How To Protect SSH with Fail2Ban on Ubuntu 22.04


In this tutorial, we are going to show you how to protect SSH with Fail2ban on Ubuntu 22.04

SSH stands for Secure Shell Protocol and is a cryptographic network protocol for operating network services securely over an unsecured network. Fail2ban is an intrusion prevention software framework. Fail2ban is written in Python and is used to prevent brute-force attacks. In the next paragraphs, we are going to install Fail2ban and will provide you with commands for managing the fail2ban service. Then we will proceed with the fail2ban configuration for SSH protection.

Installing Fail2ban and protecting SSH is a straightforward process and may take up to 15 minutes. Let’s get started!

Prerequisites

  • Fresh install of Ubuntu 22.04
  • User privileges: root or non-root user with sudo privileges

Step 1. Update the System

First, update the system packages to the latest available versions; then we will proceed with installing Fail2ban.

sudo apt update -y && sudo apt upgrade -y

Step 2. Install Fail2ban

To install the Fail2ban service, execute the following command:

sudo apt install fail2ban -y

Once installed, start and enable the service:

sudo systemctl enable fail2ban && sudo systemctl start fail2ban

To check if the service is up and running, execute the following command:

sudo systemctl status fail2ban

You should receive the following output:

root@host:~# sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-10-04 18:14:04 CDT; 4s ago
       Docs: man:fail2ban(1)
   Main PID: 147319 (fail2ban-server)
      Tasks: 5 (limit: 4575)
     Memory: 11.6M
        CPU: 338ms
     CGroup: /system.slice/fail2ban.service
             └─147319 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Oct 04 18:14:04 host.test.vps systemd[1]: Started Fail2Ban Service.
Oct 04 18:14:04 host.test.vps fail2ban-server[147319]: Server ready

Step 3. Configure Fail2ban

Fail2ban configuration files are stored in /etc/fail2ban/ directory on the server.

root@host:/etc/fail2ban# ll
total 80
drwxr-xr-x   6 root root  4096 Oct  4 18:13 ./
drwxr-xr-x 103 root root 12288 Oct  4 18:13 ../
drwxr-xr-x   2 root root  4096 Oct  4 18:13 action.d/
-rw-r--r--   1 root root  2816 Nov 23  2020 fail2ban.conf
drwxr-xr-x   2 root root  4096 Mar 10  2022 fail2ban.d/
drwxr-xr-x   3 root root  4096 Oct  4 18:13 filter.d/
-rw-r--r--   1 root root 25071 Mar 10  2022 jail.conf
drwxr-xr-x   2 root root  4096 Oct  4 18:13 jail.d/
-rw-r--r--   1 root root   645 Nov 23  2020 paths-arch.conf
-rw-r--r--   1 root root  2827 Nov 23  2020 paths-common.conf
-rw-r--r--   1 root root   650 Mar 10  2022 paths-debian.conf
-rw-r--r--   1 root root   738 Nov 23  2020 paths-opensuse.conf

All configuration settings are stored in the jail.conf file, but in most cases you should not modify this file directly. Instead, put your customizations in a jail.local file or in separate .conf files under the jail.d/ directory, because changes made to jail.conf may be overwritten on the next package update. That is why we make a copy of the original jail.conf under the new name jail.local:

cp jail.conf jail.local

Now we are ready to do some modifications in order to protect SSH.

If you want to apply a setting to all of the services (jails) supported by Fail2ban, make the change under the [DEFAULT] section near the top of the file. For example, the ban time is set to 10 minutes by default, but you can increase that value, for example to 60 minutes:

bantime  = 60m

Other important parameters are findtime and maxretry, which always work together. Let’s set maxretry to 3 and findtime to 5 minutes:

findtime = 5m
maxretry = 3

This means that a client will be banned if it makes 3 failed login attempts to the server within 5 minutes.

The next parameters that are often used are the email parameters. These help you receive an email alert when Fail2ban takes action and bans a client. Here is the explanation of destemail, sender and mta from the configuration file:

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@fq-hostname

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

The ban notifications are sent to destemail, sender is the FROM field of the email, and mta is the mail transfer agent used to send it. By default Fail2ban uses sendmail, but you can configure any other mail service you have installed; it will work as well.

Now let’s test the Fail2ban configuration with the changes we just made.

ssh user@192.168.0.1
user@192.168.0.1's password:
Permission denied, please try again.
user@192.168.0.1's password:
Permission denied, please try again.
user@192.168.0.1's password:
user@192.168.0.1: Permission denied (publickey,password).
ssh user@92.168.0.1
ssh: connect to host 192.168.1.107 port 22: Connection refused

As you can see, after three failed login attempts Fail2ban blocked further SSH connections from that client. The user will be banned for 5 minutes. If you try to log in during those 5 minutes, the connection will be refused as shown above.
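To make the bantime, findtime and maxretry semantics concrete, here is an added Python example (not code from this page or from Fail2ban itself) that reads a constructed jail.local fragment with the values set above and replays constructed auth.log lines through a simplified model of Fail2ban's counting logic. The first address fails 3 times within 5 minutes and is banned for 60 minutes; the second address also fails 3 times, but spread over 30 minutes, so findtime expires its earlier failures and no ban is issued.

```python
import configparser, re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed jail.local fragment with the tutorial's values (not the page's own file).
JAIL_LOCAL = """\
[DEFAULT]
bantime  = 60m
findtime = 5m
maxretry = 3
[sshd]
enabled = true
"""
# Constructed /var/log/auth.log lines in sshd's "Failed password" format (sample data).
AUTH_LOG = """\
Oct  4 18:10:00 host sshd[1004]: Failed password for user from 198.51.100.9 port 40000 ssh2
Oct  4 18:20:01 host sshd[1001]: Failed password for user from 203.0.113.7 port 50000 ssh2
Oct  4 18:21:30 host sshd[1002]: Failed password for user from 203.0.113.7 port 50001 ssh2
Oct  4 18:22:45 host sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Oct  4 18:30:00 host sshd[1005]: Failed password for user from 198.51.100.9 port 40001 ssh2
Oct  4 18:40:00 host sshd[1006]: Failed password for user from 198.51.100.9 port 40002 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+", re.M)

def to_seconds(value):  # fail2ban duration strings: '60m', '1h', '600'
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)

def load_jail(text, jail="sshd"):
    """Read one jail's settings; unset keys fall through from [DEFAULT] as in fail2ban."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {"bantime": to_seconds(cp[jail]["bantime"]),
            "findtime": to_seconds(cp[jail]["findtime"]), "maxretry": int(cp[jail]["maxretry"])}

def simulate(jail, log):
    """Return (ip, ban_start, ban_end) for every ban this jail would issue on the log."""
    failures = defaultdict(deque)  # ip -> failure timestamps still inside the findtime window
    bans = []
    for m in LINE_RE.finditer(log):
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > jail["findtime"]:
            window.popleft()  # forget failures older than findtime
        if len(window) >= jail["maxretry"]:  # maxretry failures within findtime -> ban
            bans.append((ip, ts, ts + timedelta(seconds=jail["bantime"])))
            window.clear()
    return bans
```

The real Fail2ban enforces the ban through a firewall action, which is what produces the "Connection refused" seen in the session above; this model only reports which addresses would be banned and until when.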

If you want to learn more about every parameter in the jail.conf file, execute the following command:

man jail.conf

You should receive the following output:

JAIL.CONF(5)                                                           Fail2Ban Configuration                                                          JAIL.CONF(5)

NAME
       jail.conf - configuration for the fail2ban server

SYNOPSIS
       fail2ban.conf fail2ban.d/*.conf fail2ban.local fail2ban.d/*.local

       jail.conf jail.d/*.conf jail.local jail.d/*.local

       action.d/*.conf action.d/*.local action.d/*.py

       filter.d/*.conf filter.d/*.local

DESCRIPTION
       Fail2ban has four configuration file types:

       fail2ban.conf
              Fail2Ban global configuration (such as logging)

       filter.d/*.conf
              Filters specifying how to detect authentication failures

       action.d/*.conf
              Actions defining the commands for banning and unbanning of IP address

       jail.conf
              Jails defining combinations of Filters with Actions.

That’s it. You have successfully protected SSH with Fail2Ban on Ubuntu 22.04. Of course, you do not have to do this on your own. You just need to sign up for one of our NVMe VPS plans and submit a support ticket. We are available 24/7.

If you liked this post about how to protect SSH with Fail2Ban on Ubuntu 22.04, please share it with your friends on social networks or simply leave a reply below.
