Block Automated SSH Attacks

Systems that are connected to large networks are going to come under attack at some point, and if your server is on the internet you are under attack all the time. Most of this attack traffic is automated: scripts or bots (automated robots) scan the network for servers they can connect to and then take control of.

SSH is one of the most commonly used protocols for managing servers, and you can expect to see a lot of connection attempts to your server over SSH. You can view these in your server's /var/log/auth.log file. This system log file captures a great deal of log information, so you need to filter for the specific term ‘Authentication’.

The SSH port is also left unprotected: when you set up a firewall, you would have blocked traffic to most other ports, but not this one. You have to leave SSH open in order to be able to connect to your own server to administer it.

Note: I have also found that the lastb command shows a history of login attempts, even though the documentation (the man page) for this command says that it should only show a listing of the last logged-in users. I have verified that the users it shows have definitely not been logged in to my server.

The vast majority of these connections come from automated scripts, bots, or other infected servers scanning the network for servers they can connect to, so don’t take it personally when you see the number of attacks on your server. These bots are trying to brute force their way in: they connect to the server using a likely username and then cycle through a whole list of likely passwords. For this reason, your primary and ultimate defence against these attacks is:

– Don’t log on to your server as root. In fact, disable the ability for the root user to log on over SSH.
– Use a long & strong password for your logon.

There are also additional steps you can take to limit the number of attempts a bot can try on your server.

Installing & Configuring Fail2Ban

Fail2ban is a program that runs on your server and monitors your SSH connections. It looks at the IP address of each client trying to connect, and how many times that client has tried and failed to connect. If there are too many failed connection attempts from an IP, that is a clear indicator that this is an automated attempt, and fail2ban blocks that IP from connecting for a set time period.
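The counting rule described above, as an added example that is not part of the original post and is not fail2ban's own code: a simplified model run over constructed auth.log lines. The parameter names maxretry, findtime and bantime match fail2ban's settings; the function find_bans, the sample lines, the supplied year and the thresholds used are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd password failures as they appear in /var/log/auth.log (syslog format).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def find_bans(lines, maxretry=5, findtime=600, bantime=600, year=2024):
    """Return (ip, ban_start, ban_end) for each IP that reaches maxretry
    failures within findtime seconds. Simplified model, not fail2ban code."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other daemons
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned: do not count again
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()
    return bans

# Constructed sample lines; hosts, users and addresses are made up.
SAMPLE = [
    "Mar  3 10:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Mar  3 10:15:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "Mar  3 10:15:05 web1 sshd[2104]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Mar  3 10:15:07 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2",
    "Mar  3 10:16:00 web1 sshd[2140]: Accepted password for alice from 192.0.2.10 port 52000 ssh2",
    "Mar  3 10:40:00 web1 sshd[2188]: Failed password for root from 198.51.100.7 port 51044 ssh2",
]

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE, maxretry=3):
        print(f"ban {ip} from {start} until {end}")
```

The second address fails twice but 25 minutes apart, so with a 10 minute findtime it never accumulates enough failures to be banned; widening findtime changes that.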

To install fail2ban, run

Once installed, it is surprisingly easy to configure. The config settings are stored in /etc/fail2ban/jail.conf. It is recommended not to modify this file directly, but to create a jail.local copy and make your changes there.

There are very few settings you need to edit in the jail.local file, and they are pretty self-explanatory:

Finally, restart the fail2ban service to load your changes

You can also check how many logins have been unsuccessful, and how many ‘attackers’ are currently being banned using the command below