In today’s digital landscape, securing your server from malicious attacks is of utmost importance. One of the most common targets for hackers is SSH (Secure Shell), a widely used protocol for remote access to servers. To protect your SSH server from brute-force attacks and unauthorized access attempts, you can use Fail2Ban, an intrusion prevention framework. In this article, we will guide you through the process of securing your SSH with Fail2Ban on Ubuntu 23.10.
Section 1: Installing Fail2Ban
To get started, we need to install the Fail2Ban package on our Ubuntu 23.10 server. Before proceeding with the installation, it is important to ensure that your system is up to date. You can do this by running the following commands:
apt update
apt upgrade
Once your system is updated, you can proceed with the installation of Fail2Ban by running the following command:
apt install fail2ban
After the installation is complete, you need to enable Fail2Ban by running the following command:
systemctl enable fail2ban
To check the status of Fail2Ban, use the following command:
systemctl status fail2ban
If everything is set up correctly, the output should show that Fail2Ban is active and running.
Note: It is recommended to take a snapshot or backup of your server before making any configuration changes to ensure that you can revert back if something goes wrong.
Section 2: Configuring Fail2Ban
Fail2Ban comes with default configuration files that you can modify to suit your needs. However, it is not recommended to edit the default configuration files directly, as package upgrades may overwrite your changes. Instead, we will create a separate configuration file called jail.local.
To create the jail.local configuration file, copy the default jail.conf file using the following command:
cp /etc/fail2ban/jail.{conf,local}
Now, open the jail.local file using your preferred text editor:
nano /etc/fail2ban/jail.local
In the jail.local file, you can customize various settings to enhance the security of your SSH server.
Subsection 2.1: Whitelisting IP Addresses
By default, Fail2Ban blocks IP addresses that are involved in suspicious activities. However, you may have specific IP addresses that you want to whitelist, such as your own IP. To whitelist an IP address, look for the following line in the jail.local file and uncomment it:
#ignoreip = 127.0.0.1/8 ::1
Once uncommented, add your IP address at the end of the line. For example:
ignoreip = 127.0.0.1/8 ::1 192.168.0.100 192.168.1.0/24
You can whitelist multiple IP addresses by separating them with a single white space. If you want to whitelist an IP block, use CIDR notation as shown above.
Subsection 2.2: Setting Ban Options
Fail2Ban provides several options for banning IP addresses based on failed authentication attempts. These options include bantime, findtime, and maxretry.
bantime: Specifies the duration (in seconds, minutes, hours, or days) an IP address will be banned.
findtime: Defines the time window during which Fail2Ban will monitor for repeated failed authentication attempts.
maxretry: Sets the maximum number of failed attempts allowed before an IP address is banned.
To customize these options, locate the following lines in the jail.local file and modify them according to your requirements:
bantime = 10m
findtime = 10m
maxretry = 5
Feel free to adjust these values based on your specific needs. For example, if you want to permanently block an IP address, you can use a negative value for bantime.
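How ignoreip, findtime, maxretry and bantime interact, as an added example that is not part of the original article and not Fail2Ban's own code: a simplified Python model run over constructed sshd log lines. The names simulate, seconds and SAMPLE_LOG, the ISO timestamps and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port")

def _fail(ip, minute):  # builds one constructed log line (ISO timestamp for simplicity)
    return f"2024-01-10T10:{minute:02d}:00 sshd[811]: Failed password for root from {ip} port 40112 ssh2"

# Constructed sample data using documentation/private address ranges.
SAMPLE_LOG = "\n".join(sorted(
    [_fail("203.0.113.7", m) for m in range(5)]             # 5 failures in 5 minutes
    + [_fail("192.168.1.50", m) for m in range(6)]          # inside the ignoreip range
    + [_fail("198.51.100.9", m) for m in range(0, 18, 3)]   # 1 failure every 3 minutes
))

def seconds(value):
    """Convert '10m', '1h', '600' or '-1' to seconds (bare number = seconds)."""
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)

def simulate(log, ignoreip, bantime, findtime, maxretry):
    """Return [(ip, banned_at, unban_at)]; unban_at is None for a permanent ban."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    window, ban_len = timedelta(seconds=seconds(findtime)), seconds(bantime)
    failures, banned_until, bans = defaultdict(deque), {}, []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue  # whitelisted: failures are never counted
        if ip in banned_until and (banned_until[ip] is None or ts < banned_until[ip]):
            continue  # ban still active
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures older than findtime
        if len(q) >= maxretry:
            until = None if ban_len < 0 else ts + timedelta(seconds=ban_len)
            banned_until[ip] = until
            bans.append((ip, ts, until))
            q.clear()
    return bans
```

With the values from this section, only 203.0.113.7 is banned: the whitelisted 192.168.1.50 is never counted, and the failures from 198.51.100.9, three minutes apart, never reach five inside a 10m window, which is the case to keep in mind when choosing findtime.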
Subsection 2.3: Email Notifications
Fail2Ban allows you to receive email notifications when an IP address is banned or when specific events occur. To configure email notifications, you need to have an SMTP server installed on your server.
To enable email alerts, find the following lines in the jail.local file and ensure that they are present. They only define the action_mwl action; a jail sends these emails only when its action setting refers to action_mwl.
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
To configure the email addresses for sending and receiving notifications, locate the following lines in the jail.local file and update them accordingly:
destemail = admin@xyz.com
sender = root@xyz.com
Replace admin@xyz.com with the email address where you want to receive notifications and root@xyz.com with the sender email address.
Section 3: Interacting with Fail2Ban
Fail2Ban provides a command-line tool called fail2ban-client that allows you to interact with the Fail2Ban service. This tool offers various options to manage and monitor banned IP addresses.
To check the status of the Fail2Ban jails, use the following command:
fail2ban-client status
This command will display the status of all the enabled jails, including the SSH jail.
To unban an IP address, use the following command:
fail2ban-client set sshd unbanip "IP address here"
Replace “IP address here” with the actual IP address you want to unban.
Similarly, you can ban an IP address by running the following command:
fail2ban-client set sshd banip "IP address here"
Again, replace “IP address here” with the IP address you want to ban.
Conclusion
By installing and configuring Fail2Ban on your Ubuntu 23.10 server, you can significantly enhance the security of your SSH server. Fail2Ban’s ability to detect and block brute-force attempts and unauthorized access helps protect your server from malicious activities. Remember to regularly monitor the Fail2Ban logs and adjust the configuration settings as needed to ensure optimal security.
With Fail2Ban, you can have peace of mind knowing that your SSH server is safeguarded against potential threats. For reliable and scalable cloud hosting solutions, consider Shape.host’s Linux SSD VPS services. Shape.host offers high-performance virtual private servers with advanced security features, ensuring the safety and stability of your online presence.
Secure your SSH server with Fail2Ban today and experience the benefits of a protected and resilient infrastructure.