
Securing Ubuntu System against brute force attacks

Update on:
Sep 28, 2021

So you have installed a minimal Ubuntu setup, set up SSH with public key authentication and disabled password authentication, and allowed only a single non-root user to access the server. You have also configured a firewall, spending an entire night understanding the rules, and blocked everything except a few required ports. Does this mean that your server is secure and you are free to enjoy a sound night's sleep? Nope.

Servers are exposed to the public network, and the SSH daemon, which is probably the only service still open, can itself be attacked. If you monitor the application logs and access logs, you will find repeated, systematic login attempts: these are brute force attacks.

Fail2ban is a service that monitors logs in real time and modifies iptables rules to block suspicious IP addresses. It is an intrusion-prevention framework written in Python, and it can be set up to watch the logs of the SSH daemon, web servers and other services. In this recipe, we will discuss how to install and configure fail2ban.

Prerequisites

You will need access to a root account or an account with similar privileges.

Secure Ubuntu against brute force attacks:

Follow these steps to secure against brute force attacks:

  • Fail2ban is available in the Ubuntu package repository, so we can install it with a single command, as follows:

```bash
$ sudo apt-get update
$ sudo apt-get install fail2ban
```
  • Create a copy of the fail2ban configuration file for local modifications (jail.conf is overwritten on package upgrades; jail.local is not):

```bash
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```
  • Open the new configuration file in your favorite editor:

```bash
$ sudo nano /etc/fail2ban/jail.local
```
  • You may want to modify the settings listed under the [DEFAULT] section. The values below mean: addresses in ignoreip are never banned, a ban lasts bantime seconds, and a host is banned once it produces maxretry failures within a window of findtime seconds:

```ini
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
```
  • Add your own IP address to the ignoreip list so that a typo in your password never locks you out of the server.

  • Next, set your e-mail address if you wish to receive e-mail notifications of the ban action:

```ini
destemail = you@provider.com
sendername = Fail2Ban
mta = sendmail
```
  • Set the required value for the action parameter. action_mwl bans the address and sends an e-mail containing a whois report and the matching log lines; note the %(...)s interpolation syntax used by fail2ban's configuration files:

```ini
action = %(action_mwl)s
```
  • Enable the services you want to be monitored by setting enabled = true in each service's jail section. The SSH jail is enabled by default:

```ini
[ssh]
enabled = true
```

  The full jail definition in the file names the port, the filter from /etc/fail2ban/filter.d to apply, the log file to watch and a per-jail maxretry that overrides the [DEFAULT] value:

```ini
[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
maxretry = 6
```
  • Set other parameters if you want to override the default settings.

  • Fail2ban provides default configuration options for various applications. These configurations are disabled by default. You can enable them depending on your requirement.

  • Restart the fail2ban service so that it reads the new configuration:

```bash
$ sudo service fail2ban restart
```
  • Check iptables for the chain and rules created by fail2ban:

```bash
$ sudo iptables -S
```
  • Try some failed SSH login attempts, preferably from some other system.

  • Check iptables again. You should find a new rule in the fail2ban-ssh chain that rejects the IP address with the failed login attempts:

```text
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -s 61.82.71.252/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
```

How Fail2ban works:

Fail2ban works by watching the specified log files as new entries are appended to them. It uses regular expressions, called filters, to detect log entries that match specific criteria, such as failed login attempts. The default installation of fail2ban ships with filters for many services; they live in the /etc/fail2ban/filter.d directory. You can always write your own filters to detect log entries that match your own criteria.

Once it detects more than the configured number of matching log entries (maxretry) from the same IP address within the configured time window (findtime), fail2ban adjusts the firewall rules to reject that IP address for the configured ban period (bantime), after which the rule is removed again.

Check out the article about defending against brute force attacks at http://www.la-samhna.de/library/brutessh.html.

The article linked above shows several options for defending against SSH brute force attacks. As it explains, you can use iptables alone, without fail2ban, to slow down brute force attacks by rate limiting new connections per source address:

```bash
# Record every new SSH connection in the "recent" list named SSH.
# No target here: the packet continues to the rules below.
$ iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Log, then drop, a new connection if the same source already made 4 or more
# within the last 60 seconds. Restricting to --state NEW keeps an established
# session's own packets from being counted and cut off.
$ iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
$ iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
```

These rules permit only three new SSH connections per minute from any one source address. After three attempts, whether they succeeded or not, further connection attempts from that IP address are logged and dropped until 60 seconds have passed; an SSH session that is already established is not affected.
