SSH Security with fail2ban on Debian 12

In this tutorial, you will learn how to improve the security of your Debian 12 server with fail2ban. Fail2ban is a widely used intrusion-prevention tool written in Python that protects servers against unauthorized access and Denial-of-Service (DoS) attacks. It does this by monitoring log files (or the systemd journal) for specific patterns, such as repeated failed login attempts, and temporarily blocking the IP addresses responsible for them.

What You Need

  • A Debian 12 server.
  • SSH access to your server.

Problem

You've noticed multiple failed login attempts in the output of "journalctl -u ssh.service", and they do not come from authorized users. Here's an example:

Oct 02 16:23:29 owa sshd[22708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.233.xxx.xxx  user=root
Oct 02 16:23:29 owa sshd[22705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.233.xxx.xxx  user=root
Oct 02 16:23:29 owa sshd[22711]: pam_unix(sshd:auth): check pass; user unknown
Oct 02 16:23:29 owa sshd[22711]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.233.xxx.xxx
Oct 02 16:23:30 owa sshd[22709]: pam_unix(sshd:auth): check pass; user unknown
Oct 02 16:23:30 owa sshd[22709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.233.xxx.xxx
Oct 02 16:23:30 owa sshd[22712]: pam_unix(sshd:auth): check pass; user unknown
Oct 02 16:23:30 owa sshd[22712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.233.xxx.xxx

Explanation

  • The remote user might have mistakenly attempted to log in using the wrong server IP address, resulting in only a few login attempts.
  • Your server may be under a brute force attack, with multiple login attempts using various passwords for the "root" user. In this case, the number of login attempts is significantly higher.

Solution

You can secure your SSH login using fail2ban, disable direct root login, or use public key authentication. Fail2ban will temporarily block IP addresses after a defined number of failed login attempts.

Installation of fail2ban

Install fail2ban using the following command:

apt install fail2ban

Configuring fail2ban

In the "/etc/fail2ban/" directory, you'll find the global configuration file "jail.conf." Do not edit this file, as it gets overwritten during package updates. Instead, copy it to "jail.local" for your own configuration:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

Adjust the settings in "jail.local" to match your requirements. For example, in this tutorial, we increase the ban time to 30 minutes and reduce the maximum retry attempts to 3:

[...]
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 30m
findtime = 10m
maxretry = 3
[...]

[...]
[sshd]
enabled = true
mode    = normal
port    = ssh
logpath = %(sshd_log)s
backend = systemd
[...]

Make sure the backend is set to systemd: Debian 12 no longer installs rsyslog by default, so sshd's authentication messages are only in the systemd journal and fail2ban will not find them in /var/log/auth.log. After making the necessary changes, restart fail2ban to apply the new settings:

systemctl restart fail2ban.service
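To make the three settings above concrete, here is an added example (not fail2ban's own code) that applies the same rule, maxretry failures within findtime ban a source for bantime and ignoreip is never banned, to journal lines in the pam_unix format shown earlier. The log lines are constructed with RFC 5737 documentation addresses, and the year is assumed to be 2023 because journal excerpts carry none.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the pam_unix "authentication failure" lines seen in the journal excerpt above.
FAIL_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                     r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<ip>\S+)")

# Constructed sample journal lines (documentation addresses), not real data.
SAMPLE_LOG = [
    # three rapid failures from one host: banned on the third (maxretry = 3)
    "Oct 02 16:23:29 owa sshd[22708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root",
    "Oct 02 16:23:30 owa sshd[22711]: pam_unix(sshd:auth): check pass; user unknown",
    "Oct 02 16:23:30 owa sshd[22711]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7",
    "Oct 02 16:23:31 owa sshd[22712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin",
    # three failures spread over 20 minutes: never three inside findtime = 10m
    "Oct 02 16:00:00 owa sshd[22600]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root",
    "Oct 02 16:05:00 owa sshd[22601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root",
    "Oct 02 16:20:00 owa sshd[22602]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root",
    # repeated local failures: covered by ignoreip = 127.0.0.1/8
    "Oct 02 16:10:00 owa sshd[22650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=root",
    "Oct 02 16:10:01 owa sshd[22651]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=root",
    "Oct 02 16:10:02 owa sshd[22652]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=root",
]

def parse_failures(lines, year=2023):
    """Yield (timestamp, ip) for every failure line with a usable rhost (year is assumed)."""
    for line in lines:
        if not (m := FAIL_RE.search(line)):
            continue  # e.g. "check pass; user unknown" carries no rhost
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # masked or malformed address, cannot be banned
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), ip

def decide_bans(events, maxretry=3, findtime=timedelta(minutes=10),
                bantime=timedelta(minutes=30), ignoreip=("127.0.0.1/8", "::1")):
    """Sliding-window rule from jail.local; returns {ip_string: ban_expiry}."""
    ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(list)
    bans = {}
    for ts, ip in sorted(events, key=lambda e: e[0]):
        if any(ip in net for net in ignore) or str(ip) in bans:
            continue  # whitelisted, or already banned
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[str(ip)] = ts + bantime
    return bans
```

Running `decide_bans(parse_failures(SAMPLE_LOG))` bans only 203.0.113.7 until 16:53:31; the slow source stays below maxretry within findtime and the loopback failures are ignored.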

After a few minutes you can check whether any IPs have already been banned. In our case, two IPs are banned:

fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	2
   |- Total banned:	2
   `- Banned IP list:	218.92.xxx.xxx 61.177.xxx.xxx

Conclusion

By following this tutorial, you have improved the security of your Debian 12 server using fail2ban. You can adjust fail2ban's parameters to suit your specific needs and further enhance your server's security.