Server Defense 1: fail2ban

As I gain traffic I am finding I have to start stepping up on the security of my local servers. I do the basics, like use public keys, I disable root password login and make the default shell for root to be /sbin/nologin.

What did notice?

I normally connect to my personal servers via FQDN as I have one forwarding to each of the servers that host my own services. I had recently noticed ssh was failing to resolve on the first attempt, only after subsequent attempts would I get a connection through. I becamed concerned about extraneous traffic to my server to I dropped into /var/log/auth.log to take a look.

Not so much to my surprise I saw several entries that look like this:

sshd: Failed password for root from port 34
284 ssh2
sshd: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser=  user=root

and the list goes on…

What did I do

The first thing I thought to do was to whitelist the ip addresses I most normally connect through. This could work, however it would be annoying as my home ip address does change from time to time. I had almost began to gather all of the addresses when I discovered that fail2ban can cover sshd in addition to the mysql login attempts I blocked on my Wordpress host.

Installing fail2ban was as easy as sudo apt install fail2ban complete with sane defaults in the form of /etc/fail2ban/jail.conf. You can simply copy this too /etc/fail2ban/jail.local and leave the defaults. However, I am not sane and began tinkering so that I can understand the whole picture.

I changed the following values:

findtime = 600 # if $maxretry attempts are made in 600s
maxretry = 4

I left bantime = 3600, or 1 hour, which is the default setting in the Debian package.

Controlling fail2ban

I quickly found how easy it is to ban the ip addresses who have already made attempts.

You can manually ban ips as root using:

fail2ban-client set [JAIL] banip [IP_ADDRESS]

Bans are on a per-jail basis, the active jails can be listed using:

fail2ban-client status

You can also list the details about a specific jail, as root, with:

fail2ban-client status [JAIL]

Using this information I was able to easily grep out the IP’s I wanted from auth.log. Verify which ones were not mine, or were malicious, and used a simple bash iterator to use the ban command and blacklist the foreign IPs.


You can be secure, but leaving the highways to your town gates open can still cause traffic that can affect you.

It is important to be proactive about your security and always look for ways to improve it before a breach happens.

comments powered by Disqus