Securing SSH & Installing Fail2Ban


This is, in my opinion, the most important first step for any new Linux server. This is just a basic guide on securing your server from malicious attackers trying to gain access to it, and I will write another article on further hardening at a later date.

This is a loose continuation of my previous article, How to Installing the LAMP Stack.

SSH is the most common part of server management and is widely used by most websites & servers out on the internet. Because it is so common, it is an easy target for attackers, largely due to server admins failing to configure it properly against attack, so today I am going to teach you some easy ways to protect your own server with these easy steps.

Before we start, make sure you have nano installed on your system. Most installs should already have it, but if yours does not, go ahead and enter this:

sudo apt install nano -y

Step 1: Creating a login Banner & Motd

This is the most basic of security features, meant solely for that 1% of attackers who see your site and think "I'm going to try and hack it", or for you to show off to your friends to make your server look official. Whatever your reason, it works as a basic first line of defense.

First, let's create the initial banner that displays when you are prompted for your username/password:

# The redirect must run as root as well, so the file is written through sudo tee
sudo tee /etc/issue.net >/dev/null <<'EOF'
###############################################################
#                 Authorized access only!                     #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#  Your IP, Login Time, Username has been noted and has been  #
#              sent to the server administrator!              #
#                                                             #
#  Excess failed login attempts will result in an automated   #
#    notification being sent to your network administrator    #
#       with your ip, attempts, timestamps, and logs!         #
###############################################################
EOF

or

sudo nano /etc/issue.net

###############################################################
#                 Authorized access only!                     #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#  Your IP, Login Time, Username has been noted and has been  #
#              sent to the server administrator!              #
#                                                             #
#  Excess failed login attempts will result in an automated   #
#    notification being sent to your network administrator    #
#       with your ip, attempts, timestamps, and logs!         #
###############################################################

Ctrl + O, Enter to save, then Ctrl + X to exit

After that, let's create the banner that displays after a successful login:

sudo tee /etc/motd >/dev/null <<'EOF'
#######################################
#        Welcome to Testserver        #
# If you are not authorized to access #
#  or use this system disconnect now  #
#######################################
EOF

or

sudo nano /etc/motd

#######################################
#        Welcome to Testserver        #
# If you are not authorized to access #
#  or use this system disconnect now  #
#######################################

Ctrl + O, Enter to save, then Ctrl + X to exit

Step 2: Editing the SSH server's config

Let's first start off by creating a backup, just in case:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

After that's out of the way, let's start editing:

sudo nano /etc/ssh/sshd_config

The first thing you can do, and this is totally optional (I personally do not do it), is change your SSH port. I plan on doing a writeup in the future on how to install a honeypot, which I will link here when I do, and if you want to run that then you would need to change this. This is also the single easiest thing you can do to cut down somewhere around 90-95% of all the attacks against your SSH port: most attackers port scan blocks of IPs for known ports and attack from that list, and changing the default port keeps your server off that list.

*NOTE* An SSH honeypot is a fake SSH server that can be configured to accept any username/password and let the attacker into a fake filesystem, so you can see what they try.

To change the port, look for this line:

Port 22

and change 22 to anything you want, e.g.

Port 2022

The second thing we need to do is disable root login. This will prevent anyone from being able to log in to the server using the root credentials; besides, no one should be using root, let alone be allowed to log in with it.

Locate this line

PermitRootLogin prohibit-password

and change it to this

PermitRootLogin no

The next two steps are optional, but still recommended.

Third, we need to set a max idle time; this will kick users that idle for longer than 10 minutes (adjustable). ClientAliveInterval tells the server to check whether the client is still alive every 300 seconds, or 5 minutes (adjustable), after no data has been received. ClientAliveCountMax is the number of checks that must fail before it kicks the client (2×5 minutes).

ClientAliveInterval 300
ClientAliveCountMax 2

The fourth and final step is to limit the users that are allowed to SSH into your server. This is very convenient if you plan on creating users as a way of segregating web apps and/or data (although there are other, better alternatives, but who am I to judge).

AllowUsers user1 user2 user3
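To see what Step 2 amounts to in one place, here is an added example (mine, not code from the article) that applies these settings to the text of an sshd_config, handling the stock file's commented-out defaults and keeping global directives ahead of any Match block. It also sets `Banner /etc/issue.net`, which sshd needs before it will show the Step 1 banner at all; `set_option`, `apply_step2` and the `STOCK` excerpt are made up for this illustration.

```python
import re

# Step 2 settings from the article, plus Banner so the /etc/issue.net text
# from Step 1 is actually shown (sshd ignores that file otherwise).
STEP2 = {"PermitRootLogin": "no", "ClientAliveInterval": "300",
         "ClientAliveCountMax": "2", "AllowUsers": "user1 user2 user3",
         "Banner": "/etc/issue.net"}

def set_option(config: str, key: str, value: str) -> str:
    """Set `key value` exactly once in the global section of sshd_config text.
    sshd uses the first occurrence of a keyword, so the first active line is
    rewritten and later duplicates dropped; a commented stock default such as
    `#PermitRootLogin prohibit-password` is replaced in place; otherwise the
    directive is inserted before the first Match block, because anything
    appended after a Match block only applies under that block's condition."""
    active = re.compile(rf"^\s*{re.escape(key)}(\s|=)", re.IGNORECASE)
    commented = re.compile(rf"^\s*#\s*{re.escape(key)}(\s|=)", re.IGNORECASE)
    match_hdr = re.compile(r"^\s*Match\s", re.IGNORECASE)
    out, done, in_match = [], False, False
    for line in config.splitlines():
        if match_hdr.match(line):
            if not done:
                out.append(f"{key} {value}")
            done, in_match = True, True
        elif not in_match and active.match(line):
            if not done:
                out.append(f"{key} {value}")
            done = True
            continue  # drop duplicates instead of leaving two directives
        elif not in_match and not done and commented.match(line):
            out.append(f"{key} {value}")
            done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"

def apply_step2(config: str, port=None) -> str:
    """Apply all Step 2 settings; pass port= to also change the listen port."""
    settings = dict(STEP2, **({"Port": str(port)} if port else {}))
    for key, value in settings.items():
        config = set_option(config, key, value)
    return config

# Constructed excerpt of a stock sshd_config (not taken from any real system).
STOCK = """#Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
Match User backup
    PermitRootLogin no
"""
```

Write the result to a scratch file and run `sudo sshd -t -f <file>` to have sshd validate it before you copy it over the real config and restart the service.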

Step 3: Installing and setting up Fail2Ban

Fail2Ban is great: it is a program that parses log files and bans IPs that show malicious signs. For our needs it will parse the SSH server's logs in real time looking for attackers; once found, it will not only ban them but can also send you an email notification, as well as perform a few more tasks like banning them on Cloudflare, emailing you a whois report and logs, complaining to their ISP, and sending the IP to larger managed blocklists.

Let's start off by installing it:

sudo apt install fail2ban -y

After it has been installed, let's edit the config:

sudo nano /etc/fail2ban/jail.conf

The first thing we want to do is change the findtime; to me 10 minutes isn't really that long, but feel free to skip this step.

Locate findtime = 600

and change to

findtime = 86400 ; 24 hours
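To see why the findtime value matters, here is an added example (mine, not code from the article or from Fail2Ban) that applies Fail2Ban's rule, maxretry failures from one address within findtime seconds, to a constructed auth.log excerpt: the fast brute force is caught either way, but the slow guesser spreading five attempts over eight hours is only caught with the 24-hour window. The log lines, `failures` and `bans` are all made up for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not real traffic): a fast brute force from one
# address and a slow one, five guesses spread over eight hours, from another.
AUTH_LOG = """\
Mar 10 09:00:01 web sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 09:00:07 web sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 10 09:00:12 web sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar 10 09:00:20 web sshd[2105]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar 10 09:00:25 web sshd[2106]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar 10 11:30:00 web sshd[2200]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar 10 12:45:00 web sshd[2201]: Failed password for alice from 198.51.100.7 port 50002 ssh2
Mar 10 14:00:00 web sshd[2202]: Failed password for alice from 198.51.100.7 port 50003 ssh2
Mar 10 18:10:00 web sshd[2203]: Failed password for alice from 198.51.100.7 port 50004 ssh2
Mar 10 19:30:00 web sshd[2204]: Failed password for alice from 198.51.100.7 port 50005 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def failures(log: str):
    """Yield (time, ip) for each failed-password line, in log order."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog stamps carry no year; strptime fills in 1900, which is
            # fine for ordering entries from a single file.
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"]

def bans(log: str, findtime: int, maxretry: int = 5) -> dict:
    """Return {ip: [ban times]} using Fail2Ban's rule: ban when maxretry
    failures from one address fall inside a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(deque), defaultdict(list)
    for when, ip in failures(log):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry:
            banned[ip].append(when)
            q.clear()  # start counting afresh once the address is banned
    return dict(banned)
```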

Next, we need to configure the notification and action section.

Locate destemail = root@localhost

and change it to your own email address (note you may get a lot of emails)

Locate sender = root@localhost

This one doesn't matter as much, but I like to name them fail2ban@server.com, note if you run your own mail server make sure the server is authorized to send emails in your SPF record.

Next locate action = %(action_)s

By itself it will ban without notification.

action = %(action_mw)s ; will ban and email you a whois report

action = %(action_mwl)s ; will ban and email you a whois + logs

action = %(action_xarf)s ; will ban and email both you and the ISP logs

action = %(action_cf_mwl)s ; will ban on cloudflare and email you a whois + logs

After you have set the notification details and chosen an action to perform, we can enable services to be monitored. Right now, since we only have SSH and Apache installed, we will go ahead and enable those to be monitored, as well as repeat offenders.

Locate [sshd] and in the blank space add
enabled = true

Do the same for [selinux-ssh], [apache-auth], and [recidive]

In [recidive] we have a few other things to change

bantime = -1 ; -1 = forever
findtime = 604800 ; 1 week, feel free to set this to anything you wish but 1 day minimum

We will go over the others in later guides, so don't worry about them now unless you know for a fact you have one of them installed and know what it does.

Ctrl + O, Enter to save, then Ctrl + X to exit

Then reload Fail2Ban so it uses the updated config:

sudo service fail2ban reload

Congratulations, you have taken a good first step in securing your server.

I will link my article on further hardening once it is finished if you wish to take your security a few steps further.

Also if you have any topics you would like me to cover, please let me know down in the comments.