Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example,
To assist in further locking down the exposed SSH endpoint I manage
Installing Fail2Ban is simple and can be completed in a few steps, assuming you have su or root access to the system you are managing.
Here are steps you might follow to accomplish this:
Log into your system and issue the following commands to update it:
sudo apt-get update
sudo apt-get upgrade -y
Next, install the Fail2Ban software via apt-get:
sudo apt-get install fail2ban
Edit Fail2Ban to work with your SSH configuration by opening the ‘/etc/fail2ban/jail.local’ file with the following command:
sudo nano /etc/fail2ban/jail.local
Add the following to the file /etc/fail2ban/jail.local:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3
Restart the Fail2Ban service or reboot your host:
sudo service fail2ban restart
To view banned IPs, use the following command:
sudo iptables -L -n --line
At the end of the day, a secure password will always protect you, as this solution will only slow the bad actor down; it doesn’t stop them.