# fail2ban ssh Setup

In this tutorial we're going to look at how to install fail2ban to protect the ssh service from brute-force attacks.

## **Initial Setup**

First we install rsyslog on the server, to make sure that the ssh login attempts are logged to `/var/log/auth.log`:

```
[ Wonderland ] [ /dev/pts/5 ] [/var/log]
→ sudo apt-get install rsyslog -y
```

Connecting from another machine (here once on port 22 and once on port 2222) then shows up in the log:

```
[ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
→ ssh root@192.168.0.100 -i ~/.ssh/torified
Enter passphrase for key '/home/nihilist/.ssh/torified':

[ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
→ ssh root@192.168.0.100 -i ~/.ssh/torified -p 2222
Enter passphrase for key '/home/nihilist/.ssh/torified':
```

```
[ Wonderland ] [ /dev/pts/5 ] [/var/log]
→ tail -f auth.log | grep "port 22"
2024-03-30T19:09:31.673606+01:00 wonderland sshd[252531]: Connection from 192.168.0.61 port 51258 on 192.168.0.100 port 22 rdomain ""
2024-03-30T19:09:34.365325+01:00 wonderland sshd[252629]: Connection from 192.168.0.61 port 56804 on 192.168.0.100 port 2222 rdomain ""
```

Then we install fail2ban so that ssh can't be brute-forced:

```
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ apt install fail2ban

[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Mon 2023-07-10 21:15:03 CEST; 19s ago
       Docs: man:fail2ban(1)
   Main PID: 94740 (fail2ban-server)
      Tasks: 5 (limit: 77000)
     Memory: 31.7M
        CPU: 174ms
     CGroup: /system.slice/fail2ban.service
             └─94740 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jul 10 21:15:03 Datura systemd[1]: Started fail2ban.service - Fail2Ban Service.
Jul 10 21:15:03 Datura fail2ban-server[94740]: 2023-07-10 21:15:03,092 fail2ban.configreader [94740]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Jul 10 21:15:03 Datura fail2ban-server[94740]: Server ready
```

Next we copy the default configuration to `jail.local` (local overrides survive package upgrades, `jail.conf` does not) and enable the sshd jail:

```
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ vim /etc/fail2ban/jail.local
```

```ini
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
maxretry = 3
findtime = 300
bantime  = 3600
ignoreip = 127.0.0.1
```

With these values, an IP that fails `maxretry` (3) times within `findtime` (300 seconds) is banned for `bantime` (3600 seconds); `ignoreip` makes sure localhost is never banned.

Then just restart the fail2ban service so it picks up `jail.local`:

```
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ systemctl restart fail2ban
```

Then you can test, from another host, whether ssh brute-force attempts are actually being stopped:

```
root@web-gw:~# ssh root@116.202.216.190
The authenticity of host '116.202.216.190 (116.202.216.190)' can't be established.
ED25519 key fingerprint is SHA256:63Qqh42ab1AnK9iN83ZQMfNDTeTjbFFvaUEZSm9OZQI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '116.202.216.190' (ED25519) to the list of known hosts.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
root@116.202.216.190: Permission denied (publickey,password).
root@web-gw:~# ssh root@116.202.216.190
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
root@116.202.216.190: Permission denied (publickey,password).
root@web-gw:~#
root@web-gw:~#
root@web-gw:~# ssh root@116.202.216.190
ssh: connect to host 116.202.216.190 port 22: Connection refused
root@web-gw:~#
root@web-gw:~#
root@web-gw:~#
root@web-gw:~#
root@web-gw:~# ssh root@116.202.216.190
ssh: connect to host 116.202.216.190 port 22: Connection refused
root@web-gw:~#
```

And it does! You can confirm this in `/var/log/fail2ban.log`:

```
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ tail -f /var/log/fail2ban.log -n50
2023-07-10 21:15:03,108 fail2ban.server         [94740]: INFO    --------------------------------------------------
2023-07-10 21:15:03,108 fail2ban.server         [94740]: INFO    Starting Fail2ban v1.0.2
2023-07-10 21:15:03,108 fail2ban.observer       [94740]: INFO    Observer start...
2023-07-10 21:15:03,110 fail2ban.database       [94740]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-07-10 21:15:03,112 fail2ban.database       [94740]: WARNING New database created. Version '4'
2023-07-10 21:15:03,112 fail2ban.jail           [94740]: INFO    Creating new jail 'sshd'
2023-07-10 21:15:03,227 fail2ban.jail           [94740]: INFO    Jail 'sshd' uses poller {}
2023-07-10 21:15:03,227 fail2ban.jail           [94740]: INFO    Initiated 'polling' backend
2023-07-10 21:15:03,228 fail2ban.filter         [94740]: INFO      maxLines: 1
2023-07-10 21:15:03,236 fail2ban.filter         [94740]: INFO      maxRetry: 5
2023-07-10 21:15:03,236 fail2ban.filter         [94740]: INFO      findtime: 600
2023-07-10 21:15:03,236 fail2ban.actions        [94740]: INFO      banTime: 600
2023-07-10 21:15:03,236 fail2ban.filter         [94740]: INFO      encoding: UTF-8
2023-07-10 21:15:03,236 fail2ban.filter         [94740]: INFO    Added logfile: '/var/log/auth.log' (pos = 0, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
2023-07-10 21:15:03,238 fail2ban.jail           [94740]: INFO    Jail 'sshd' started
2023-07-10 21:15:03,342 fail2ban.filter         [94740]: INFO    [sshd] Found 219.157.95.77 - 2023-07-10 21:05:51
2023-07-10 21:15:03,343 fail2ban.filter         [94740]: INFO    [sshd] Found 219.157.95.77 - 2023-07-10 21:05:53
2023-07-10 21:15:03,343 fail2ban.filter         [94740]: INFO    [sshd] Found 141.98.11.113 - 2023-07-10 21:14:27
2023-07-10 21:15:03,344 fail2ban.filter         [94740]: INFO    [sshd] Found 141.98.11.113 - 2023-07-10 21:14:30
2023-07-10 21:21:38,514 fail2ban.server         [94740]: INFO    Shutdown in progress...
2023-07-10 21:21:38,514 fail2ban.observer       [94740]: INFO    Observer stop ... try to end queue 5 seconds
2023-07-10 21:21:38,534 fail2ban.observer       [94740]: INFO    Observer stopped, 0 events remaining.
2023-07-10 21:21:38,574 fail2ban.server         [94740]: INFO    Stopping all jails
2023-07-10 21:21:38,574 fail2ban.filter         [94740]: INFO    Removed logfile: '/var/log/auth.log'
2023-07-10 21:21:39,300 fail2ban.actions        [94740]: NOTICE  [sshd] Flush ticket(s) with iptables-multiport
2023-07-10 21:21:39,300 fail2ban.jail           [94740]: INFO    Jail 'sshd' stopped
2023-07-10 21:21:39,300 fail2ban.database       [94740]: INFO    Connection to database closed.
2023-07-10 21:21:39,300 fail2ban.server         [94740]: INFO    Exiting Fail2ban
2023-07-10 21:21:39,461 fail2ban.server         [94842]: INFO    --------------------------------------------------
2023-07-10 21:21:39,461 fail2ban.server         [94842]: INFO    Starting Fail2ban v1.0.2
2023-07-10 21:21:39,461 fail2ban.observer       [94842]: INFO    Observer start...
2023-07-10 21:21:39,466 fail2ban.database       [94842]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-07-10 21:21:39,467 fail2ban.jail           [94842]: INFO    Creating new jail 'sshd'
2023-07-10 21:21:39,556 fail2ban.jail           [94842]: INFO    Jail 'sshd' uses poller {}
2023-07-10 21:21:39,556 fail2ban.jail           [94842]: INFO    Initiated 'polling' backend
2023-07-10 21:21:39,557 fail2ban.filter         [94842]: INFO      maxLines: 1
2023-07-10 21:21:39,565 fail2ban.filter         [94842]: INFO      maxRetry: 3
2023-07-10 21:21:39,565 fail2ban.filter         [94842]: INFO      findtime: 300
2023-07-10 21:21:39,565 fail2ban.actions        [94842]: INFO      banTime: 3600
2023-07-10 21:21:39,565 fail2ban.filter         [94842]: INFO      encoding: UTF-8
2023-07-10 21:21:39,566 fail2ban.filter         [94842]: INFO    Added logfile: '/var/log/auth.log' (pos = 378650, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
2023-07-10 21:21:39,566 fail2ban.jail           [94842]: INFO    Jail 'sshd' started
2023-07-10 21:25:29,417 fail2ban.filter         [94842]: INFO    [sshd] Found 23.137.250.141 - 2023-07-10 21:25:29
2023-07-10 21:25:29,418 fail2ban.filter         [94842]: INFO    [sshd] Found 23.137.250.141 - 2023-07-10 21:25:29
2023-07-10 21:25:31,419 fail2ban.filter         [94842]: INFO    [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
2023-07-10 21:25:31,419 fail2ban.filter         [94842]: INFO    [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
2023-07-10 21:25:31,601 fail2ban.actions        [94842]: NOTICE  [sshd] Ban 23.137.250.141
```

Note the difference between the two starts: the first one (PID 94740) ran with the defaults (`maxRetry: 5`, `findtime: 600`, `banTime: 600`), while after the restart (PID 94842) the jail reports the values from `jail.local` (`3`, `300`, `3600`). Shortly after, 23.137.250.141 is banned as soon as its failures within the window reach the threshold, which is the `Connection refused` seen from the test host above.
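To make the interaction of `maxretry`, `findtime`, `bantime` and `ignoreip` concrete, here is a small added example that models the jail's counting logic in Python (fail2ban itself is a Python daemon). It is not fail2ban's own code: the class `SshdJail`, the functions `run_jail` and `banned_ips`, and the `SAMPLE_AUTH_LOG` lines (constructed, using documentation addresses, in the same timestamp format as the `auth.log` excerpt above) are all assumptions of this example. The regex only recognises OpenSSH "Failed password" lines; the real `sshd` filter covers many more failure patterns. Running it with the tutorial's `3 / 300 / 3600` settings bans a host after three quick failures and leaves a slow host (one failure every six minutes) alone, while the defaults (`5 / 600 / 600`) ban nothing on the same input.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches OpenSSH "Failed password" lines in the ISO-timestamp auth.log format.
# fail2ban's real filter (/etc/fail2ban/filter.d/sshd.conf) is far broader.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S* \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


class SshdJail:
    """Hypothetical model of a jail's maxretry / findtime / bantime / ignoreip semantics."""

    def __init__(self, maxretry=3, findtime=300, bantime=3600, ignoreip=("127.0.0.1",)):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside findtime
        self.bans = {}                      # ip -> time at which the ban expires
        self.ban_log = []                   # (ip, time) in the order bans were issued

    def _expire_bans(self, now):
        # fail2ban unbans on a timer; this model does it lazily per processed line.
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]

    def feed(self, line):
        """Process one auth.log line; return the IP if this line triggers a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        now, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        self._expire_bans(now)
        if ip in self.bans or any(ip_address(ip) in net for net in self.ignore):
            return None  # already banned (would be dropped by iptables) or whitelisted
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:  # only failures inside findtime count
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            self.ban_log.append((ip, now))
            window.clear()
            return ip
        return None

    def is_banned(self, ip):
        return ip in self.bans


def run_jail(log_text, **settings):
    """Feed every line of log_text through a fresh jail and return it."""
    jail = SshdJail(**settings)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


def banned_ips(log_text, **settings):
    return [ip for ip, _ in run_jail(log_text, **settings).ban_log]


# Constructed sample: a fast brute-forcer, a whitelisted localhost, a slow host,
# and a retry from the first host after its 3600 s ban has expired.
SAMPLE_AUTH_LOG = """\
2024-03-30T19:10:01.000000+01:00 wonderland sshd[1001]: Failed password for root from 203.0.113.7 port 51258 ssh2
2024-03-30T19:10:03.000000+01:00 wonderland sshd[1001]: Failed password for root from 203.0.113.7 port 51258 ssh2
2024-03-30T19:10:05.000000+01:00 wonderland sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51300 ssh2
2024-03-30T19:10:08.000000+01:00 wonderland sshd[1003]: Failed password for root from 203.0.113.7 port 51301 ssh2
2024-03-30T19:10:09.000000+01:00 wonderland sshd[1004]: Accepted publickey for root from 192.168.0.61 port 56804 ssh2
2024-03-30T19:12:00.000000+01:00 wonderland sshd[1005]: Failed password for root from 127.0.0.1 port 40000 ssh2
2024-03-30T19:12:01.000000+01:00 wonderland sshd[1005]: Failed password for root from 127.0.0.1 port 40000 ssh2
2024-03-30T19:12:02.000000+01:00 wonderland sshd[1005]: Failed password for root from 127.0.0.1 port 40000 ssh2
2024-03-30T19:20:00.000000+01:00 wonderland sshd[1006]: Failed password for root from 198.51.100.9 port 40100 ssh2
2024-03-30T19:26:00.000000+01:00 wonderland sshd[1007]: Failed password for root from 198.51.100.9 port 40101 ssh2
2024-03-30T19:32:00.000000+01:00 wonderland sshd[1008]: Failed password for root from 198.51.100.9 port 40102 ssh2
2024-03-30T20:11:00.000000+01:00 wonderland sshd[1009]: Failed password for root from 203.0.113.7 port 51400 ssh2
"""

if __name__ == "__main__":
    print("jail.local settings (3/300/3600):", banned_ips(SAMPLE_AUTH_LOG))
    print("default settings   (5/600/600): ", banned_ips(SAMPLE_AUTH_LOG, maxretry=5, findtime=600, bantime=600))
```

The slow host never gets banned under either setting because each of its failures falls out of the `findtime` window before the next one arrives; lowering `findtime` therefore makes the jail more tolerant of slow guessing, not less, and `maxretry` is the knob that decides how many failures are tolerated at all. The 127.0.0.1 lines never count because `ignoreip` is checked before the window is touched, which is why an admin locking themselves out via the loopback is not possible with the page's configuration.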