fail2ban
A while ago, I was checking servers’ logs to see any suspicious activities going on from outside. I noticed that the servers both staging/testing and production servers are receiving a lot of brute force SSH attacks from variety of countries which are shown in table below.
List of IP Addresses ( who are doing SSH Brute Forcing )
| IP Address | Country Code | Location | Network | Postal Code | Approximate Coordinates* | Accuracy Radius (km) | ISP | Organization | Domain | Metro Code |
|---|---|---|---|---|---|---|---|---|---|---|
| 171.239.254.84 | VN | Ho Chi Minh City, Ho Chi Minh, Vietnam, Asia | 171.239.254.0/23 | 10.8104,106.6444 | 1 | Viettel Group | Viettel Group | viettel.vn | ||
| North Holland, Netherlands, Europe | 159.65.192.0/20 | 1098 | 52.352, 4.9392 | 1000 | Digital Ocean | Digital Ocean | ||||
| 117.217.35.114 | IN | Bhopal,Madhya Pradesh, India, Asia | 117.217.35.0/24 | 462030 | 23.2487,77.4066 | 50 | BSNL | BSNL | ||
| Asia | 113.164.79.0/24 | 9.7774, 105.4592 | 50 | VNPT | VNPT | 61.14.228.170 | ||||
| Da Nang, Vietnam, Asia | 116.110.30.0/23 | 16.0685, | ||||||||
| 108.2215 | 1 | Viettel Group | Viettel Group | |||||||
| 43.239.80.181 | IN | Kolkata, West Bengal, India, Asia | 43.239.80.0/24 | 700006 | 22.5602, 88.3698 | 10 | Meghbela Broadband | Meghbela Broadband | PMPL-Broadband.net | |
| Tinh Thai Binh, Vietnam, Asia | 14.255.136.0/23 | 20.4487, | ||||||||
| 106.3343 | 100 | VNPT | VNPT | vnpt.vn | ||||||
| 184.22.195.230 | TH | Bangkok, Bangkok, Thailand, Asia | 184.22.195.0/24 | 10310 | 13.7749, 100.5197 | 20 | AIS Fibre | AIS Fibre | myaisfibre.com | |
| 116.110.109.90 | VN | Da Nang, Da Nang, Vietnam, Asia | 116.110.109.0/24 | 16.0685, 108.2215 | 20 | Viettel Group | Viettel Group | |||
| Ho Chi Minh, Vietnam, Asia | 115.76.168.0/23 | 10.8104, | ||||||||
| 106.6444 | 1 | Viettel Group | Viettel Group | viettel.vn |
** Information on the table gathered from: [https://www.maxmind.com/en/geoip-demo]
Ban failed attempts
Although servers have no password login, they are kept brute forcing on SSH port. Well, fail2ban was one of obvious solution to block those IP addresses permanently or temporarily. I prefered to block them all permanently until manual unblocking has been done by me.
The steps for installing fail2ban is pretty obvious, you are doing same things like, apt-get update && apt-get install fail2ban. After installation completed, configuration is much more important.
Following steps will guide you to block any ip address who are brute forcing on SSH.
- Copy template file
$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Set Ban time
It is possible to set ban time permanent or temporarily. I preffered to setup permanent, so for this reason I have changed bantime = -1. Save and exit from the file when you are done.
$ vim /etc/fail2ban/jail.conf
# Permanent ban
bantime = -1
- Create custom rules for SSH
$ vim /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log # place of ssh logs
maxretry = 4 # maximum number of attempts that user can do
(*Maxretry value and log file can be changed according to your setup.)
Make the rules persistent
In order to make the rules persistent which means, the blocked IPs will not be deleted after restart of fail2ban service or restart of server. It requires to have some tricks to be done inside iptables rules under fail2ban. Add following cat and echo commands at the end of actionstart and actionban respectively .
$ vim /etc/fail2ban/action.d/iptables-multiport.conf
.
.
.
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
| while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done
.
.
.
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans
- Save and restart service
$ systemctl restart fail2ban
These are most basic steps to block IP addresses who are actively brute forcing to servers. After some time, I am able to see them with following command :)
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 12
| |- Total failed: 107
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 16
|- Total banned: 16
`- Banned IP list: 171.239.254.84 184.102.70.222 180.251.85.85 103.249.240.208 159.65.194.150 117.217.35.114 113.164.79.129 61.14.228.170 116.110.30.245 43.239.80.181 77.222.130.223 14.255.137.219 184.22.195.230 125.25.82.12 116.110.109.90 115.76.168.231
It is growing in time however at least they are not able to brute force the server with same IP addresses. There are plenty of other ways to make SSH port much more secure and effective however I think having updated ssh daemon/client, passwordless login and fail2ban will be enough in most of the cases. Therefore, while I was doing this stuff, although there are plenty of guides over there, I wanted to note down how I did it to come back and check if something happens.
Take care !
Top comments (0)