DEV Community

Ahmet Turkmen
Ahmet Turkmen

Posted on • Originally published at mrturkmen.com on <time datetime="2021-02-24T12:00:00Z" class="date-no-year">Feb 24</time>

fail2ban: block ssh bruteforce attacks 🇬🇧

fail2ban

A while ago, I was checking servers’ logs to see any suspicious activities going on from outside. I noticed that the servers both staging/testing and production servers are receiving a lot of brute force SSH attacks from variety of countries which are shown in table below.


List of IP Addresses ( who are doing SSH Brute Forcing )

IP Address Country Code Location Network Postal Code Approximate Coordinates* Accuracy Radius (km) ISP Organization Domain Metro Code
171.239.254.84 VN Ho Chi Minh City, Ho Chi Minh, Vietnam, Asia 171.239.254.0/23 10.8104,106.6444 1 Viettel Group Viettel Group viettel.vn
North Holland, Netherlands, Europe 159.65.192.0/20 1098 52.352, 4.9392 1000 Digital Ocean Digital Ocean
117.217.35.114 IN Bhopal,Madhya Pradesh, India, Asia 117.217.35.0/24 462030 23.2487,77.4066 50 BSNL BSNL
Asia 113.164.79.0/24 9.7774, 105.4592 50 VNPT VNPT 61.14.228.170
Da Nang, Vietnam, Asia 116.110.30.0/23 16.0685,
108.2215 1 Viettel Group Viettel Group
43.239.80.181 IN Kolkata, West Bengal, India, Asia 43.239.80.0/24 700006 22.5602, 88.3698 10 Meghbela Broadband Meghbela Broadband PMPL-Broadband.net
Tinh Thai Binh, Vietnam, Asia 14.255.136.0/23 20.4487,
106.3343 100 VNPT VNPT vnpt.vn
184.22.195.230 TH Bangkok, Bangkok, Thailand, Asia 184.22.195.0/24 10310 13.7749, 100.5197 20 AIS Fibre AIS Fibre myaisfibre.com
116.110.109.90 VN Da Nang, Da Nang, Vietnam, Asia 116.110.109.0/24 16.0685, 108.2215 20 Viettel Group Viettel Group
Ho Chi Minh, Vietnam, Asia 115.76.168.0/23 10.8104,
106.6444 1 Viettel Group Viettel Group viettel.vn

** Information on the table gathered from: [https://www.maxmind.com/en/geoip-demo]


Ban failed attempts

Although servers have no password login, they are kept brute forcing on SSH port. Well, fail2ban was one of obvious solution to block those IP addresses permanently or temporarily. I prefered to block them all permanently until manual unblocking has been done by me.

The steps for installing fail2ban is pretty obvious, you are doing same things like, apt-get update && apt-get install fail2ban. After installation completed, configuration is much more important.

Following steps will guide you to block any ip address who are brute forcing on SSH.


  • Copy template file
   $ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Enter fullscreen mode Exit fullscreen mode

Set Ban time

It is possible to set ban time permanent or temporarily. I preffered to setup permanent, so for this reason I have changed bantime = -1. Save and exit from the file when you are done.

$ vim /etc/fail2ban/jail.conf

# Permanent ban 
bantime = -1 

Enter fullscreen mode Exit fullscreen mode
  • Create custom rules for SSH

 $ vim /etc/fail2ban/jail.d/sshd.local

   [sshd]
   enabled = true
   port = ssh
   filter = sshd
   logpath = /var/log/auth.log # place of ssh logs 
   maxretry = 4 # maximum number of attempts that user can do 

Enter fullscreen mode Exit fullscreen mode

(*Maxretry value and log file can be changed according to your setup.)

Make the rules persistent

In order to make the rules persistent which means, the blocked IPs will not be deleted after restart of fail2ban service or restart of server. It requires to have some tricks to be done inside iptables rules under fail2ban. Add following cat and echo commands at the end of actionstart and actionban respectively .

$ vim /etc/fail2ban/action.d/iptables-multiport.conf 

                        .
                        .
                        .

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
          cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
          | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

                       .
                       .
                       .

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
        echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans

Enter fullscreen mode Exit fullscreen mode
  • Save and restart service
$ systemctl restart fail2ban

Enter fullscreen mode Exit fullscreen mode

These are most basic steps to block IP addresses who are actively brute forcing to servers. After some time, I am able to see them with following command :)


$ sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
| |- Currently failed:  12
| |- Total failed:  107
| `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 16
   |- Total banned: 16
   `- Banned IP list:   171.239.254.84 184.102.70.222 180.251.85.85 103.249.240.208 159.65.194.150 117.217.35.114 113.164.79.129 61.14.228.170 116.110.30.245 43.239.80.181 77.222.130.223 14.255.137.219 184.22.195.230 125.25.82.12 116.110.109.90 115.76.168.231

Enter fullscreen mode Exit fullscreen mode

It is growing in time however at least they are not able to brute force the server with same IP addresses. There are plenty of other ways to make SSH port much more secure and effective however I think having updated ssh daemon/client, passwordless login and fail2ban will be enough in most of the cases. Therefore, while I was doing this stuff, although there are plenty of guides over there, I wanted to note down how I did it to come back and check if something happens.

Take care !

Discussion (0)