Showing posts with label fail2ban ubuntu. Show all posts
Showing posts with label fail2ban ubuntu. Show all posts

Monday, October 19, 2020

fail2ban to secure ssh server

SSH is a network protocol for operating network services securely over an unsecured network but there is a word secure in the name, it doesn't mean it cannot be broken. Admins need to configure it securely.

If you are forced to provide ssh access globally, I would suggest to not use passwords as a login method. RSA keys are more secured way to login and it is hard to take unauthorized access of the server.

But if there is a case and you cannot use RSA keys as a login method, you should install fail2ban on your server. It protects you in certain ways to prevent unauthorized access.

If you are under impression that no body is trying to log into your server, you can try this on dummy server. Open 22 port for ssh login and check /var/log/auth.log or /var/log/secure after an hour or two, you will find uncountable number of ssh login requests. People are trying very hard from every point of the earth to get inside of your server.

Here is the way to secure your server, if your ssh login method is password.

1) Install fail2ban on your linux system.

apt install fail2ban
or
yum install fail2ban

2) Configure jail.local

nano /etc/fail2ban/jail.local
	[DEFAULT]
	 ignoreip = 127.0.0.1/8 ::1
	 bantime = 7200
	 findtime = 900
	 maxretry = 5
	[sshd]
	 enabled = true
     
service fail2ban restart

Now fail2ban is configured on your server. Now you want to know, is it working or not? Your concern is valid. Read following steps.

A) If you want to know number of jails you have created in fail2ban, here is the command. Check number of jails.

sudo fail2ban-client status

In above configuration, we created only one jail, so it will list only one jail i.e. 'sshd'. 

B) Now you want to check, how many IPs have been blocked. It will show you total number of blocked IPs as well as the list of IPs which are in blocked status currently. Check status of current blocked IPs

sudo fail2ban-client status <jailname>
sudo fail2ban-client status sshd

You gave bantime 7200 in your config, it means it will block an IP for 2 hours if failed login attempts are 5 or more. You can reduce failed number of login attempts and increase bantime depends on your requirement.

C) If you want to block an IP or a whole IP range manually, here is the command, Block ip or ip range manually.

sudo fail2ban-client -vvv set sshd banip 141.98.10.0/24
sudo fail2ban-client -vvv set sshd banip 222.141.207.246

First command will block an IP range from 141.98.10.0 to 141.98.10.255. It includes all 256 IPs. Second command blocks only one IP i.e. 222.141.207.246

D) If you think, nobody wants to log into your server as those files are useless for them, try below command. If you put just one blank file a.txt in your server and if people will get access of your server, they will write in the file that how many bitcoins they want or they will simply remove the file with other OS files which can be removed by your user.

Check all fail login attempts

 cat /var/log/auth.log | grep rhost 
SSH unauthorized access can be a biggest damage for you and your server. Do not take it lightly.
1) Always use key login method for your ssh user and do not open port 22 globally.
2) If you are forced to open it globally, use key login method and that is too RSA only.
3) If you are forced to use password login method with global access, then you must choose super strong password for your user and configure fail2ban.