Every server that exists online, virtual or dedicated, has some purpose for its existence. It could be used as a mail server, file server, web server or anything else. That means that no matter how hard we try to isolate it and restrict access to it, we still have to leave some ports open.
For example, a mail server must accept incoming connections on port 25, a web server must listen on port 80, and so on. The most important one for administering a server is the SSH service, which listens on port 22. We must make sure to protect our server from unauthorized SSH access, otherwise it becomes an easy target for brute-force attacks.
The most suitable application for this purpose is Fail2ban. It is an intrusion prevention framework written in the Python programming language. It runs on servers that have a locally installed firewall or packet-filtering system it can drive. It scans log files and bans IPs that show malicious signs: too many password failures, probing for exploits, etc. In order to install fail2ban, make sure your package lists are up to date and simply install it:
# apt-get update
# apt-get install fail2ban
Once installed, it places a sample configuration file at /etc/fail2ban/jail.conf. We should copy that file to /etc/fail2ban/jail.local (the package may overwrite jail.conf on upgrade, while jail.local is preserved and overrides it) and then open the copy for editing in our favorite text editor. Many of the services we may want to protect already have their own section in the sample file, and there is a DEFAULT section whose settings apply to every jail unless a section overrides them. Some of the important settings in this file are:
- ignoreip: A space-separated list of single IPs, CIDR masks or host names. Addresses listed here are never banned, so put your own management addresses here so that a typo in your own password cannot lock you out.
- bantime: The time (in seconds) that a host is blocked from the server once it violates one of the defined rules. The default is 600 (10 minutes), but raising it to 30 minutes or more is advisable.
- maxretry: The number of failed login attempts a client is allowed before it is banned. The default in the sample file is 3.
- backend: Specifies the backend used to detect modifications to the log files. It should be set to "auto".
- destemail: The email address where we want to receive notifications when an IP address is banned (only used by the mail-sending actions).
Another important part of the DEFAULT section is the ACTION settings. The important lines here say that fail2ban will use the system iptables to ban a suspicious IP address, and specify the protocol (TCP or UDP) that the ban action uses when it builds the firewall rule for the jail's port:
banaction = iptables-multiport
protocol = tcp
After we are done with the default settings and actions, we should set up our SSH section, which makes sure that SSH access to our server is protected. Here is how the SSH section should look inside the configuration file (newer fail2ban releases name this jail [sshd] instead of [ssh]; check the name used in your jail.conf):
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
This section enables SSH monitoring: the port value tells the ban action which port to block (ssh resolves to 22 via /etc/services), the filter value selects the sshd filter that knows how to recognize failed logins in the log, the log file location is /var/log/auth.log, and a client is banned after 4 failed login attempts within the jail's time window.
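To make the interaction of these settings concrete, here is a small Python model of what a fail2ban jail does with the values above. It is an added illustration for this article, not fail2ban's own code: it applies ignoreip, maxretry and bantime, plus fail2ban's findtime window (a real jail.conf setting the article does not list, which bounds how far back failures are counted), to a few constructed sshd lines in the /var/log/auth.log format, and reports which source IPs would be banned and when the ban would expire. The regular expression is a simplification of the real sshd filter, and the sample log lines and addresses are constructed for the example.

```python
"""Toy model of a fail2ban jail (added illustration, not fail2ban's own code).

Applies ignoreip / maxretry / findtime / bantime to constructed sshd log lines
and reports which source IPs would be banned.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

# Simplified stand-in for /etc/fail2ban/filter.d/sshd.conf: the real filter
# recognizes many more message forms, this one only matches "Failed password".
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample of /var/log/auth.log.  10.0.0.5 fails four times in a few
# seconds; 10.0.0.9 does the same but will be whitelisted via ignoreip;
# 192.0.2.7 fails four times spread over an hour, i.e. never within findtime.
SAMPLE_LOG = """\
Mar  1 10:00:01 srv sshd[1001]: Failed password for root from 10.0.0.5 port 50001 ssh2
Mar  1 10:00:03 srv sshd[1002]: Failed password for root from 10.0.0.5 port 50002 ssh2
Mar  1 10:00:04 srv sshd[1003]: Failed password for invalid user admin from 10.0.0.5 port 50003 ssh2
Mar  1 10:00:06 srv sshd[1004]: Failed password for root from 10.0.0.5 port 50004 ssh2
Mar  1 10:00:07 srv sshd[1005]: Accepted publickey for deploy from 192.0.2.7 port 40000 ssh2
Mar  1 10:00:10 srv sshd[1006]: Failed password for root from 10.0.0.9 port 50005 ssh2
Mar  1 10:00:11 srv sshd[1007]: Failed password for root from 10.0.0.9 port 50006 ssh2
Mar  1 10:00:12 srv sshd[1008]: Failed password for root from 10.0.0.9 port 50007 ssh2
Mar  1 10:00:13 srv sshd[1009]: Failed password for root from 10.0.0.9 port 50008 ssh2
Mar  1 10:00:20 srv sshd[1010]: Failed password for root from 192.0.2.7 port 40001 ssh2
Mar  1 10:20:30 srv sshd[1011]: Failed password for root from 192.0.2.7 port 40002 ssh2
Mar  1 10:40:40 srv sshd[1012]: Failed password for root from 192.0.2.7 port 40003 ssh2
Mar  1 11:00:50 srv sshd[1013]: Failed password for root from 192.0.2.7 port 40004 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; fail2ban assumes the current one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip: str, ignoreip: Iterable[str]) -> bool:
    """True if ip falls inside any ignoreip entry (single IP or CIDR mask).

    Host names are accepted by fail2ban but not resolved by this toy.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def run_jail(
    log_text: str,
    maxretry: int = 4,
    findtime: int = 600,
    bantime: int = 1800,
    ignoreip: Iterable[str] = ("127.0.0.1/8",),
) -> Dict[str, Tuple[datetime, datetime]]:
    """Return {ip: (banned_at, ban_expires_at)} for the given jail settings."""
    ignoreip = list(ignoreip)
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    bans: Dict[str, Tuple[datetime, datetime]] = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        window = failures[ip]
        window.append(when)
        # Drop failures older than findtime relative to the newest one.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (when, when + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    result = run_jail(SAMPLE_LOG, ignoreip=["127.0.0.1/8", "10.0.0.9"])
    for ip, (start, end) in result.items():
        print(f"ban {ip} at {start:%H:%M:%S}, expires {end:%H:%M:%S}")
```

Running it bans only 10.0.0.5: 10.0.0.9 is excluded by ignoreip despite four rapid failures, and 192.0.2.7 is never banned because its four failures are more than findtime apart. Raising findtime far enough (or lowering maxretry) would catch that slow attacker too, at the cost of more false positives, which is the trade-off behind the maxretry, findtime and bantime values.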
After all settings are made, we need to restart fail2ban so that it starts monitoring the log files according to our configuration. You can also check which ban rules are currently applied by listing the iptables chains fail2ban creates (one per jail); an entry there confirms that the jail is active and that bans actually reach the firewall.
Fail2ban is one of the most widely used applications when it comes to server security. It is simple and effective, so you shouldn't think twice about installing it on your server. It is a must-have application.