dah85.com

*not* just another blog ;)

Setting up Fail2Ban

- Posted in Quick Tip

If you have a look in your server logs, you will most likely see an intrusion attempt every couple of seconds. This is anti-social behaviour which seems to stem from Chinese "hackers".

Here's how to make it a lot harder for them to actually gain access.

sudo apt update && sudo apt install fail2ban

Check that all is good and that it's running:

systemctl status fail2ban

And we can watch it work by looking at the log file, which in my case is at:

nano /var/log/fail2ban.log

You can see that it's finding patterns that match abuse, and will ban these bastards for 5 mins at a time. It won't stop them, but it will make it harder for them to brute force a password that way.

This is an excerpt from my log:

2017-10-12 13:59:42,654 fail2ban.filter [15200]: INFO [sshd] Found 221.194.47.236
2017-10-12 13:59:43,158 fail2ban.actions [15200]: NOTICE [sshd] Ban 221.194.47.236
2017-10-12 13:59:44,836 fail2ban.filter [15200]: INFO [sshd] Found 221.194.47.236
2017-10-12 13:59:56,473 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.95
2017-10-12 13:59:58,575 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.95
2017-10-12 14:00:01,356 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.95
2017-10-12 14:00:03,747 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.95
2017-10-12 14:00:06,404 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.95
2017-10-12 14:00:07,399 fail2ban.actions [15200]: NOTICE [sshd] Ban 59.45.175.95
2017-10-12 14:00:08,511 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.95
2017-10-12 14:00:57,705 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.11
2017-10-12 14:00:59,516 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.11
2017-10-12 14:01:05,281 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.11
2017-10-12 14:01:07,856 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.11
2017-10-12 14:01:13,863 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.11
2017-10-12 14:01:14,693 fail2ban.actions [15200]: NOTICE [sshd] Ban 59.45.175.11
2017-10-12 14:01:15,203 fail2ban.filter [15200]: INFO [sshd] Found 59.45.175.11
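
The Found/Ban pattern in the excerpt above can be tallied per address to see who is hammering the server and whether a ban actually fired. This is an added example, not part of the original post: the function names `f2b_summary` and `f2b_sample` are hypothetical, and the sample log lines are constructed using documentation-range addresses.

```shell
#!/bin/sh
# Added example: summarise a fail2ban log per jail and IP address.
# Counts "Found" (filter matched a failed attempt) and "Ban"/"Unban" actions.
# Reads the files given as arguments, or stdin when none are given.
f2b_summary() {
    awk '
    {
        # Find the action keyword; the jail name is the field before it
        # and the IP address is the field after it.
        for (i = 2; i < NF; i++) {
            if ($i == "Found" || $i == "Ban" || $i == "Unban") {
                key = $(i-1) " " $(i+1)
                seen[key] = 1
                n[key, $i]++
                break
            }
        }
    }
    END {
        for (k in seen)
            printf "%s found=%d ban=%d unban=%d\n", k, n[k,"Found"], n[k,"Ban"], n[k,"Unban"]
    }' "$@" | sort
}

# Constructed sample log (not real traffic), in the same line format as the
# excerpt above: one address is banned after five matches, one is not.
f2b_sample() {
    cat <<'EOF'
2017-10-12 14:00:01,000 fail2ban.filter [15200]: INFO [sshd] Found 203.0.113.7
2017-10-12 14:00:03,000 fail2ban.filter [15200]: INFO [sshd] Found 203.0.113.7
2017-10-12 14:00:05,000 fail2ban.filter [15200]: INFO [sshd] Found 198.51.100.23
2017-10-12 14:00:06,000 fail2ban.filter [15200]: INFO [sshd] Found 203.0.113.7
2017-10-12 14:00:08,000 fail2ban.filter [15200]: INFO [sshd] Found 203.0.113.7
2017-10-12 14:00:10,000 fail2ban.filter [15200]: INFO [sshd] Found 203.0.113.7
2017-10-12 14:00:11,000 fail2ban.actions [15200]: NOTICE [sshd] Ban 203.0.113.7
2017-10-12 14:00:12,000 fail2ban.filter [15200]: INFO [sshd] Found 203.0.113.7
2017-10-12 14:00:40,000 fail2ban.filter [15200]: INFO [sshd] Found 198.51.100.23
2017-10-12 14:05:11,000 fail2ban.actions [15200]: NOTICE [sshd] Unban 203.0.113.7
EOF
}
```

Try it with `f2b_sample | f2b_summary`, then run `f2b_summary /var/log/fail2ban.log` against the real log. An address with Found lines but no Ban has not yet tripped the jail's ban threshold.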