Securing Ubuntu System against brute force attacks

February 12, 2021

So you have installed a minimal setup of Ubuntu, set up SSH with public key authentication, disabled password authentication, and allowed only a single non-root user to access the server. You also configured a firewall, spending an entire night understanding the rules, and blocked everything except a few required ports. Does this mean that your server is secure and you are free to take a nice sound sleep? Nope.

Servers are exposed to the public network, and the SSH daemon, which is probably the only service you have open, can itself be a target. If you monitor the application logs and access logs, you will find repeated, systematic login attempts: these are brute force attacks.

Fail2ban is a service that monitors logs in real time and modifies iptables rules to block suspected IP addresses. It is an intrusion-prevention framework written in Python, and it can be set up to monitor the logs of the SSH daemon and of web servers. In this recipe, we will discuss how to install and configure fail2ban.

Prerequisites

You will need access to a root account or an account with similar privileges.

Secure Ubuntu against brute force attacks:

Follow these steps to secure against brute force attacks:

  • Fail2ban is available in the Ubuntu package repository, so we can install it with a single command, as follows:
$ sudo apt-get update 
$ sudo apt-get install fail2ban
  • Create a copy of the fail2ban configuration file for local modifications:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • Open a new configuration file in your favorite editor:
$ sudo nano /etc/fail2ban/jail.local
  • You may want to modify the settings listed under the [DEFAULT] section:
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
  • Add your own IP address to the ignoreip list.

  • Next, set your e-mail address if you wish to receive e-mail notifications of the ban action:

destemail = you@provider.com 
sendername = Fail2Ban 
mta = sendmail
  • Set the required value for the action parameter (action_mwl bans the address and e-mails a whois report together with the matching log lines):
action = %(action_mwl)s
  • Enable the services you want monitored by setting enabled = true in each jail. The SSH jail is enabled by default:
[ssh]

enabled = true
port	= ssh
filter	= sshd
logpath	= /var/log/auth.log
maxretry = 6
  • Set other parameters if you want to override the default settings.

  • Fail2ban provides default configuration options for various applications. These configurations are disabled by default. You can enable them depending on your requirement.

  • Restart the fail2ban service:

$ sudo service fail2ban restart
  • Check iptables for the rules created by fail2ban:

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -s 61.82.71.252/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
  • Try some failed SSH login attempts, preferably from some other system.

  • Check iptables again. You should find new rules that reject the IP address from which the failed login attempts came:

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -s 61.82.71.252/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN

How Fail2ban works:

Fail2ban works by monitoring the specified log files as new entries are written to them. It uses regular expressions called filters to detect log entries that match specific criteria, such as failed login attempts. The default installation of fail2ban provides various filters, which can be found in the /etc/fail2ban/filter.d directory. You can always create your own filters and use them to detect log entries that match your criteria.

Once it detects the configured number of matching entries (maxretry) from the same IP address within the findtime window, fail2ban adjusts the firewall settings to reject that IP address for the configured period (bantime).
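To make the filter, findtime, maxretry and bantime interaction concrete, here is a small Python model of a jail, added to this post as an illustration and not taken from fail2ban's own code. It assumes a simplified form of the sshd filter's failregex, constructed auth.log lines, and a year for the syslog timestamps (which carry none).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified form of the sshd filter's failregex (fail2ban writes <HOST>
# where this uses the host group). Assumes the syslog layout of auth.log.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>[\d.]+) port \d+"
)

class Jail:
    def __init__(self, findtime=600, maxretry=3, bantime=600, ignoreip=("127.0.0.1",)):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.ignoreip = set(ignoreip)    # exact addresses; real ignoreip also takes CIDR
        self.hits = defaultdict(deque)   # host -> timestamps of recent filter matches
        self.banned = {}                 # host -> epoch second at which the ban expires

    def feed(self, line, year=2021):
        """Return the host if this log line triggers a new ban, otherwise None."""
        m = FAILREGEX.search(line)
        if not m or m["host"] in self.ignoreip:
            return None
        host = m["host"]                 # syslog has no year, so one is assumed
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        if self.banned.get(host, 0) > now:
            return None                  # ban still active, nothing to add
        q = self.hits[host]
        q.append(now)
        while now - q[0] > self.findtime:    # forget matches older than findtime
            q.popleft()
        if len(q) >= self.maxretry:          # maxretry matches inside findtime: ban
            self.banned[host] = now + self.bantime
            q.clear()
            return host
        return None

def bans_for(lines, **settings):
    """Feed auth.log lines to a jail and return the banned hosts in ban order."""
    jail = Jail(**settings)
    return [h for h in (jail.feed(line) for line in lines) if h]

# Constructed sample of /var/log/auth.log, not a real capture.
SAMPLE_LOG = [
    "Feb 12 10:00:01 web1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Feb 12 10:00:04 web1 sshd[1002]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Feb 12 10:00:06 web1 sshd[1003]: Failed password for root from 127.0.0.1 port 40000 ssh2",
    "Feb 12 10:00:09 web1 sshd[1004]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Feb 12 10:00:11 web1 sshd[1006]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "Feb 12 10:00:12 web1 sshd[1007]: Failed password for root from 198.51.100.7 port 50002 ssh2",
    "Feb 12 10:15:00 web1 sshd[1008]: Failed password for root from 198.51.100.7 port 50003 ssh2",
]
```

With the defaults from the [DEFAULT] section above, 203.0.113.5 is banned on its third failure, the loopback address is ignored, and 198.51.100.7 is never banned because its third failure falls outside the 600-second findtime.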

Check out the article about defending against brute force attacks at http://www.la-samhna.de/library/brutessh.html.

The preceding article shows multiple options to defend against SSH brute force attacks. As mentioned in the article, you can use iptables to slow down brute force attacks by temporarily blocking IP addresses:

# The first rule only records the new connection; the rule that normally accepts port 22 must come later in the chain.
$ iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$ iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
$ iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

These commands create iptables rules that permit only three new SSH connections per minute from one address. After three attempts, whether they are successful or not, the attempting IP address is logged and blocked for another 60 seconds.
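The following Python model, added here and not taken from the linked article, reproduces the bookkeeping of the iptables recent module behind those three rules. It assumes all three rules match only NEW connections and that the first rule has no target (so a connection that is not dropped continues to whatever later rule accepts port 22); --rttl and the kernel's cap on stored timestamps per address are not modelled.

```python
from collections import defaultdict

class RecentList:
    """Model of one xt_recent table (--name SSH): a list of timestamps per source."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # -m recent --set: record this packet's time for src (rule 1, no target)
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # -m recent --update --seconds S --hitcount N: match if src has at least
        # N stamps within the last S seconds. A match also records the current
        # time, which is what keeps extending the block while attempts continue.
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False

def ssh_chain(table, src, now, seconds=60, hitcount=4):
    """Walk the three rules for one NEW connection; return (verdict, logged)."""
    table.set(src, now)                                  # rule 1: --set
    logged = table.update(src, now, seconds, hitcount)   # rule 2: -j LOG (non-terminating)
    dropped = table.update(src, now, seconds, hitcount)  # rule 3: -j DROP
    return ("DROP" if dropped else "CONTINUE"), logged

def simulate(attempts, seconds=60, hitcount=4):
    """attempts: (time_in_seconds, source) pairs in arrival order; returns verdicts."""
    table = RecentList()
    return [ssh_chain(table, src, t, seconds, hitcount)[0] for t, src in attempts]

# Constructed sequence: one address hammers port 22 while a second connects once.
ATTEMPTS = [(0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
            (30, "203.0.113.5"), (50, "203.0.113.5"), (55, "198.51.100.7"),
            (130, "203.0.113.5")]
```

The fourth connection from 203.0.113.5 inside 60 seconds is dropped, the fifth at t=50 is still dropped because the window is refreshed, and the attempt at t=130 passes again once no stamps remain within the last 60 seconds.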

Satish Kumar

I am Satish Kumar, Founder of LinuxConcept, a Linux and F.O.S.S. enthusiast who loves to work on open source platforms and technologies.
