So you have installed minimal setup of Ubuntu, you have setup SSH with public key authentication and disabled password authentication, and you have also allowed only single non-root user to access the server. You also configured a firewall, spending an entire night understanding the rules, and blocked everything except a few required ports. Now does this mean that your server is secured and you are free to take a nice sound sleep? Nope.
Servers are exposed to the public network, and the SSH daemon itself, which is probably the only service open, and can be vulnerable to attacks. If you monitor the application logs and access logs, you can find repeated systematic login attempts that represent brute force attacks.
Fail2ban is a service that can help you monitor logs in real time and modify iptables rules to block suspected IP addresses. It is an intrusion-prevention framework written in Python. It can be set to monitor logs for SSH daemon and web servers. In this recipe, we will discuss how to install and configure fail2ban.
Getting ready
You will need access to a root account or an account with similar privileges.
How to do it…
Follow these steps to secure against brute force attacks:
Fail2ban is available in the Ubuntu package repository, so we can install it with a single command, as follows:
$ sudo apt-get update
$ sudo apt-get install fail2ban
Create a copy of the fail2ban configuration file for local modifications:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open a new configuration file in your favorite editor:
$ sudo nano /etc/fail2ban/jail.local
You may want to modify the settings listed under the [DEFAULT] section:
Add your IP address to the ignore IP list.
Next, set your e-mail address if you wish to receive e-mail notifications of the ban action:
destemail = you@provider.com
sendername = Fail2Ban
mta = sendmail
Set the required value for the action parameter:
action = $(action_mwl)s
Enable services you want to be monitored by setting enable=true for each service. SSH service is enabled by default:
[ssh]
enable = true
Set other parameters if you want to override the default settings.
Fail2ban provides default configuration options for various applications. These configurations are disabled by default. You can enable them depending on your requirement.
Restart the fail2ban service:
$ sudo service fail2ban restart
Check iptables for the rules created by fail2ban:
$ sudo iptables -S
Try some failed SSH login attempts, preferably from some other system.
Check iptables again. You should find new rules that reject the IP address with failed login attempts:
How it works…
Fail2ban works by monitoring the specified log files as they are modified with new log entries. It uses regular expressions called filters to detect log entries that match specific criteria, such as failed login attempts. Default installation of fail2ban provides various filters that can be found in the /etc/fail2ban/filter.d directory. You can always create your own filters and use them to detect log entries that match your criteria.
Once it detects multiple logs matching with the configured filters within the specified timeout, fail2ban adjusts the firewall settings to reject the matching IP address for configured time period.
There's more…
Check out the article about defending against brute force attacks at http://www.la-samhna.de/library/brutessh.html .
The preceding articles shows multiple options to defend against SSH brute force attacks. As mentioned in the article, you can use iptables to slow down brute force attacks by blocking IP addresses:
$ iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
$ iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
$ iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
These commands will create an iptables rule to permit only three SSH login attempts per minute. After three attempts, whether they are successful or not, the attempting IP address will be blocked for another 60 seconds.
