Secure SSH with Fail2Ban

Remotely managing a server is important, but I believe securing that remote access is just as important.
Would you like to type "last" and realize someone from a far-away country has just logged into your server?
Well, the solution is here!
We will be installing fail2ban, which is capable of monitoring not just SSH but many other daemons.
It is quite cool: after X failed attempts it sends you an email and adds the offending IP to iptables for X amount of time.

Installing in Debian:

# apt-get install fail2ban


Installing in RedHat, CentOS, Fedora (0.8.4 was the current tarball when this was written; if you have the EPEL repository enabled, "yum install fail2ban" gets you a packaged version instead). The -O keeps the file name sane despite the mirror query string:
# wget -O fail2ban-0.8.4.tar.bz2 http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=ufpr

or you can download fail2ban from my home server

# tar -xjvf fail2ban-0.8.4.tar.bz2
# cd fail2ban-0.8.4
# python setup.py install    (if that fails, "yum install python-devel" first)

Autostart in RedHat, CentOS, Fedora:
# cp files/redhat-initd /etc/init.d/fail2ban
# chkconfig --add fail2ban
# chkconfig fail2ban on
# service fail2ban start

Configuring Fail2ban:
Fail2ban is configured sensibly out of the box, but a few items need to be tweaked. /etc/fail2ban/fail2ban.conf holds the general settings for the daemon itself (its own log target and level, and the socket path). The jails, one per monitored service, are defined in /etc/fail2ban/jail.conf. Do not edit that file directly: copy it to jail.local and edit the copy, since settings in the .local file override the .conf and survive package upgrades.
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
First, under [DEFAULT] find ignoreip. It is always important for you to have a way in! These are the IPs fail2ban will ignore: addresses listed here can fail login as often as they like and are never banned, so put your own workstation or management network here. Entries are space separated.
Check also bantime, maxretry and the other settings. A bantime of only 10 minutes (600 seconds) is not enough to handle an attack,
so I raised it to 86400 (24 hours). Also adjust the log file paths and names to your system.

# vim /etc/fail2ban/jail.local

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24
bantime = 86400
maxretry = 5

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/auth.log
maxretry = 5

The second action line is a continuation of the first and must stay indented. The sendmail-whois action shells out to whois and pipes the mail into /usr/sbin/sendmail, so it needs the whois package and a working MTA (see the appendix). On RedHat, CentOS and Fedora sshd logs to /var/log/secure instead of auth.log, so there use:

logpath = /var/log/secure

Then restart the service:
# /etc/init.d/fail2ban restart
or RedHat
# service fail2ban restart
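Before restarting, it is worth checking that the address you administer from really is covered by ignoreip, so that a mistyped password from your own desk cannot lock you out for 24 hours. The script below is an added example and not part of the original post or of fail2ban itself. It assumes ignoreip contains only IPv4 addresses and CIDR masks (the DNS hosts fail2ban also accepts are not handled), that only the [DEFAULT] section matters (a jail-level ignoreip would override it), and the jail.local fragment it reads is a constructed copy of the one above; the function names are mine.

```shell
# Added example: verify that an admin address can never be banned by the
# [DEFAULT] ignoreip list in jail.local.  Not fail2ban code.
# Assumptions: IPv4 addresses and CIDR masks only; only [DEFAULT] is read.

# Constructed jail.local fragment mirroring the one in the post (not a real file).
SAMPLE_JAIL='[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24
bantime = 86400
maxretry = 5

[ssh-iptables]
enabled = true
filter = sshd'

# Print the ignoreip value from the [DEFAULT] section of the jail file read on stdin.
jail_default_ignoreip() {
    awk '
        /^[ \t]*\[/ { section = $0; sub(/^[ \t]*\[/, "", section); sub(/].*$/, "", section); next }
        section == "DEFAULT" && /^[ \t]*ignoreip[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }'
}

# Exit 0 if IP ($1) matches at least one entry of the space-separated list ($2),
# as an exact address or inside a CIDR block; exit 1 otherwise.
ignoreip_covers() {
    awk -v ip="$1" -v list="$2" '
        function toint(a,   o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            n = split(list, entry, " ")
            for (i = 1; i <= n; i++) {
                addr = entry[i]; bits = 32
                if (index(addr, "/")) { split(addr, p, "/"); addr = p[1]; bits = p[2] }
                # Two addresses share a /bits network iff they are equal after the
                # (32 - bits) host bits are dropped, i.e. after integer division by 2^(32-bits).
                block = 2 ^ (32 - bits)
                if (int(toint(ip) / block) == int(toint(addr) / block)) exit 0
            }
            exit 1
        }'
}

# Read jail.local on stdin and report whether ADMIN_IP ($1) is safe from bans.
check_jail_local() {
    list=$(jail_default_ignoreip)
    if ignoreip_covers "$1" "$list"; then
        echo "OK: $1 is covered by ignoreip ($list)"
        return 0
    fi
    echo "LOCKOUT RISK: $1 is not covered by ignoreip ($list)"
    return 1
}

# Usage against the constructed fragment; with the real file:
#   check_jail_local 10.10.0.7 < /etc/fail2ban/jail.local
printf '%s\n' "$SAMPLE_JAIL" | check_jail_local 10.10.0.7
printf '%s\n' "$SAMPLE_JAIL" | check_jail_local 203.0.113.5 || echo "(do not restart with this jail.local)"
```

Run it against /etc/fail2ban/jail.local with the address you are connecting from right now; if it reports a lockout risk, fix ignoreip before the restart below, not after.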

And check your iptables (fail2ban puts its rules in a chain named fail2ban-<name>, so with the action above that is fail2ban-SSH; -n skips the reverse DNS lookups):
# iptables -L fail2ban-SSH -n --line-numbers

If you want to unblock someone, delete its rule by number from that chain:
# iptables -D fail2ban-SSH 1
This only touches iptables: fail2ban still lists the address as banned until bantime runs out (and will log an error when its own unban command finds no rule to delete), but the address can connect again right away.

Show failed SSH logins by date (the syslog month and day are the first two fields; counting whole lines with uniq -c would give 1 for every line, because each carries a unique timestamp):
# grep 'Failed password' /var/log/secure | awk '{print $1, $2}' | sort | uniq -c
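To see what the jail above actually does with those lines, here is the same counting that the sshd filter plus maxretry, findtime and ignoreip perform, run over a handful of constructed log lines. This is an added example, not code from the original post or from fail2ban. It assumes the Debian/RedHat syslog line format shown, that all lines fall within one calendar month (the month name is not converted to a date), and that ignoreip is given as exact IPv4 addresses; the function names and the sample lines are mine.

```shell
# Added example: replay fail2ban's sshd counting over sample log lines.
# Not fail2ban code.  Assumptions: syslog format as below, one calendar month,
# ignoreip as exact IPv4 addresses.

# Constructed sample of sshd lines (not real traffic): a fast scanner, a slow
# scanner, and an admin on the LAN who mistypes once and then logs in.
SAMPLE_LOG='Mar  3 10:01:12 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51012 ssh2
Mar  3 10:01:15 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51012 ssh2
Mar  3 10:01:19 host sshd[2003]: Failed password for root from 203.0.113.5 port 51020 ssh2
Mar  3 10:01:22 host sshd[2004]: Failed password for root from 203.0.113.5 port 51031 ssh2
Mar  3 10:01:25 host sshd[2005]: Failed password for root from 203.0.113.5 port 51040 ssh2
Mar  3 10:02:40 host sshd[2010]: Failed password for damon from 192.168.0.20 port 40022 ssh2
Mar  3 10:02:41 host sshd[2010]: Accepted password for damon from 192.168.0.20 port 40022 ssh2
Mar  4 08:15:03 host sshd[3100]: Failed password for invalid user oracle from 198.51.100.7 port 33001 ssh2
Mar  4 08:15:10 host sshd[3101]: Failed password for invalid user oracle from 198.51.100.7 port 33002 ssh2
Mar  4 08:15:17 host sshd[3102]: Failed password for invalid user test from 198.51.100.7 port 33003 ssh2'

# Failed logins per day ("Mon D count"), read from stdin.
failed_by_date() {
    grep 'Failed password' | awk '{ n[$1 " " $2]++ } END { for (d in n) print d, n[d] }' | sort
}

# Addresses that reach MAXRETRY ($1) failures inside a window of FINDTIME seconds ($2),
# skipping anything listed in IGNOREIP ($3, space separated).  Prints "ip total-failures".
ban_candidates() {
    grep 'Failed password' |
    awk -v max="$1" -v findtime="$2" -v ignore="$3" '
        BEGIN { n = split(ignore, tmp, " "); for (i = 1; i <= n; i++) skip[tmp[i]] = 1 }
        {
            # syslog stamp: $2 = day of month, $3 = HH:MM:SS -> seconds within the month
            split($3, hms, ":")
            t = $2 * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || (ip in skip)) next
            cnt[ip]++
            when[ip, cnt[ip]] = t
            # like fail2ban, only failures younger than findtime count towards maxretry
            recent = 0
            for (j = 1; j <= cnt[ip]; j++) if (when[ip, j] > t - findtime) recent++
            if (recent >= max) banned[ip] = 1
        }
        END { for (ip in banned) print ip, cnt[ip] }' | sort
}

# Usage against the sample with the jail.local settings above (maxretry = 5,
# the default findtime of 600 s, the LAN admin excluded).  On a live system:
#   ban_candidates 5 600 "192.168.0.20" < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | failed_by_date
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5 600 "192.168.0.20"
```

Lowering maxretry to 3 also catches the slow scanner on Mar 4, while shrinking findtime to a few seconds catches nobody, which is why the two settings are tuned together rather than in isolation.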

There is also a cool nagios plugin

More on Fail2Ban

Appendix, install a mail server (smail or sendmail). The sendmail-whois action pipes its mail into /usr/sbin/sendmail, so any MTA that provides that binary will do; smail is a small one:
# apt-get install smail
To configure:
# /usr/sbin/smailconfig
Test it:
# /usr/sbin/smailtest

Other Tips
HELP (when fail2ban refuses to start, usually because of a stale socket left behind by a crash):
1.) stop the service
# /etc/init.d/fail2ban stop
2.) delete the socket if it is still there (if it is not at this path, check the "socket" setting in /etc/fail2ban/fail2ban.conf)
# rm /tmp/fail2ban.sock
3.) start the service
# /etc/init.d/fail2ban start
4.) check if fail2ban is working
# fail2ban-client ping
The answer should be "pong".
5.) if the answer is not "pong", read /var/log/fail2ban.log, then run away or CRY FOR HELP

About Damon Luong

San Jose, California
This entry was posted in Fail2Ban.