Setting up fail2ban

Protecting SSH in Raspbian 8 (Debian Jessie)

Fail2ban is a tool that reads log files looking for exploit attempts and malicious login attempts, and bans the source IP address by updating the firewall rules.

I opened up the SSH port to my Raspberry Pi hosted at home so I could do development work remotely, but from the day I opened up the port my Pi has been bombarded by SSH login attempts. It was usually the same few IP addresses making multiple attempts a second, so fail2ban would be perfect for this.

I followed the guide by Digital Ocean as a general recipe.

Noticing the many failed login attempts

By chance I looked at /var/log/auth.log and noticed a large number of failed login attempts. Running sudo lastb | tail -n1; sudo lastb | wc -l is another good way of seeing the number of failed login attempts.

Installing and Configuring fail2ban

Installing fail2ban was very simple.

$ sudo apt-get install fail2ban

/etc/fail2ban/jail.conf is the main configuration file. I made a second local configuration file with more specific settings to be more readable, /etc/fail2ban/jail.local.

The DEFAULT block defines some default rules. I define bantime, the number of seconds to ban an IP address (1 hour); findtime, how far back to look in the log files when counting failed attempts (1 hour); and maxretry (6), the number of malicious attempts within the last findtime seconds before banning.

SSH rules

The SSH block is what really mattered to me. Here the rules for SSH login attempts are defined based on records in /var/log/auth.log.

[ssh]

enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 86400
logpath = /var/log/auth.log
banaction = iptables-allports

The rule is enabled. Port is set to the default SSH port (22) as I haven't changed it. Filter is set to sshd which is a file containing the regex rules for this filter, /etc/fail2ban/filter.d/sshd.conf.

I reduced the max retries to 3 because I personally have a very low chance of getting my login wrong more than once. I increased the ban time to 1 day. I set the path of the log file for it to read to /var/log/auth.log. And the ban method is iptables-allports, which makes iptables reject-with icmp-port-unreachable on every port for this IP address.
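To make the interaction of maxretry, findtime and bantime concrete, here is a small Python model of what the sshd filter does over /var/log/auth.log. It is an added example, not fail2ban's own code; the log lines are constructed, the regex is a simplified stand-in for the patterns in /etc/fail2ban/filter.d/sshd.conf, and the year (2016) is assumed because auth.log timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log (made up for this example, not the author's log).
# 198.51.100.7 fails three times in a few seconds; 192.0.2.10 fails three times spread
# over two hours, so only the first one reaches maxretry inside the findtime window.
AUTH_LOG = """\
Mar  3 10:00:01 raspberrypi sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  3 10:00:02 raspberrypi sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar  3 10:00:04 raspberrypi sshd[1205]: Failed password for root from 198.51.100.7 port 40140 ssh2
Mar  3 10:05:00 raspberrypi sshd[1210]: Failed password for pi from 192.0.2.10 port 50001 ssh2
Mar  3 10:30:00 raspberrypi sshd[1220]: Accepted publickey for pi from 192.0.2.10 port 50002 ssh2
Mar  3 12:00:00 raspberrypi sshd[1230]: Failed password for pi from 192.0.2.10 port 50003 ssh2
Mar  3 12:10:00 raspberrypi sshd[1231]: Failed password for pi from 192.0.2.10 port 50004 ssh2
"""

# Simplified stand-in for one of the failregex patterns in filter.d/sshd.conf.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2016):
    """auth.log timestamps carry no year; assume one (2016 here) so they can be compared."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def ips_to_ban(log_text, maxretry=3, findtime=3600, year=2016):
    """Return {ip: time_of_ban} for each IP with >= maxretry failures inside a findtime-second window."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"), year)
        # Drop failures older than findtime, then count the current one.
        recent[ip] = [x for x in recent[ip] if (t - x).total_seconds() <= findtime] + [t]
        if len(recent[ip]) >= maxretry:
            bans[ip] = t
    return bans

def still_banned(banned_at, now, bantime=86400):
    """A ban placed at banned_at expires once bantime seconds have passed."""
    return (now - banned_at).total_seconds() < bantime
```

With the page's settings (maxretry 3, findtime 3600, bantime 86400) only 198.51.100.7 is banned; raising findtime to a day would catch the slow attempts from 192.0.2.10 as well.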

Final configuration

The following is the final configuration of /etc/fail2ban/jail.local

[DEFAULT]
bantime = 3600
findtime = 3600
maxretry = 6

[ssh]

enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 86400
logpath = /var/log/auth.log
banaction = iptables-allports

Avoiding the issue altogether

I need to move away from using passwords for SSH login and use SSH keys. That way I can just disable password login and never worry about brute-force login attempts.