It is so easy to stop SSH brute force attacks. I implemented fail2ban on my test box in literally 5 minutes. I configured it so that 6 bad SSH password attempts block the source IP address for 600 seconds. That will really throw off most attackers and automated scanners.
1. Download and install fail2ban on your Linux system. (apt-get install fail2ban)
2. Edit the config file in /etc/fail2ban. Copy jail.conf to jail.local and edit that.
a. I pretty much used the default config, but changed the destination email address.
b. That's it for the SSH config. There are tons of other options, and fail2ban can be integrated with multiple applications including Apache mod_security and FTP.
3. Restart fail2ban (service fail2ban restart).
Fail2ban uses iptables to enforce blocks by default. You can check out the other active response configs in /etc/fail2ban/action.d if you are so inclined.
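To make maxretry, findtime and bantime concrete, here is an added Python simulation (my own example, not fail2ban's code) that replays constructed auth.log lines through the same counting rule the jail above uses. The sshd pattern is a simplified stand-in for fail2ban's filter.d/sshd.conf, and the hostnames, IPs and year in the sample log are assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The jail settings from the post: 6 failures inside a 600 s window ban the source for 600 s.
MAXRETRY, FINDTIME, BANTIME = 6, 600, 600

# Simplified match for sshd failures (fail2ban's real filter.d/sshd.conf covers many more forms).
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")

# Constructed auth.log excerpt: one noisy source, one source that stays under the threshold.
AUTH_LOG = """\
Mar  3 10:00:01 testbox sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:04 testbox sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:07 testbox sshd[2103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:10 testbox sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:12 testbox sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Mar  3 10:00:13 testbox sshd[2105]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:00:16 testbox sshd[2106]: Failed password for root from 203.0.113.5 port 40006 ssh2
Mar  3 10:05:00 testbox sshd[2120]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Mar  3 10:16:00 testbox sshd[2121]: Failed password for bob from 198.51.100.7 port 50002 ssh2
Mar  3 10:27:00 testbox sshd[2122]: Failed password for bob from 198.51.100.7 port 50003 ssh2
""".splitlines()

def parse_ts(line, year=2024):
    """auth.log lines carry no year, so one is assumed (constructed data)."""
    month, day, clock = line.split()[:3]
    return datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")

def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines through the jail's counting rule; return {ip: [ban times]}."""
    recent = defaultdict(deque)    # ip -> failure timestamps still inside findtime
    banned_until, bans = {}, defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue                      # successful logins and noise do not count
        ip, t = m.group("ip"), parse_ts(line)
        if t < banned_until.get(ip, t):
            continue                      # iptables is dropping this source; sshd sees nothing
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()              # findtime: old failures age out of the window
        if len(window) >= maxretry:       # maxretry reached inside the window -> ban
            banned_until[ip] = t + timedelta(seconds=bantime)
            bans[ip].append(t)
            window.clear()
    return dict(bans)
```

Running simulate(AUTH_LOG) bans only 203.0.113.5 (sixth failure at 10:00:16), while 198.51.100.7 never accumulates six failures inside any 600 s window.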
Here are the results.
/var/log/fail2ban.log
INFO Creating new jail 'ssh'
INFO Jail 'ssh' uses pyinotify
INFO Initiated 'pyinotify' backend
INFO Added logfile = /var/log/auth.log
INFO Set maxRetry = 6
INFO Set findtime = 600
INFO Set banTime = 600
INFO Jail 'ssh' started
WARNING [ssh] Ban X.X.X.X