Sunday, September 1, 2024

Securing Your Ubuntu System with Fail2Ban: A Comprehensive Guide to Preventing Brute Force Attacks

Fail2Ban is a Python-based utility that protects a system against network attacks, particularly brute force attempts. Its operation is straightforward yet powerful: Fail2Ban tails system logs (or the systemd journal) and matches each line against the regular expressions of a "filter". When one source IP address produces enough matches within a time window, Fail2Ban runs an "action", typically adding a firewall rule that blocks the address for a set period, and logs the ban.

This article will guide you through installing and configuring Fail2Ban on Ubuntu 24.04 to prevent brute force attacks against your SSH service.

Step 1: Installing Fail2Ban

Before we begin, ensure your package lists and package database are up to date:

sudo apt update && sudo apt upgrade -y
    

Next, install Fail2Ban using the APT package manager:

sudo apt install fail2ban
    

Once the installation completes, verify it by checking the Fail2Ban version:

fail2ban-server --version
    

Knowing your Fail2Ban version is helpful if you encounter issues during this tutorial. Feel free to mention it in the comments if you need assistance.

Step 2: Configuring Fail2Ban

Fail2Ban's configuration lives in the "/etc/fail2ban" directory. Per-item configuration is grouped into the "action.d" (ban actions), "fail2ban.d", "filter.d" (the regular expressions matched against each log) and "jail.d" (drop-in jail overrides) directories, while the main files "fail2ban.conf" and "jail.conf" sit in the directory itself. "jail.local" is not shipped by the package: it is the file you create to hold your own settings, and anything in it overrides the matching setting in "jail.conf".

This tutorial focuses on the jail settings that control brute force protection. "jail.conf" holds the defaults for every service Fail2Ban knows about, including SSH; it is replaced on package upgrades and carries a warning not to edit it directly.

Instead, we'll create "jail.local" in the same directory. Copying the whole of "jail.conf" is the common shortcut this tutorial uses; a minimal "jail.local" containing only the sections you change is cleaner, because updated package defaults then still apply to everything you did not touch:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    

Now, we'll modify this configuration file according to our needs using your preferred text editor (here, we'll use Nano):

sudo nano /etc/fail2ban/jail.local
    

Once the file opens, locate the [sshd] section (in Nano, Ctrl+W searches the file). This is the jail for the SSH daemon; it already contains a port, logpath and backend line. Add or change the settings in that section so that it reads:

[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
findtime = 5m
bantime = 24h

Note: the section header is [sshd], the name of the jail, not [ssh] or [SSH]. The fail2ban-client commands used later (status sshd, set sshd unbanip) refer to the jail by this name, so do not rename it. On Ubuntu the sshd jail is already switched on by "/etc/fail2ban/jail.d/defaults-debian.conf"; writing enabled = true here is harmless and makes the intent explicit. If your SSH daemon listens on a non-standard port, replace port = ssh with that port number, otherwise the firewall rule Fail2Ban adds will not cover the port the attacker is actually using.

Here's a breakdown of the added configuration:

  • enabled = true: Activates the jail.

  • port = ssh: The port(s) the ban action blocks for a banned address. The name "ssh" is resolved through /etc/services to 22; a daemon listening elsewhere needs its port number here.

  • filter = sshd: The set of regular expressions in "filter.d/sshd.conf" applied to each log line to recognise a failed login. The filter name defaults to the jail name, so this line is optional for a jail called [sshd].

  • maxretry = 3: The number of matching failures from one IP address, within findtime, that triggers a ban (here, 3).

  • findtime = 5m: The sliding window over which those failures are counted. An address must produce maxretry matches within this period to be banned; failures spaced further apart than findtime never add up (here, three failures within five minutes).

  • bantime = 24h: How long the address stays banned (here, 24 hours).

These values are not an industry standard to follow blindly; adjust them to your needs. A long bantime keeps a noisy scanner away but also lengthens an accidental lockout of a legitimate user, so pair it with an ignoreip entry for your own management addresses. Fail2Ban can also escalate on its own: setting bantime.increment = true in the jail makes each subsequent ban of the same address longer than the previous one.
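To make the interaction of maxretry, findtime and ignoreip concrete, here is an added example (my own code, not part of Fail2Ban or of this tutorial) that replays a few constructed auth-log lines through the same sliding-window logic a jail applies. The failure regex is a deliberately simplified stand-in for one pattern from "filter.d/sshd.conf", the year is assumed because syslog timestamps carry none, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for ONE of the failregex patterns in filter.d/sshd.conf.
# The real filter has many more patterns; this only covers the sample below.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps have no year; assume one (constructed data)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class Jail:
    """The maxretry / findtime / bantime logic of a jail, per source address."""

    def __init__(self, maxretry=3, findtime=timedelta(minutes=5),
                 bantime=timedelta(hours=24), ignoreip=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.ignoreip = set(ignoreip)       # like ignoreip/ignoreself: never banned
        self.failures = defaultdict(deque)  # ip -> failure times inside the window
        self.bans = {}                      # ip -> time the ban expires

    def feed(self, line):
        """Process one log line; return ("ban", ip) when a ban is triggered."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in self.ignoreip:
            return None
        if ip in self.bans and self.bans[ip] <= ts:
            del self.bans[ip]               # old ban expired; can be banned again
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:
            window.popleft()                # failures older than findtime drop out
        if len(window) >= self.maxretry and ip not in self.bans:
            self.bans[ip] = ts + self.bantime
            window.clear()
            return ("ban", ip)
        return None

    def banned(self, now):
        """Addresses whose ban is still in force at time `now`."""
        return sorted(ip for ip, expiry in self.bans.items() if expiry > now)


# Constructed /var/log/auth.log excerpt: three quick failures from 203.0.113.7,
# three failures 7 minutes apart from 198.51.100.9, three from the admin host.
SAMPLE_AUTH_LOG = """\
Sep  1 10:00:01 ubuntu sshd[1201]: Failed password for root from 203.0.113.7 port 50211 ssh2
Sep  1 10:00:05 ubuntu sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Sep  1 10:00:09 ubuntu sshd[1205]: Accepted publickey for alice from 192.168.0.20 port 51000 ssh2: ED25519 SHA256:abc
Sep  1 10:00:12 ubuntu sshd[1207]: Failed password for root from 203.0.113.7 port 50215 ssh2
Sep  1 10:02:00 ubuntu sshd[1210]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Sep  1 10:09:00 ubuntu sshd[1212]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Sep  1 10:16:00 ubuntu sshd[1214]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Sep  1 10:20:00 ubuntu sshd[1216]: Failed password for root from 192.168.0.20 port 51002 ssh2
Sep  1 10:20:01 ubuntu sshd[1217]: Failed password for root from 192.168.0.20 port 51003 ssh2
Sep  1 10:20:02 ubuntu sshd[1218]: Failed password for root from 192.168.0.20 port 51004 ssh2
"""


def replay(log_text=SAMPLE_AUTH_LOG, ignoreip=("192.168.0.20",)):
    """Replay a log through a jail using this tutorial's settings; return (events, jail)."""
    jail = Jail(maxretry=3, findtime=timedelta(minutes=5),
                bantime=timedelta(hours=24), ignoreip=ignoreip)
    events = [ev for ev in (jail.feed(l) for l in log_text.splitlines()) if ev]
    return events, jail


if __name__ == "__main__":
    events, jail = replay()
    print(events)                                      # [('ban', '203.0.113.7')]
    print(jail.banned(parse_ts("Sep  1 11:00:00")))   # ['203.0.113.7']
```

Only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but seven minutes apart, so the five-minute window never holds three failures, and 192.168.0.20 is exempt through ignoreip even though it fails three times in two seconds. Real Fail2Ban evaluates the same rules continuously against the live log rather than in a batch.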

After editing, the [sshd] section of your "jail.local" should match the block above. Save and close the file. If using Nano, press Ctrl+X, then Y, then Enter to save and exit.

Step 3: Restarting Services

Fail2Ban only reads the log output of the SSH daemon, so the SSH service itself does not need to be restarted for the new jail to take effect. The following two commands simply make sure it is running and enabled to launch automatically at boot:

sudo systemctl restart ssh
sudo systemctl enable ssh
    

Next, check the configuration for syntax errors, then restart Fail2Ban so it reads the new "jail.local" and enable it at boot:

sudo fail2ban-client -t
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
    

Finally, confirm that the jail is loaded and watching the right source:

sudo fail2ban-client status sshd
    

The output lists the log file (or the systemd journal) being monitored, the number of failures seen so far and the currently banned IP addresses, which should be empty for now. If the client reports that the jail does not exist, recheck the section name in "jail.local" and look in "/var/log/fail2ban.log" for the error.

You're now ready to test whether brute force attempts via SSH will be blocked.

Step 4: Testing Brute Force Attacks via SSH

To test that repeated failed SSH logins from one address are blocked, attempt to log in from a second machine on your local network with a wrong password until the attempt limit is reached (the command ip addr show on that machine tells you the address it will appear from). Two caveats. First, "jail.conf" sets ignoreself = true by default, which exempts the server's own addresses, so connecting to localhost from the Fail2Ban system itself will not produce a ban; test from a different host. Second, the address you test from is banned for the full bantime (24 hours in this configuration), so do not test from the only machine you administer the server from unless you have console access, or exempt that machine up front with an ignoreip line in the [DEFAULT] section of "jail.local".

During or after these failed login attempts, monitor the Fail2Ban logs to see if the IP address has been blocked:

sudo tail -f /var/log/fail2ban.log
    

Once the address is banned, its SSH connections are rejected or dropped by the firewall rule before they reach the daemon, so instead of a password prompt the client sees a connection error (refused or timed out, depending on the ban action). On the server, the ban appears in "/var/log/fail2ban.log" as a NOTICE line of the form [sshd] Ban followed by the address, and in the "Banned IP list" of fail2ban-client status sshd.

To lift a ban, for example after a legitimate user has locked themselves out, first list the currently banned addresses for the jail:

sudo fail2ban-client status sshd
    

Then unban the address (192.168.0.101 is an example) with:

sudo fail2ban-client set sshd unbanip 192.168.0.101
    

The jail name (sshd) must match the section header in "jail.local". The firewall rule is removed immediately; the address will be banned again if it keeps failing.
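The Ban and Unban notices written by fail2ban.actions are the authoritative record of what the firewall rules looked like over time. As an added example (my own code, not Fail2Ban's), the following reconciles them to reconstruct which addresses are still banned when a log ends and how often each one has been banned, which is what you want to know when monitoring the log above or before deciding to unban. The excerpt is constructed in the format of "/var/log/fail2ban.log" with documentation addresses; the early Unban of 198.51.100.9 stands for a manual unbanip like the one just shown.

```python
import re
from collections import Counter

# Constructed excerpt in the format of /var/log/fail2ban.log (documentation addresses).
SAMPLE_F2B_LOG = """\
2024-09-01 10:00:01,114 fail2ban.filter         [842]: INFO    [sshd] Found 203.0.113.7 - 2024-09-01 10:00:01
2024-09-01 10:00:05,201 fail2ban.filter         [842]: INFO    [sshd] Found 203.0.113.7 - 2024-09-01 10:00:05
2024-09-01 10:00:12,377 fail2ban.filter         [842]: INFO    [sshd] Found 203.0.113.7 - 2024-09-01 10:00:12
2024-09-01 10:00:12,512 fail2ban.actions        [842]: NOTICE  [sshd] Ban 203.0.113.7
2024-09-01 10:30:00,003 fail2ban.actions        [842]: NOTICE  [sshd] Ban 198.51.100.9
2024-09-01 11:15:44,881 fail2ban.actions        [842]: NOTICE  [sshd] Unban 198.51.100.9
2024-09-02 10:00:12,640 fail2ban.actions        [842]: NOTICE  [sshd] Unban 203.0.113.7
2024-09-02 10:05:00,020 fail2ban.actions        [842]: NOTICE  [sshd] Ban 203.0.113.7
"""

# Only the Ban/Unban notices from fail2ban.actions change firewall state; the
# "Found" lines from fail2ban.filter are individual matches and are skipped.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def ban_state(log_text):
    """Return (current, counts): current[jail] is the set of addresses still
    banned when the log ends; counts[(jail, ip)] is how many times each was banned."""
    current, counts = {}, Counter()
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        banned = current.setdefault(m["jail"], set())
        if m["action"] == "Ban":
            banned.add(m["ip"])
            counts[(m["jail"], m["ip"])] += 1
        else:
            banned.discard(m["ip"])
    return current, counts


def repeat_offenders(counts, threshold=2):
    """(jail, ip) pairs banned at least `threshold` times: candidates for a
    longer bantime (or bantime.increment) or a permanent firewall rule."""
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    current, counts = ban_state(SAMPLE_F2B_LOG)
    print(current)                      # {'sshd': {'203.0.113.7'}}
    print(repeat_offenders(counts))     # [('sshd', '203.0.113.7')]
```

Run against the real file with python3 script.py after replacing SAMPLE_F2B_LOG with the contents of "/var/log/fail2ban.log"; the live banned list from fail2ban-client status sshd should agree with the result, and a disagreement usually means a restart reset the in-memory state or a rotated log was not included.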

Conclusion

This article demonstrated how to install and configure Fail2Ban to block IP addresses attempting brute force attacks against your SSH service. If you have any questions on this topic, feel free to leave them in the comments.

We hope this article proves useful and helps enhance your system's security.
