How to Protect SSH Server Authentication with Fail2ban Ubuntu 18.04

Hello there. Welcome to our tutorial on how to protect SSH server authentication with fail2ban on Ubuntu 18.04.

Fail2ban is an intrusion prevention tool written in Python that protects servers, or any service that requires authentication, from brute-force attacks. It scans the server or service logs for anomalies, for example multiple failed SSH login attempts, and bans the IP addresses responsible for them.

It achieves this by adjusting the firewall rules to reject any further attempt by the offending host to authenticate to the same system or service for a defined period of time. It can also be configured to send notifications when this happens.

As much as fail2ban mitigates brute-forcing, it does not remove the risk that weak authentication mechanisms pose to your server or service. Therefore, ensure that you also implement strong authentication mechanisms for your systems and services.

Install Fail2Ban on Ubuntu 18.04

Fail2ban is available on the default Ubuntu 18.04 repositories and can simply be installed by running the command below;

sudo apt update
sudo apt install fail2ban -y

Configure fail2ban

The configuration files for fail2ban are located under /etc/fail2ban directory with jail.conf being the main configuration file.

In order to configure fail2ban to protect specific services, copy jail.conf to a custom jail.local configuration file. Directly modifying the *.conf files is not recommended, because they are overwritten on upgrade and any changes made to them will be lost.

Therefore, you can either copy the main configuration file, jail.conf, to jail.local and make your customizations there, or simply create a new jail.local and define only the settings you wish to override from the main .conf.

vim /etc/fail2ban/jail.local

You can however use the jail.conf to guide you on settings you would like to override.

Fail2ban Global Settings

The [DEFAULT] section of the configuration file defines settings that are applied to all the services protected by fail2ban. In this section, you may want to override settings like ignoreip, bantime, findtime, maxretry, destemail, sender, mta and the action settings.

To customize your jail.local, edit it and put the following contents;

[DEFAULT]
ignoreip = 192.168.43.149
bantime  = 1440m
findtime  = 5m
maxretry = 5
destemail = [email protected]
sender = fail2ban@<fq-hostname>
mta = postfix

These parameters are described below;

  • ignoreip – Defines IP addresses that are exempted from being banned by fail2ban. Multiple IP addresses can be defined using a space as the separator. Fail2ban doesn't ban any host by default.
  • bantime – Defines how long a host is blocked when it fails to authenticate correctly to the server. It is usually 10 minutes by default.
  • findtime – Defines the time window within which a host must generate the number of authentication failures set by maxretry in order to be blocked. It is usually 10 minutes by default.
  • maxretry – Defines the maximum number of failures before a host is blocked. The default is 3.
  • destemail – Specifies the email address to send notifications to, in case you want to be notified whenever a host is banned.
  • sender – Defines the value of the "From" field in the email sent.
  • mta – Specifies the mail transfer agent used for mailing.

Configure SSH Jail Settings

In order to define settings that apply only to a specific service, for example SSH, you need to create a section for that service. By default, the SSH service is enabled while all other services are disabled. To block failed login attempts on the SSH server, create a jail as shown below.

# SSH Jail to block multiple failed login attempts

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log

The parameters used are described below;

  • enabled : This option turns on SSH server protection.
  • port : Defines the service (port) that the jail protects.
  • filter : Defines the configuration file located in the /etc/fail2ban/filter.d/ directory that fail2ban uses to find matches, in this case /etc/fail2ban/filter.d/sshd.conf.
  • logpath : Specifies the location of the service log file.

Starting fail2ban

Once you are done with the configuration, save the configuration file, then start fail2ban and enable it to run on system boot. The Ubuntu package already starts fail2ban on installation, so if it is running, restart it so that it loads the settings in jail.local.

systemctl start fail2ban
systemctl enable fail2ban

As you can see under the ACTIONS section of jail.conf, fail2ban uses iptables to block or ban any source IP that is involved in suspicious authentication attempts.

...
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
...

Check Ban Status

Fail2ban operates in a client-server model. The server program, fail2ban-server, is responsible for monitoring log files and issuing ban/unban commands, whereas fail2ban-client reads the configuration files and issues the corresponding configuration commands to the server.

To check for banning status, run the command below;

fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd

This will show you the jails that have been activated. In this case, sshd.

Banning can also be done manually using the fail2ban-client command. For example, to ban a specific IP, run the command;

fail2ban-client set sshd banip 192.168.43.220
192.168.43.220

If you check the status of the jail now, you will see the banned IP in the list of banned IPs.

fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	1
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	192.168.43.220

To unblock the IP, run;

fail2ban-client set sshd unbanip 192.168.43.220

Test SSH Banning

Before you can conclude that fail2ban is actually working, you need to test it. Based on the settings defined above, for an IP to be banned it has to generate at least 5 failed login attempts within five minutes. Therefore, you can deliberately fail a few ssh logins to your server from a test host and then check the status of the jail.

fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	7
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	2
   `- Banned IP list:	192.168.43.69

You can also check the fail2ban log entries;

tail -f /var/log/fail2ban.log
2018-11-30 00:04:21,048 fail2ban.filter         [4125]: INFO    [ssh] Found 192.168.43.69 - 2018-11-30 00:00:25
2018-11-30 00:04:21,048 fail2ban.filter         [4125]: INFO    [ssh] Found 192.168.43.69 - 2018-11-30 00:00:27
2018-11-30 00:04:21,049 fail2ban.filter         [4125]: INFO    [ssh] Found 192.168.43.69 - 2018-11-30 00:01:21
2018-11-30 00:04:21,050 fail2ban.filter         [4125]: INFO    [ssh] Found 192.168.43.69 - 2018-11-30 00:01:26
2018-11-30 00:04:21,050 fail2ban.filter         [4125]: INFO    [ssh] Found 192.168.43.69 - 2018-11-30 00:01:29
2018-11-30 00:04:21,051 fail2ban.filter         [4125]: INFO    [ssh] Found 192.168.43.69 - 2018-11-30 00:01:38
2018-11-30 00:04:21,052 fail2ban.filter         [4125]: INFO    [ssh] Found 192.168.43.69 - 2018-11-30 00:01:40
2018-11-30 00:04:21,358 fail2ban.actions        [4125]: NOTICE  [ssh] Ban 192.168.43.69
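The sequence in that log, one Found line per matching auth.log entry and then a Ban once maxretry failures fall inside findtime, is the whole of what the [DEFAULT] parameters and the [ssh] jail above control, and it is easier to reason about when replayed in code. The following is an added example, not code from this tutorial or from fail2ban itself: it reads a constructed jail.local with the tutorial's settings, converts the bantime/findtime suffixes to seconds, and replays constructed auth.log lines through a simplified stand-in for the sshd filter's "Failed password" match. The regular expression, the year, the host name and all log lines are assumptions made for the example; the real filter has many more patterns, and the real server reads logs in batches and expires bans on a timer rather than per event.

```python
"""Replay of fail2ban's findtime / maxretry / bantime logic over sample log lines.
Added example for this tutorial; not fail2ban's own code. Config, log, year and
regex are constructed for the example."""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed jail.local carrying the tutorial's [DEFAULT] and [ssh] settings.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.43.149
bantime  = 1440m
findtime = 5m
maxretry = 5

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
"""

# Constructed /var/log/auth.log excerpt in the syslog format sshd uses on Ubuntu 18.04.
AUTH_LOG = """\
Nov 30 00:00:25 srv sshd[1201]: Failed password for invalid user admin from 192.168.43.69 port 50122 ssh2
Nov 30 00:00:27 srv sshd[1201]: Failed password for invalid user admin from 192.168.43.69 port 50122 ssh2
Nov 30 00:01:21 srv sshd[1210]: Failed password for root from 192.168.43.69 port 50130 ssh2
Nov 30 00:01:26 srv sshd[1210]: Failed password for root from 192.168.43.69 port 50130 ssh2
Nov 30 00:01:29 srv sshd[1210]: Failed password for root from 192.168.43.69 port 50130 ssh2
Nov 30 00:01:38 srv sshd[1222]: Failed password for root from 192.168.43.69 port 50140 ssh2
Nov 30 00:01:40 srv sshd[1222]: Failed password for root from 192.168.43.69 port 50140 ssh2
Nov 30 00:02:00 srv sshd[1230]: Failed password for root from 192.168.43.149 port 50200 ssh2
Nov 30 00:02:02 srv sshd[1230]: Failed password for root from 192.168.43.149 port 50200 ssh2
Nov 30 00:02:04 srv sshd[1230]: Failed password for root from 192.168.43.149 port 50200 ssh2
Nov 30 00:03:00 srv sshd[1240]: Accepted publickey for alice from 192.168.43.10 port 50300 ssh2
Nov 30 00:10:00 srv sshd[1250]: Failed password for root from 192.168.43.200 port 50400 ssh2
Nov 30 00:16:00 srv sshd[1251]: Failed password for root from 192.168.43.200 port 50401 ssh2
Nov 30 00:22:00 srv sshd[1252]: Failed password for root from 192.168.43.200 port 50402 ssh2
"""

# Simplified stand-in for one failregex of filter.d/sshd.conf (an assumption, not the real filter).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """Convert a fail2ban time value such as '1440m', '5m' or '600' into seconds.
    Only the single number-plus-suffix form used in the tutorial is accepted."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError("unsupported time value: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2)]


def simulate(jail_local, auth_log, year=2018):
    """Return a list of (kind, host, timestamp) events, kind being 'Ignore', 'Found' or 'Ban'.
    Values not set in [ssh] fall back to [DEFAULT], as they do in fail2ban."""
    cfg = configparser.ConfigParser()
    cfg.read_string(jail_local)
    jail = cfg["ssh"]
    findtime = timedelta(seconds=parse_time(jail["findtime"]))
    bantime = timedelta(seconds=parse_time(jail["bantime"]))
    maxretry = int(jail["maxretry"])
    ignore = [ip_network(n, strict=False) for n in jail["ignoreip"].split()]

    failures = defaultdict(deque)  # host -> timestamps of failures still inside findtime
    banned_until = {}              # host -> moment its ban expires
    events = []
    for line in auth_log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a failure (e.g. a successful login); never counted
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        host = m["host"]
        if any(ip_address(host) in net for net in ignore):
            events.append(("Ignore", host, ts))  # ignoreip: seen, but never banned
            continue
        if host in banned_until and ts < banned_until[host]:
            continue  # still banned; the firewall rule would have dropped this attempt
        events.append(("Found", host, ts))
        window = failures[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            events.append(("Ban", host, ts))
            banned_until[host] = ts + bantime
            window.clear()
    return events


def banned_hosts(events):
    """Hosts with a Ban event, like the 'Banned IP list' in fail2ban-client status."""
    return sorted({host for kind, host, _ in events if kind == "Ban"})


if __name__ == "__main__":
    events = simulate(JAIL_LOCAL, AUTH_LOG)
    for kind, host, ts in events:
        print("[ssh] %s %s - %s" % (kind, host, ts))
    print("Banned IP list:", ", ".join(banned_hosts(events)))
```

Running it bans 192.168.43.69 on its fifth failure within the 5 minute window, leaves 192.168.43.149 alone because it matches ignoreip, and never bans 192.168.43.200, whose three failures are six minutes apart and so never accumulate inside findtime. Changing maxretry or findtime in JAIL_LOCAL and rerunning is a quick way to see what a given combination would have done to a real login burst before putting it on a server.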

Once you have been banned and try to ssh again, the connection is refused;

ssh [email protected]
ssh: connect to host 192.168.43.154 port 22: Connection refused

Well, from the output above, you can see that fail2ban works fine. Feel free to explore more about this beautiful tool. That is all it takes to protect your SSH server with Fail2ban. In our next article, we will see how to protect other services in the same way. Thanks for reading. We hope this was informative.
