Fail2Ban: Protecting SSH Access

Fail2Ban is a log-parsing application that protects Linux systems from brute-force attacks. It scans log files and bans IP addresses that show malicious signs, such as too many password failures.

Step 1: Install Fail2Ban

On Debian/Ubuntu:

sudo apt update
sudo apt install fail2ban

On CentOS/RHEL:

sudo yum install epel-release
sudo yum install fail2ban

Step 2: Enable and Start the Fail2Ban Service

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Step 3: Configure Fail2Ban for SSH

Instead of editing the default config file (/etc/fail2ban/jail.conf), it's best practice to create a local override:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open /etc/fail2ban/jail.local in your editor:

sudo nano /etc/fail2ban/jail.local

Find and modify the [sshd] section as follows:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
bantime = 600
findtime = 600

  • enabled: Enables the SSH jail
  • maxretry: Number of failed attempts before banning
  • bantime: Time (in seconds) the IP is banned (600s = 10 min)
  • findtime: Time window (in seconds) within which maxretry failures must occur to trigger a ban
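To make the interaction of maxretry, findtime and bantime concrete, here is an added Python model of how the [sshd] jail counts failures (example code written for this article, not part of Fail2Ban; the log lines and the IP addresses in them are constructed, the year is assumed, and the regular expression is a simplified stand-in for the real sshd filter):

```python
import re
from datetime import datetime, timedelta

MAXRETRY, FINDTIME, BANTIME = 5, 600, 600  # values from the [sshd] section above

# Simplified stand-in for Fail2Ban's sshd filter: one "Failed password" line per attempt.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)")

# Constructed sample auth.log lines (not from a real host); the year is assumed to be 2024.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[101]: Failed password for root from 203.0.113.10 port 5001 ssh2
Mar  3 10:00:30 host sshd[102]: Failed password for root from 198.51.100.7 port 6001 ssh2
Mar  3 10:01:05 host sshd[103]: Failed password for invalid user admin from 203.0.113.10 port 5002 ssh2
Mar  3 10:01:40 host sshd[104]: Accepted publickey for alice from 192.0.2.5 port 7001 ssh2
Mar  3 10:02:09 host sshd[105]: Failed password for root from 203.0.113.10 port 5003 ssh2
Mar  3 10:03:12 host sshd[106]: Failed password for root from 203.0.113.10 port 5004 ssh2
Mar  3 10:04:20 host sshd[107]: Failed password for root from 203.0.113.10 port 5005 ssh2
Mar  3 10:20:30 host sshd[108]: Failed password for root from 198.51.100.7 port 6002 ssh2
Mar  3 10:40:30 host sshd[109]: Failed password for root from 198.51.100.7 port 6003 ssh2
"""

def parse_line(line, year=2024):
    """Return (timestamp, ip) for a failed login line, or None if the filter does not match."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m.group("ip")

def simulate(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log the way the jail would and return {ip: time the ban was issued}."""
    window, ban_len = timedelta(seconds=findtime), timedelta(seconds=bantime)
    recent = {}  # ip -> failure timestamps still inside the findtime window
    banned = {}  # ip -> time the ban was issued
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned and ts < banned[ip] + ban_len:
            continue  # firewall rule still in place; such a line would not normally be logged
        hits = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        if len(hits) >= maxretry:
            banned[ip] = ts  # maxretry failures within findtime: ban for bantime seconds
            hits = []
        recent[ip] = hits
    return banned
```

With the page's values only 203.0.113.10 is banned; 198.51.100.7 never reaches five failures inside any 600-second window, which is exactly what findtime controls.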

Step 4: Restart Fail2Ban

Apply the configuration changes:

sudo systemctl restart fail2ban

Step 5: Monitor Fail2Ban

Check the status of the SSH jail:

sudo fail2ban-client status sshd

View currently banned IPs:

sudo iptables -L -n

Optional: Unban an IP

If you accidentally ban yourself, unban with:

sudo fail2ban-client set sshd unbanip <your-ip-address>

Conclusion

Fail2Ban is a lightweight, effective security tool that protects your server from SSH brute-force attacks. Always ensure your configuration files are kept secure, and consider using SSH keys for even stronger protection.
