If you are experiencing a brute-force ssh attack (people or robots trying different combinations of username and password to log into remote servers), you probably want to implement a fail2ban strategy to prevent them to keep trying.
\nBefore writing about fail2ban, if you are using AWS, I will highly suggest checking your Network ACLs. If possible, whitelist the IPs that can use the ssh port in your server. Sadly we have dynamic IP’s here in Argentina and it’s going to be really tedious to go and whitelist my IP every time it changes, especially when you could need to access multiple servers a day.
\nI won’t go too deep on all that you can do with this software, but if you are interested in read more about it in their github wiki
\nWe will use it for blocking IPs to keep trying to access via ssh after N number of attempts.
\nFirst you need to install the package, my server uses ubuntu so we run:
\nsudo apt-get install fail2banNow to configure you need to create a jail.local file in the folder at /etc/fail2ban/. You can read the default configuration from /etc/fail2ban/jail.conf. Let’s create that file:
sudo touch /etc/fail2ban/jail.localSince we are only going to use the ssh module, we just need these lines in the file:
\n[sshd]\nmaxretry = 5\nbantime=10800Feel free to change those values as it better fits your usage.
\nNow we just need to restart the fail2ban service and we are ready to go:
\nsudo systemctl restart fail2ban.serviceNow your server will reject connections via ssh if they fail to access more than 5 times in a row. Great!
\nIf you want to check the status of fail2ban, check how many fail attempts happened and how many IPs are banned at some point in time you can run fail2ban-client status sshd and it will display something like this:
Status for the jail: sshd\\\n|- Filter\\\n| |- Currently failed:\t1\\\n| |- Total failed:\t75\\\n| `- File list:\t/var/log/auth.log\\\n`- Actions\\\n|- Currently banned:\t2\\\n|- Total banned:\t6\\\n`- Banned IP list:\t161.35.80.11 186.159.10.210fail2ban adds rules in iptables program from your linux distro. I had issues while trying to execute iptables —list, to check how those rules where applied after configuring fail2ban in one of my staging servers:
\nmodprobe: ERROR: could not insert 'ip_tables': Cannot allocate memoryiptables v1.4.21: can't initialize iptables table `filter':\nTable does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgraded.In a previous post I commented about linux images taking too much space in your inodes disk space (df -i returning 99%+ in /dev/xvda1). The solution, if applied incorrectly like I did, may corrupt the execution of iptables commands. In short, try to don’t delete the image that you are currently using. To check which version to keep check the output of uname -r in your server terminal.
\n
\nThankfully, we can easily re-install that linux image by using that output too:
\nsudo apt-get install linux-image-$(uname -r)
That should reinstall the iptables program. I read that some people needed to run sudo apt-get full-upgrade and then reinstall the linux image.