If you want to protect your Ubuntu server, the first thing you should do is install fail2ban intrusion detection system. fail2ban does is monitor specific log file (in / var / log in) to find the failed login attempts or attacks on the server automatically. When trying to find the leak from an IP address, fail2ban then block the IP address (by adding a new chain to iptables) from gaining access (or attempt further attacks) server.
Believe it or not, fail2ban very easy to install and use, it should be considered essential software for all Linux servers.
I want to show you the process of installing fail2ban on Ubuntu 18.04. Then, I'll show you how to add a monitor to monitor failed SSH login attempts.
Installation
install fail2ban is very simple. Log on to your Ubuntu server and updates / upgrades. Please note that if kernel upgrade during this process, you must restart the server (and therefore run the server when you restart possible). To update and upgrade the server, issue the following command:
sudo APT-GET Update
sudo APT-GET upgrade
After completing the above command, restart the server (if necessary).
You can use a single command to install the fail2ban:
the sudo -Y APT-GET the install the fail2ban
when the command is completed, fail2ban ready. You will want to start with the following command and enable the service:
sudo systemctl Start fail2ban
sudo systemctl enable fail2ban
configuration jail
Next we will configure SSH login attempts a jail. In the / etc fail2ban directory, you will find jail.conf file. Do not edit this file. Instead, we will create a new file jail.local, it will override any similar settings in jail.conf. Our new jail configured to monitor /var/log/auth.log, use fail2ban sshd filter, the SSH port is set to 22, and set the maximum number of retries is 3. To do this, issue the command:
sudo Nano / etc /fail2ban/jail.local
in this new file, paste the following:
[the sshd]
Enabled to true =
Port = 22 is
filter the sshd =
logpath = /var/log/auth.log
maxretry =. 3
save and close the file. Use the following command to restart fail2ban:
sudo systemctl restart fail2ban
In this case, if someone tries to log in via SSH to your Ubuntu server, and failed three times, then stop preventing them from entering its IP address via iptables.
Testing and cancel
You can test to ensure that the new jail through ssh login server failed three failed. After the third attempt fails, the connection will hang. Press [Ctrl] + [c] to exit, and then try to SSH back to the server. You should not be able to use SSH from your IP address to the server.
Then, you can use the following command to cancel the test IP address:
sudo fail2ban the SET-Client sshd unbanip IP_ADDRESS
Where IP_ADDRESS is banned IP addresses.
You should now be able to log back into the server using SSH
