
How to Configure Fail2Ban for SSH
Fail2Ban is intrusion prevention software that helps protect your server from unauthorized access by monitoring log files and banning IP addresses that exhibit malicious behavior, such as repeated failed logins. Configuring Fail2Ban specifically for SSH can greatly enhance your server’s security. This tutorial will guide you through the steps to set up and configure Fail2Ban for SSH.
1. Installing Fail2Ban
If you haven’t installed Fail2Ban yet, you can do so with the following commands:
- For Ubuntu:
sudo apt update
sudo apt install fail2ban
- For CentOS:
sudo yum install fail2ban
2. Configuring Fail2Ban for SSH
After installing Fail2Ban, the next step is to configure it to monitor SSH. The main configuration file is located at /etc/fail2ban/jail.conf, but it is recommended to create a separate local configuration file to avoid overwriting changes during updates:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now edit the jail.local file:
sudo nano /etc/fail2ban/jail.local
2.1. Enabling the SSH Jail
In the jail.local file, find the section for SSH:
[sshd]
enabled = true
Make sure the enabled directive is set to true. You can also adjust other settings like:
- port: Specify the port you are using for SSH (default is 22).
- filter: The filter that monitors SSH logs, typically set correctly by default.
- logpath: The path to the SSH log file (usually /var/log/auth.log or /var/log/secure).
- maxretry: The number of failed login attempts before banning the IP.
Example:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
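A quick way to confirm which [sshd] values are actually in effect after editing, as an added example that is not part of the original tutorial or of Fail2Ban itself. It relies on the fact that a key missing from a jail section falls back to [DEFAULT]; the function names, the sample file and the jail name "example-jail" are made up for illustration.

```shell
# Added example, not Fail2Ban code. Prints the effective value of KEY for JAIL:
# a value set in [JAIL] wins, otherwise the one in [DEFAULT] applies.
jail_setting() {  # usage: jail_setting FILE JAIL KEY
    awk -v jail="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                        # section header
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (sec == jail) { own = v; has_own = 1 }
            if (sec == "DEFAULT") { def = v; has_def = 1 }
        }
        END { if (has_own) print own; else if (has_def) print def }
    ' "$1"
}
# Returns 0 only if the sshd jail is enabled and maxretry is a positive integer.
check_sshd_jail() {  # usage: check_sshd_jail FILE
    rc=0
    enabled=$(jail_setting "$1" sshd enabled)
    maxretry=$(jail_setting "$1" sshd maxretry)
    [ "$enabled" = "true" ] || { echo "sshd: enabled is '$enabled', not true"; rc=1; }
    case "$maxretry" in
        ''|*[!0-9]*|0) echo "sshd: maxretry '$maxretry' is not a positive integer"; rc=1 ;;
    esac
    echo "sshd: enabled=$enabled maxretry=$maxretry"
    return $rc
}
# Constructed sample configuration; "example-jail" is a hypothetical jail name.
write_sample() {  # usage: write_sample FILE
    cat > "$1" <<'EOF'
[DEFAULT]
enabled = false
maxretry = 3
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 5
[example-jail]
port = 8080
EOF
}
sample=$(mktemp)
write_sample "$sample"
check_sshd_jail "$sample"
```

To check a real system, call check_sshd_jail with /etc/fail2ban/jail.local instead of the sample file; values written with %(...)s interpolation are printed as written, not expanded.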
3. Starting and Enabling Fail2Ban
Start the Fail2Ban service to enable SSH monitoring:
sudo systemctl start fail2ban
To ensure Fail2Ban starts on boot, run:
sudo systemctl enable fail2ban
4. Verifying the Configuration
To check if Fail2Ban is monitoring the SSH service correctly, run the following command:
sudo fail2ban-client status sshd
This command will display the status of the SSH jail, including the number of currently banned IP addresses.
5. Unbanning an IP Address
If you need to unban an IP address, use:
sudo fail2ban-client set sshd unbanip IP_ADDRESS
Replace IP_ADDRESS with the address you wish to unban.
6. Conclusion
By following this tutorial, you have successfully configured Fail2Ban to protect your SSH service. This setup enhances your server’s defenses against brute-force attacks and unauthorized access attempts. Continue to explore additional features and options within Fail2Ban for robust security management!