[Guide] Block failed SSH logins on Ubuntu Server, using Fail2Ban

A simple tutorial for Ubuntu Server to block failed SSH login attempts & protect your server from bad actors, using the free and open source software, fail2ban.

Logs parsed from my SSH Server. Here you can see multiple login attempts (sometimes from the same address!) trying to break into my server

SSH brute-force attacks are nasty: not only are they extremely annoying (at least when checking the logs), but they can also pose a danger to your valuable server and/or infrastructure. With SSH access, an attacker can have full control of your machine and do all kinds of nasty stuff. Most of the time these attacks are automated and harmless, but still, why risk it?


Let’s Start

Using the following commands, we will install fail2ban on our system.

sudo apt update
sudo apt install fail2ban -y

Then, after installing fail2ban, we need to configure it to monitor for SSH logins and block bad ones. Open nano (or your preferred text editor) and edit this file:

sudo nano /etc/fail2ban/jail.local

In /etc/fail2ban/jail.local, copy and paste the following configuration:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 28800
ignoreip = 127.0.0.1

  • enabled = true enables the jail that monitors SSH connections. Leave that set to true.
  • port = ssh is your SSH server's port. If your server is on port 22, you can ignore this option.
  • filter = sshd specifies the filter type. Leave that as is.
  • logpath = /var/log/auth.log is the path from which fail2ban will read the logs of the SSH server.
  • maxretry = 3 is how many failed attempts are allowed before an address gets banned. Three (3) is a good number, but you can go lower or higher depending on your needs.
  • findtime = 300 is the time window (in seconds) in which failed attempts are counted. If within this window an address fails more times than maxretry allows, it gets banned.
  • bantime = 28800 is the time (in seconds) that an address stays banned. You can make this as long or as short as you wish.
  • ignoreip = 127.0.0.1 is a list of IP addresses that fail2ban ignores; they can make as many failed logins as they wish. Adding the address you administer from here saves you from locking yourself out.
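To see how maxretry, findtime and ignoreip interact, here is a small Python model of the jail's counting logic run over constructed auth.log lines. This is added example code written for this guide, not part of fail2ban; the addresses and timestamps are made up, and the year is an assumption because syslog stamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd failure lines the sshd filter looks for; captures timestamp and source IP.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+"
)

# Constructed sample auth.log lines (documentation test-net addresses, not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:01:10 host sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:02:30 host sshd[1003]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar  3 10:03:45 host sshd[1004]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:15:00 host sshd[1005]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:30:00 host sshd[1006]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  3 10:31:00 host sshd[1007]: Failed password for root from 127.0.0.1 port 22222 ssh2
Mar  3 10:31:10 host sshd[1008]: Failed password for root from 127.0.0.1 port 22223 ssh2
Mar  3 10:31:20 host sshd[1009]: Failed password for root from 127.0.0.1 port 22224 ssh2
"""

def parse_ts(stamp, year=2024):
    """Syslog stamps carry no year; assume one so the lines compare chronologically."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def simulate(log_text, maxretry=3, findtime=300, bantime=28800, ignoreip=("127.0.0.1",)):
    """Replay the log in order; return {ip: time_of_ban} for every address that gets banned."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group(1)), m.group(2)
        if ip in ignoreip:
            continue  # ignoreip hosts are never counted
        if ip in bans and ts < bans[ip] + timedelta(seconds=bantime):
            continue  # already banned; further failures during bantime change nothing
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans
```

With the guide's settings only 203.0.113.7 is banned (three failures inside 300 seconds); 198.51.100.9 fails just as often but spaced more than findtime apart, so it never trips the jail, and 127.0.0.1 is skipped because of ignoreip.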

Now, save the file and quit the editor. We will need to restart fail2ban to apply the changes. You can restart fail2ban using the following command:

sudo systemctl restart fail2ban

After restarting, we can check the stats of our fail2ban jail using the following command:

sudo fail2ban-client status sshd

Here is the output of the command "sudo fail2ban-client status sshd". It shows how many IPs are currently banned, how many have been banned in total, how many have failed but have not been banned, and the total failed attempts of all time.

How to ban / unban IPs

If you wish to remove an IP Address from the blocklist, you can do so with the following command:

sudo fail2ban-client set sshd unbanip 192.168.1.254

On the other hand, if you wish to add an IP to the blocklist, feel free to do so with the following command:

sudo fail2ban-client set sshd banip 192.168.1.254

Congrats admin! You have successfully configured fail2ban to protect your server! Hooray!
