Fail2Ban: ban every root login attempt

Fail2Ban Sep 12, 2017

If you have disabled external root login for SSH, you can ban every root/admin login attempt with fail2ban. The IPs behind these attempts are almost always bots trying to guess their way into your server.

What is the reason for this protection?

One basic hardening step is to disable external root login over SSH (PermitRootLogin no in sshd_config). If you haven't done this yet, do that first; the filter below assumes that no legitimate root login ever arrives from outside.

The SSH daemon logs every login attempt by default. On CentOS/RHEL the log file is /var/log/secure (Debian-based systems write it to /var/log/auth.log instead).

A few bots are constantly trying to log into your server as root or admin with common passwords.

This is an abstract of my log:

[...] Did not receive identification string from [...]
[...] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[...] user=root
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2

How can I protect my server?

The examples below edit the configuration directly on the host. To keep changes documented, persistent and reproducible, use a configuration management tool.

Is this your first time using fail2ban? Please visit my previous post for an installation guide and general instructions. If you already installed fail2ban, you are ready to go.

Go to the /etc/fail2ban/filter.d directory. This directory holds all filters defined for fail2ban. You can easily create a new one:

vi ssh-ban-root.conf

Copy and paste the following into your new file.

[INCLUDES]
 
before = common.conf
 
[Definition]
 
_daemon = sshd
 
# matches the pam_unix failure line for root or admin; the tail \s*$ accepts a
# line that ends right after the user name as well as one with trailing whitespace
failregex = ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)\s*$
 
ignoreregex =
 
[Init]
 
maxlines = 10
 
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
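To see what this failregex does and does not catch before trusting it with a one-strike ban, here is an added example (not part of the original post and not fail2ban's own code) that runs the same pattern over a few constructed log lines. It substitutes a simplified host pattern for fail2ban's <HOST> placeholder and a simplified syslog prefix for common.conf's __prefix_line, both assumptions made only for this stand-alone test; the tail is written as user=(root|admin)\s*$ so it does not depend on trailing whitespace. The second function models the jail's maxretry handling.

```python
import re

# Stand-in for fail2ban's <HOST> placeholder (fail2ban substitutes its own host
# regex at run time); good enough for IPv4, IPv6 and hostnames in this test.
HOST_RE = r"(?P<host>[\w\-.:]+)"

# Simplified syslog prefix ("Sep 12 10:00:02 server sshd[2202]: "). This is an
# approximation of common.conf's __prefix_line, not the real definition.
PREFIX_RE = r"^\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+sshd\[\d+\]:\s+"

# The filter's failregex with <HOST> substituted. Only root and admin match;
# "rootkit" or "administrator" do not, because \s*$ must follow the name.
FAILREGEX = re.compile(
    PREFIX_RE
    + r"pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*"
    + r"euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=" + HOST_RE
    + r"\S*\s*user=(root|admin)\s*$"
)

# Constructed sample log excerpt (not from a real server). It mixes the lines
# the filter should catch with lines the stock sshd jail handles instead.
SAMPLE_LOG = """\
Sep 12 10:00:01 server sshd[2201]: Did not receive identification string from 198.51.100.7
Sep 12 10:00:02 server sshd[2202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Sep 12 10:00:02 server sshd[2202]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 12 10:00:02 server sshd[2202]: Failed password for root from 198.51.100.7 port 41776 ssh2
Sep 12 10:00:05 server sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=admin
Sep 12 10:00:09 server sshd[2204]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.25  user=stefan
Sep 12 10:00:11 server sshd[2205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.77  user=administrator
Sep 12 10:00:12 server sshd[2206]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8::1  user=root
Sep 12 10:00:15 server sshd[2207]: Failed password for root from 198.51.100.7 port 41790 ssh2
"""


def matching_hosts(log_text):
    """Return the rhost of every line the filter counts as a failure, in log
    order, one entry per matching line (this is what fail2ban feeds the jail)."""
    hosts = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(log_text, maxretry=0):
    """Model the jail: count failures per host and return, sorted, the hosts
    whose count reached maxretry. A host is only counted after its first
    failure, so maxretry = 0 and maxretry = 1 both ban on the first line."""
    counts = {}
    for host in matching_hosts(log_text):
        counts[host] = counts.get(host, 0) + 1
    threshold = max(maxretry, 1)
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("matching lines:", matching_hosts(SAMPLE_LOG))
    print("banned with maxretry=0:", hosts_to_ban(SAMPLE_LOG))
    print("banned with maxretry=2:", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

Note that the "Failed password for root" lines are deliberately not matched here; they belong to the stock sshd jail, which still applies and counts them toward its own maxretry. This filter only adds the immediate ban on the pam_unix line for the two privileged user names.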

We now have to activate the filter in the file jail.local, which is located in the parent directory (/etc/fail2ban).

Just append this at the end of the file.

[ssh-ban-root]
enabled = true
filter = ssh-ban-root
logpath = /var/log/secure
maxretry = 0
# 86400 sec = 1 day; keep comments on their own line, a trailing "#" comment
# becomes part of the value and the jail fails to load
bantime = 86400

Feel free to modify the bantime. Because maxretry = 0 bans on the very first matching line, make sure ignoreip in the [DEFAULT] section of jail.local covers the addresses you administer from; otherwise one mistyped password for a user literally named admin locks you out for a day.

Test the filter against your real log first; fail2ban-regex prints how many lines matched and which hosts it extracted:

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/ssh-ban-root.conf

Then dump the full configuration to make sure the new jail is picked up:

fail2ban-client -d

The last step is to reload the fail2ban configuration and check that the jail is running:

fail2ban-client reload
fail2ban-client status ssh-ban-root

This configuration bans the source of every failed external root or admin password login after a single attempt.


Tested on:

  • OS: CentOS 7
  • Fail2Ban: 0.9.6


Stefan
