fail2ban

A while ago, I was checking the servers' logs for any suspicious activity coming from outside. I noticed that both the staging/testing and production servers were receiving a lot of SSH brute-force attacks from a variety of countries, which are shown in the table below.


List of IP addresses (performing SSH brute forcing)

** Information in the table was gathered from: https://www.maxmind.com/en/geoip-demo


Ban failed attempts

Although the servers have no password login, they kept being brute forced on the SSH port. Well, fail2ban was one of the obvious solutions to block those IP addresses permanently or temporarily. I preferred to block them all permanently until I unblock them manually.

The steps for installing fail2ban are pretty obvious; you do the usual thing: apt-get update && apt-get install fail2ban. After the installation completes, the configuration is much more important.

The following steps will guide you through blocking any IP address that is brute forcing SSH.


  • Copy template file
   $ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • Set Ban time

    It is possible to set the ban time to permanent or temporary. I preferred to set it up as permanent, so for this reason I have changed bantime = -1. Save and exit from the file when you are done.

$ vim /etc/fail2ban/jail.local

# Permanent ban 
bantime = -1 
  • Create custom rules for SSH

 $ vim /etc/fail2ban/jail.d/sshd.local

   [sshd]
   enabled  = true
   port     = ssh
   filter   = sshd
   # place of ssh logs
   logpath  = /var/log/auth.log
   # maximum number of attempts that user can make
   maxretry = 4

(*The maxretry value and log file path can be changed according to your setup.)

  • Make the rules persistent

    Making the rules persistent means that the blocked IPs will not be deleted after a restart of the fail2ban service or of the server. This requires a small trick inside the iptables rules under fail2ban: add the following cat and echo commands at the end of actionstart and actionban respectively.

$ vim /etc/fail2ban/action.d/iptables-multiport.conf 

                        .
                        .
                        .

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
              | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

                       .
                       .
                       .

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans
  • Save and restart service
$ systemctl restart fail2ban
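
The persistent.bans file written by the actionban line above is replayed into iptables on every start, and it gains a new line on every ban, so it is worth checking what it contains. The following is an added example, not part of the original post: it assumes the "fail2ban-<name> <ip>" line format shown above, and the function names and sample addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed file format, taken from the
# actionban line above: one "fail2ban-<name> <ip>" entry per line.

# awk helper shared by both functions: accept only dotted-quad IPv4, octets 0-255.
VALID_IPV4='function valid_ipv4(s,    n, p, i) {
    n = split(s, p, ".")
    if (n != 4) return 0
    for (i = 1; i <= 4; i++)
        if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255) return 0
    return 1
}'

# persistent_bans FILE JAIL
# Print each valid address recorded for JAIL once, in first-seen order.
persistent_bans() {
    awk -v chain="fail2ban-$2" "$VALID_IPV4"'
        NF == 2 && $1 == chain && valid_ipv4($2) && !seen[$2]++ { print $2 }' "$1"
}

# rejected_bans FILE
# Print "line-number: text" for entries that should not be replayed into iptables.
rejected_bans() {
    awk "$VALID_IPV4"'
        NF > 0 && (NF != 2 || $1 !~ /^fail2ban-/ || !valid_ipv4($2)) { print NR ": " $0 }' "$1"
}

# write_sample FILE: constructed data using documentation address ranges.
write_sample() {
    cat > "$1" <<'EOF'
fail2ban-sshd 192.0.2.10
fail2ban-sshd 198.51.100.7
fail2ban-sshd 192.0.2.10
fail2ban-nginx 203.0.113.5
fail2ban-sshd 300.1.2.3
fail2ban-sshd
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "replayable sshd bans:"; persistent_bans "$sample" sshd
echo "rejected entries:";     rejected_bans "$sample"
rm -f "$sample"
```

Pointing both functions at /etc/fail2ban/persistent.bans shows how many distinct addresses will be re-inserted at the next restart and which lines are duplicated, truncated or malformed.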

These are the most basic steps to block IP addresses that are actively brute forcing the servers. After some time, I am able to see them with the following command :)


$ sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed:	12
|  |- Total failed:	107
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	16
   |- Total banned:	16
   `- Banned IP list:	171.239.254.84 184.102.70.222 180.251.85.85 103.249.240.208 159.65.194.150 117.217.35.114 113.164.79.129 61.14.228.170 116.110.30.245 43.239.80.181 77.222.130.223 14.255.137.219 184.22.195.230 125.25.82.12 116.110.109.90 115.76.168.231

The list grows over time; however, at least they are not able to brute force the server from the same IP addresses. There are plenty of other ways to make the SSH port much more secure and effective; however, I think having an updated ssh daemon/client, passwordless login and fail2ban will be enough in most cases. So, while I was doing this, although there are plenty of guides out there, I wanted to note down how I did it, to come back and check if something happens.

Take care !