fail2ban is a tool in the Ubuntu repository which helps in securing your internet facing ssh port. It uses a simple algorithm to detect repeated login and password attempts to ban the offending host for a period of time. The default installation of fail2ban bans a host for 10 minutes before removing the block from iptables. fail2ban utilizes the native iptables subsystem (host based firewall) on your Ubuntu server so there is nothing additional you need to install. you can install fail2ban with the following command:
apt install fail2ban
Generally on a properly configured host with an internet facing ssh port there are many configurations available to minimize the chances of your system being hacked. Number one among them is choosing good passwords. Another is to configure your firewall (iptables) to only accept connections for hosts you specifically whitelist. Additionally many administrators rely on the old adage ‘security through obscurity’ and move the standard port that ssh lives on, port 22 in this case to some random port.
It’s not always this simple however. There could be a multitude of reasons why or why not some of the above configuration policies or steps are not implemented but chief among them I suspect is ease of administration. Ease of administration and good security unfortunately make for bad bed fellows.
So back to fail2ban. I personally run fail2ban on all my internet facing hosts. It cuts down on some log traffic and gives me some piece of mind knowing that fail2ban will reduce or eliminate all but the most stubborn of hackers.
I have found the default limit of banning a host for 10 minutes a little short. That short time frame may be ineffectual as many of the tools the hackers use are automated. The bad guys might not even notice they’ve been firewalled as when the 10 minutes elapses the automated tools will continue their brute force attack.
Which is why I supplement the default fail2ban rules with rules I discovered from the following website:
That website article contains an additional configuration and an additional ‘jail’ which extends fail2bans default functionality. Furthermore the additional rules give you an idea of how to configure your own rules for specific scenarios and gives you an excellent template to work from. The addition of these rules will give an escalating ban time from 10 minutes all the way up to 1 week which is plenty of time for the hackers to notice they can no longer access your system.
Be vigilant, monitor your hosts and take advantage of tools available to keep your internet facing Ubuntu server safe. And always update and upgrade your system on a regular basis to keep your system applications and tools up to date.