Are you a spammer

Please note, that the first 3 posts you make, will need to be approved by a forum Administrator or Moderator before they are publicly viewable.
Each application to join this forum is checked at the Stop Forum Spam website. If the email or IP address appears there when checked, you will not be allowed to join this forum.
If you get past this check and post spam on this forum, your posts will be immediately deleted and your account inactivated.You will then be banned and your IP will be submitted to your ISP, notifying them of your spamming. So your spam links will only be seen for an hour or two at most. In other words, don't waste your time and ours.

This forum is for the use and enjoyment of the members and visitors looking to learn about and share information regarding the topics listed. It is not a free-for-all advertising venue. Your time would be better spent pursuing legitimate avenues of promoting your websites.

How to Protect ssh Server Using fail2ban

Build it and learn to secure your system/server.


How to Protect ssh Server Using fail2ban

Postby tanmay.01 » Wed Jul 03, 2013 7:55 am

One common attack on ssh service is brute force attacks where a remote attacker indefinitely attempts to log in with different passwords.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, curier, ssh, etc).

To install fail2ban on Ubuntu or Debian, run the following command.
Code: Select all
sudo apt-get install fail2ban


Now you are ready to configure fail2ban ,

Code: Select all
sudo nano /etc/fail2ban/jail.local


[DEFAULT]
# a space delimited list of IP addresses, CIDR prefixes, or DNS hostnames
# to bypass fail2ban protection
ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24

# number of seconds during which a client host is blocked
bantime = 86400

# number of failures before a client host is blocked
maxretry = 5

# number of seconds within which "maxentry" failures result in banning
findtime = 600

mta = sendmail

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@email.com]
logpath = /var/log/auth.log
# ssh-specific max-retry threshold
maxretry = 5
logpath=/var/log/secure


Once the configuration file is ready, start fail2ban service as follows.
Code: Select all
sudo service fail2ban start


To verify fail2ban is running successfully, run fail2ban-client command with “ping” argument. If fail2ban service is running okay, you should see “pong” as a response.
Code: Select all
sudo fail2ban-client ping


Server replied: pong


Show failed SSH logins by date:
Code: Select all
cat /var/log/secure | grep ‘Failed password’ |  sort | uniq -c


A log file called /var/log/messages demonstrates fail2ban in action.
Code: Select all
sudo tail /var/log/messages


You can verify the ban by checking current iptables rules.
Code: Select all
sudo iptables --list -n


If you want to unblock the IP address from fail2ban, run the following command.
$ sudo iptables -D fail2ban-SSH -s The.IP.To.Unblock -j DROP

Note that fail2ban itself is stateless. So if you restart fail2ban, all blocked IP addresses will be unblocked.
HP ENVY 15
•3rd generation Intel(R) Core(TheeMahn) i5-3210M Processor (2.5 GHz with Turbo Boost up to 3.1 GHz)
• 1GB Radeon(TheeMahn) HD 7750M GDDR5 Graphics [HDMI]
• 6GB 1600DDR3 System Memory (2 Dimm)
• 750GB 7200 rpm Hard Drive
• Intel 2x2 802.11a/b/g/n WLAN + Bluetooth(R)
• Full-size Radiance backlit keyboard.

Image
User avatar
tanmay.01
Moderator
 
Posts: 253
Joined: Wed Dec 07, 2011 1:03 pm
Location: India
Age: 27
Operating System: Other Linux

Return to Server and Security

Who is online

Users browsing this forum: No registered users and 1 guest