Ahmet Turkmen

Posted Feb 24, 2021 • Originally published at []

fail2ban: block SSH brute-force attacks 🇬🇧


A while ago, I was checking the servers' logs for suspicious activity coming from outside. I noticed that both the staging/testing and the production servers were receiving a lot of SSH brute-force attempts from a variety of countries, which are shown in the table below.

List of IP addresses doing SSH brute forcing

Country Code | Location | Postal Code | Approximate Coordinates* | Accuracy Radius (km) | ISP | Organization
VN | Ho Chi Minh City, Ho Chi Minh, Vietnam, Asia | | 10.8104, 106.6444 | 1 | Viettel Group | Viettel Group
 | North Holland, Netherlands, Europe | 1098 | 52.352, 4.9392 | 1000 | Digital Ocean | Digital Ocean
IN | Bhopal, Madhya Pradesh, India, Asia | 462030 | 23.2487, 77.4066 | 50 | BSNL | BSNL
 | Asia | | 9.7774, 105.4592 | 50 | VNPT | VNPT
 | Da Nang, Vietnam, Asia | | 16.0685, 108.2215 | 1 | Viettel Group | Viettel Group
IN | Kolkata, West Bengal, India, Asia | 700006 | 22.5602, 88.3698 | 10 | Meghbela Broadband | Meghbela Broadband
 | Tinh Thai Binh, Vietnam, Asia | | 20.4487, 106.3343 | 100 | VNPT | VNPT
TH | Bangkok, Bangkok, Thailand, Asia | 10310 | 13.7749, 100.5197 | 20 | AIS Fibre | AIS Fibre
VN | Da Nang, Da Nang, Vietnam, Asia | | 16.0685, 108.2215 | 20 | Viettel Group | Viettel Group
 | Ho Chi Minh, Vietnam, Asia | | 10.8104, 106.6444 | 1 | Viettel Group | Viettel Group

* Information in the table gathered from: []

Ban failed attempts

Although the servers have password login disabled, the brute forcing on the SSH port keeps coming. fail2ban was the obvious solution for blocking those IP addresses, either permanently or temporarily. I preferred to block them all permanently until I unblock them manually.

Installing fail2ban is straightforward: the usual apt-get update && apt-get install fail2ban. Once the installation is complete, the configuration is the more important part.

The following steps will guide you to block any IP address that is brute forcing SSH.

  • Copy the template file

$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Set Ban time

The ban time can be set to be permanent or temporary. I preferred permanent, so I changed bantime = -1 in the jail.local copy made in the previous step (jail.local overrides jail.conf, so the change has to go there). Save and exit the file when you are done.

$ vim /etc/fail2ban/jail.local

# Permanent ban (in the [DEFAULT] section)
bantime = -1
  • Create custom rules for SSH

$ vim /etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
port = ssh
filter = sshd
# location of the SSH logs
logpath = /var/log/auth.log
# maximum number of attempts a user can make before being banned
maxretry = 4

(* The maxretry value and the log file can be changed according to your setup.)
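To see what maxretry and filter = sshd actually do with the log, here is a small added shell script (written for these notes; it is not part of the original post or of fail2ban) that tallies failed SSH logins per source IP from a constructed auth.log and lists the addresses that have reached the threshold. The log lines, the hostname srv and the documentation-range IPs are all made up for the demo, and only two of the message forms the real sshd filter knows ("Failed password" and "Invalid user") are matched.

```shell
#!/bin/sh
# Added example (not from the original post): a stand-alone replay of what the
# sshd jail does with "maxretry". It tallies failed SSH logins per source IP from
# auth.log-style lines and lists the IPs that have reached the threshold.
# The log lines below are constructed for the demo; 203.0.113.x, 198.51.100.x
# and 192.0.2.x are documentation address ranges, not real hosts.

# Write a small constructed auth.log to the path given in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Feb 24 10:01:02 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 24 10:01:05 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 24 10:01:09 srv sshd[1203]: Invalid user admin from 203.0.113.7 port 51030
Feb 24 10:01:12 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Feb 24 10:02:41 srv sshd[1210]: Failed password for ubuntu from 198.51.100.22 port 40011 ssh2
Feb 24 10:02:50 srv sshd[1211]: Accepted publickey for deploy from 192.0.2.10 port 39990 ssh2: ED25519 SHA256:xxxx
Feb 24 10:03:01 srv sshd[1212]: Failed password for ubuntu from 198.51.100.22 port 40015 ssh2
EOF
}

# Count failed attempts per source IP ("<ip> <count>" per line, sorted by IP).
# Only "Failed password" and "Invalid user" lines are matched here; the real
# sshd filter of fail2ban covers more message variants.
count_failures() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print ip, n[ip] }
    ' "$1" | sort
}

# Print the IPs whose failure count has reached maxretry ($2), one per line.
offenders() {
    count_failures "$1" | awk -v max="$2" '$2 >= max { print $1 }'
}

main() {
    log=$(mktemp)
    make_sample_log "$log"
    echo "failures per IP:"
    count_failures "$log"
    echo "would be banned with maxretry=4:"
    offenders "$log" 4
    rm -f "$log"
}

main
```

With the sample above, 203.0.113.7 reaches four failures (two password failures, one invalid-user line and one failure for that invalid user) and is the only address reported for maxretry = 4; the successful publickey login is never counted.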

Make the rules persistent

Making the rules persistent means that the banned IPs are not lost when the fail2ban service or the server restarts. This requires a small trick in the iptables action that fail2ban uses: add the following cat and echo commands at the end of actionstart and actionban respectively.

$ vim /etc/fail2ban/action.d/iptables-multiport.conf

# actionstart: after creating the chain, re-insert every IP recorded for this
# jail in persistent.bans (the file is written by actionban below)
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
              | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# actionban: block the IP and record it so that actionstart can restore it later
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans

  • Save and restart the service

$ systemctl restart fail2ban
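The restore step added to actionstart can be tried without touching iptables. The following added shell script (mine, not the post's or fail2ban's code) reads a constructed persistent.bans file, picks the entries for one jail the way the post's awk command does, validates and de-duplicates the addresses, and prints the iptables command the action would run for each instead of running it. The file content, the jail names and the blocktype argument (REJECT here) are assumptions for the demo; it also goes slightly beyond the post's one-liner by rejecting malformed lines and a missing file, both of which would otherwise turn into a broken iptables rule at start.

```shell
#!/bin/sh
# Added example (not from the original post): a stand-alone, dry-run version of
# the restore logic the post appends to "actionstart". It reads a persistent.bans
# file, keeps only the lines for one jail, validates and de-duplicates the IPv4
# addresses, and prints the iptables command the real action would execute for
# each. Nothing here touches iptables.
# The bans file content is constructed for the demo (documentation addresses).

# Write a constructed persistent.bans to the path given in $1. It contains a
# duplicate, an entry for another jail and a malformed line on purpose.
make_sample_bans() {
    cat > "$1" <<'EOF'
fail2ban-sshd 203.0.113.7
fail2ban-sshd 198.51.100.22
fail2ban-sshd 203.0.113.7
fail2ban-apache 192.0.2.55
fail2ban-sshd not-an-ip
EOF
}

# Print the unique, syntactically valid IPv4 addresses recorded for jail $2 in
# bans file $1. Same selection as the post's awk '/^fail2ban-<name>/ {print $2}'
# with validation added: a malformed line would otherwise become a broken
# iptables rule and abort the action start.
restore_list() {
    # A missing file (first start) yields an empty list rather than an error.
    [ -r "$1" ] || return 0
    awk -v jail="fail2ban-$2" '
        function ok_ip(s,   p, i) {
            if (split(s, p, ".") != 4) return 0
            for (i = 1; i <= 4; i++) if (p[i] !~ /^[0-9]+$/ || p[i] > 255) return 0
            return 1
        }
        $1 == jail && ok_ip($2) && !seen[$2]++ { print $2 }
    ' "$1"
}

# Emit the iptables commands the action would run, instead of running them.
# $3 is the blocktype the post's action uses (e.g. REJECT or DROP).
replay_bans() {
    restore_list "$1" "$2" | while read -r ip; do
        echo "iptables -I fail2ban-$2 1 -s $ip -j $3"
    done
}

main() {
    bans=$(mktemp)
    make_sample_bans "$bans"
    echo "addresses to re-ban for jail sshd:"
    restore_list "$bans" sshd
    echo "commands the action would run:"
    replay_bans "$bans" sshd REJECT
    rm -f "$bans"
}

main
```

For the sample file this yields two sshd addresses (the duplicate 203.0.113.7 collapsed into one, the malformed line dropped, the apache entry ignored) and two iptables commands; replacing the echo with the real iptables call gives the same behaviour as the post's actionstart, with the validation in front of it.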

These are the most basic steps to block IP addresses that are actively brute forcing the servers. After some time, I am able to see them with the following command :)

$ sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
| |- Currently failed:  12
| |- Total failed:  107
| `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 16
   |- Total banned: 16
   `- Banned IP list:


The list keeps growing over time, but at least they are no longer able to brute force the server from the same IP addresses. There are plenty of other ways to make the SSH port more secure, but I think an up-to-date ssh daemon/client, passwordless (key-based) login and fail2ban will be enough in most cases. While I was doing this, although there are plenty of guides out there, I wanted to note down how I did it so I can come back and check if something happens.

Take care!
