssh-iptables):
- $ sudo fail2ban-client status ssh-iptables
The command above shows the list of banned IP addresses.
To unban a specific IP address:
- $ sudo fail2ban-client set ssh-iptables unbanip 192.168.1.8
Note: If you stop the fail2ban service, all IP addresses are unbanned. When you restart fail2ban, it rebuilds the list of offending IP addresses from /var/log/secure (or /var/log/auth.log). If the timestamps of those failures still fall within the ban time, fail2ban bans the addresses again.
Set fail2ban to start automatically
Once you have tested fail2ban successfully, the last step is to enable it to start automatically when your server boots. On Debian-based distributions, fail2ban is enabled at boot by default. On Red Hat-based distributions, enable automatic start as follows.
On CentOS/RHEL 6:
- $ sudo chkconfig fail2ban on
On Fedora or CentOS/RHEL 7:
- $ sudo systemctl enable fail2ban
Summary
In this tutorial, I demonstrated how to install and configure fail2ban to protect an SSH server. Fail2ban can certainly mitigate brute-force password attacks, but note that it does not protect the SSH server from sophisticated distributed brute-force campaigns, in which attackers bypass fail2ban's per-address defense by spreading their attempts across IP addresses of thousands of controlled machines.