
Secure SSH with Fail2Ban

October 7th, 2008

Managing a server remotely is important, but I believe securing that access is just as important.
Would you like to type "last" and realize that someone has just logged in to your server from a faraway country?
Well, the solution is here!
We will be installing fail2ban, which is capable of monitoring not just SSH but many other daemons.


Check out my other posts related to this:

  • Poor man’s IPS
  • Block entire country using iptables

It is quite cool: it sends you an email after X failed attempts and adds the offending IP to iptables for X amount of time.

    Installing in Debian:

    # apt-get install fail2ban


    Installing in RedHat, CentOS, Fedora (from source; the GitHub archive is gzip-compressed, so extract with -z, and wget -O gives the download a sensible file name):

    # wget https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz -O fail2ban-0.9.4.tar.gz
    # tar -xzvf fail2ban-0.9.4.tar.gz
    # cd fail2ban-0.9.4
    # python setup.py install

    Autostart in RedHat, CentOS, Fedora:
    # cp files/redhat-initd /etc/init.d/fail2ban
    # chkconfig --add fail2ban
    # chkconfig fail2ban on
    # service fail2ban start

    Configuring Fail2ban:
    Fail2ban is configured sensibly out of the box for the most part; only a few items need to be tweaked.
    /etc/fail2ban/fail2ban.conf holds the general settings of the fail2ban daemon itself, such as which log file it writes to. The jails (what to watch and what to do about it) live in /etc/fail2ban/jail.conf. It is recommended not to change that file directly, because a package upgrade will overwrite it. Instead, copy it to jail.local; settings in the .local file override the .conf one.
    # cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    First, under [DEFAULT] find ignoreip. It is always important for you to have a way in! These are the IPs that fail2ban will ignore: hosts listed here can fail logins as often as they like without ever being banned, so list only your own trusted management networks. Entries are space separated.
    Check also bantime, maxretry and the other settings. I believe the default bantime of only 10 min (600 sec) is not enough to handle an attack,
    so I raised it to 86400 (24 hours). Also adjust the log file paths and names to your system.

    # vim /etc/fail2ban/jail.local

    [DEFAULT]

    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24
    bantime = 86400
    maxretry = 5

    [ssh-iptables]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
             sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
    logpath = /var/log/auth.log
    maxretry = 5

    The second action line must be indented so that it is read as a continuation of the "action" value. On RedHat, CentOS and Fedora sshd logs to /var/log/secure instead of /var/log/auth.log, so there use:
    logpath = /var/log/secure

    Then restart the service:
    # /etc/init.d/fail2ban restart
    or RedHat
    # service fail2ban restart

    And check your iptables. The ban chain is called fail2ban-<name>, where <name> is the name= parameter of the iptables action: with the action above that is fail2ban-SSH (the Debian package's default [ssh] jail uses the jail name instead, giving fail2ban-ssh):
    # iptables -L -n
    # iptables -L fail2ban-SSH -n --line-numbers

    If you want to unblock someone, delete that rule number from the chain, or better, ask fail2ban to unban the address so that its own bookkeeping stays consistent with iptables:
    # iptables -D fail2ban-SSH 1
    # fail2ban-client set ssh-iptables unbanip 203.0.113.5

    Show failed SSH logins by date (use /var/log/auth.log on Debian). Note that sorting the whole lines and running uniq -c counts every line once, because the timestamp makes each line unique, so first cut the lines down to the day:
    # grep 'Failed password' /var/log/secure | awk '{print $1, $2}' | sort | uniq -c
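    As an added example (not part of the original post), the POSIX shell script below emulates what the [ssh-iptables] jail above does with maxretry and ignoreip, and does the per-day count properly, over constructed auth.log/secure-style sshd lines embedded in the script. It is a simplification of fail2ban: there is no findtime window, ignoreip is matched exactly (no CIDR masks or DNS names), and only "Failed password" lines count, whereas fail2ban's sshd filter matches several more patterns. The hostname srv, the PIDs, user names and addresses in the sample are made up (documentation address ranges).

```sh
#!/bin/sh
# Added example (not part of the original post): emulate the counting that the
# [ssh-iptables] jail does with maxretry / ignoreip, and count failures per day,
# over constructed syslog-style sshd lines. Pipe a real /var/log/auth.log or
# /var/log/secure into the functions instead of the sample to use it for real.
# Simplifications: no findtime window, ignoreip is exact-match only (no CIDR),
# and only "Failed password" lines count (fail2ban's sshd filter matches more).

MAXRETRY=5                 # same role as maxretry in jail.local
IGNOREIP="127.0.0.1 ::1"   # exact addresses to skip, same role as ignoreip

# Constructed sample log (hostname, PIDs, users and addresses are made up).
SAMPLE_LOG='Oct  7 10:00:01 srv sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Oct  7 10:00:02 srv sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Oct  7 10:00:03 srv sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Oct  7 10:00:04 srv sshd[2004]: Failed password for invalid user admin from 203.0.113.5 port 40004 ssh2
Oct  7 10:00:05 srv sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Oct  7 10:00:06 srv sshd[2006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Oct  7 11:12:13 srv sshd[2101]: Failed password for alice from 192.0.2.9 port 51001 ssh2
Oct  7 11:12:20 srv sshd[2102]: Failed password for alice from 192.0.2.9 port 51002 ssh2
Oct  7 11:12:27 srv sshd[2103]: Failed password for alice from 192.0.2.9 port 51003 ssh2
Oct  7 11:12:40 srv sshd[2104]: Accepted password for alice from 192.0.2.9 port 51004 ssh2
Oct  8 02:30:00 srv sshd[2201]: Failed password for alice from 192.0.2.9 port 51101 ssh2
Oct  8 02:30:05 srv sshd[2202]: Failed password for alice from 192.0.2.9 port 51102 ssh2
Oct  8 03:00:00 srv sshd[2301]: Failed password for root from 198.51.100.7 port 60001 ssh2
Oct  8 03:00:01 srv sshd[2302]: Failed password for root from 198.51.100.7 port 60002 ssh2
Oct  8 09:00:00 srv sshd[2401]: Failed password for bob from 127.0.0.1 port 33001 ssh2
Oct  8 09:00:01 srv sshd[2402]: Failed password for bob from 127.0.0.1 port 33002 ssh2
Oct  8 09:00:02 srv sshd[2403]: Failed password for bob from 127.0.0.1 port 33003 ssh2
Oct  8 09:00:03 srv sshd[2404]: Failed password for bob from 127.0.0.1 port 33004 ssh2
Oct  8 09:00:04 srv sshd[2405]: Failed password for bob from 127.0.0.1 port 33005 ssh2
Oct  8 09:00:05 srv sshd[2406]: Failed password for bob from 127.0.0.1 port 33006 ssh2'

# offenders [maxretry]: read log lines on stdin and print "ip count", sorted by
# ip, for every address with at least maxretry failed passwords. Addresses in
# IGNOREIP are skipped entirely, which is what ignoreip does in fail2ban.
offenders() {
    awk -v max="${1:-$MAXRETRY}" -v ignore="$IGNOREIP" '
        BEGIN { n = split(ignore, list, " "); for (k = 1; k <= n; k++) ign[list[k]] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            # the client address is the token after "from" (then "port N ssh2")
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || ip in ign) next
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | LC_ALL=C sort
}

# failures_by_day: read log lines on stdin and print "Mon D count" per calendar
# day. Keying on the date fields is what the one-liner in the post needs;
# sort | uniq -c over whole lines counts every line once because of the timestamp.
failures_by_day() {
    awk '/sshd\[[0-9]+\]: Failed password for/ { day[$1 " " $2]++ }
         END { for (d in day) print d, day[d] }' | LC_ALL=C sort -k1,1M -k2,2n
}

# Demo over the constructed sample; on a live system run e.g.
#   offenders < /var/log/auth.log      or      failures_by_day < /var/log/secure
echo "== would be banned (maxretry=$MAXRETRY, ignoring: $IGNOREIP) =="
printf '%s\n' "$SAMPLE_LOG" | offenders
echo "== failed passwords per day =="
printf '%s\n' "$SAMPLE_LOG" | failures_by_day
```

    With the sample, 203.0.113.5 (6 failures) and 192.0.2.9 (5 failures, spread over two days) cross maxretry=5, 198.51.100.7 stays under it, and 127.0.0.1 would have been banned but is skipped because it is in IGNOREIP, which is exactly why the post warns to keep your own management network in ignoreip. A real deployment should also respect findtime: fail2ban only bans when the maxretry failures fall inside that window, so 192.0.2.9 would not be banned by fail2ban here unless findtime covered both days.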

    There is also a cool nagios plugin

    More on Fail2Ban

    Appendix, install an email server (smail or sendmail) so the sendmail-whois action can deliver mail:
    # apt-get install smail
    To configure:
    # /usr/sbin/smailconfig
    Test it:
    # /usr/sbin/smailtest

    Other Tips
    HELP (when the daemon will not start or the client cannot talk to it):
    1.) Stop the service:
    /etc/init.d/fail2ban stop
    2.) Delete the socket if it is still present. The path is the "socket" setting in /etc/fail2ban/fail2ban.conf; it was /tmp/fail2ban.sock on old versions and is /var/run/fail2ban/fail2ban.sock on current ones:
    rm /tmp/fail2ban.sock
    3.) Start the service:
    /etc/init.d/fail2ban start
    4.) Check that fail2ban is working:
    fail2ban-client ping
    The answer should be "pong".
    5.) If the answer is not "pong", look at /var/log/fail2ban.log, then run away or CRY FOR HELP 😉

    1. January 3rd, 2010 at 03:41 | #1

      Hey there, wanted to thank you for your script, it helped me to finetune my fail2ban, thanks

    2. February 10th, 2010 at 06:29 | #2

      It works!
      After lots of reading and your blog I finally got it.
      Thanks a lot 🙂

    3. FrenchPie
      March 11th, 2010 at 01:05 | #3

      cat /var/log/secure | grep 'Failed password' | sort | uniq -c

      You could replace this horrible "useless use of cat" (see uuoc.com) with:

      grep 'Failed password' /var/log/secure | sort -u | wc -l

    4. Aaron
      April 21st, 2010 at 19:07 | #4

      I followed the instructions for CentOS/RHEL, and I cannot get it to ban ssh attempts from another box, even though I copied your instructions.

    5. aaronb_houstx
      January 6th, 2011 at 23:50 | #5

      @Aaron

      Check the logging directive in your sshd configuration file. I had the same trouble on a CentOS 5.5 host until I realized that ssh is logging to syslog on AUTHPRIV, which puts everything in ‘/var/log/secure’.

      Just change the log line in ‘jail.local’ or ‘jail.conf’ to read:

      logpath = /var/log/secure

      Make sure that iptables is running, restart fail2ban, and you’re in business.

    6. May 2nd, 2011 at 21:36 | #6

      really great post, thanks for that. came across some real problems getting yum to do the install so this method really saved the day.

    7. Jeff
      April 6th, 2012 at 12:22 | #7

      Thanks for posting this! It’s been very helpful for setting up my tunneling server.

    8. June 6th, 2012 at 12:54 | #8

      AWESOME !!!

      Killing brute-forcer kiddies made easy. ..

    9. Marion
      October 20th, 2013 at 14:45 | #9

      Thank you SO much for the easy-to-follow, concise instructions.

      In case it helps anyone else using Fedora — the command to unban on mine was

      iptables -D fail2ban-SSH 1

      Note the capitalized SSH. I installed from package via yum install fail2ban, maybe that’s part of it.

    10. February 20th, 2014 at 00:13 | #10

      Many thanks for this. By the way, for Fail2ban version 0.8.12 you need a whois program. I did this to get one:

      yum install jwhois

    11. the underscore
      November 18th, 2016 at 15:51 | #11

      Thank you very much. This excerpt made the manual of fail2ban very clear.
