Protect your SSH with fail2ban
News - Ubuntu / Linux / Unix
Written by Mark Veenstra   
Saturday, 04 December 2010 14:29

If you're running a Linux/Unix server and for some reason you have your SSH open to the world, you might want to consider protecting it against being attacked and cracked. I searched the Internet for some solutions and in my opinion the best and easiest way to go is using "fail2ban". A nice thing about fail2ban is that it can also help you with auto-blacklisting for FTP and other applications. Here is a little howto:

  1. Download and install the package that is required for your OS. You may even find it in the package manager of your distribution. For example, I have CentOS running and I can install the package with yum ("yum install fail2ban.noarch"). If you can't find a package in your distribution go to http://www.fail2ban.org/wiki/index.php/Downloads
  2. After a successful installation it is quite easy to set up. Edit the file "/etc/fail2ban/jail.conf" and enable the SSH jail:

    [ssh-iptables]
    enabled  = true
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
               sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@mail.com]
    logpath  = /var/log/secure
    maxretry = 5

  3. Once you have done this you need to start fail2ban as follows:

    [root@home ~]# /etc/init.d/fail2ban restart

  4. Now your SSH is protected and will automatically ban IP addresses that fail to log in after 5 attempts.

For example, I tried to log in 5 times from a PC to the server. After 5 failures, fail2ban blocked my IP. You can see this in the logfile:

/var/log/fail2ban.log
2010-12-04 16:54:34,655 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.202

If this is an IP address you would like to remove from the blacklist, please follow the next steps:

  1. Execute the following command:

    [root@home ~]# iptables -L -n

  2. This will output the iptables list and at the bottom you will see the "Chain fail2ban-SSH":

    Chain fail2ban-SSH (1 references)
    target     prot opt source               destination
    DROP       all  --  192.168.1.202        0.0.0.0/0
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

  3. To remove an IP from the block list type the following:

    iptables -D fail2ban-SSH -s 192.168.1.202 -j DROP

  4. That's all!
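
To see which addresses are still banned before removing one by hand, the following added example (not part of the original article) replays the Ban lines of a fail2ban log in the format shown above, together with the Unban lines fail2ban writes when a ban expires. The function names, the sample log and its extra addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list addresses still banned according to a fail2ban log.

# Print "jail ip ban-date ban-time" for every Ban without a later Unban.
# Usage: active_bans /var/log/fail2ban.log
active_bans() {
    awk '
        # Expected line format (as in the log excerpt in the article):
        #   DATE TIME fail2ban.actions: WARNING [jail] Ban|Unban IP
        NF >= 6 && /fail2ban\.actions/ && substr($(NF-2), 1, 1) == "[" &&
        ($(NF-1) == "Ban" || $(NF-1) == "Unban") {
            # Strip the surrounding brackets from the jail name.
            jail = substr($(NF-2), 2, length($(NF-2)) - 2)
            key = jail " " $NF
            # A Ban records its timestamp; an Unban clears the entry.
            if ($(NF-1) == "Ban") { banned[key] = $1 " " $2 } else { delete banned[key] }
        }
        END { for (k in banned) print k, banned[k] }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample log; only the first line comes from the article.
write_sample_log() {
    cat > "$1" <<'EOF'
2010-12-04 16:54:34,655 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.202
2010-12-04 17:04:35,012 fail2ban.actions: WARNING [ssh-iptables] Unban 192.168.1.202
2010-12-04 17:10:02,101 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.7
2010-12-04 17:12:40,330 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.23
2010-12-04 17:15:11,874 fail2ban.jail: INFO Jail 'ssh-iptables' started
2010-12-04 17:22:41,009 fail2ban.actions: WARNING [ssh-iptables] Unban 198.51.100.23
2010-12-04 17:30:00,500 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.23
EOF
}

# Run on the given log, or on the constructed sample when no path is passed.
if [ $# -gt 0 ]; then
    active_bans "$1"
else
    sample=$(mktemp) && write_sample_log "$sample"
    active_bans "$sample"
    rm -f "$sample"
fi
```

An address removed by hand with iptables -D leaves no Unban line in the log at that moment, so compare this output with the fail2ban-SSH chain from "iptables -L -n".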


Last Updated on Saturday, 04 December 2010 15:08
 
