fail2ban

There were too many attacks against sshd (thousands on a single day), so I decided to install fail2ban. Installation is a simple apt-get install fail2ban. Next, a copy of /etc/fail2ban/jail.conf named jail.local is created: jail.conf is replaced on package upgrades, while jail.local is read after it and overrides its settings. A possible configuration could be:

[INCLUDES]
before = paths-debian.conf

[DEFAULT]
# add more networks if needed, separated by spaces
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime  = 3600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = false

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
backend = %(sshd_backend)s

This configuration bans an attacking IP address once it has produced 3 failed login attempts (maxretry = 3) within one hour (findtime = 3600); maxretry is the number of failures that triggers the ban, not the number that is still tolerated. The attacker stays banned for 24 hours (bantime = 86400). Failures that are spread more thinly than three per hour never reach the threshold, so a patient attacker is not caught by this jail alone.
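To make the findtime/maxretry/bantime semantics concrete, the following is an added example (not fail2ban's own code) that replays the jail's counting over a handful of constructed auth.log lines. It assumes a year for the syslog timestamps (they carry none), handles only IPv4 sources, and uses a simplified sliding-window model of the counters the daemon keeps, which is enough to show which hosts the jail above would ban and which it would not.

```python
"""Simplified model of the [sshd] jail above: count sshd login failures per
source address and ban once MAXRETRY failures fall inside a FINDTIME window.

Added example, not fail2ban's own code. The log lines are constructed, the
year is assumed (syslog timestamps have no year), and the daemon's real
counters differ in detail; the findtime/maxretry behaviour is the point.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same values as in jail.local (seconds).
FINDTIME = 3600
MAXRETRY = 3
BANTIME = 86400
# ignoreip = 127.0.0.1/8 has host bits set; strict=False accepts it, as fail2ban does.
IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]

ASSUMED_YEAR = 2024  # assumption: syslog lines carry no year

# Failure lines of the kind the sshd filter matches (IPv4 only, as on this page).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample, not captured traffic.
SAMPLE_AUTH_LOG = """\
Mar  3 09:00:00 host sshd[999]: Failed password for root from 127.0.0.1 port 20001 ssh2
Mar  3 09:00:05 host sshd[998]: Failed password for root from 127.0.0.1 port 20002 ssh2
Mar  3 09:00:10 host sshd[997]: Failed password for root from 127.0.0.1 port 20003 ssh2
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar  3 10:20:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Mar  3 10:40:10 host sshd[1003]: Failed password for root from 203.0.113.7 port 50003 ssh2
Mar  3 10:45:00 host sshd[1004]: Failed password for root from 203.0.113.7 port 50004 ssh2
Mar  3 11:00:00 host sshd[1005]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 12:30:00 host sshd[1006]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  3 14:00:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar  3 14:00:30 host sshd[1008]: Accepted publickey for alice from 192.0.2.5 port 30001 ssh2
"""


def parse_ts(ts):
    """Parse a syslog timestamp, collapsing the padded day ('Mar  3')."""
    return datetime.strptime(f"{' '.join(ts.split())} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")


def ignored(ip):
    """True when the address falls inside one of the ignoreip networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)


def scan(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {ip: ban start} for every source that reaches maxretry failures within findtime."""
    failures = defaultdict(deque)  # per-ip timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a failure line (e.g. a successful login)
        when, ip = parse_ts(m.group("ts")), m.group("ip")
        if ignored(ip):
            continue
        if ip in bans and when < bans[ip] + timedelta(seconds=bantime):
            continue  # still banned; nothing more to count
        window = failures[ip]
        window.append(when)
        # drop failures that fell out of the findtime window
        while window and (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = when
            window.clear()
    return bans


def status(log_text):
    """Mimic the 'Currently banned' list shown by fail2ban-client status sshd."""
    return sorted(scan(log_text))


if __name__ == "__main__":
    for ip, since in scan(SAMPLE_AUTH_LOG).items():
        print(f"{ip} banned since {since.isoformat()}")
```

Running it shows only 203.0.113.7 banned (its third failure lands 40 minutes after the first); 198.51.100.9 fails three times too, but 90 minutes apart, so the window never holds more than one entry, and the loopback failures are dropped by ignoreip.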

After editing jail.local, and with a working iptables setup (the default ban action inserts its rules there), fail2ban is restarted using systemctl restart fail2ban.

Besides checking /var/log/fail2ban.log or inspecting the firewall rules with iptables -S, the dedicated client program shows the jail's state (failure counters and the currently banned addresses). If the counters stay at zero despite visible attacks, fail2ban-regex, run against the log and the sshd filter, tells whether the filter matches the failed logins at all:

fail2ban-client status sshd

I had some trouble validating fail2ban, because the attacking test host used its IPv6 address, and these addresses are not recognised by fail2ban yet. Should the number of IPv6 attacks increase, SSHGuard with its IPv6 support might be a sensible alternative.
