It is easy to stop SSH brute force attacks.  I implemented fail2ban on my test box in literally 5 minutes.  I configured it so that 6 bad password attempts to SSH will block the source IP address for 600 seconds.  That will really throw off most attackers and automated scanners.

1. Download and install fail2ban on your Linux system.  (apt-get install fail2ban)

2. Edit the config file in /etc/fail2ban.  Copy jail.conf to jail.local and edit that, so your changes survive package upgrades.
    a. Pretty much used the default config, but changed the send-to email address.
    b. That’s it for SSH config.  There are tons of other options, and fail2ban can be integrated with multiple applications including Apache mod_security and FTP.

3. Restart fail2ban (service fail2ban restart).
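The steps above, as an added example (not the post's own file): a POSIX shell function that writes a minimal jail.local carrying the same settings the post's log shows (maxRetry 6, findtime 600, banTime 600) plus the ban-and-email action from the stock jail.conf, and a helper to read a setting back. The e-mail address, the ignoreip entry and the target directory are assumptions; newer fail2ban releases name the jail [sshd] rather than [ssh].

```bash
#!/bin/sh
# Added example, not from the original post.
# Writes a jail.local equivalent to the post's configuration. The directory
# argument lets you test against a scratch directory before touching
# /etc/fail2ban; the e-mail address is an assumed placeholder.

write_jail_local() {
    # $1 = directory to write into (normally /etc/fail2ban)
    # $2 = destination e-mail for ban notifications
    dir="$1"
    email="$2"
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
# Never ban these addresses; put your own management hosts here (assumption).
ignoreip = 127.0.0.1/8
# Ban for 600 s once maxretry failures occur within findtime seconds.
bantime  = 600
findtime = 600
maxretry = 6
destemail = $email

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
# action_mw is defined in the stock jail.conf: ban via iptables and mail a whois report.
action   = %(action_mw)s
EOF
}

jail_setting() {
    # Print the first value of setting $2 found in file $1,
    # e.g. jail_setting /etc/fail2ban/jail.local maxretry  -> 6
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Stand-alone demo: write to a scratch directory and read the settings back.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    write_jail_local "$scratch" "admin@example.com"
    echo "maxretry=$(jail_setting "$scratch/jail.local" maxretry) bantime=$(jail_setting "$scratch/jail.local" bantime)"
    cat "$scratch/jail.local"
fi
```

After writing the real file into /etc/fail2ban, restart with `service fail2ban restart` (step 3) and confirm the jail is up with `fail2ban-client status ssh`, which lists the currently banned addresses.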

Fail2ban uses iptables to enforce blocks by default, inserting a rule that drops traffic from the banned address until banTime expires.  You can check out the other active response configs in /etc/fail2ban/action.d if you are so inclined.

Here are the results.

/var/log/fail2ban.log
INFO    Creating new jail 'ssh'
INFO    Jail 'ssh' uses pyinotify
INFO    Initiated 'pyinotify' backend
INFO    Added logfile = /var/log/auth.log
INFO    Set maxRetry = 6
INFO    Set findtime = 600
INFO    Set banTime = 600
INFO    Jail 'ssh' started
WARNING [ssh] Ban X.X.X.X
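Once the jail is running, the Ban lines above are what you review. As an added example (not from the post), the shell functions below summarise fail2ban.log by source address, so repeat offenders that keep coming back after each 600-second ban stand out; those are candidates for a longer bantime. The log lines in make_sample_log are constructed in the full fail2ban log format using documentation-range addresses.

```bash
#!/bin/sh
# Added example, not from the original post: ban triage over fail2ban.log.

make_sample_log() {
    # Write constructed fail2ban.log lines to file $1 (timestamps and IPs are made up).
    cat > "$1" <<'EOF'
2013-05-01 10:15:02,123 fail2ban.jail   : INFO   Jail 'ssh' started
2013-05-01 10:21:40,512 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2013-05-01 10:31:41,009 fail2ban.actions: WARNING [ssh] Unban 203.0.113.5
2013-05-01 10:33:07,331 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2013-05-01 10:40:55,774 fail2ban.actions: WARNING [ssh] Ban 198.51.100.77
2013-05-01 10:43:08,002 fail2ban.actions: WARNING [ssh] Unban 203.0.113.5
2013-05-01 10:50:56,120 fail2ban.actions: WARNING [ssh] Unban 198.51.100.77
2013-05-01 11:02:19,445 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
EOF
}

ban_counts() {
    # Print "<ip> <number of bans>" for every address banned in log $1,
    # most-banned first. Only "Ban" lines count; "Unban" lines are skipped.
    awk '/WARNING \[[^]]+\] Ban / { bans[$NF]++ }
         END { for (ip in bans) print ip, bans[ip] }' "$1" | sort -k2,2nr -k1,1
}

repeat_offenders() {
    # Addresses banned more than $2 times in log $1 (default threshold: 1).
    threshold="${2:-1}"
    ban_counts "$1" | awk -v t="$threshold" '$2 > t { print $1 }'
}

# Stand-alone demo against the constructed log.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "bans per address:"; ban_counts "$tmp"
    echo "repeat offenders:"; repeat_offenders "$tmp"
    rm -f "$tmp"
fi
```

On a live system run `ban_counts /var/log/fail2ban.log`; an address that appears with a count of three or more within a single day has simply waited out each 600-second ban and resumed.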
