oxeo0/selfhosting-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/selfhosting-blogposts.git synced 2025-05-17 04:36:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
selfhosting-blogposts/fail2banssh/index.md
oxeo0 cc3824e6a2 add selfhosting tutorials
2025-05-06 19:51:39 +02:00

171 lines
9 KiB
Markdown
Raw Blame History

# fail2banssh Setup
In this tutorial we're going to look at how to install fail2ban to protect the ssh service from bruteforce attacks.
## **Initial Setup**
First we enable rsyslog on the server, to make sure that the ssh login attempts are logged.
[ Wonderland ] [ /dev/pts/5 ] [/var/log]
→ sudo apt-get install rsyslog -y
[ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
→ ssh root@192.168.0.100 -i ~/.ssh/torified
Enter passphrase for key '/home/nihilist/.ssh/torified':
[ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
→ ssh root@192.168.0.100 -i ~/.ssh/torified -p 2222
Enter passphrase for key '/home/nihilist/.ssh/torified':
[ Wonderland ] [ /dev/pts/5 ] [/var/log]
→ tail -f auth.log | grep "port 22"
2024-03-30T19:09:31.673606+01:00 wonderland sshd[252531]: Connection from 192.168.0.61 port 51258 on 192.168.0.100 port 22 rdomain ""
2024-03-30T19:09:34.365325+01:00 wonderland sshd[252629]: Connection from 192.168.0.61 port 56804 on 192.168.0.100 port 2222 rdomain ""
Then we install fail2ban to make sure that ssh can't be bruteforced:
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ apt install fail2ban
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
Active: active (running) since Mon 2023-07-10 21:15:03 CEST; 19s ago
Docs: man:fail2ban(1)
Main PID: 94740 (fail2ban-server)
Tasks: 5 (limit: 77000)
Memory: 31.7M
CPU: 174ms
CGroup: /system.slice/fail2ban.service
└─94740 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Jul 10 21:15:03 Datura systemd[1]: Started fail2ban.service - Fail2Ban Service.
Jul 10 21:15:03 Datura fail2ban-server[94740]: 2023-07-10 21:15:03,092 fail2ban.configreader [94740]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Jul 10 21:15:03 Datura fail2ban-server[94740]: Server ready
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ vim /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1
Then just restart your fail2ban service
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ systemctl restart fail2ban
Then you can test if the ssh bruteforce attempts are being stopped or not:
root@web-gw:~# ssh root@116.202.216.190
The authenticity of host '116.202.216.190 (116.202.216.190)' can't be established.
ED25519 key fingerprint is SHA256:63Qqh42ab1AnK9iN83ZQMfNDTeTjbFFvaUEZSm9OZQI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '116.202.216.190' (ED25519) to the list of known hosts.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
root@116.202.216.190: Permission denied (publickey,password).
root@web-gw:~# ssh root@116.202.216.190
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
Permission denied, please try again.
root@116.202.216.190's password:
root@116.202.216.190: Permission denied (publickey,password).
root@web-gw:~#
root@web-gw:~#
root@web-gw:~# ssh root@116.202.216.190
ssh: connect to host 116.202.216.190 port 22: Connection refused
root@web-gw:~#
root@web-gw:~#
root@web-gw:~#
root@web-gw:~#
root@web-gw:~# ssh root@116.202.216.190
ssh: connect to host 116.202.216.190 port 22: Connection refused
root@web-gw:~#
And it does! and you can check that in the logs in /var/log/fail2ban.log:
[ nowhere.moe ] [ /dev/pts/0 ] [~]
→ tail -f /var/log/fail2ban.log -n50
2023-07-10 21:15:03,108 fail2ban.server [94740]: INFO --------------------------------------------------
2023-07-10 21:15:03,108 fail2ban.server [94740]: INFO Starting Fail2ban v1.0.2
2023-07-10 21:15:03,108 fail2ban.observer [94740]: INFO Observer start...
