Hardening SSH & using Fail2ban

Sorry about the lack of content; since the storm I have been quite busy with work and other projects. I assure you that I will be more active on this blog in the future. Today I wish to introduce you to Fail2ban. What is Fail2ban, you may ask? Simply put, it is software that helps reduce the risk of brute-force attacks. Anyone who has run a server before understands that the risk is real and you must prepare accordingly. Choosing to ignore this risk is unwise and can lead to your server being compromised.

How exactly does Fail2ban work, you might ask? It monitors your log files for failed login attempts against SSH or any other service that requires authentication. Setting it up is easy; I will include two guides here and here. If you have any trouble setting this up you can also comment on this post. If you don't like that, send me an email here. Once configured, it will monitor your /var/log/secure file for failed login attempts. You can easily configure the number of attempts allowed as well as the duration of the ban. The Wasteland is set for 5 failed attempts with a full day ban issued to offenders. Some may go for shorter bans, others may want fewer failed attempts before the ban. My only suggestion is to avoid setting the failed attempts to just one.
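To show what Fail2ban is actually doing against /var/log/secure, here is an added example (my own illustration, not Fail2ban's code) that reads constructed sshd log lines, counts "Failed password" events per source address, and bans a host once it reaches maxretry failures within a findtime window, using the post's 5 attempts and one-day ban. The 600-second findtime, the host name "wasteland", the log year and the sample addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:00:01 wasteland sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:04 wasteland sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:07 wasteland sshd[4025]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:00:09 wasteland sshd[4027]: Failed password for root from 203.0.113.7 port 51052 ssh2
Mar  3 10:00:12 wasteland sshd[4029]: Failed password for invalid user oracle from 203.0.113.7 port 51060 ssh2
Mar  3 10:01:30 wasteland sshd[4031]: Accepted publickey for rick from 198.51.100.5 port 40001 ssh2
Mar  3 10:02:00 wasteland sshd[4033]: Failed password for rick from 198.51.100.5 port 40002 ssh2
Mar  3 10:02:05 wasteland sshd[4035]: Failed password for rick from 198.51.100.5 port 40003 ssh2
"""

# Matches sshd's "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)


def find_bans(log_text, maxretry=5, findtime=600, bantime=86400, year=2024):
    """Return {ip: ban expiry} for hosts with maxretry failures inside findtime seconds.

    maxretry=5 and bantime=86400 mirror the post's settings; findtime is an assumed value.
    Syslog lines carry no year, so one is supplied to build full timestamps.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip]:
            continue  # already banned: the firewall drops these, so they are not counted
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans
```

With the defaults only 203.0.113.7 is banned (five failures in eleven seconds); the two failed attempts from 198.51.100.5 stay under the threshold.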

A good administrator knows this is only the first step in securing SSH on your server. The easiest and most important step is using a strong password. I will provide a couple of generator sites here and here. If you are running a highly sensitive server you should consider using multi-factor authentication. The most common method for this would be RSA SecurID; I have several for work. This is not a free option, however, and I aim to keep the Wasteland open source. For me, using a strong password, Fail2ban and a few of these suggestions is sufficient. I highly recommend disabling direct root login. A good majority of attackers will be trying for root, so denying direct root access just seems logical. You can quickly switch to root from any user account anyway. One more tip: make that user account name unique; avoid just using your first name or a dictionary word.

Some may wish to take it a step further. I can confirm that a good majority of the attacks I receive are from Chinese and Russian hosts. For a small-time blogger like me, blocking all hosts from those regions is worth considering. If you have no need to do business with China you can just block all hosts from there in your firewall. This may not be a viable solution, though, if you need to conduct business with that part of the world. I do not; I don't speak Mandarin nor do I have any current business interests there. The Wasteland is blocking all Chinese hosts at the firewall level. Russia is also famous for its less than savory activities on the internet. For those interested I will place links to sites that have countries broken down by their assigned IP blocks. I like this one best but found another worthy site to share.

There you have it: you can still leave SSH open in your firewall without having to fret about the threat of brute-force attacks. I hope you find this useful and, as always, feel free to comment with any questions or points I may have left out.


Published by

Rick

Thirty-something IT Professional
