How to use fail2ban in Linux to defend against SSH brute force cracking

2025-01-22 Update. From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article explains in detail how to use fail2ban to defend against SSH brute force attacks on Linux. It is very practical, so it is shared here as a reference; I hope you get something out of it.

Fail2ban is a well-known open source intrusion prevention framework for Linux. It monitors system log files (such as /var/log/auth.log or /var/log/secure) and automatically triggers defensive actions when it detects suspicious behaviour. In particular, fail2ban is very useful for defending SSH servers against brute force password attacks.

Install fail2ban on Linux

To install fail2ban on CentOS or RHEL, first set up the EPEL repository, and then run the following command.

$ sudo yum install fail2ban

To install fail2ban on Fedora, simply run the following command:

$ sudo yum install fail2ban

Install fail2ban on Ubuntu, Debian or Linux Mint:

$ sudo apt-get install fail2ban

Configure fail2ban for the SSH server

Now you are ready to harden your SSH server by configuring fail2ban. You need to edit its configuration file /etc/fail2ban/jail.conf. The "[DEFAULT]" section of the file defines the default parameters for all monitored services; the section for a specific service (such as SSH, Apache, etc.) sets the configuration for that service and overrides the defaults.

In the jail part of the file (after the [DEFAULT] section), you need to define an [ssh-iptables] section that holds the SSH-related jail configuration. The actual blocking of IP addresses is done through iptables.

Below is an example of /etc/fail2ban/jail.conf with the "ssh-iptables" jail configured (local overrides of jail.conf are normally placed in /etc/fail2ban/jail.local, which is the file edited here). Of course, you can also define jails for other applications according to your needs.

$ sudo vi /etc/fail2ban/jail.local

[DEFAULT]
# Space-delimited list of IP addresses, CIDR prefixes or DNS hostnames
# that fail2ban should never ban
ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24

# How long a client host stays banned (seconds)
bantime = 86400

# Number of failures allowed before a client host is banned
maxretry = 3

# Window in which the failures are counted (seconds)
findtime = 600

mta = sendmail

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=your@email.com, sender=fail2ban@email.com]
# Debian-family distributions
logpath = /var/log/auth.log
# Red Hat-family distributions (keep only the logpath line for your distribution)
logpath = /var/log/secure
# Maximum number of attempts for the ssh service
maxretry = 3

Based on the above configuration, fail2ban automatically bans any IP address that has failed more than three access attempts in the last 10 minutes. Once banned, that IP address is blocked from the SSH service for 24 hours. The event is also reported by email via sendmail.
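To make the ban logic concrete, here is an added example (not part of the original article or of fail2ban itself) that replays constructed /var/log/auth.log lines through a minimal model of the ssh-iptables jail using the parameters from the jail.local above: ignoreip, maxretry = 3, findtime = 600 and bantime = 86400. The failure regex is a simplified stand-in for fail2ban's real sshd filter, the log year is assumed to be 2024 (syslog lines carry none), and no iptables rules are touched.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Parameters as set in the jail.local above
IGNOREIP = ["127.0.0.1", "172.31.0.0/24", "10.10.0.0/24", "192.168.0.0/24"]
MAXRETRY, FINDTIME, BANTIME = 3, 600, 86400

# Simplified stand-in for the sshd filter's "Failed password" pattern (assumption)
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample of /var/log/auth.log (not real log data)
LOG = """\
Jun 12 10:00:01 host sshd[1001]: Failed password for root from 192.168.1.8 port 51234 ssh2
Jun 12 10:00:05 host sshd[1002]: Failed password for invalid user admin from 192.168.1.8 port 51240 ssh2
Jun 12 10:00:09 host sshd[1003]: Failed password for root from 192.168.1.8 port 51246 ssh2
Jun 12 10:00:12 host sshd[1004]: Failed password for root from 192.168.0.5 port 40000 ssh2
Jun 12 10:00:13 host sshd[1005]: Failed password for root from 192.168.0.5 port 40001 ssh2
Jun 12 10:00:14 host sshd[1006]: Failed password for root from 192.168.0.5 port 40002 ssh2
Jun 12 10:00:30 host sshd[1007]: Accepted password for alice from 192.168.1.9 port 1234 ssh2
Jun 12 10:30:00 host sshd[1008]: Failed password for root from 203.0.113.7 port 2222 ssh2
Jun 12 10:31:00 host sshd[1009]: Failed password for root from 203.0.113.7 port 2223 ssh2
Jun 12 10:45:00 host sshd[1010]: Failed password for root from 203.0.113.7 port 2224 ssh2
""".splitlines()

def ignored(ip):
    """True if ip matches an ignoreip entry (plain address or CIDR prefix)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)

def scan(lines, year=2024):
    """Replay log lines; return {ip: ban expiry} for hosts the jail would ban."""
    recent = {}  # ip -> timestamps of failures still inside the findtime window
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or ignored(m["ip"]):
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # Keep only failures within the last FINDTIME seconds, then add this one
        window = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=FINDTIME)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= MAXRETRY and ip not in bans:
            bans[ip] = ts + timedelta(seconds=BANTIME)  # cleared early by unbanip
    return bans
```

Running scan(LOG) bans only 192.168.1.8: 192.168.0.5 is covered by the ignoreip prefix, and 203.0.113.7 never accumulates three failures inside one 10-minute findtime window.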

Once the configuration file is ready, restart the fail2ban service as follows.

In Debian, Ubuntu or CentOS/RHEL 6:

$ sudo service fail2ban restart

On Fedora or CentOS/RHEL 7:

$ sudo systemctl restart fail2ban

To verify that fail2ban is running, run the fail2ban-client command with the 'ping' argument. If the fail2ban service is running properly, it answers with "pong".

$ sudo fail2ban-client ping
Server replied: pong

Test that fail2ban protects SSH against brute force attacks

To test whether fail2ban is working properly, simulate a brute force attack by connecting to the server over SSH with a wrong password several times. At the same time, watch /var/log/fail2ban.log, which records every event fail2ban acts on.

$ sudo tail -f /var/log/fail2ban.log

In the log output you should see that fail2ban banned the IP address 192.168.1.8 after detecting multiple failed login attempts from that address.

Check fail2ban status and unblock locked IP addresses

Since fail2ban's "ssh-iptables" jail uses iptables to block offending IP addresses, you can verify the ban rule by inspecting the current iptables rules as follows.

$ sudo iptables --list -n
Chain INPUT (policy ACCEPT)
target        prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target        prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target        prot opt source               destination

Chain fail2ban-SSH (1 references)
target        prot opt source               destination
DROP          all  --  192.168.1.8          0.0.0.0/0
RETURN        all  --  0.0.0.0/0            0.0.0.0/0

If you want to unban an IP address by hand, you can use the iptables command:

$ sudo iptables -D fail2ban-SSH -s 192.168.1.8 -j DROP

You can use iptables commands like the one above to manually verify and manage fail2ban's block list, but the proper way is the fail2ban-client command line tool. It not only lets you manage the "ssh-iptables" jail, but also offers a standard command line interface for managing every other type of fail2ban jail.

To check the overall fail2ban status (a list of currently active jails is displayed):

$ sudo fail2ban-client status

To check the status of a particular jail (e.g. ssh-iptables):

$ sudo fail2ban-client status ssh-iptables

The above command displays the list of currently banned IP addresses.


To unban a specific IP address:

$ sudo fail2ban-client set ssh-iptables unbanip 192.168.1.8

Note that if you stop the fail2ban service, all IP addresses are unbanned. When fail2ban restarts, it re-reads the list of offending IP addresses from /var/log/secure (or /var/log/auth.log). If those failures still fall within the findtime window, fail2ban bans the addresses again.

Set Fail2ban to start automatically

Once you have successfully tested fail2ban, the final step is to make it start automatically at boot. On Debian-based distributions, automatic startup is enabled by default. On Red Hat-based distributions, enable it as follows.

In CentOS/RHEL 6:

$ sudo chkconfig fail2ban on

On Fedora or CentOS/RHEL 7:

$ sudo systemctl enable fail2ban

This is the end of the article on "how to use fail2ban in Linux to defend against SSH brute force cracking". I hope the above content has been helpful and that you have learned something from it. If you found the article useful, please share it so that more people can see it.