2023-07-10 21:15:03,110 fail2ban.database [94740]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-07-10 21:15:03,112 fail2ban.database [94740]: WARNING New database created. Version '4'
2023-07-10 21:15:03,112 fail2ban.jail [94740]: INFO Creating new jail 'sshd'
2023-07-10 21:15:03,227 fail2ban.jail [94740]: INFO Jail 'sshd' uses poller {}
2023-07-10 21:15:03,227 fail2ban.jail [94740]: INFO Initiated 'polling' backend
2023-07-10 21:15:03,228 fail2ban.filter [94740]: INFO maxLines: 1
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO maxRetry: 5
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO findtime: 600
2023-07-10 21:15:03,236 fail2ban.actions [94740]: INFO banTime: 600
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO encoding: UTF-8
2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO Added logfile: '/var/log/auth.log' (pos = 0, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
2023-07-10 21:15:03,238 fail2ban.jail [94740]: INFO Jail 'sshd' started
2023-07-10 21:15:03,342 fail2ban.filter [94740]: INFO [sshd] Found 219.157.95.77 - 2023-07-10 21:05:51
2023-07-10 21:15:03,343 fail2ban.filter [94740]: INFO [sshd] Found 219.157.95.77 - 2023-07-10 21:05:53
2023-07-10 21:15:03,343 fail2ban.filter [94740]: INFO [sshd] Found 141.98.11.113 - 2023-07-10 21:14:27
2023-07-10 21:15:03,344 fail2ban.filter [94740]: INFO [sshd] Found 141.98.11.113 - 2023-07-10 21:14:30
2023-07-10 21:21:38,514 fail2ban.server [94740]: INFO Shutdown in progress...
2023-07-10 21:21:38,514 fail2ban.observer [94740]: INFO Observer stop ... try to end queue 5 seconds
2023-07-10 21:21:38,534 fail2ban.observer [94740]: INFO Observer stopped, 0 events remaining.
2023-07-10 21:21:38,574 fail2ban.server [94740]: INFO Stopping all jails
2023-07-10 21:21:38,574 fail2ban.filter [94740]: INFO Removed logfile: '/var/log/auth.log'
2023-07-10 21:21:39,300 fail2ban.actions [94740]: NOTICE [sshd] Flush ticket(s) with iptables-multiport
2023-07-10 21:21:39,300 fail2ban.jail [94740]: INFO Jail 'sshd' stopped
2023-07-10 21:21:39,300 fail2ban.database [94740]: INFO Connection to database closed.
2023-07-10 21:21:39,300 fail2ban.server [94740]: INFO Exiting Fail2ban
2023-07-10 21:21:39,461 fail2ban.server [94842]: INFO --------------------------------------------------
2023-07-10 21:21:39,461 fail2ban.server [94842]: INFO Starting Fail2ban v1.0.2
2023-07-10 21:21:39,461 fail2ban.observer [94842]: INFO Observer start...
2023-07-10 21:21:39,466 fail2ban.database [94842]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-07-10 21:21:39,467 fail2ban.jail [94842]: INFO Creating new jail 'sshd'
2023-07-10 21:21:39,556 fail2ban.jail [94842]: INFO Jail 'sshd' uses poller {}
2023-07-10 21:21:39,556 fail2ban.jail [94842]: INFO Initiated 'polling' backend
2023-07-10 21:21:39,557 fail2ban.filter [94842]: INFO maxLines: 1
2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO maxRetry: 3
2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO findtime: 300
2023-07-10 21:21:39,565 fail2ban.actions [94842]: INFO banTime: 3600
2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO encoding: UTF-8
2023-07-10 21:21:39,566 fail2ban.filter [94842]: INFO Added logfile: '/var/log/auth.log' (pos = 378650, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
2023-07-10 21:21:39,566 fail2ban.jail [94842]: INFO Jail 'sshd' started
2023-07-10 21:25:29,417 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:29
2023-07-10 21:25:29,418 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:29
2023-07-10 21:25:31,419 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
2023-07-10 21:25:31,419 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
2023-07-10 21:25:31,601 fail2ban.actions [94842]: NOTICE [sshd] Ban 23.137.250.141
Reference in a new issue View git blame Copy permalink