Setup fail2ban to protect services
Last update
2019-08-12
«secure apps/server with fail2ban jails ssh and ssh ddos»

Install fail2ban:

apt-get install fail2ban

Configure fail2ban:

Create a file (a modified copy of jail.conf) with these lines:

[DEFAULT]
# space separated list of IP addresses, CIDR masks, DNS hosts
ignoreip = 127.0.0.1/8 192.168.1.1/24

# number of seconds that a host is banned
bantime  = 3600

# a host is banned if it has generated "maxretry" failures during the
# last "findtime" seconds
findtime = 600
maxretry = 1

  • on Debian 9 put it in /etc/fail2ban/jail.d/local.conf appending these lines:

[sshd]
enabled  = true
maxretry = 1

[sshd-ddos]
enabled  = true
maxretry = 1

  • on Debian 8 put it in /etc/fail2ban/jail.local (a copy of jail.conf) appending these lines:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 1

[ssh-ddos]
enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 1
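To see how ignoreip, findtime and maxretry from the [DEFAULT] section interact, here is an added Python model of the ban decision, run over a few constructed auth.log lines. It is example code written for this page, not fail2ban's own implementation; the failure regex is a simplified stand-in for the real sshd filter and the timestamps are plain epoch seconds.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Settings from the [DEFAULT] section above
IGNOREIP = ["127.0.0.1/8", "192.168.1.1/24"]
FINDTIME = 600
MAXRETRY = 1

# Simplified sshd failure pattern (fail2ban's real sshd filter is more complete)
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

# strict=False accepts a host address with a mask such as 192.168.1.1/24,
# which is how the ignoreip line above is written
IGNORE_NETS = [ipaddress.ip_network(n, strict=False) for n in IGNOREIP]

def is_ignored(ip):
    """True if the address falls inside any ignoreip entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNORE_NETS)

def ban_decisions(events, findtime=FINDTIME, maxretry=MAXRETRY):
    """events: list of (unix_time, log_line). Returns the list of (time, ip) bans."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = set()
    bans = []
    for ts, line in events:
        m = FAIL_RE.search(line)
        if not m:
            continue                # not a failed login, nothing to count
        ip = m.group("ip")
        if ip in banned or is_ignored(ip):
            continue
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:   # keep only the findtime window
            q.popleft()
        if len(q) >= maxretry:              # maxretry=1 bans on the first failure
            banned.add(ip)
            bans.append((ts, ip))
    return bans

# Constructed sample lines: one outside attacker, one LAN host, one success
SAMPLE = [
    (1000, "sshd[1]: Failed password for invalid user admin from 203.0.113.7 port 4000 ssh2"),
    (1005, "sshd[2]: Failed password for root from 192.168.1.50 port 4001 ssh2"),
    (1010, "sshd[3]: Accepted publickey for user_a from 192.168.1.20 port 4002 ssh2"),
    (1020, "sshd[4]: Failed password for root from 203.0.113.7 port 4003 ssh2"),
]

if __name__ == "__main__":
    print(ban_decisions(SAMPLE))  # → [(1000, '203.0.113.7')]
```

The LAN host is never banned because 192.168.1.50 matches the 192.168.1.1/24 entry; raising maxretry to 3 lets the outside host's two failures pass without a ban.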

Starting, status, unblock IPs:

# restart service after any config modification
systemctl restart fail2ban

# show jailing info/counters
fail2ban-client status
fail2ban-client status sshd
fail2ban-client status sshd-ddos

To unlock blocked IPs:

# the chain name follows the jail name: fail2ban-ssh for the [ssh] jail,
# f2b-sshd for the [sshd] jail on fail2ban 0.9 and later
iptables -L | less -p"Chain fail2ban-ssh" # find desired REJECT rule

# iptables -D <chain> <rule line number within that chain>
iptables -D fail2ban-ssh 1

SSH tips

You can allow or deny access to specific users by editing /etc/ssh/sshd_config:

# allow ssh access only to users A and B and disallow all the others
AllowUsers user_a user_b

# deny ssh access only to users A and B and allow all the others
DenyUsers user_a user_b

In this way the SSH daemon fails the disallowed users immediately, so fail2ban bans them sooner.


Source: debianizzati, digitalocean