{"id":351,"date":"2019-05-14T14:29:45","date_gmt":"2019-05-14T14:29:45","guid":{"rendered":"https:\/\/blog.iabsolute.com\/?p=351"},"modified":"2019-05-14T14:29:45","modified_gmt":"2019-05-14T21:29:45","slug":"secure-ssh-with-fail2ban","status":"publish","type":"post","link":"https:\/\/blog.iabsolute.com\/?p=351","title":{"rendered":"Secure SSH with Fail2Ban"},"content":{"rendered":"\n

Remote managing a server is important but I believe securing it is just as important.
\nWould you like to type \u201clast\u201d and just relize someone has just login into your server from a far country?
\nWell the solution is here!
\nWe will be installing fail2ban, witch is capable of monitoring not just SSH but many other daemons.
\nIt is quite cool, it send you an email after X attempts and include that bad IP into iptables for X amount of time.
\n
\nInstalling in Debian:<\/strong>
\n# apt-get install fail2ban<\/code><\/p>\n\n\n\n


\nInstalling in RedHat,CentOS,Fedora:
\n# wget http:\/\/downloads.sourceforge.net\/project\/fail2ban\/fail2ban-stable\/fail2ban-0.8.4\/fail2ban-0.8.4.tar.bz2?use_mirror=ufpr<\/a><\/strong><\/p>\n\n\n\n

or you can download fail2ban<\/a> from my home server<\/h1>\n\n\n\n

# tar -xjvf fail2ban-0.8.4.tar.bz2
\n# cd fail2ban-0.8.4
\n# python setup.py install    {if not working then \u201cyum install python-devel\u201d}
\nAutostart in RedHat,CentOS,Fedora
\n# cp files\/redhat-initd \/etc\/init.d\/fail2ban
\n# chkconfig \u2013add fail2ban
\n# chkconfig fail2ban on
\n# service fail2ban start<\/p>\n\n\n\n

Configuring Fail2ban:<\/strong>
\nFail2ban is automatically configured for the most part. However, little items need to be tweaked. \/etc\/fail2ban\/fail2ban.conf is responsible for general settings for fail2ban, such as what log to append to. More specific settings can be changed in \/etc\/fail2ban\/jail.conf. However, it\u2019s recommended that this file not be directly changed. Instead, make a copy to jail.local. The local file with override the .conf one.
\n# cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/code>
\nFirst, under [DEFAULT] find ignoreip. It\u2019s always important for you to have a way in! These are IPs are fail2ban will ignore \u2013 IPs listed here can always have invalid login. These need to be space separated.
\nCheck also the bantime, maxrety and other settings. I believe the bantime of only 10min ( 600 sec) is not enough to handle an attack,
\nso I raised it to 86400 (24 hours).Also adjust the logfiles path and names to your system.
\n
\n#vim \/etc\/fail2ban\/jail.local<\/code><\/p>\n\n\n\n

[DEFAULT]<\/p>

# \u201cignoreip\u201d can be an IP address, a CIDR mask or a DNS host
\nignoreip = 127.0.0.1 172.31.0.0\/24 10.10.0.0\/24 192.168.0.0\/24
\nbantime = 86400
\nmaxretry = 5<\/p><\/blockquote>\n\n\n

[ssh-iptables]<\/p>\n\n\n\n

\nenabled = true
\nfilter = sshd
\naction = iptables[name=SSH, port=ssh, protocol=tcp]
\nsendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
\nlogpath = \/var\/log\/auth.log
\nmaxretry = 5\n<\/p>\n\n\n\n

logpath=\/var\/log\/secure (for RedHat,CentOS,Fedora)<\/p>\n\n\n\n

Then restart the service:
\n# \/etc\/init.d\/fail2ban restart<\/code>
\nor RedHat
\n# service fail2ban restart<\/p>\n\n\n\n

And check your iptables:
\n# iptables -L<\/code><\/p>\n\n\n\n

If you want to unblock someone just do:
\n# iptables -D fail2ban-ssh 1
\n<\/code>
\nShow failed SSH logins by date:
\n# cat \/var\/log\/secure | grep \u2018Failed password\u2019 |  sort | uniq -c<\/p>\n\n\n\n

There is also a cool nagios plugin<\/p>\n\n\n\n

More on Fail2Ban<\/p>\n\n\n\n

Appendix, Install email server: smail, sendmail:<\/strong>
\n#apt-get install smail
\nTo configure:
\n#\/usr\/sbin\/smailconfig
\nTest it:
\n#\/usr\/sbin\/smailtest<\/p>\n\n\n\n

Other Tips
\nHELP:
\n1.) stop the Service
\n\/etc\/init.d\/fail2ban stop
\n2.) delete the socket if avalible
\nrm \/tmp\/fail2ban.sock
\n3.) start the Service
\n\/etc\/init.d\/fail2ban start
\n4.) check if fail2ban is working
\nfail2ban-client ping
\nAnswer should be \u201cpong\u201d
\n5.) if the answer is not \u201cpong\u201d run away or  CRY FOR HELP<\/p>\n","protected":false},"excerpt":{"rendered":"

Remote managing a server is important but I believe securing it is just as important. Would you like to type \u201clast\u201d and just relize someone has just login into your server from a far country? Well the solution is here! … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-351","post","type-post","status-publish","format-standard","hentry","category-fail2ban"],"_links":{"self":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=351"}],"version-history":[{"count":1,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/351\/revisions"}],"predecessor-version":[{"id":352,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/351\/revisions\/352"}],"wp:attachment":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}