fail2ban: block ssh bruteforce attacks


A while ago, I was checking the servers' logs for any suspicious activity coming from outside. I noticed that both the staging/testing and production servers were receiving a lot of SSH brute force attacks from a variety of countries, shown in the table below.


List of IP Addresses (who are doing SSH Brute Forcing)

| IP Address | Country Code | Location | Network | Postal Code | Approximate Coordinates* | Accuracy Radius (km) | ISP | Organization | Domain | Metro Code |
|---|---|---|---|---|---|---|---|---|---|---|
| 171.239.254.84 | VN | Ho Chi Minh City, Ho Chi Minh, Vietnam, Asia | 171.239.254.0/23 | | 10.8104, 106.6444 | 1 | Viettel Group | Viettel Group | viettel.vn | |
| 184.102.70.222 | US | Warsaw, Indiana, United States, North America | 184.102.70.0/24 | 46582 | 41.2817, -85.8541 | 100 | CenturyLink | CenturyLink | qwest.net | 588 |
| 180.251.85.85 | ID | Surabaya, East Java, Indonesia, Asia | 180.251.85.0/24 | | -7.2484, 112.7419 | 100 | PT Telkom Indonesia | PT Telkom Indonesia | | |
| 103.249.240.208 | IN | Pune, Maharashtra, India, Asia | 103.249.240.0/24 | 411001 | 18.6161, 73.7286 | 10 | Gazon Communications India Limited | Gazon Communications India Limited | | |
| 159.65.194.150 | NL | Amsterdam, North Holland, Netherlands, Europe | 159.65.192.0/20 | 1098 | 52.352, 4.9392 | 1000 | Digital Ocean | Digital Ocean | | |
| 117.217.35.114 | IN | Bhopal, Madhya Pradesh, India, Asia | 117.217.35.0/24 | 462030 | 23.2487, 77.4066 | 50 | BSNL | BSNL | | |
| 113.164.79.129 | VN | Hậu Giang, Vietnam, Asia | 113.164.79.0/24 | | 9.7774, 105.4592 | 50 | VNPT | VNPT | | |
| 61.14.228.170 | IN | Madurai, Tamil Nadu, India, Asia | 61.14.228.168/29 | 625009 | 9.919, 78.1195 | 500 | World Phone Internet Services Pvt Ltd | World Phone Internet Services Pvt Ltd | | |
| 116.110.30.245 | VN | Da Nang, Da Nang, Vietnam, Asia | 116.110.30.0/23 | | 16.0685, 108.2215 | 1 | Viettel Group | Viettel Group | | |
| 43.239.80.181 | IN | Kolkata, West Bengal, India, Asia | 43.239.80.0/24 | 700006 | 22.5602, 88.3698 | 10 | Meghbela Broadband | Meghbela Broadband | PMPL-Broadband.net | |
| 77.222.130.223 | UA | Kyiv, Kyiv City, Ukraine, Europe | 77.222.130.0/24 | 04128 | 50.4334, 30.5216 | 500 | Private Joint Stock Company datagroup | Private Joint Stock Company datagroup | | |
| 14.255.137.219 | VN | Thai Binh, Tinh Thai Binh, Vietnam, Asia | 14.255.136.0/23 | | 20.4487, 106.3343 | 100 | VNPT | VNPT | vnpt.vn | |
| 184.22.195.230 | TH | Bangkok, Bangkok, Thailand, Asia | 184.22.195.0/24 | 10310 | 13.7749, 100.5197 | 20 | AIS Fibre | AIS Fibre | myaisfibre.com | |
| 125.25.82.12 | TH | Ban Tai, Surat Thani, Thailand, Asia | 125.25.82.0/24 | 84280 | 9.5694, 99.9855 | 200 | TOT | TOT | totinternet.net | |
| 116.110.109.90 | VN | Da Nang, Da Nang, Vietnam, Asia | 116.110.109.0/24 | | 16.0685, 108.2215 | 20 | Viettel Group | Viettel Group | | |
| 115.76.168.231 | VN | Ho Chi Minh City, Ho Chi Minh, Vietnam, Asia | 115.76.168.0/23 | | 10.8104, 106.6444 | 1 | Viettel Group | Viettel Group | viettel.vn | |

** Information in the table gathered from: [ https://www.maxmind.com/en/geoip-demo ]


Ban failed attempts

Although the servers have password login disabled, they keep being brute forced on the SSH port. fail2ban was an obvious solution to block those IP addresses, either permanently or temporarily. I preferred to block them all permanently until I unblock them manually.

Installing fail2ban is straightforward; it is the usual apt-get update && apt-get install fail2ban. Once the installation completes, the configuration is what matters.

The following steps will guide you through blocking any IP address that is brute forcing SSH.


   $ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
   $ vim /etc/fail2ban/jail.local

   # in the [DEFAULT] section: permanent ban
   # (edit the .local copy; jail.conf is overwritten on package upgrades)
   bantime = -1


   $ vim /etc/fail2ban/jail.d/sshd.local

   [sshd]
   enabled  = true
   port     = ssh
   filter   = sshd
   # location of the ssh logs
   logpath  = /var/log/auth.log
   # maximum number of failed attempts before the ban
   maxretry = 4

(The maxretry value and the log file can be changed according to your setup.)

The stock iptables action creates a fresh chain on every start, so bans are lost whenever fail2ban restarts. The following edit records each ban in /etc/fail2ban/persistent.bans and re-applies the recorded bans when the jail starts.

$ vim /etc/fail2ban/action.d/iptables-multiport.conf

    .
    .
    .

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              touch /etc/fail2ban/persistent.bans
              awk '/^fail2ban-<name> / {print $2}' /etc/fail2ban/persistent.bans \
              | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

    .
    .
    .

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans

$ systemctl restart fail2ban
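As an added illustration (not part of the original post, nor fail2ban's own code), the following Python mirrors what the steps above configure: a simplified sshd filter applied to constructed auth.log lines, a ban after maxretry = 4 failures inside fail2ban's default 10-minute findtime (assumed, since the post leaves findtime at its default), and the persistent.bans format that the modified action writes and re-reads.

```python
import re
from collections import defaultdict
from datetime import datetime

MAXRETRY = 4    # as in the sshd.local above
FINDTIME = 600  # fail2ban's default 10-minute window (assumed; the post leaves it at the default)

# Simplified form of what fail2ban's sshd filter matches in /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey) for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def failures(lines):
    """Yield (timestamp, ip) for each line that records a failed SSH login."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Ban an IP once it reaches maxretry failures inside one findtime window."""
    recent, banned = defaultdict(list), []
    for ts, ip in failures(lines):
        if ip in banned:
            continue  # bantime = -1: once banned, an IP stays banned
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.append(ip)
    return banned

def persistent_ban_lines(jail, banned):
    """Lines the actionban above appends to /etc/fail2ban/persistent.bans."""
    return [f"fail2ban-{jail} {ip}" for ip in banned]

def load_persistent_bans(text, jail):
    """IPs actionstart's awk re-reads for this jail; the trailing space skips e.g. 'sshd-ddos'."""
    return [l.split()[1] for l in text.splitlines() if l.startswith(f"fail2ban-{jail} ")]
# Constructed auth.log sample using documentation addresses, not the IPs from the post.
SAMPLE_LOG = """\
Mar 10 08:00:01 srv sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar 10 08:00:03 srv sshd[2103]: Failed password for root from 192.0.2.10 port 40130 ssh2
Mar 10 08:00:04 srv sshd[2105]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Mar 10 08:00:06 srv sshd[2107]: Invalid user oracle from 192.0.2.10 port 40140
Mar 10 08:00:09 srv sshd[2109]: Failed password for invalid user test from 192.0.2.10 port 40150 ssh2
Mar 10 08:01:00 srv sshd[2111]: Failed password for root from 203.0.113.5 port 3000 ssh2
Mar 10 08:20:00 srv sshd[2113]: Failed password for root from 203.0.113.5 port 3001 ssh2
Mar 10 08:20:01 srv sshd[2115]: Failed password for root from 203.0.113.5 port 3002 ssh2
Mar 10 08:20:02 srv sshd[2117]: Failed password for root from 203.0.113.5 port 3003 ssh2
""".splitlines()
```

With the sample above, bans(SAMPLE_LOG) bans only 192.0.2.10: 203.0.113.5's first failure falls outside the findtime window, so it never reaches four in one window.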

These are the most basic steps to block IP addresses that are actively brute forcing the servers. After some time, I can see them with the following command :)


$ sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed:	12
|  |- Total failed:	107
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	16
   |- Total banned:	16
   `- Banned IP list:	171.239.254.84 184.102.70.222 180.251.85.85 103.249.240.208 159.65.194.150 117.217.35.114 113.164.79.129 61.14.228.170 116.110.30.245 43.239.80.181 77.222.130.223 14.255.137.219 184.22.195.230 125.25.82.12 116.110.109.90 115.76.168.231

The list keeps growing over time; however, at least they are not able to brute force the server from the same IP addresses again. There are plenty of other ways to make the SSH port more secure, but I think an up-to-date ssh daemon/client, passwordless login and fail2ban will be enough in most cases. Although there are plenty of guides out there, I wanted to note down how I did it so I can come back and check if something happens.

Take care!

Ahmet Turkmen
