
20.07.2017 How To Protect SSH with Fail2Ban on Ubuntu 14.04 | DigitalOcean


By: Justin Ellingwood

How To Protect SSH with Fail2Ban on Ubuntu 14.04


Posted May 7, 2014 | SECURITY FIREWALL LINUX BASICS UBUNTU

Introduction
While connecting to your server through SSH can be very secure, the SSH daemon itself is a service that must be exposed to the internet to function
properly. This comes with some inherent risk and creates a vector of attack for would-be assailants.

Any service that is exposed to the network is a potential target in this way. If you pay attention to application logs for these services, you will often see
repeated, systematic login attempts that represent brute force attacks by users and bots alike.

A service called fail2ban can mitigate this problem by creating rules that can automatically alter your iptables firewall configuration based on a
predefined number of unsuccessful login attempts. This will allow your server to respond to illegitimate access attempts without intervention from you.

In this guide, we'll cover how to install and use fail2ban on an Ubuntu 14.04 server.

Install Fail2Ban on Ubuntu 14.04


The installation process for this tool is simple because the Ubuntu packaging team maintains a package in the default repositories.

First, we need to update our local package index and then we can use apt to download and install the package:

$ sudo apt-get update
$ sudo apt-get install fail2ban

As you can see, the installation is trivial. We can now begin configuring the utility for our own use.
Configure Fail2Ban with your Service Settings
The fail2ban service keeps its configuration files in the /etc/fail2ban directory. There is a file with defaults called jail.conf .

Since this file can be modified by package upgrades, we should not edit this file in-place, but rather copy it so that we can make our changes safely. In
order for these two files to operate together successfully, it is best to only include the settings you wish to override in the jail.local file. All default
options will be taken from the jail.conf file.

Even though we should only include deviations from the default in the jail.local file, it is easier to create a jail.local file based on the existing
jail.conf file. So we will copy over that file, with the contents commented out, as the basis for the jail.local file. You can do this by typing:

$ awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local

Once the file is copied, we can open the original jail.conf file to see how things are set up by default.

$ sudo nano /etc/fail2ban/jail.conf

In this file, there are a few settings you may wish to adjust. The settings located under the [DEFAULT] section will be applied to all services enabled for
fail2ban that are not overridden in the service's own section.

/etc/fail2ban/jail.conf

[DEFAULT]
. . .
ignoreip = 127.0.0.1/8
. . .

The ignoreip setting configures the source addresses that fail2ban ignores. By default, it is configured to not ban any traffic coming from the local
machine. You could add additional addresses to ignore by adding a [DEFAULT] section with an ignoreip setting under it to the jail.local file. You can
add additional addresses by appending them to the end of the directive, separated by a space. If you administer the server from a fixed address, listing it
here means a few mistyped passwords on your side cannot lock you out while you are testing.

/etc/fail2ban/jail.conf

[DEFAULT]
. . .
bantime = 600
. . .

The bantime parameter sets the length of time that a client will be banned when they have failed to authenticate correctly. This is measured in seconds.
By default, this is set to 600 seconds, or 10 minutes.

/etc/fail2ban/jail.conf

[DEFAULT]
. . .
findtime = 600
maxretry = 3
. . .

The next two parameters that you want to pay attention to are findtime and maxretry . These work together to establish the conditions under which a
client is found to be an illegitimate user that should be banned.

The maxretry variable sets the number of tries a client has to authenticate within a window of time defined by findtime , before being banned. With the
default settings, the fail2ban service will ban a client that unsuccessfully attempts to log in 3 times within a 10 minute window.
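
To see how findtime and maxretry interact, here is a small replay of that rule over sshd log lines. It is an added example written for this page, not the tutorial's code and not fail2ban's implementation; the log lines are constructed, the host name fail2ban-server and the addresses are placeholders, and it assumes all lines fall on one calendar day so only the time of day is parsed (fail2ban parses the full timestamp).

```sh
#!/bin/sh
# Replay sshd "Failed password" lines through the findtime/maxretry rule
# that the [ssh] jail applies, and print the clients that would be banned.
# Added example, not part of the tutorial or of fail2ban. Assumes all lines
# are from the same day, so only HH:MM:SS is parsed.

# Constructed sample of /var/log/auth.log: one fast brute-force source
# (203.0.113.14), one slow one (198.51.100.7) and a legitimate key login.
SAMPLE_LOG='May  7 12:00:01 fail2ban-server sshd[1201]: Failed password for invalid user blah from 203.0.113.14 port 4307 ssh2
May  7 12:00:04 fail2ban-server sshd[1201]: Failed password for invalid user blah from 203.0.113.14 port 4307 ssh2
May  7 12:01:10 fail2ban-server sshd[1204]: Failed password for root from 198.51.100.7 port 51022 ssh2
May  7 12:01:30 fail2ban-server sshd[1207]: Failed password for invalid user blah from 203.0.113.14 port 4310 ssh2
May  7 12:05:00 fail2ban-server sshd[1210]: Accepted publickey for deploy from 192.0.2.5 port 50000 ssh2
May  7 12:20:00 fail2ban-server sshd[1215]: Failed password for root from 198.51.100.7 port 51030 ssh2
May  7 12:35:00 fail2ban-server sshd[1219]: Failed password for root from 198.51.100.7 port 51041 ssh2'

# would_ban MAXRETRY FINDTIME   (log lines on stdin)
# Prints "IP banned at HH:MM:SS (N failures within FINDTIMEs)" once per banned IP.
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
        # the same shape of line the sshd filter in filter.d keys on
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # forget this client'"'"'s failures that fell out of the findtime window
            n = 0
            for (i = 1; i <= cnt[ip]; i++)
                if (now - ts[ip, i] <= findtime) { n++; keep[n] = ts[ip, i] }
            for (i = 1; i <= n; i++) ts[ip, i] = keep[i]
            cnt[ip] = n + 1
            ts[ip, cnt[ip]] = now
            if (cnt[ip] >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip " banned at " $3 " (" cnt[ip] " failures within " findtime "s)"
            }
        }'
}

# Tutorial defaults: 3 failures inside 10 minutes.
printf '%s\n' "$SAMPLE_LOG" | would_ban 3 600
```

Run with the tutorial's defaults (3 failures in 600 seconds) only the fast source is reported; with findtime raised to 3600 the slow source, which spaces its attempts 15 to 20 minutes apart, is caught as well. That is the trade-off to keep in mind when tuning findtime: a short window lets a patient attacker stay under maxretry indefinitely.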

/etc/fail2ban/jail.conf

[DEFAULT]
. . .
destemail = root@localhost
sendername = Fail2Ban
mta = sendmail
. . .

You will want to evaluate the destemail , sendername , and mta settings if you wish to configure email alerts. The destemail parameter sets the email
address that should receive ban messages. The sendername sets the value of the "From" field in the email. The mta parameter configures what mail
service will be used to send mail. Again, add these to the jail.local file, under the [DEFAULT] header and set to the proper values if you wish to adjust
them.

/etc/fail2ban/jail.conf

[DEFAULT]
. . .
action = %(action_)s
. . .

This parameter configures the action that fail2ban takes when it wants to institute a ban. The value action_ is defined in the file shortly before this
parameter. The default action is to simply configure the firewall to reject traffic from the offending host until the ban time elapses.

If you would like to configure email alerts, add or uncomment the action item to the jail.local file and change its value from action_ to action_mw .
If you want the email to include the relevant log lines, you can change it to action_mwl . Make sure you have the appropriate mail settings configured if
you choose to use mail alerts.

Individual Jail Settings


Finally, we get to the portion of the configuration file that deals with individual services. These are specified by the section headers, like [ssh] .

Each of these sections can be enabled by uncommenting the header in jail.local and changing the enabled line to be "true":

/etc/fail2ban/jail.local
[jail_to_enable]
. . .
enabled = true
. . .

By default, the SSH service is enabled and all others are disabled.

These sections work by using the values set in the [DEFAULT] section as a basis and modifying them as needed. If you want to override any values, you
can do so by adding the appropriate service's section to jail.local and modifying its values.

Some other settings that are set here are the filter that will be used to decide whether a line in a log indicates a failed authentication and the logpath
which tells fail2ban where the logs for that particular service are located.

The filter value is actually a reference to a file located in the /etc/fail2ban/filter.d directory, with its .conf extension removed. These files
contain the regular expressions that determine whether a line in the log is a failed authentication attempt. We won't be covering these files in-depth in this
guide, because they are fairly complex and the predefined settings match appropriate lines well.

However, you can see what kind of filters are available by looking into that directory:

$ ls /etc/fail2ban/filter.d

If you see a file that looks to be related to a service you are using, you should open it with a text editor. Most of the files are fairly well commented and you
should be able to at least tell what type of condition the script was designed to guard against. Most of these filters have appropriate (disabled) sections in
the jail.conf file that we can enable in the jail.local file if desired.

For instance, pretend that we are serving a website using Nginx and realize that a password-protected portion of our site is getting slammed with login
attempts. We can tell fail2ban to use the nginx-http-auth.conf file to check for this condition within the /var/log/nginx/error.log file.

This is actually already set up in a section called [nginx-http-auth] in our /etc/fail2ban/jail.conf file. We would just need to uncomment the
section in the jail.local file and flip the enabled parameter to protect our service:

/etc/fail2ban/jail.local

. . .
[nginx-http-auth]
enabled = true
. . .

If you enable this, you'll want to restart your fail2ban service to make sure your rules are constructed correctly.

Putting It All Together


Now that you understand the basic idea behind fail2ban, let's run through a basic setup.

We're going to configure an auto-banning policy for SSH and Nginx, just as we described above. We want fail2ban to email us when an IP is banned.

First, let's install all of the relevant software.

If you don't already have it, you'll need nginx, since we're going to be monitoring its logs, and you'll need sendmail to mail us notifications. We'll also grab
iptables-persistent to allow the server to automatically set up our firewall rules at boot. These can be acquired from Ubuntu's default repositories:

$ sudo apt-get update


$ sudo apt-get install nginx sendmail iptables-persistent

Stop the fail2ban service for a moment so that we can establish a base firewall without the rules it adds:

$ sudo service fail2ban stop


Establish a Base Firewall
When that is finished, we should implement a default firewall. You can learn how to configure an iptables firewall on Ubuntu 14.04 here. We are going to
just create a basic firewall for this guide.

We're going to tell it to allow established connections, traffic generated by the server itself, and traffic destined for our SSH and web server ports. We
will drop all other traffic. We can set this basic firewall up by typing:

$ sudo iptables -A INPUT -i lo -j ACCEPT
$ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
$ sudo iptables -A INPUT -j DROP

These commands will implement the above policy. We can see our current firewall rules by typing:

$ sudo iptables -S

Output
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP

You can save the firewall rules so that they survive a reboot by typing:

$ sudo dpkg-reconfigure iptables-persistent

Afterwards, you can restart fail2ban to implement the wrapping rules:

$ sudo service fail2ban start

We can see our current firewall rules by typing:

$ sudo iptables -S

Output
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-ssh -j RETURN

We have our default policy for each of our chains, and then the five base rules that we established. Around them (the -N line, the first -A INPUT line
and the trailing -j RETURN line) we also have the default structure set up by fail2ban, since it already implements SSH banning policies by default.
These may or may not show up at first, since sometimes fail2ban does not add the structure until the first ban is implemented.

Adjusting the Fail2ban Configuration

Now, we need to configure fail2ban using the settings we'd like. Open the jail.local file:

$ sudo nano /etc/fail2ban/jail.local

We can set a more severe ban time here. Find and uncomment the [DEFAULT] heading. Under the default heading, change the bantime setting so that
our service bans clients for half an hour:

/etc/fail2ban/jail.local

[DEFAULT]
. . .
bantime = 1800
. . .

We also need to configure our alert email information. First, find the destemail parameter, which should also be under the [DEFAULT] heading. Put in
the email address that you want to use to collect these messages:

/etc/fail2ban/jail.local

[DEFAULT]
. . .
destemail = admin@example.com
. . .

You can set the sendername to something else if you'd like. It's useful to have a value that can be easily filtered using your mail service though, or else
your regular inbox may get flooded with alerts if there are a lot of break-in attempts from various places.

Moving down, we need to adjust the action parameter to one of the actions that sends us email. The choices are between action_mw , which institutes
the ban and then emails us a "whois" report on the offending host, or action_mwl , which does the above but also emails the relevant log lines.

We're going to choose action_mwl because the log lines will help us troubleshoot and gather more information if there are issues:

/etc/fail2ban/jail.local

[DEFAULT]
. . .
action = %(action_mwl)s
. . .

Moving on to our SSH section, if we want to adjust the number of unsuccessful attempts that should be allowed before a ban is established, you can edit
the maxretry entry. If you are using a port other than "22", you'll want to adjust the port parameter appropriately, or the fail2ban-ssh chain will be
hooked into INPUT for the wrong port and bans will never match. As we said before, this service is already enabled, so we don't need to modify that.

Next, search for the nginx-http-auth section. Uncomment the header and change the enabled parameter to read "true".

/etc/fail2ban/jail.local

. . .
[nginx-http-auth]
enabled = true
. . .

This should be all you have to do in this section unless your web server is operating on non-standard ports or you moved the default error log path.


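Rather than keeping a full commented-out copy of jail.conf, the override rule stated earlier (only the settings you change go into jail.local, everything else is read from jail.conf, and a jail's own section beats [DEFAULT]) lets jail.local stay short. The script below is an added example, not the tutorial's or fail2ban's own code: it writes a stand-in jail.conf and the minimal jail.local for this section into a scratch directory and models that lookup order. The per-jail maxretry = 6 in the stand-in is there only to show a section overriding [DEFAULT]; the real lookup in fail2ban also reads jail.d/ and expands %(name)s references, which this model does not do.

```sh
#!/bin/sh
# Minimal jail.local for this tutorial plus a small lookup that models how
# fail2ban layers jail.local over jail.conf: a key comes from jail.local when
# set there, otherwise from jail.conf; a jail's own section beats [DEFAULT].
# Added example, not part of the tutorial or of fail2ban. Works in a scratch
# directory, not in /etc/fail2ban, and does not expand %(name)s references.

F2B_DIR=$(mktemp -d)
trap 'rm -rf "$F2B_DIR"' EXIT

# Stand-in for the packaged jail.conf, reduced to the keys the tutorial discusses.
# The [ssh] maxretry is here to show a per-jail value overriding [DEFAULT].
cat > "$F2B_DIR/jail.conf" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
destemail = root@localhost
sendername = Fail2Ban
mta = sendmail
action = %(action_)s

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[nginx-http-auth]
enabled = false
filter  = nginx-http-auth
port    = http,https
logpath = /var/log/nginx/error.log
EOF

# Only the overrides made in "Putting It All Together", and nothing else.
cat > "$F2B_DIR/jail.local" <<'EOF'
[DEFAULT]
bantime   = 1800
destemail = admin@example.com
action    = %(action_mwl)s

[nginx-http-auth]
enabled = true
EOF

# ini_get SECTION KEY FILE: print the value if the key is set in that section.
ini_get() {
    awk -v want="[$1]" -v key="$2" '
        /^\[/ { insec = ($0 == want); next }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit }
        END { exit !found }' "$3"
}

# effective JAIL KEY: jail.local first, then jail.conf, then the same in [DEFAULT].
effective() {
    for f in jail.local jail.conf; do
        ini_get "$1" "$2" "$F2B_DIR/$f" && return 0
    done
    [ "$1" != DEFAULT ] && effective DEFAULT "$2"
}

for jail in ssh nginx-http-auth; do
    printf '%s: enabled=%s maxretry=%s bantime=%s action=%s\n' "$jail" \
        "$(effective "$jail" enabled)" "$(effective "$jail" maxretry)" \
        "$(effective "$jail" bantime)" "$(effective "$jail" action)"
done
```

The output shows the ssh jail picking up bantime and action from the [DEFAULT] block in jail.local while keeping its own maxretry from jail.conf, and nginx-http-auth becoming enabled with every other value inherited. Keeping jail.local this small also makes a diff against the next package upgrade of jail.conf trivial to review.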
Restarting the Fail2ban Service


When you are finished, save and close the file.

Now, start or restart your fail2ban service. Sometimes, it's better to completely shut down the service and then start it again:

$ sudo service fail2ban stop

Now we can restart it by typing:

$ sudo service fail2ban start

It may take a few moments for all of your firewall rules to be populated. Sometimes, the rules are not added until the first ban of that type is instituted.
However, after a time, you can check the new rules by typing:

$ sudo iptables -S

Output
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -j RETURN

The two -N lines, the first two -A INPUT lines and the two trailing -j RETURN lines are the ones that our fail2ban policies have created. Right now, they
are just directing traffic to new, almost empty chains and then letting the traffic flow right back into the INPUT chain.

However, these new chains are where the banning rules will be added.

Testing the Banning Policies


From a second machine, one that you do not need to log into your fail2ban server from (and whose address is not in ignoreip ), we can test the rules by
getting that machine banned.

After logging into your second server, try to SSH into the fail2ban server. You can try to connect using a non-existent name for instance:

local$ ssh blah@fail2ban_server_IP

Enter random characters into the password prompt. Repeat this a few times. At some point, the fail2ban server will stop responding with the Permission
denied message and the connection attempt will be refused instead, without ever reaching a password prompt. This signals that your second machine has
been banned from the fail2ban server.

On your fail2ban server, you can see the new rule by checking our iptables again:

$ sudo iptables -S

Output
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -s 203.0.113.14/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN

As you can see in the fail2ban-ssh chain, we have a new rule in our configuration which rejects traffic to the SSH port coming from our second machine's
IP address. It sits before the -j RETURN rule, so only traffic from that address is rejected and everything else still flows back into INPUT . You should
have also gotten an email about the ban in the account you configured.

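A quick way to audit this state on a running server is to read iptables -S and pull out two things: whether every fail2ban-* chain is actually reached from INPUT (a chain that exists but is never jumped to bans nobody, which is what happens when the jail's port does not match the one sshd really listens on), and which addresses are banned right now. The script below is an added example, not part of the tutorial; it parses a constructed copy of the listing above, and on a live host you would pipe the real `sudo iptables -S` output into the same two functions.

```sh
#!/bin/sh
# Inspect an `iptables -S` listing and report (a) whether each fail2ban chain
# is hooked into INPUT and (b) which addresses are currently banned.
# Added example, not from the tutorial. The listing below is constructed to
# mirror the one shown after the test ban; 203.0.113.14 is a documentation address.

SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -s 203.0.113.14/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN'

# list_bans: print "chain ip" for every ban rule in a fail2ban-* chain.
# Stdin is `iptables -S` output. Both REJECT and DROP actions are recognised.
list_bans() {
    awk '$1 == "-A" && $2 ~ /^fail2ban-/ && $3 == "-s" && $0 ~ / -j (REJECT|DROP)/ {
        sub(/\/32$/, "", $4); print $2, $4 }'
}

# chains_hooked: exit 0 only if every fail2ban-* chain created with -N is the
# target of a jump from INPUT; otherwise name the orphaned chains and exit 1.
chains_hooked() {
    awk 'BEGIN { bad = 0 }
         $1 == "-N" && $2 ~ /^fail2ban-/ { declared[$2] = 1 }
         $1 == "-A" && $2 == "INPUT" {
             for (i = 3; i < NF; i++) if ($i == "-j") hooked[$(i + 1)] = 1 }
         END {
             for (c in declared) if (!(c in hooked)) { print "not hooked into INPUT: " c; bad = 1 }
             exit bad }'
}

printf '%s\n' "$SAMPLE_RULES" | list_bans
printf '%s\n' "$SAMPLE_RULES" | chains_hooked && echo "all fail2ban chains are reachable from INPUT"
```

On a live system, `sudo iptables -S | list_bans` answers "who is banned right now" without reading the fail2ban log, and `sudo iptables -S | chains_hooked` is the check to run after changing a jail's port or restarting the service, since the symptom of a wrong port is simply that bans never appear.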
Conclusion
You should now be able to configure some basic banning policies for your services. Fail2ban is very easy to set up, and is a great way to protect any kind
of service that uses authentication.

If you want to learn more about how fail2ban works, you can check out our tutorial on how fail2ban rules and files work.

For information about how to use fail2ban to protect other services, try these links:

How To Protect an Nginx Server with Fail2Ban on Ubuntu 14.04

How To Protect an Apache Server with Fail2Ban on Ubuntu 14.04

74 Comments


brandon- May 9, 2014

I've been considering fail2ban but am unsure if I really need it. I have disabled password login and set up my iptables rules, which are below:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT

I installed fail2ban, and after it inserted its rules, my iptables now look like this:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -j RETURN

I'm guessing there is some redundancy/overkill now. Thoughts?

jellingwood MOD May 9, 2014

Hi brandon:

Looking at your configuration, I would say that fail2ban is still going to be useful for you. Your first configuration that you posted above drops connection
attempts that are not directed to port 80, 443, or 22 (as well as allowing local connections).

However, the point of fail2ban is to ban people who repeatedly fail to authenticate. This means that if someone is attempting to log into SSH, they will be
banned after a few attempts, causing them to move on. This rule would be added to the `fail2ban-ssh` chain prior to the `-A fail2ban-ssh -j RETURN` rule.

While this might not seem like a big deal considering that you have already disabled password logins through the sshd config file, it will help keep your
logs clean. This can be incredibly useful when you are trying to analyze your logs in case of a problem by cutting down on the background noise.

Also, with the Nginx, the Auth_Basic module that provides authentication doesn't have the functionality to limit attempts. If you have sections of your site
protected by password authentication, you probably will benefit from a service like fail2ban limiting the number of authentication attempts.

In general though, this is up to you and if you feel that fail2ban is not providing value, you do not have to use it. However, in my testing, it doesn't use many
resources, so it may be worth it to keep it around just as an extra level of protection.

brandon- May 9, 2014


Thank you very much. I'm happy to use fail2ban, but am worried that it might not play nice with my current iptables rules. If the above config (my rules +
fail2ban rules) looks good, please let me know. Specifically I was wondering if:

These rules:

-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh

make these rules irrelevant:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

By the way, your tutorials have been great and I've learned a lot from them!

jellingwood MOD May 9, 2014

Hey brandon:

No, those lines will do different things. Hopefully I can explain why that is.

With your original configuration, a packet will be compared to each of the rules in your INPUT chain. At the end of your INPUT chain, you have a rule to
drop any traffic that hasn't matched so far. That's why before that rule, you needed the original lines that explicitly allow generic traffic aimed at your web
server and ssh daemon respectively. These will catch the web and ssh traffic and allow it to pass before it gets dropped.

The fail2ban rules that are added initially simply do one thing: at the very beginning of the INPUT chain, they will temporarily divert generic traffic aimed at
those services to a new chain. These new chains are empty at the beginning except for one rule, which just hands control back to the INPUT chain, where
it will continue on down the line, just like normal. These packets will still be dropped if they reach the end of the INPUT chain, just like they used to, so your
original rules for the web server and ssh daemon are still necessary.

When a client is banned for failing to authenticate, fail2ban adds a new rule to the new fail2ban-* chain. The new rule checks whether the traffic is coming
from the banned host. If it matches, the packets are dropped. If the traffic doesn't match, it reaches the rule that returns the packet to the INPUT chain
where it continues as described above.
So all that the initial fail2ban lines do is create an extra loop where additional checks can be made to deny specific clients. The flow is always returned to
the main INPUT chain for traffic not matching a banned client. It doesn't make any decision on the fate of the packet if it doesn't match the ban list. That is
left to the rules in your INPUT chain. The key rule to understand here is the `-j RETURN` rule at the bottom of the new chains, which tells the packet to
continue where it left off in the original INPUT chain.

luciano.longo May 15, 2014

Great tutorial, as always!


But I'm having a problem with fail2ban: when trying to get banned, I don't see any modification in my iptables rules. I use a non-standard ssh port, let's say
4422, and when I changed that configuration in the jail.local the fail2ban rule no longer has the "-j fail2ban-ssh" at the end. I don't know if this has anything
to do with the issue.

Here are my iptable rules:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 4422
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4422 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-ssh -j RETURN

Any ideas?

Thanks!

dconn6 May 18, 2014

Thanks for the tutorial. I have just joined Digital Ocean and didn't realise how many useful tutorials it has.

I don't quite get the mta = sendmail directive. For this to work, evidently you don't need to install sendmail. I thought that you did, but I didn't want to use
sendmail, so I installed postfix and had fun configuring it. But, fail2ban really didn't like me using postfix as the mta. I can post the error, but right now, I am
just interested in generalisations, and I guess I can just go ahead and uninstall postfix, since fail2ban works without it anyway.

By the way, I configured postfix to only deal with local mail, as in mail originating on my machine only and delivered to root@localhost only.

asb MOD May 19, 2014

@dconn6: postfix also installs a sendmail command. Take a look at "man sendmail" On a system using postfix, it will say "sendmail - Postfix to Sendmail
compatibility interface" So even if you're using postfix, just have sendmail for the mta directive.

garsoltero May 22, 2014

Thank you!

I followed the tutorial and it worked perfectly. However, I am not sure what I did, but now I try to trigger the rule by attempting failed logins several times
and it is not generating the rule that blocks the IP.
Then I noticed I got a notification. It mentioned that an IP attempted 37 times. Only then did it generate the rule, block the IP and send the notification. Why is
it allowing so many attempts when the configuration I set was for 4 retries?

How can i fix this?

Thank you

asb MOD May 22, 2014


@garsoltero: Make sure you restart it after making any configuration changes: sudo service fail2ban restart . Also make sure findtime isn't set too
low.

hello646431 July 7, 2014


@andrewSB: After integrating fail2ban, I can no longer access my site with https, any ideas as to what might be the issue?
'sudo iptables -S' returns this:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-N udp-flood
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p udp -j udp-flood
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -j RETURN
-A udp-flood -p udp -m limit --limit 50/sec -j RETURN
-A udp-flood -j LOG --log-prefix "UDP-flood attempt: "
-A udp-flood -j DROP

Constantine
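A quick way to see what those rules do to a new HTTPS connection is to walk the INPUT chain in order, the way the kernel does. The block below is an added example (my code, not the poster's or DigitalOcean's): it parses `iptables -S` output, embedded here as a constructed copy of the rules above, and reports which expected TCP ports never reach an ACCEPT before the final `-A INPUT -j DROP`. On these rules, 22 and 80 are accepted but 443 falls through to DROP, because there is no `--dport 443 -j ACCEPT` line; the fail2ban-* chains only RETURN here, so they are not the cause. The walk skips the `-i lo` and `--ctstate RELATED,ESTABLISHED` rules on purpose, since a fresh external SYN matches neither, and assumes that user-defined chains RETURN (true of this sample; an assumption for other rule sets).

```python
"""Walk an `iptables -S` dump and report which TCP service ports a new
inbound connection can actually reach.  Added example, not from the page."""

# Constructed sample: the rules posted above, pasted as one string.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-N udp-flood
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p udp -j udp-flood
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -j RETURN
-A udp-flood -p udp -m limit --limit 50/sec -j RETURN
-A udp-flood -j DROP
"""


def parse_rules(text):
    """Split `iptables -S` output into chain policies and ordered -A rules."""
    policies, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif len(parts) >= 2 and parts[0] == "-A":
            rules.append((parts[1], parts[2:]))
    return policies, rules


def _option(tokens, name):
    """Value following option `name` in a rule, or None if the option is absent."""
    if name in tokens:
        i = tokens.index(name)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def rule_ports(tokens):
    """Numeric destination ports a rule restricts itself to (empty set = any port)."""
    ports = set()
    for opt in ("--dport", "--dports"):
        value = _option(tokens, opt)
        if value:
            ports.update(int(p) for p in value.split(",") if p.isdigit())
    return ports


def tcp_port_fate(text, port, chain="INPUT"):
    """First terminal verdict a brand-new TCP SYN to `port` meets in `chain`.

    Assumptions: `-i` and `--ctstate` rules never match a fresh external
    connection (skipped), and jumps into user-defined chains RETURN, so the
    walk continues past them.  Falls back to the chain policy.
    """
    policies, rules = parse_rules(text)
    for rule_chain, tokens in rules:
        if rule_chain != chain:
            continue
        if _option(tokens, "-i") is not None or _option(tokens, "--ctstate") is not None:
            continue
        proto = _option(tokens, "-p")
        if proto is not None and proto != "tcp":
            continue
        ports = rule_ports(tokens)
        if ports and port not in ports:
            continue
        target = _option(tokens, "-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policies.get(chain, "ACCEPT")


def unreachable_ports(text, expected):
    """Expected service ports that are not ACCEPTed before a DROP/REJECT."""
    return [p for p in expected if tcp_port_fate(text, p) != "ACCEPT"]


if __name__ == "__main__":
    for p in (22, 80, 443):
        print(p, tcp_port_fate(SAMPLE_RULES, p))
    print("not reachable:", unreachable_ports(SAMPLE_RULES, [22, 80, 443]))
```

Feed it the real dump with `sudo iptables -S | python3 check.py`-style plumbing if you like; the point is that the check is made against the ordered INPUT chain, not against the presence of a rule somewhere in the output.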

rbgoksoy July 31, 2014


1 Thanks for this article!

I wonder why we are editing the jail.local file instead of jail.conf? We copied the local file from the conf file and it became the main configuration file!

How does it work?

JonPohlner April 1, 2015

0 I was stuck on the same issue. It's just a local override, but if you left it in the .conf, package updates would change your work without you knowing it. And yet it sort of does become the main file: because it's local, it knows to take precedence over the package updates that didn't get a chance to change it.

fideloper August 1, 2014

0 According to the Ubuntu man page on fail2ban, we can also add jail configurations into /etc/fail2ban/jail.d in addition to creating a jail.local file.

mattnz September 19, 2014

0 After following these instructions I tested fail2ban but it would not ban me after multiple wrong passwords. I needed to do this also:

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Count_.22Last_message_repeated_N_times.22_correctly

"It seems Fail2ban undercounts entries from syslog files such as /var/log/syslog and /var/log/auth.log, since it doesn't seem to be aware that syslog may log "last
message repeated N times" instead of the full message. For example, if an ssh attack occurs several times in quick succession, there may be only one entry "Failed
password for someuser from 1.2.3.4 port 4307 ssh2" followed by "last message repeated 10 times".

GNU/Linux distributions rsyslog solution:

Tested in Ubuntu 10.04, should also work on CentOS/RHEL 5.9 or 6.X if rsyslog is used.

1. open /etc/rsyslog.conf
2. find RepeatedMsgReduction and change on to off
3. After that, restart rsyslog and fail2ban"
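To see how much the undercount described in that wiki entry matters, here is an added example (mine, not from the comment, the wiki, or fail2ban) that counts failed SSH logins per source address from constructed /var/log/auth.log lines, once while expanding rsyslog's "last message repeated N times" lines and once while ignoring them the way the quoted entry says fail2ban did. The sample lines, addresses and `maxretry` values are made up for the demonstration, and the findtime window is deliberately left out so the block stays about the counting.

```python
"""Count failed SSH logins per source address from auth.log lines, with and
without expanding rsyslog's "last message repeated N times" lines.
Added example; this is not fail2ban's own filter code."""
import re
from collections import Counter

# Constructed sample of /var/log/auth.log with RepeatedMsgReduction on.
# Addresses come from documentation ranges; nothing here is a real host.
SAMPLE_AUTH_LOG = """\
Sep 19 10:01:02 host sshd[1234]: Failed password for someuser from 203.0.113.4 port 4307 ssh2
Sep 19 10:01:05 host last message repeated 10 times
Sep 19 10:02:11 host sshd[1240]: Failed password for invalid user admin from 198.51.100.8 port 50122 ssh2
Sep 19 10:02:12 host sshd[1240]: Failed password for invalid user admin from 198.51.100.8 port 50122 ssh2
Sep 19 10:02:15 host sshd[1250]: Accepted publickey for deploy from 192.0.2.9 port 40000 ssh2
Sep 19 10:02:16 host last message repeated 3 times
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (?P<host>\S+) port \d+ ssh2"
)
REPEATED_RE = re.compile(r" last message repeated (?P<n>\d+) times$")


def count_failures(log_text, expand_repeats=True):
    """Map source address -> failed-login count.

    With expand_repeats=True a "last message repeated N times" line adds N
    to the failure line that immediately preceded it.  With False the line
    is ignored, which reproduces the undercount the wiki entry describes.
    """
    counts = Counter()
    last_host = None            # host of the previous line, if it was a failure
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            last_host = m.group("host")
            counts[last_host] += 1
            continue
        r = REPEATED_RE.search(line)
        if r:
            if expand_repeats and last_host:
                counts[last_host] += int(r.group("n"))
            continue                # a repeat line does not reset the chain
        last_host = None            # any other message breaks the chain
    return dict(counts)


def offenders(log_text, maxretry, expand_repeats=True):
    """Addresses whose failure count reaches maxretry (findtime window ignored)."""
    return sorted(h for h, n in count_failures(log_text, expand_repeats).items()
                  if n >= maxretry)


if __name__ == "__main__":
    print("expanded:", count_failures(SAMPLE_AUTH_LOG))
    print("naive:   ", count_failures(SAMPLE_AUTH_LOG, expand_repeats=False))
    print("would ban at maxretry=6:", offenders(SAMPLE_AUTH_LOG, 6),
          "vs naive", offenders(SAMPLE_AUTH_LOG, 6, expand_repeats=False))
```

With the sample above the naive count sees one failure from 203.0.113.4 where eleven actually happened, which is exactly the gap that turning RepeatedMsgReduction off closes: every attempt is then written out in full and the filter counts it.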

r.l.lopez66 October 9, 2014

0 Thank you for the great tutorial. However, I ran into a problem. I had installed the "one click Wordpress install" and then installed Fail2ban using your instructions. Now when I try to log in to my site, I get a "Welcome to nginx!" welcome page instead of WordPress. Please help.

ErikG October 12, 2014

0 Hi, this is my first post in this community and I must say that all the available tutorials here were very useful and they taught me to configure my own Magento LEMP+SSL-EV droplet. Just awesome to learn all this in 3 weeks!

Until now it seems that all is running fine, and I'm using this iptables+fail2ban config:

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx/access*.log
bantime = 600
maxretry = 6

[nginx-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx/access*.log
bantime = 86400
maxretry = 1

Login filter /etc/fail2ban/filter.d/nginx-login.conf (blocks IPs that fail to authenticate using the web application's login page; scans the access log for HTTP 200 + POST /sessions => failed login):

[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1.." 200
ignoreregex =

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-BadBots
-N fail2ban-NoLoginFailures
-N fail2ban-nginx-http-auth
-N fail2ban-ssh
-N fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-NoLoginFailures
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-http-auth
-A INPUT -p tcp -m multiport --dports 28888 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28888 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-BadBots -j RETURN
-A fail2ban-NoLoginFailures -j RETURN
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN

My questions/doubts are:

Is this enough to mitigate the majority of attacks? Or should I implement something more?
Is there any redundancy with "my new" NoLoginFailures and nginx-http-auth default filter?

I'm asking your advice 'cause I'm kinda noob about this...
Just kidding, I'm entirely noob... LOL

Thanks a lot!


yoosefi October 13, 2014

0 There are various reasons why you shouldn't DROP, but the most important is that the packets aren't actually dropped, they are replied to in a way that says the port
is open but unavailable due to timeout. On the other hand, REJECT will reply that the port is closed, which is less helpful to attackers. DROP lets the attacker know
the network is working and there is something behind the port, REJECT will make the attacker think their network is broken or there is nothing there. Fail2Ban uses
REJECT by default, which is good.
yoosefi October 13, 2014

0 I wrote a thing on how to enable rate-limiting for nginx here.

After doing that, you can have fail2ban check the rate logs and ban for rate limit pests.

This will deter all web brute forcing.

In /etc/fail2ban/jail.local :

[nginx-ratelimit]
enabled = true
port = http,https
filter = nginx-ratelimit
logpath = /var/log/nginx/error.log
maxretry = 10

Create /etc/fail2ban/filter.d/nginx-ratelimit :

[Definition]
failregex = ^.* limiting requests, excess: .*, client: <HOST>, .*$
ignoreregex =

Then run service fail2ban reload

(Linked article: How To Optimize Nginx Configuration, by Alex Kavon. Nginx is a fast and lightweight alternative to the sometimes overbearing Apache 2. However, Nginx, just like any kind of server or software, must be tuned to help attain optimal performance.)

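Both the nginx-login filter ErikG posted above and the nginx-ratelimit filter in this comment can be dry-run before `service fail2ban reload` by expanding fail2ban's `<HOST>` tag and running the regex over a few log lines. The block below is an added example (not fail2ban's code, nor either commenter's): it substitutes the host group that the fail2ban 0.8 series uses for `<HOST>` (assumed to stay compatible with later releases for the IPv4 lines used here), counts matching lines per host, and applies an `ignoreregex` when one is set. The access-log and error-log lines are constructed, with documentation-range addresses. fail2ban also strips the timestamp from a line before matching, which neither of these two patterns depends on.

```python
"""Dry-run fail2ban failregex lines against sample log lines.
Added example; this is not fail2ban's own matching code."""
import re
from collections import Counter

# What the fail2ban 0.8 series substitutes for the <HOST> tag
# (assumption: later releases stay compatible for plain IPv4 lines).
HOST_REGEX = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Expand <HOST> and compile the pattern the way fail2ban would."""
    return re.compile(failregex.replace("<HOST>", HOST_REGEX))


def match_hosts(failregex, lines, ignoreregex=""):
    """Return {host: number of lines matching failregex but not ignoreregex}."""
    pat = compile_failregex(failregex)
    ign = re.compile(ignoreregex) if ignoreregex else None
    hits = Counter()
    for line in lines:
        if ign is not None and ign.search(line):
            continue
        m = pat.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


# --- nginx-login filter from the comment above: HTTP 200 on POST /sessions ---
NGINX_LOGIN_FAILREGEX = r'^<HOST> -.*POST /sessions HTTP/1.." 200'

# Constructed nginx access.log lines: two failed logins (200), one success
# (302 redirect) and an unrelated GET from another address.
ACCESS_LOG = """\
203.0.113.10 - - [12/Oct/2014:10:00:01 +0000] "POST /sessions HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2014:10:00:05 +0000] "POST /sessions HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2014:10:00:09 +0000] "POST /sessions HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2014:10:00:10 +0000] "GET /sessions HTTP/1.1" 200 2210 "-" "curl/7.35.0"
""".splitlines()

# --- nginx-ratelimit filter from this comment: limit_req rejections ----------
NGINX_RATELIMIT_FAILREGEX = r"^.* limiting requests, excess: .*, client: <HOST>, .*$"

# Constructed nginx error.log lines: two rate-limit hits and one unrelated error.
ERROR_LOG = """\
2014/10/13 09:12:44 [error] 1234#0: *5 limiting requests, excess: 20.530 by zone "one", client: 192.0.2.44, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
2014/10/13 09:12:45 [error] 1234#0: *6 limiting requests, excess: 21.010 by zone "one", client: 192.0.2.44, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
2014/10/13 09:12:50 [error] 1234#0: *7 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.9, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
""".splitlines()


def login_failures():
    """Hosts the nginx-login filter would count, from the constructed access log."""
    return match_hosts(NGINX_LOGIN_FAILREGEX, ACCESS_LOG)


def ratelimit_hits():
    """Hosts the nginx-ratelimit filter would count, from the constructed error log."""
    return match_hosts(NGINX_RATELIMIT_FAILREGEX, ERROR_LOG)


if __name__ == "__main__":
    print("nginx-login:", login_failures())
    print("nginx-ratelimit:", ratelimit_hits())
```

The same harness answers ErikG's redundancy question in practice: run both his NoLoginFailures pattern and the stock nginx-http-auth pattern over the same lines and see whether they ever count the same host for the same event. The 302-versus-200 distinction is also visible here, which is what makes the login filter work at all.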
ademers November 25, 2014

0 Question:

When I run sudo apt-get install nginx sendmail iptables-persistent , I get a window with the following:

Current iptables rules can be saved to the configuration file /etc/iptables/rules.v4. These rules will then be loaded automatically during system startup.

Rules are only saved automatically during package installation. See the manual page of iptables-save(8) for instructions on keeping the rules file up-to-date.

Save current IPv4 rules?


<Yes> <No>

What is recommended?

Many thanks,
Andrea

TenHourGuy November 28, 2014

1 I said "yes" but if you read my comment, I ran into some really big problems with iptables so maybe you should try "no" but I have no idea to be honest. :P

TenHourGuy November 28, 2014

0 I'm stuck on the "Establish a Base Firewall" part. Whenever I enter anything to do with iptables, I get the following message:

modprobe: ERROR: ../libkmod/libkmod.c:556 kmod_search_moddep() could not open moddep file '/lib/modules/3.13.0-36-generic/modules.dep.bin'
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

If I try apt-get install insmod then it says the package cannot be found. I'm on Ubuntu 14.04, just to clarify.

mateuslopes November 30, 2014

0 I am stuck with the same problem too! :(
I also answered YES to both ipv4 and ipv6 rules on iptables-persistent installation.
I don't really know what to do.

mateuslopes November 30, 2014

0 Now I solved my problem with the link below!


https://www.digitalocean.com/community/questions/error-while-allowing-ssh-connections-on-ufw

rbgoksoy December 11, 2014

0 Hello,

I hope someone is looking there. I have got some problems.

I configured my banning policy and SSH section like this:

# "bantime" is the number of seconds that a host is banned.
bantime = 60

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 15
maxretry = 2

[ssh]

enabled = true
port = ssh-4444
filter = sshd
logpath = /var/log/auth.log
maxretry = 2

But when I try to test it, fail2ban does not ban the login attempt. Here is my fail2ban log:

2014-12-11 21:56:25,182 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-12-11 21:56:25,183 fail2ban.jail : INFO Creating new jail 'ssh'
2014-12-11 21:56:25,199 fail2ban.jail : INFO Jail 'ssh' uses pyinotify
2014-12-11 21:56:25,219 fail2ban.jail : INFO Initiated 'pyinotify' backend
2014-12-11 21:56:25,221 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-12-11 21:56:25,221 fail2ban.filter : INFO Set maxRetry = 2
2014-12-11 21:56:25,222 fail2ban.filter : INFO Set findtime = 15
2014-12-11 21:56:25,223 fail2ban.actions: INFO Set banTime = 60
2014-12-11 21:56:25,253 fail2ban.jail : INFO Creating new jail 'ssh-ddos'
2014-12-11 21:56:25,253 fail2ban.jail : INFO Jail 'ssh-ddos' uses pyinotify
2014-12-11 21:56:25,256 fail2ban.jail : INFO Initiated 'pyinotify' backend
2014-12-11 21:56:25,257 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-12-11 21:56:25,258 fail2ban.filter : INFO Set maxRetry = 2
2014-12-11 21:56:25,258 fail2ban.filter : INFO Set findtime = 15
2014-12-11 21:56:25,259 fail2ban.actions: INFO Set banTime = 60
2014-12-11 21:56:25,265 fail2ban.jail : INFO Jail 'ssh' started
2014-12-11 21:56:25,268 fail2ban.jail : INFO Jail 'ssh-ddos' started
2014-12-11 21:56:25,289 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh-4444 -j fail2ban-ssh returned 200
2014-12-11 22:14:51,679 fail2ban.actions: WARNING [ssh] Ban 217.131.215.136
2014-12-11 22:14:51,685 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-12-11 22:14:51,686 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2014-12-11 22:14:51,693 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh-4444 -j fail2ban-ssh returned 200
2014-12-11 22:14:51,696 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-12-11 22:14:51,696 fail2ban.actions.action: CRITICAL Unable to restore environment
2014-12-11 22:15:51,765 fail2ban.actions: WARNING [ssh] Unban 217.131.215.136
2014-12-11 22:15:51,769 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-12-11 22:15:51,769 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2014-12-11 22:15:51,776 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh-4444 -j fail2ban-ssh returned 200
2014-12-11 22:15:51,779 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-12-11 22:15:51,779 fail2ban.actions.action: CRITICAL Unable to restore environment
2014-12-11 22:25:34,472 fail2ban.actions: WARNING [ssh] Ban 217.131.215.136
2014-12-11 22:25:34,480 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-12-11 22:25:34,481 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2014-12-11 22:25:34,497 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh-4444 -j fail2ban-ssh returned 200
2014-12-11 22:25:34,500 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-12-11 22:25:34,500 fail2ban.actions.action: CRITICAL Unable to restore environment
2014-12-11 22:25:45,087 fail2ban.server : INFO Stopping all jails
2014-12-11 22:25:45,513 fail2ban.actions: WARNING [ssh] Unban 217.131.215.136
2014-12-11 22:25:45,517 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-12-11 22:25:45,517 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2014-12-11 22:25:45,524 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh-4444 -j fail2ban-ssh returned 200
2014-12-11 22:25:45,527 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned 100
2014-12-11 22:25:45,527 fail2ban.actions.action: CRITICAL Unable to restore environment
2014-12-11 22:25:45,530 fail2ban.jail : INFO Jail 'ssh' stopped
2014-12-11 22:25:46,491 fail2ban.jail : INFO Jail 'ssh-ddos' stopped
2014-12-11 22:25:46,495 fail2ban.server : INFO Exiting Fail2ban
2014-12-11 22:25:47,017 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-12-11 22:25:47,018 fail2ban.jail : INFO Creating new jail 'ssh'
2014-12-11 22:25:47,036 fail2ban.jail : INFO Jail 'ssh' uses pyinotify
2014-12-11 22:25:47,053 fail2ban.jail : INFO Initiated 'pyinotify' backend
2014-12-11 22:25:47,054 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-12-11 22:25:47,055 fail2ban.filter : INFO Set maxRetry = 2
2014-12-11 22:25:47,055 fail2ban.filter : INFO Set findtime = 15
2014-12-11 22:25:47,056 fail2ban.actions: INFO Set banTime = 60
2014-12-11 22:25:47,086 fail2ban.jail : INFO Creating new jail 'ssh-ddos'
2014-12-11 22:25:47,086 fail2ban.jail : INFO Jail 'ssh-ddos' uses pyinotify
2014-12-11 22:25:47,089 fail2ban.jail : INFO Initiated 'pyinotify' backend
2014-12-11 22:25:47,090 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-12-11 22:25:47,091 fail2ban.filter : INFO Set maxRetry = 2
2014-12-11 22:25:47,092 fail2ban.filter : INFO Set findtime = 15
2014-12-11 22:25:47,092 fail2ban.actions: INFO Set banTime = 60
2014-12-11 22:25:47,098 fail2ban.jail : INFO Jail 'ssh' started
2014-12-11 22:25:47,101 fail2ban.jail : INFO Jail 'ssh-ddos' started
2014-12-11 22:25:47,111 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh-4444 -j fail2ban-ssh returned 200

Here is iptables -S:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N fail2ban-ssh
-N fail2ban-ssh-ddos
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward

-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward

-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 4444 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

shannond June 3, 2015

0 It's been a long time since you wrote, and I'm a noob, but on the off chance this is still helpful, I think your problem is here:

[ssh]

enabled = true
port = ssh-4444
filter = sshd
logpath = /var/log/auth.log
maxretry = 2

I don't think fail2ban knows what to do with ssh-4444. The iptables seems to reflect an ssh port of 22 from fail2ban. I suspect that changing ssh-4444 to 4444 will
start to fix your problem.
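A small check that would have caught this before fail2ban ever called iptables, as an added example (mine, not fail2ban's own validation): the jail's `port` value is handed straight to `iptables -m multiport --dports`, which accepts port numbers and service names from /etc/services but not arbitrary strings, so `ssh-4444` is rejected as a whole rule while `4444`, `ssh` or `ssh,4444` resolve. That matches the log above, where every `iptables -I INPUT ... --dports ssh-4444` attempt fails and the fail2ban-ssh chain is never hooked into INPUT. The ssh-ddos jail in the same dump still hooks port 22, so it would need the same adjustment once SSH really listens on 4444. The built-in service table is a constructed subset; `/etc/services` is merged in when it is readable, and port ranges (`a:b`) are left out.

```python
"""Validate the `port =` value of a fail2ban jail before it reaches
`iptables -m multiport --dports`.  Added example; not part of fail2ban."""

# Constructed subset of /etc/services so the check works offline; the real
# file is merged in by load_services() when it is readable.
KNOWN_SERVICES = {"ssh": 22, "smtp": 25, "http": 80, "https": 443}


def load_services(path="/etc/services"):
    """Service name -> port number, seeded with KNOWN_SERVICES."""
    services = dict(KNOWN_SERVICES)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                fields = raw.split("#", 1)[0].split()
                # /etc/services format: name  port/proto  [aliases...]
                if len(fields) >= 2 and "/" in fields[1]:
                    num = fields[1].split("/", 1)[0]
                    if num.isdigit():
                        services.setdefault(fields[0], int(num))
    except OSError:
        pass            # no /etc/services here: fall back to the built-in subset
    return services


def resolve_port_spec(spec, services=None):
    """Turn 'ssh,4444' into [22, 4444].

    Raises ValueError for any item that is neither a number in 1-65535 nor a
    known service name, naming the item so the jail can be fixed.
    """
    if services is None:
        services = load_services()
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if item.isdigit() and 1 <= int(item) <= 65535:
            ports.append(int(item))
        elif item in services:
            ports.append(services[item])
        else:
            raise ValueError(
                f"'{item}' is neither a port number nor a service name; "
                f"iptables multiport --dports will reject the whole rule")
    return ports


def check_jail_port(spec, services=KNOWN_SERVICES):
    """(ok, detail) for one jail's port= line; detail is the port list or the error."""
    try:
        return True, resolve_port_spec(spec, services)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    table = load_services()
    for spec in ("ssh-4444", "4444", "ssh,4444", "http,https"):
        print(f"port = {spec:<12} ->", check_jail_port(spec, table))
```

Running it against the jail above reports `ssh-4444` as invalid, which is the same complaint iptables makes (exit status non-zero, hence the "returned 200" lines); either `port = 4444` or `port = ssh,4444` passes.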

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Copyright 2017 DigitalOcean Inc.