Friday, January 1, 2010

Securing an ssh server with fail2ban

There are all kinds of ways to secure an ssh server, with varying degrees of increasing security and decreasing flexibility. For example, by limiting your server to accept connections only from certain known IPs, you are safe from random attackers on the internet, but you lose the ability to connect to your machine from anywhere you want, for example while travelling.

Port knocking, or listening on a high-numbered non-standard port, makes it harder for an attacker to even start trying to attack your connection. But this also requires that you connect from a machine with the knock program installed. Again, less convenient, more secure.

However, once an attacker does find your port there's nothing to stop brute-force password guessing. If you look in your log file, you should see people connecting to your ssh port quite frequently and trying password attacks:

cat /var/log/auth.log

If you have a secure password then it would take days of brute-force guessing to gain access to your ssh account, but even so, if you don't watch your logs it's perfectly possible that somebody will gain access eventually.

Brute-force attacks can be limited using fail2ban. There's a great article on setting it up here. This program scans your auth.log for you, using a regular expression to find failed password attempts. After a specified number of failures from a given IP, it modifies the iptables rules on your machine (the firewall) to lock that IP out for a specified time.
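To make the mechanism concrete, here is an added example (not fail2ban's own code, and not from the original post) that replays the same logic over a constructed auth.log excerpt: a failregex picks out sshd "Failed password" lines, each source IP's failures are counted inside a sliding window (fail2ban calls these maxretry and findtime), and once the threshold is hit the IP is recorded as banned for bantime seconds together with the iptables rule such a ban would add. The sample log lines, the year 2010 used to complete the syslog timestamps, and the simplified single-chain iptables rule are all assumptions; real fail2ban keeps its own chain and actually runs the command, while this script only returns it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample auth.log excerpt (OpenSSH "Failed password" lines as syslog writes them).
# 203.0.113.7 and 198.51.100.20 are documentation addresses, not real hosts.
SAMPLE_AUTH_LOG = """\
Jan  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  1 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jan  1 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan  1 10:00:12 host sshd[1207]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Jan  1 10:00:14 host sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Jan  1 10:00:18 host sshd[1211]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Jan  1 10:00:20 host sshd[1213]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Jan  1 10:30:00 host sshd[1301]: Failed password for bob from 198.51.100.20 port 40002 ssh2
Jan  1 10:31:00 host sshd[1303]: Failed password for bob from 198.51.100.20 port 40003 ssh2
Jan  1 10:32:00 host sshd[1305]: Failed password for bob from 198.51.100.20 port 40004 ssh2
Jan  1 10:33:00 host sshd[1307]: Failed password for bob from 198.51.100.20 port 40005 ssh2
"""

# The "failregex": one sshd failed-password line, capturing the syslog stamp and the source IP.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

LOG_YEAR = 2010  # syslog stamps carry no year; assumed for the constructed sample


class Ban(NamedTuple):
    ip: str
    banned_at: datetime
    until: datetime
    rule: list  # the iptables command this ban would issue (built, never executed here)


def parse_failure(line):
    """Return (timestamp, ip) for a failed-password line, or None for any other line."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def iptables_drop_rule(ip):
    """Simplified form of the rule fail2ban's iptables action adds (assumption: real fail2ban uses its own chain)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def scan(lines, maxretry=5, findtime=600, bantime=3600):
    """Replay log lines; ban an IP after `maxretry` failures within `findtime` seconds, for `bantime` seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned_until = {}             # ip -> datetime the ban expires
    bans = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already blocked; with the rule in place the firewall would drop this attempt
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            banned_until[ip] = until
            bans.append(Ban(ip, ts, until, iptables_drop_rule(ip)))
            q.clear()
    return bans


if __name__ == "__main__":
    for b in scan(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{b.banned_at:%H:%M:%S} ban {b.ip} until {b.until:%H:%M:%S}: {' '.join(b.rule)}")
```

With the defaults, 203.0.113.7 is banned at its fifth failure (10:00:18) while 198.51.100.20 is not: its first failure falls outside the 600-second window by the time the fifth one arrives, so the window only ever holds four. Lowering maxretry to 3 bans both, which is the trade-off the findtime and maxretry settings let you tune: a tighter threshold catches slow guessing but also locks out a legitimate user who mistypes a password a few times.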

Now instead of watching your auth.log fill up with reams of failed passwords, you'll see a greatly reduced number of brute-force attacks, and you can watch your fail2ban log file fill up with the IP addresses of the attackers it has banned.

Steve Hanov said...

I just checked and break-in attempts have been happening all night for lord knows how long! Thanks for the tip.

Justin said...

It's sure nice to watch the list of people being banned instead of the list of people hitting your machine every few seconds.