How to secure ssh server with Fail2Ban


Find out how you can fight brute force attacks against your ssh server. With the simple yet powerful Fail2Ban utility you can do it in a few minutes. In this tutorial, I will guide you through its installation and configuration...

What is Fail2Ban

Fail2Ban is an intrusion prevention software (IPS) that scans your server's logs for authentication failures and blacklists the IP addresses that cause them. Such malicious IPs are blocked at the firewall level for a defined period. Usually, Fail2Ban uses iptables for blocking IPs.

Assumptions

I'm a Debian guy :) which is why this tutorial covers Debian 10. If you use another Linux distribution, you will need to adjust the commands and paths to the specifics of your distribution.

I also assume that you have a correctly installed and configured ssh server.

Step by step installation and configuration guide

You can install Fail2Ban with apt-get:

sudo apt-get install fail2ban

Press y when apt-get asks you to continue. Depending on your hardware, the installation should take a few seconds.

It is a good habit not to change the default configuration file (jail.conf), mostly because a future Fail2Ban upgrade may overwrite it, while settings in jail.local override it and survive upgrades. So the first thing you need to do is create your local config file. You can create an empty file, or you can copy the default configuration:

# if you want to have an empty file just create it:
sudo touch /etc/fail2ban/jail.local

# or copy current one:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now add/edit local configuration:

sudo vim /etc/fail2ban/jail.local

So it will contain:

[sshd]
# if you use a port other than 22 for ssh, add it here.
port = ssh,2222
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true

Your first line of protection is ready to be started. Before you start it, make sure you will still be able to access your server in case something goes wrong. Remember that by default an IP is blacklisted for 10 minutes after 5 failed login attempts within 10 minutes. You can tune this in your jail.local file by adjusting the values below:

[DEFAULT]
# change 192.168.1.1 to your own IP so you do not lock yourself out
ignoreip = 192.168.1.1

bantime  = 10m
findtime  = 10m
maxretry = 5
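To make the interaction of ignoreip, findtime, maxretry and bantime concrete, here is an added Python example (not part of the original post and not Fail2Ban's own code). It reads the jail.local shown above with the standard library's configparser and replays constructed auth.log-style lines through the same sliding-window rule Fail2Ban applies. The failure regex is a simplified stand-in for Fail2Ban's real sshd filter, the log lines and the year are constructed, and the ban state is kept in memory instead of in iptables.

```python
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed jail.local mirroring the tutorial's settings (not read from disk).
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 192.168.1.1
bantime  = 10m
findtime  = 10m
maxretry = 5

[sshd]
port = ssh,2222
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
"""

# Constructed auth.log-style lines (sample data, not a real capture).
AUTH_LOG = """\
Mar 10 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 10 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 10:00:07 host sshd[1204]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 10 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 10:00:11 host sshd[1206]: Failed password for root from 203.0.113.7 port 50127 ssh2
Mar 10 10:01:00 host sshd[1210]: Failed password for adam from 192.168.1.1 port 40001 ssh2
Mar 10 10:01:02 host sshd[1211]: Failed password for adam from 192.168.1.1 port 40002 ssh2
Mar 10 10:01:04 host sshd[1212]: Failed password for adam from 192.168.1.1 port 40003 ssh2
Mar 10 10:01:06 host sshd[1213]: Failed password for adam from 192.168.1.1 port 40004 ssh2
Mar 10 10:01:08 host sshd[1214]: Failed password for adam from 192.168.1.1 port 40005 ssh2
Mar 10 10:01:10 host sshd[1215]: Accepted password for adam from 192.168.1.1 port 40006 ssh2
Mar 10 10:05:00 host sshd[1300]: Failed password for bob from 198.51.100.9 port 41000 ssh2
Mar 10 10:08:00 host sshd[1301]: Failed password for bob from 198.51.100.9 port 41001 ssh2
Mar 10 10:11:00 host sshd[1302]: Failed password for bob from 198.51.100.9 port 41002 ssh2
Mar 10 10:14:00 host sshd[1303]: Failed password for bob from 198.51.100.9 port 41003 ssh2
Mar 10 10:17:00 host sshd[1304]: Failed password for bob from 198.51.100.9 port 41004 ssh2
Mar 10 10:17:30 host sshd[1305]: Failed password for bob from 198.51.100.9 port 41005 ssh2
"""

# Simplified failure pattern. Fail2Ban's real sshd filter lives in
# /etc/fail2ban/filter.d/sshd.conf and covers many more message forms.
FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)


def parse_duration(text):
    """Turn a Fail2Ban-style duration such as '10m', '1h' or '600' into a timedelta."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    text = text.strip()
    if text[-1] in units:
        return timedelta(seconds=int(text[:-1]) * units[text[-1]])
    return timedelta(seconds=int(text))


def load_jail(text):
    """Read the [sshd] section with [DEFAULT] fallbacks, as Fail2Ban's INI layering does."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %(sshd_log)s literal
    cfg.read_string(text)
    sec = cfg["sshd"]
    return {
        "enabled": sec.getboolean("enabled"),
        # ignoreip accepts single addresses and CIDR networks, space separated
        "ignoreip": [ip_network(x, strict=False) for x in sec["ignoreip"].split()],
        "bantime": parse_duration(sec["bantime"]),
        "findtime": parse_duration(sec["findtime"]),
        "maxretry": sec.getint("maxretry"),
    }


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) per failed-password line; the year is assumed since syslog omits it."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
            yield ts, ip_address(m.group(2))


def simulate(jail, log_text):
    """Replay the log through the findtime/maxretry rule; return {ip: ban start time}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside findtime
    bans = {}
    for ts, ip in parse_failures(log_text):
        if any(ip in net for net in jail["ignoreip"]):
            continue  # whitelisted by ignoreip, never counted
        if str(ip) in bans and ts < bans[str(ip)] + jail["bantime"]:
            continue  # already banned; the firewall would have dropped this packet
        window = recent[ip]
        window.append(ts)
        while window and window[0] < ts - jail["findtime"]:
            window.popleft()  # forget failures older than findtime
        if len(window) >= jail["maxretry"]:
            bans[str(ip)] = ts
            window.clear()
    return bans


def is_banned(bans, jail, ip, at):
    """True while the ban on ip is still inside bantime at the given moment."""
    start = bans.get(ip)
    return start is not None and at < start + jail["bantime"]


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL)
    for ip, started in simulate(jail, AUTH_LOG).items():
        print(f"{ip} banned at {started:%H:%M:%S} until {started + jail['bantime']:%H:%M:%S}")
```

Run it directly to see when each IP would be banned: 203.0.113.7 is banned at its fifth failure, 192.168.1.1 is never banned because it matches ignoreip, and 198.51.100.9 is not banned by five failures spread over twelve minutes but is banned the moment five fall within the ten-minute findtime window. On the real server the equivalent check is `sudo fail2ban-client status sshd`, and `sudo fail2ban-client set sshd unbanip <ip>` lifts a ban on an address you locked out by mistake.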

Now you are ready to go live:

# Restart Fail2Ban with this command:
sudo systemctl restart fail2ban

And that's it.

Stay secured :)


WeBee.Online Adam Wojciechowski
ul. Władysława Łokietka 5/2
70-256 Szczecin, Poland