How To Protect SSH with Fail2Ban on Ubuntu 24.04

In an era where cybersecurity threats loom large, safeguarding your server is of utmost importance. One of the most critical components of server security is protecting the SSH (Secure Shell) protocol, a common target for malicious actors attempting to gain unauthorized access. In this blog post, we will walk you through the steps to secure SSH on your Ubuntu 24.04 system using Fail2Ban, a powerful tool that helps prevent brute force attacks.

What is Fail2Ban?

Fail2Ban is intrusion prevention software that scans log files for malicious activity and takes action based on predefined rules. When it detects a certain number of failed login attempts from a single IP address within a configured timeframe, Fail2Ban automatically bans the offending IP by adding it to a firewall rule. This greatly reduces the risk of brute force attacks against your SSH service.

Prerequisites

Before we dive in, ensure you have the following:

  • A server running Ubuntu 24.04.
  • SSH access to the server with sudo privileges.
  • Basic familiarity with the command line.

Step 1: Update Your System

Before installing new packages, it’s always a good practice to update your system. Run the following commands to update your package index and upgrade any outdated packages:

sudo apt update
sudo apt upgrade -y

Step 2: Install Fail2Ban

Fail2Ban is available in the default Ubuntu repositories, making it easy to install. To install Fail2Ban, execute the following command:

sudo apt install fail2ban -y

Step 3: Configure Fail2Ban

After installation, you’ll need to configure Fail2Ban to protect your SSH server. The default configuration file is located at /etc/fail2ban/jail.conf. However, it’s best practice to create a local configuration file to override the defaults without modifying the original file, because a package update can overwrite jail.conf, while settings in jail.local take precedence and are left in place.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, open the jail.local file:

sudo nano /etc/fail2ban/jail.local

Within this file, locate the [sshd] section, which configures the jail for the SSH service. You can customize the following parameters:

  • enabled: Set this to true to enable the SSH protection.
  • port: Ensure this matches the port you use for SSH (default is 22).
  • maxretry: The number of failed login attempts before a ban is placed (default is 5).
  • bantime: Duration for which the offending IP will be banned (default is 10 minutes). You can adjust this as needed.

Here is an example configuration:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 600  ; 10 minutes

Save and close the file by pressing CTRL + X, then Y, and finally ENTER.
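
To see how maxretry and bantime in the [sshd] jail interact with the detection window (findtime, which the configuration above leaves at its default of 10 minutes), here is an added example that is not part of the original post and is not Fail2Ban's own code. It replays a constructed log through a simplified model of the jail; the regex, function names, and sample lines are assumptions for illustration, and the real sshd filter matches many more message types.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the sshd filter (assumption); the real one matches far more.
FAILED = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def simulate_jail(lines, maxretry=5, findtime=600, bantime=600):
    """Return a list of (ip, banned_at, unbanned_at) for the failures in lines."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, now = m["ip"], datetime.fromisoformat(m["ts"])
        if now < banned_until.get(ip, now):
            continue  # still banned: the firewall rule is already in place
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = now + timedelta(seconds=bantime)
            bans.append((ip, now, banned_until[ip]))
            window.clear()
    return bans

def _line(minute, second, ip, msg="Failed password for root"):
    # Constructed sample line with an ISO 8601 timestamp (hypothetical host "srv").
    return (f"2024-05-01T10:{minute:02d}:{second:02d}+00:00 srv sshd[1234]: "
            f"{msg} from {ip} port 50000 ssh2")

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = sorted(
    [_line(0, s, "203.0.113.7") for s in (1, 5, 9, 13, 17, 21)]  # rapid failures
    + [_line(m, 0, "198.51.100.20", "Failed password for invalid user bob")
       for m in (0, 12, 24, 36, 48)]  # occasional failures, 12 minutes apart
    + [_line(30, 0, "192.0.2.10", "Accepted password for alice")]
)

if __name__ == "__main__":
    for ip, start, end in simulate_jail(SAMPLE_LOG):
        print(f"{ip} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

With the values from the example configuration, only the address producing rapid failures is banned; the occasional failures 12 minutes apart fall outside the 10-minute window each time, so they are counted toward a ban only if findtime is raised.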

Step 4: Restart Fail2Ban

For the changes to take effect, you need to restart the Fail2Ban service:

sudo systemctl restart fail2ban

Step 5: Check Fail2Ban Status

You can verify that Fail2Ban is running properly and that your SSH jail is active by using the following command:

sudo fail2ban-client status

To see the status of the SSH jail specifically, run:

sudo fail2ban-client status sshd

This command will display the number of currently banned IPs and other relevant statistics.

Step 6: Testing Fail2Ban

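Now it’s time to test your configuration. You can try logging in over SSH with an incorrect password multiple times (more than the maxretry value). After reaching the set limit, you should see your IP address banned when checking the Fail2Ban status. Run this test from a machine other than the one you administer the server from, because the ban blocks SSH connections from that IP address until bantime expires.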

Conclusion

By following these steps, you’ve fortified your SSH service using Fail2Ban, an essential layer of security against brute force attacks. Always remember that network security is a combination of multiple layers; consider implementing additional measures such as key-based authentication, changing the default SSH port, and using a firewall like UFW to enhance your server’s protection.

Stay vigilant, keep your server updated, and regularly review your security practices to ensure a safe and secure environment for your applications.

For more tips on enhancing your web hosting experience, stay tuned to the Greenhost.Cloud blog!