Install fail2ban for SSH on ServerPilot / Vultr Instance

ServerPilot out of the box has no solution for dealing with brute force attacks. It does have a sister company called Heatshield, which rejects IP addresses that constantly try to connect to your site; you can do the same with the open source fail2ban.

fail2ban is an app which bans access to your site from IP addresses that repeatedly try to log in to your services, such as SSH on port 22. It is good practice to change the SSH port number as well as to deny IPs that keep attempting to get in. fail2ban trawls the logs looking for failure patterns and extends the ban on repeat offenders.

This guide adds fail2ban for SSH on a ServerPilot and Vultr instance running Ubuntu 16.04; it is best to do this with your own UFW firewall and not the default ServerPilot one.

Install fail2ban

sudo apt-get install fail2ban

This will install and start the app, including monitoring of SSH by default. You will find the fail2ban configuration in

/etc/fail2ban/

You can stop it whilst you configure things

service fail2ban stop

Initially it may be good to tail the log file in another shell tab to see what is happening whilst you are learning it…

tail -f /var/log/fail2ban.log

Copy the jail.conf file to a local one named jail.local; settings in the .local file override those in the .conf, so it is best to make your changes there.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Configure Settings

The jail.local file contains a lot of commented-out settings; find the uncommented ones and change a few. A good starting point is to change ignoreip, bantime, findtime, maxretry, banaction and the destemail address, the last so the email alert goes to a preferred address.

ignoreip – good to add your office/home permanent IP (space separated)

banaction – since you are using ufw as the firewall, set banaction to ufw instead of iptables-multiport and you will see the new fail2ban rules as part of the ufw rule set.

banaction = ufw

destemail – receiving email address

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

bantime, findtime, maxretry – the first two values are in seconds. Once an IP has made maxretry failed logins within findtime seconds, that IP is banned for the length of bantime. So if you wanted an IP that had made 5 failed attempts within an hour to be banned for 24 hrs, the following would do it.

# "bantime" is the number of seconds that a host is banned.
bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 3600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

After the changes start fail2ban

service fail2ban start

Check your log and the ufw status output to confirm it is working.

root@wp-beaches-la-2:~# ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
Anywhere REJECT IN 124.153.101.226
Anywhere REJECT IN 121.18.238.106
Anywhere REJECT IN 61.177.172.24
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
68/udp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)

To change the SSH port number, make sure you have it allowed in the ufw firewall first.

ufw allow 2222/tcp

Then back in the jail.local file, change

[sshd]

port = ssh

to

[sshd]

port = 2222

Restart fail2ban

Once you have looked through the jail.local file and are familiar with it, it is better practice to keep jail.local tidy so it contains just the overrides you need, segregated by [] section headers. The variables set in [DEFAULT] and [sshd] override their equivalents in jail.conf, so your new clean and tidy jail.local may resemble this…

[DEFAULT]
bantime = 86400
findtime = 43200
maxretry = 4
banaction = ufw
ignoreip = 127.0.0.1/8 1.2.3.4
mta = mail

[sshd]
enabled = true
port = ssh

Running Processes or jails

You can also see which fail2ban jails are running by using

fail2ban-client status

And if you have the SSH jail running you will see

Status
|- Number of jail:      1
`- Jail list:   sshd

Uninstall fail2ban

sudo apt-get remove fail2ban

Find out more on the fail2ban website and github repo.
