How to use Ubuntu fail2ban to protect SSH against brute-force attacks?

by monroe.bahringer, in category: Security, 2 years ago


1 answer

by modesta, 2 years ago

@monroe.bahringer 

Fail2ban is a popular tool used for protecting servers from brute-force attacks by banning IP addresses that fail authentication attempts. It works by monitoring log files for patterns of failed login attempts, and then taking action to block the offending IP address.


To use Fail2ban to protect SSH on an Ubuntu server, follow these steps:

  1. Install Fail2ban:

    sudo apt-get update
    sudo apt-get install fail2ban


  2. Create a configuration file for SSH:

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo nano /etc/fail2ban/jail.local


  3. Edit the configuration file to specify the SSH jail settings. Under [sshd], set the enabled parameter to true, and adjust the maxretry and bantime parameters to suit your needs. For example:

    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    bantime = 3600


This will block an IP address for one hour (3600 seconds) after three failed login attempts.

  4. Save and close the configuration file, and then restart the Fail2ban service:

    sudo systemctl restart fail2ban


  5. Test the configuration by attempting to log in to the server with an incorrect password three times in a row. The offending IP address should then be banned for the specified time period.


Note: The above configuration assumes that your SSH daemon is running on the default port 22. If you have configured SSH to run on a different port, you should adjust the port parameter accordingly.
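
The following is an added example, not part of the answer above and not Fail2ban's own code: a small Python simulation of how the maxretry and bantime values from the [sshd] jail apply to auth.log entries. The log lines are constructed, the regex is a simplified stand-in for the sshd filter, and the 600-second findtime counting window is an assumed value because the answer does not set one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# maxretry and bantime come from the [sshd] jail above. FINDTIME (the window
# in which failures are counted) is not set on the page; 600 s is assumed.
MAXRETRY, BANTIME, FINDTIME = 3, 3600, 600

# Simplified stand-in for the sshd filter: password failures only.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample auth.log lines (documentation addresses, RFC 5737).
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 08:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 10 08:00:09 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 10 08:01:00 host sshd[1010]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar 10 08:02:00 host sshd[1011]: Failed password for alice from 198.51.100.7 port 50002 ssh2
Mar 10 08:02:30 host sshd[1012]: Accepted password for alice from 198.51.100.7 port 50003 ssh2
Mar 10 08:10:00 host sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar 10 08:30:00 host sshd[1013]: Failed password for alice from 198.51.100.7 port 50004 ssh2
"""

def simulate(log_text, year=2024):
    """Return (ip, ban_start, ban_end) tuples the jail settings would produce."""
    failures, banned_until, bans = defaultdict(deque), {}, []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue  # address is still inside its ban period
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # drop failures older than the counting window
        if len(window) >= MAXRETRY:
            end = ts + timedelta(seconds=BANTIME)
            banned_until[ip] = end
            bans.append((ip, ts, end))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"{ip} banned from {start} until {end}")
```

In the sample, 203.0.113.5 is banned on its third failure, while 198.51.100.7 is not: its third failure arrives after the first two have aged out of the assumed counting window.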