Atlantic.Net Blog

How to Secure SSH Server with Fail2Ban

Hitesh Jethva
by Atlantic.Net (272 posts) under Dedicated Server Hosting, Tutorials

Fail2Ban is open-source intrusion prevention software used to protect your Linux system from different kinds of attacks. It is written in Python and works by monitoring service logs for malicious activity. It scans the log file of each monitored service and counts the number of failed login attempts from each source IP. When that number reaches a predefined threshold, Fail2Ban adds firewall (iptables) rules to block the source IP.

In this post, we will show you how to secure an SSH server with Fail2Ban on Linux.

Prerequisites

  • A fresh CentOS, Ubuntu, or Debian server on the Atlantic.Net Cloud Platform
  • A root password configured on your server

Step 1 – Create Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing CentOS, Debian, or Ubuntu as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged in to your Linux server, run the following command to update your base system with the latest available packages.

apt-get update -y

Or

dnf update -y

Step 2 – Install Fail2Ban

By default, Fail2Ban is available in all major Linux distributions.

To install Fail2Ban on Ubuntu and Debian, run the following command:

apt-get install fail2ban -y

To install Fail2Ban on CentOS, RHEL and Fedora, run the following command:

dnf install epel-release -y
dnf install fail2ban -y

Once Fail2Ban is installed, start the Fail2Ban service and enable it to start at system reboot:

systemctl start fail2ban
systemctl enable fail2ban

Step 3 – Configure Fail2Ban

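By default, Fail2Ban’s main configuration file is located at /etc/fail2ban/jail.conf. It is always recommended to leave that file untouched and put your own settings in a new configuration file named jail.local in the /etc/fail2ban/ directory: jail.conf can be overwritten by package updates, and settings in jail.local override it.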

Next, create a new configuration file using your favorite editor:

nano /etc/fail2ban/jail.local

Add the following lines:

[sshd]
enabled = true
port = ssh
filter = sshd
# Ubuntu/Debian path; on CentOS, RHEL and Fedora sshd logs to /var/log/secure
logpath = /var/log/auth.log
maxretry = 3
bantime = 300
ignoreip = 127.0.0.1, whitelist-ip

Save and close the file, then restart the Fail2Ban service to apply the changes:

systemctl restart fail2ban

Where:

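  • port is the port the SSH service listens on.
  • logpath is the path of the log file where SSH login attempts are recorded.
  • bantime is the number of seconds the attacker’s IP stays blocked.
  • maxretry is the number of failed login attempts allowed from a remote host before it is banned.
  • ignoreip is the list of whitelisted IP addresses that are never banned; replace whitelist-ip with your own trusted address.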
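
The following Python sketch, added here as an illustration and not taken from Fail2Ban's code or the original tutorial, replays constructed auth.log lines against the jail settings above to show when a ban would start and end. The 600-second findtime window, the simplified failure regex, and the 198.51.100.0/24 trusted range standing in for whitelist-ip are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# MAXRETRY, BANTIME and 127.0.0.1 mirror the [sshd] jail above. FINDTIME is an
# assumption (the page does not set it); 198.51.100.0/24 is a constructed
# trusted range standing in for "whitelist-ip".
MAXRETRY, BANTIME, FINDTIME = 3, 300, 600
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "198.51.100.0/24")]
# Simplified stand-in for the sshd filter: password failures only.
FAILURE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password "
                     r"for (?:invalid user )?\S+ from (\S+) port \d+")
# Constructed auth.log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jul 15 10:00:00 host sshd[900]: Failed password for alice from 192.0.2.44 port 41000 ssh2
Jul 15 10:01:00 host sshd[901]: Failed password for alice from 192.0.2.44 port 41002 ssh2
Jul 15 10:02:01 host sshd[902]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jul 15 10:02:03 host sshd[903]: Failed password for root from 198.51.100.20 port 40000 ssh2
Jul 15 10:02:05 host sshd[904]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Jul 15 10:02:06 host sshd[905]: Failed password for root from 198.51.100.20 port 40002 ssh2
Jul 15 10:02:07 host sshd[906]: Failed password for root from 198.51.100.20 port 40004 ssh2
Jul 15 10:02:09 host sshd[907]: Failed password for root from 203.0.113.7 port 50140 ssh2
Jul 15 10:12:00 host sshd[908]: Failed password for alice from 192.0.2.44 port 41010 ssh2
"""

def simulate(log_text, year=2021):
    """Return [(ip, banned_at, unbanned_at)] for the jail settings above."""
    recent = defaultdict(deque)   # ip -> failure times still inside FINDTIME
    banned_until, bans = {}, []
    for m in filter(None, map(FAILURE.match, log_text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in IGNOREIP):
            continue                          # ignoreip: never counted
        if ts < banned_until.get(ip, datetime.min):
            continue                          # already banned, nothing to add
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=FINDTIME):
            window.popleft()                  # older than findtime: forgotten
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((str(ip), f"{ts:%H:%M:%S}", f"{banned_until[ip]:%H:%M:%S}"))
            window.clear()                    # counter resets once banned
    return bans

print(simulate(SAMPLE_LOG))
```

Only 203.0.113.7 is banned: the failures from 198.51.100.20 are ignored, and the two early failures from 192.0.2.44 have aged out of the findtime window by the time the third arrives.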

Step 4 – Monitor Fail2Ban Status

Fail2Ban comes with a command-line utility named fail2ban-client that is used to monitor the Fail2Ban status.

To check the status of the sshd jail, run the following command:

fail2ban-client status sshd

You should see the list of all IPs blocked by Fail2Ban:

Status for the jail: ssh
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	10
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:	1
   `- Banned IP list:	45.58.44.186

To check the status of all active jails, run the following command:

fail2ban-client status

Sample output:

Status
|- Number of jail:	3
`- Jail list:	proftpd, sshd, apache2

You can also check the Fail2Ban log for more information:

tail -f /var/log/fail2ban.log

Sample output:

2021-07-15 10:02:13,084 fail2ban.filter         [8012]: INFO    [ssh] Found 45.58.44.186 - 2021-07-15 10:02:13
2021-07-15 10:02:33,085 fail2ban.filter         [8012]: INFO    [sshd] Found 45.58.44.186 - 2021-07-15 10:02:13
2021-07-15 10:02:33,117 fail2ban.actions        [8013]: NOTICE  [ssh] Ban 45.58.44.186
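
To reconcile this log with the counters that fail2ban-client status reports (total failed, total banned, currently banned), the Found, Ban and Unban lines can be tallied per jail. This Python example is an addition to the tutorial, not Fail2Ban tooling; it runs on constructed log lines in the layout shown above, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Matches the fail2ban.filter / fail2ban.actions lines in the layout shown above.
EVENT = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ fail2ban\.\w+\s+"
                   r"\[\d+\]: \w+\s+\[(?P<jail>[^\]]+)\] "
                   r"(?P<event>Found|Ban|Unban) (?P<ip>\S+)")
# Constructed log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2021-07-15 10:02:01,084 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:02:01
2021-07-15 10:02:05,085 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:02:05
2021-07-15 10:02:09,090 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:02:09
2021-07-15 10:02:09,117 fail2ban.actions        [8012]: NOTICE  [sshd] Ban 203.0.113.7
2021-07-15 10:03:30,200 fail2ban.filter         [8012]: INFO    [sshd] Found 192.0.2.44 - 2021-07-15 10:03:30
2021-07-15 10:07:09,300 fail2ban.actions        [8012]: NOTICE  [sshd] Unban 203.0.113.7
2021-07-15 10:07:40,410 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:07:40
2021-07-15 10:07:44,415 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:07:44
2021-07-15 10:07:48,420 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:07:48
2021-07-15 10:07:48,450 fail2ban.actions        [8012]: NOTICE  [sshd] Ban 203.0.113.7
"""

def summarize(log_text):
    """Per jail: failures and bans per IP, plus IPs still banned at end of log."""
    jails = defaultdict(lambda: {"found": Counter(), "bans": Counter(), "active": set()})
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue                      # startup messages, warnings, etc.
        jail, ip = jails[m["jail"]], m["ip"]
        if m["event"] == "Found":
            jail["found"][ip] += 1
        elif m["event"] == "Ban":
            jail["bans"][ip] += 1
            jail["active"].add(ip)
        else:                             # Unban
            jail["active"].discard(ip)
    return dict(jails)

def repeat_offenders(summary, min_bans=2):
    """(jail, ip) pairs banned at least min_bans times: candidates for a longer bantime."""
    return sorted((name, ip) for name, s in summary.items()
                  for ip, n in s["bans"].items() if n >= min_bans)

print(repeat_offenders(summarize(SAMPLE_LOG)))
```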

Step 5 – Ban and Unban Remote IPs with Fail2Ban

Fail2Ban also allows you to ban and unban remote IPs manually.

To unban any blocked IP, run the following command:

fail2ban-client set sshd unbanip remote-ip

If you want to ban any untrusted IP, run the following command:

fail2ban-client set sshd banip remote-ip

Conclusion

In the above guide, we explained how to secure an SSH server using Fail2Ban on Linux. You can now create more jails to protect other services like Apache, FTP, WordPress, and more – try it on dedicated server hosting today!
