If you are administering a Linux server on a publicly accessible IP address then you have no doubt already noticed your log files filling up with repeated failed login attempts against all common protocols. While it may be possible to protect services to some extent with firewalls, nothing is going to protect you from weak password policies and software vulnerabilities.
There is, however, a great Open Source product that can do away with some of the noise and frustrate the attackers: fail2ban.
You are running a Debian server on a public IP address. Your SSH log shows lots of entries for failed passwords and invalid users emanating from IPs which don’t have any legitimate reason to try and connect.
Sep 20 18:27:50 mail sshd: Failed password for invalid user readonly from 5.xxx.xxx.xxx port 35630 ssh2
Sep 20 18:42:19 mail sshd: Failed password for invalid user 20 from 174.xxx.xxx.xxx port 49678 ssh2
Sep 20 18:43:15 mail sshd: Failed password for invalid user pi from 100.xxx.xxx.xxx port 25949 ssh2
Sep 20 18:44:53 mail sshd: Failed password for invalid user ms from 220.xxx.xxx.xxx port 47294 ssh2
Sep 20 18:46:56 mail sshd: Failed password for root from 174.xxx.xxx.xxx port 40484 ssh2
In this tutorial I shall show how to install and configure fail2ban in order to throttle these attempts.
Filters, Actions, & Jails
Fail2ban scans log files looking for suspicious activity. If such activity is detected then the source IP will be banned from anywhere between a single port and all ports. This is accomplished by a set of filters, actions, and jails.
Filters: A filter is a regex to be matched against log lines which identifies suspicious behaviour. A very comprehensive set of filters covering many popular packages is located in
Actions: Actions are the steps to take if a filter identifies suspicious behaviour. An action may use iptables to deny the offending IP access to a port or range of ports, but in /etc/fail2ban/action.d there is a predefined set which includes actions for UFW and Cloudflare.
Jails: This is where filters and actions come together: a jail enables a filter, together with its corresponding action and the duration of the ban. Logically, these are defined in
Installation & Configuration
Using the apt package manager:
root@host:~# apt-get install fail2ban
By default, Debian has an sshd jail defined, but you may want to edit the definition at /etc/fail2ban/jail.d/defaults-debian.conf. Add parameters as follows:
[sshd]
enabled = true
findtime = 3600   # Number of seconds within which the filter must be triggered
maxretry = 3      # Number of times the filter must be triggered within findtime
bantime = 3600    # Number of seconds the ban is active for
Finally, restart the service:
root@host:~# service fail2ban restart
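To make the interaction of findtime and maxretry concrete, here is an added Python simulation of what the sshd jail does (this is example code, not fail2ban's own implementation): a simplified failregex pulls the source host out of each failed-password line, and a host is banned once it accumulates maxretry matches inside any findtime-second window. The log lines and IPs are constructed for the example, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Sep 20 18:27:50 mail sshd[1201]: Failed password for invalid user readonly from 203.0.113.5 port 35630 ssh2
Sep 20 18:28:10 mail sshd[1202]: Failed password for invalid user pi from 203.0.113.5 port 35631 ssh2
Sep 20 18:28:40 mail sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Sep 20 18:29:05 mail sshd[1204]: Failed password for root from 203.0.113.5 port 35632 ssh2
Sep 20 18:30:00 mail sshd[1205]: Failed password for root from 198.51.100.9 port 40000 ssh2
Sep 20 19:45:00 mail sshd[1206]: Failed password for root from 198.51.100.9 port 40001 ssh2
Sep 20 19:46:00 mail sshd[1207]: Failed password for root from 198.51.100.9 port 40002 ssh2
"""

# Simplified stand-in for the sshd filter's failregex: timestamp plus source host.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

def parse_ts(ts, year=2019):
    # syslog lines have no year; assume one so timestamps are comparable
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def scan(log, findtime=3600, maxretry=3):
    """Return hosts that would be banned, in ban order: a host is banned the
    moment maxretry matching lines fall within findtime seconds of each other."""
    hits = defaultdict(deque)   # host -> timestamps of recent failures
    banned = []
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue            # lines the filter does not match are ignored
        host, t = m.group("host"), parse_ts(m.group("ts"))
        if host in banned:
            continue
        window = hits[host]
        window.append(t)
        # discard failures older than findtime relative to this one
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))                 # ['203.0.113.5']
    print(scan(SAMPLE_LOG, findtime=7200))  # ['203.0.113.5', '198.51.100.9']
```

The second host fails three times but spreads the attempts over more than an hour, so with the default findtime it is never banned; widening findtime (or lowering maxretry) catches the slow scanner at the cost of more false positives from legitimate users mistyping passwords.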
By checking fail2ban's own log file (/var/log/fail2ban.log), you should see fail2ban processing the ssh filter and banning IPs as required:
2019-09-20 19:26:14,913 fail2ban.actions : NOTICE [sshd] Ban 167.xxx.xxx.xxx
2019-09-20 19:30:11,536 fail2ban.filter : INFO [sshd] Found 23.xxx.xxx.xxx - 2019-09-20 19:30:11
2019-09-20 19:30:11,556 fail2ban.filter : INFO [sshd] Found 23.xxx.xxx.xxx - 2019-09-20 19:30:11
2019-09-20 19:30:11,879 fail2ban.actions : NOTICE [sshd] Ban 23.xxx.xxx.xxx
2019-09-20 19:31:57,132 fail2ban.filter : INFO [sshd] Found 52.xxx.xxx.xxx - 2019-09-20 19:31:57
2019-09-20 19:31:57,154 fail2ban.filter : INFO [sshd] Found 52.xxx.xxx.xxx - 2019-09-20 19:31:57
You can also use the client to inspect the running jails, and which IPs are currently in each jail:
root@host:~# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
root@host:~# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed: 5856
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 6
   |- Total banned: 1407
   `- Banned IP list: 77.xxx.xxx.xxx 114.xxx.xxx.xxx 145.xxx.xxx.xxx 167.xxx.xxx.xxx 23.xxx.xxx.xxx 52.xxx.xxx.xxx
In part 2, we will look at configuring some filters and jails for applications which are not shipped by default.