Fighting dictionary attacks with Sshutout and Fail2ban
Protection against DoS
SSH has two jails: the one just mentioned and sshd-ddos. This jail is not designed to prevent attempts to guess passwords, but to counter denial-of-service (DoS) attacks that open connections to the SSH daemon without entering a password.The logfile contains messages like this in case of a DoS attack:
sshd: Did not receive identification string from 10.0.0.150
Although you could configure multiple regular expressions per jail, many admins will prefer to assign different ban times for distributed DoS (DDoS) attacks as opposed to failed login attempts. That is, splitting this into the SSH and sshd-ddos categories makes a lot of sense.
The SSH jail is the only one set to enabled = true by default; all other jails – including sshd-ddos – have to be enabled manually.
Protection Scheme
If a user enters the wrong password multiple times, the results are similar to the Sshutout results: An iptables rule is triggered and locks out all connections from the offending computer for the next five minutes (Figure 2).
Protection for other services follows the same pattern (Figure 3). If you have a number of login-protected web pages on your Apache web server, Fail2ban will give you a jail to match,
[apache] enabled = false port = http,https filter = apache-auth logpath = /var/log/apache*/*access.log maxretry = 3
which you need to modify slightly. The Apache version that I run writes error messages to a separate error.log file, and not to access.log. After setting enabled = true, you can enable the jail.
Tip: A more elegant approach than simply restarting the Fail2ban daemon, which could mean disabling active iptables rules, is to send the following command from the Fail2ban client to the server:
fail2ban-client start apache
This command tells the server to add the [apache] entry to the list of active jails. To try this out, I entered a number of invalid passwords, and a new iptables rule was activated.
Infos
- Sshutout: http://www.techfinesse.com/sshutout/sshutout.html
- Fail2ban: http://www.fail2ban.org
« Previous 1 2
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.