How To Protect SSH with Fail2Ban on Ubuntu 24.04
In an era where cybersecurity threats loom large, safeguarding your server is of utmost importance. One of the most critical components of server security is protecting the SSH (Secure Shell) protocol, a common target for malicious actors attempting to gain unauthorized access. In this blog post, we will walk you through the steps to secure SSH on your Ubuntu 24.04 system using Fail2Ban, a powerful tool that helps prevent brute force attacks.
What is Fail2Ban?
Fail2Ban is intrusion prevention software that scans log files for malicious activity and takes action based on predefined rules. When a certain number of failed login attempts from a single IP address is detected within a configured timeframe, Fail2Ban automatically bans the offending IP by adding a firewall rule for it. This greatly reduces the risk of brute force attacks on your SSH service.
Prerequisites
Before we dive in, ensure you have the following:
- A server running Ubuntu 24.04.
- SSH access to the server with sudo privileges.
- Basic familiarity with the command line.
Step 1: Update Your System
Before installing new packages, it’s always a good practice to update your system. Run the following commands to update your package index and upgrade any outdated packages:
sudo apt update
sudo apt upgrade -y
Step 2: Install Fail2Ban
Fail2Ban is available in the default Ubuntu repositories, making it easy to install. To install Fail2Ban, execute the following command:
sudo apt install fail2ban -y
Step 3: Configure Fail2Ban
After installation, you’ll need to configure Fail2Ban to protect your SSH server. The default configuration file is located at /etc/fail2ban/jail.conf. However, it’s best practice to create a local configuration file to override the defaults without modifying the original file.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now, open the jail.local file:
sudo nano /etc/fail2ban/jail.local
Within this file, locate the [sshd] section, which is responsible for configuring the SSH service. You can customize the following parameters:
- enabled: Set this to true to enable the SSH protection.
- port: Ensure this matches the port you use for SSH (default is 22).
- maxretry: The number of failed login attempts before a ban is placed (default is 5).
- bantime: Duration for which the offending IP will be banned (default is 10 minutes). You can adjust this as needed.
Here is an example configuration:
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 600 ; 10 minutes
Save and close the file by pressing CTRL + X, then Y, and finally ENTER.
Step 4: Restart Fail2Ban
For the changes to take effect, you need to restart the Fail2Ban service:
sudo systemctl restart fail2ban
Step 5: Check Fail2Ban Status
You can verify that Fail2Ban is running properly and that your SSH jail is active by using the following command:
sudo fail2ban-client status
To see the status of the SSH jail specifically, run:
sudo fail2ban-client status sshd
This command will display the number of currently banned IPs and other relevant statistics.
Step 6: Testing Fail2Ban
Now it’s time to test your configuration. You can try logging in over SSH with an incorrect password multiple times (more than the maxretry value). After reaching the set limit, you should see your IP address banned when checking the Fail2Ban status.
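How the maxretry and bantime settings from Step 3 play out over a log, as an added example (not from the original post or the Fail2Ban project): a simplified Python model of the sshd jail run over constructed auth.log-style lines. The regex is a stand-in for the real sshd filter, and findtime is Fail2Ban's counting-window option (the "configured timeframe" described earlier), assumed here to be 600 seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for Fail2Ban's sshd filter (assumption: password failures only).
FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample log (documentation IP ranges, not real traffic):
# 203.0.113.7 fails six times in one minute; 198.51.100.9 fails once every 12 minutes.
SAMPLE_LOG = "\n".join(sorted(
    [f"2024-06-01T10:00:{s:02d}+00:00 srv sshd[4242]: Failed password for root "
     f"from 203.0.113.7 port 50522 ssh2" for s in range(0, 60, 10)]
    + [f"2024-06-01T10:{m:02d}:00+00:00 srv sshd[4243]: Failed password for invalid "
       f"user admin from 198.51.100.9 port 50111 ssh2" for m in range(0, 60, 12)]
    + ["2024-06-01T10:00:05+00:00 srv sshd[4244]: Accepted publickey for deploy "
       "from 192.0.2.10 port 50001 ssh2"]))


def simulate(log_text, maxretry=5, findtime=600, bantime=600):
    """Return [(ip, ban_start, ban_end)] for a jail with the given settings."""
    recent = defaultdict(deque)   # ip -> failure times still inside findtime
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other noise are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # source is already blocked at the firewall
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:   # this model bans on the maxretry-th failure
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"ban {ip} from {start.isoformat()} until {end.isoformat()}")
    # With a one-hour findtime the sporadic failures from 198.51.100.9 also add up.
    print([ip for ip, _, _ in simulate(SAMPLE_LOG, findtime=3600)])
```

With the values from the example configuration only the burst from 203.0.113.7 is banned; the failures spaced 12 minutes apart never accumulate inside a 600-second window, which is the trade-off to weigh when tuning findtime alongside maxretry.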
Conclusion
By following these steps, you’ve fortified your SSH service using Fail2Ban, an essential layer of security against brute force attacks. Always remember that network security is a combination of multiple layers; consider implementing additional measures such as key-based authentication, changing the default SSH port, and using a firewall like UFW to enhance your server’s protection.
Stay vigilant, keep your server updated, and regularly review your security practices to ensure a safe and secure environment for your applications.
For more tips on enhancing your web hosting experience, stay tuned to the Greenhost.Cloud blog!