I recently threw an old Dell laptop running Ubuntu Server into the DMZ of my home router/firewall. Since it now sits in the wild west of the public internet, it surely needs some extra protection, as port 22 is a constant target of brute-force attacks. That is where Fail2ban comes to mind (key-pair authentication is also on my to-do list). Let’s see the detailed steps below.
Step 1: fail2ban is available in Ubuntu’s repository, so installation is fairly simple
sudo apt update
sudo apt install fail2ban
Step 2: create a jail.local config file in /etc/fail2ban using the vi command below or your favorite text editor
sudo vi /etc/fail2ban/jail.local
Since I only need to secure ssh access to this box, I used the settings below
[sshd]
enabled = true
maxretry = 3
findtime = 1d
bantime = 4w
# /256 is not a valid prefix length; a /24 covers the whole 192.168.0.x LAN
ignoreip = 127.0.0.1 192.168.0.0/24
Basically it means that if an address fails to log in 3 times within 1 day, that IP will be banned for 4 weeks. And of course, my local addresses are excluded from the ban list via ignoreip.
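To make the three settings concrete, here is an added example (not part of the original post, and not fail2ban’s own code) that replays constructed, simplified auth.log lines through the same rule: count failures per IP inside a findtime window, skip addresses covered by ignoreip, and compute the ban expiry from bantime. It also shows why an ignoreip entry such as 192.168.0.1/256 is rejected as an invalid prefix.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified auth.log shape (addresses are documentation ranges).
SAMPLE_LOG = """\
2024-03-01 10:00:01 sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01 10:00:05 sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
2024-03-01 10:00:09 sshd[1003]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01 11:30:00 sshd[1010]: Failed password for me from 192.168.0.20 port 40000 ssh2
2024-03-01 11:30:03 sshd[1011]: Failed password for me from 192.168.0.20 port 40001 ssh2
2024-03-01 11:30:06 sshd[1012]: Failed password for me from 192.168.0.20 port 40002 ssh2
2024-03-01 12:00:00 sshd[1020]: Failed password for root from 198.51.100.9 port 60000 ssh2
2024-03-03 12:00:00 sshd[1021]: Failed password for root from 198.51.100.9 port 60001 ssh2
2024-03-05 12:00:00 sshd[1022]: Failed password for root from 198.51.100.9 port 60002 ssh2
"""
FAIL_RE = re.compile(r"^(\S+ \S+) sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse_ignoreip(spec):
    """Parse an ignoreip value; a bad prefix such as 192.168.0.1/256 raises ValueError."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]

def simulate_bans(log_text, maxretry, findtime_s, bantime_s, ignoreip):
    """Return {ip: ban expiry} for IPs with maxretry failures inside a findtime window."""
    networks = parse_ignoreip(ignoreip)
    recent = defaultdict(list)   # ip -> timestamps of failures still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in bans or any(ipaddress.ip_address(ip) in net for net in networks):
            continue  # already banned, or excluded by ignoreip
        # Drop failures older than findtime, then count this one.
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime_s] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime_s)
    return bans

def demo():
    """Apply the post's settings: maxretry 3, findtime 1d, bantime 4w, LAN excluded."""
    bans = simulate_bans(SAMPLE_LOG, 3, 86400, 4 * 7 * 86400, "127.0.0.1 192.168.0.0/24")
    return {ip: exp.strftime("%Y-%m-%d %H:%M:%S") for ip, exp in bans.items()}

if __name__ == "__main__":
    print(demo())  # {'203.0.113.7': '2024-03-29 10:00:09'}
```

The slow attacker at 198.51.100.9 never accumulates 3 failures inside one day, so the window rule alone does not ban it; the LAN host is skipped entirely by ignoreip.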
Step 3: restart the fail2ban service with
sudo systemctl restart fail2ban
And also check fail2ban’s service status with
sudo systemctl status fail2ban
Step 4: use fail2ban-client to verify the current “banning” status of the monitored sshd jail
sudo fail2ban-client status sshd
And let’s see whether the stats above show new failed attempts in a couple of days.
Thanks to this article for extra instructions and a more detailed explanation.
The content below was added just a couple of hours after fail2ban’s setup.
Damn, it is already working…
Again, I’ve thrown this malicious IP address into Google and found out that it has already been listed in some well-known halls of shame:
http://antivirus.neu.edu.cn/scan/ssh.php
https://www.blockedservers.com/blocked/ipv4/164.92.182.108/