Block Automated SSH Attacks

Systems connected to large networks are going to come under attack at some point, and if your server is on the internet you are under attack all the time. Most of this attack traffic is automated: scripts or bots scanning the network for servers they can connect to and then take control of.

SSH is one of the most commonly used protocols for managing servers, so you can expect to see a lot of connection attempts to your server over SSH. You can view these in your server's /var/log/auth.log file. This system log captures a great deal of information, so you need to filter for the specific term, ‘Authentication’:

sudo grep -i Authentication /var/log/auth.log | less

The SSH port is also one the firewall cannot protect: when you set up a firewall you would have blocked traffic to most other ports, but you have to leave SSH open in order to connect to your own server and administer it.

Note: I have also found that the lastb command shows a history of login attempts, even though the documentation (the man page) for this command says that it should only show a listing of the last logged-in users. I have verified that the users it shows have definitely not been logged in to my server.

The vast majority of these connections come from automated scripts, bots, or other infected servers scanning the network for servers they can connect to, so don’t take it personally when you see the number of attacks on your server. These bots are trying to brute-force their way in, that is, connect to the server with a likely username and then cycle through a whole list of likely passwords. For this reason, your primary and ultimate defence against these attacks is:

– Don’t log on to your server as root. In fact, disable the ability for the root user to log on over SSH
– Use a long & strong password for your logon

There are also additional steps you can take to limit the number of attempts a bot can try on your server.

Installing & Configuring Fail2Ban

Fail2ban is a program that runs on your server and monitors your SSH connections. It looks at the IP address of each client trying to connect and how many times it has tried and failed. Too many failed attempts from one IP address is a clear indicator of an automated attack, and fail2ban blocks that IP from connecting for a set time period.

To install fail2ban, run

sudo apt-get upgrade
sudo apt-get install fail2ban

Once installed, it is surprisingly easy to configure. The config settings are stored in /etc/fail2ban/jail.conf. It is recommended not to modify this file directly, but to create a jail.local copy and make your changes there.

cd /etc/fail2ban
sudo cp jail.conf jail.local

There are very few settings you need to edit in the jail.local file, and they are pretty self-explanatory:

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
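To make the interaction of these three settings concrete, here is the same sliding-window logic replayed over a few constructed auth.log lines in Python. This is an added example, not fail2ban's own code; the hostname, IP addresses and log lines are made up.

```python
import re
from datetime import datetime, timedelta

# Settings from the jail.local example above
BANTIME = 600    # seconds an offending IP stays banned
FINDTIME = 600   # window in which failures are counted
MAXRETRY = 3     # failures inside the window that trigger a ban

# Matches the "Failed password" lines sshd writes to /var/log/auth.log
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (documentation IP ranges, invented hostname "srv")
SAMPLE_LOG = """\
Mar 10 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 10 10:00:05 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar 10 10:00:09 srv sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 40141 ssh2
Mar 10 10:00:12 srv sshd[1207]: Failed password for root from 203.0.113.7 port 40150 ssh2
Mar 10 10:01:00 srv sshd[1210]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Mar 10 10:31:00 srv sshd[1300]: Failed password for alice from 198.51.100.4 port 51010 ssh2
Mar 10 10:40:00 srv sshd[1310]: Failed password for alice from 198.51.100.4 port 51020 ssh2
Mar 10 10:41:00 srv sshd[1320]: Accepted publickey for alice from 198.51.100.4 port 51030 ssh2
""".splitlines()

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year, so one is assumed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def simulate_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay log lines; return {ip: (banned_at, expires_at)} for every IP
    that reached maxretry failures within findtime seconds."""
    failures = {}   # ip -> timestamps of failures still inside the window
    bans = {}       # ip -> (banned_at, expires_at)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue   # not a failed SSH login, ignore
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and when < bans[ip][1]:
            continue   # still banned; the firewall would have dropped this
        window = [t for t in failures.get(ip, []) if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = (when, when + timedelta(seconds=bantime))
            failures[ip] = []   # counter starts over once the ban is applied
    return bans
```

With the defaults, 203.0.113.7 is banned on its third failure while 198.51.100.4 is not, because its three failures are spread over more than findtime seconds; raising findtime to 3600 bans it too.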

Finally, restart the fail2ban service to load your changes:

sudo service fail2ban restart

You can also check how many logins have been unsuccessful, and how many ‘attackers’ are currently banned, using the command below:

sudo fail2ban-client status sshd