How To Protect SSH with fail2ban on Ubuntu 12.04 About Fail2Ban

8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
MENU
How To Protect SSH with fail2ban on Ubuntu 12.04
T AGGE D I N: LI NU X B ASI CS, U B U NT U , SE CU RI T Y
SHARE
AU T H OR: E T E L SVE RDLOV • PU B LI SH E D: JU N 14, 2012 • U PDAT E D: JU N 10,
2014
About Fail2Ban
Servers do not exist in isolation, and those virtual private servers with only the
most basic SSH configuration can be vulnerable to brute force attacks.
fail2ban provides a way to automatically protect virtual servers from malicious
behavior. The program works by scanning through log files and reacting to
offending actions such as repeated failed login attempts.
Step One—Install Fail2Ban
Use apt-get to install Fail2Ban
sudo apt-get install fail2ban
Step Two—Copy the Configuration File
The default fail2ban configuration file is location at /etc/fail2ban/jail.conf. The
configuration work should not be done in that file, however, and we should
instead make a local copy of it.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After the file is copied, you can make all of your changes within the new
jail.local file. Many of possible services that may need protection are in the file
already. Each is located in its own section, configured and turned off.
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
1/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
Step Three—Configure the Defaults in Jail.Local
Open up the the new fail2ban configuration file:
sudo nano /etc/fail2ban/jail.local
The first section of defaults covers the basic rules that fail2ban will follow. If
you want to set up more nuanced protection on your virtual server, you can
customize the details in each section.
You can see the default section below.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#
This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
Write your personal IP address into the ignoreip line. You can separate each
address with a space. IgnoreIP allows you white list certain IP addresses and
make sure that they are not locked out. Including your address will guarantee
that you do not accidentally ban yourself from your own server.
The next step is to decide on a bantime, the number of seconds that a host
would be blocked from the VPS if they are found to be in violation of any of
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
2/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
the rules. This is especially useful in the case of bots, that once banned, will
simply move on to the next target. The default is set for 10 minutes—you may
raise this to an hour (or higher) if you like.
Maxretry is the amount of incorrect login attempts that a host may have
before they get banned for the length of the ban time.
You can leave the backend as auto.
Destemail is the email that alerts get sent to. If you have a mail server set up
on your droplet, Fail2Ban can email you when it bans an IP address.
Additional Details—Actions
The Actions section is located below the defaults. The beginning looks like
this:
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
[...]
Banaction describes the steps that fail2ban will take to ban a matching IP
address. This is a shorter version of the file extension where the config if is
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
3/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
located. The default ban action, "iptables-multiport", can be found at
/etc/fail2ban/action.d/iptables-multiport.conf
MTA refers to email program that fail2ban will use to send emails to call
attention to a malicious IP.
You can change the protocol from TCP to UDP in this line as well, depending
on which one you want fail2ban to monitor.
Step Four (Optional)—Configure the ssh-iptables Section in
Jail.Local
The SSH details section is just a little further down in the config, and it is
already set up and turned on. Although you should not be required to make
to make any changes within this section, you can find the details about each
line below.
[ssh]
enabled
port
filter
logpath
maxretry
=
=
=
=
=
true
ssh
sshd
/var/log/auth.log
6
Enabled simply refers to the fact that SSH protection is on. You can turn it off
with the word "false".
The port designates the port that fail2ban monitors. If you have set up your
virtual private server on a non-standard port, change the port to match the
one you are using:
eg. port=30000
The filter, set by default to sshd, refers to the config file containing the rules
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
4/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
that fail2ban uses to find matches. sshd refers to the
/etc/fail2ban/filter.d/sshd.conf.
log path refers to the log location that fail2ban will track.
The max retry line within the SSH section has the same definition as the
default option. However, if you have enabled multiple services and want to
have specific values for each one, you can set the new max retry amount for
SSH here.
Step Five—Restart Fail2Ban
After making any changes to the fail2ban config, always be sure to restart
Fail2Ban:
sudo service fail2ban restart
You can see the rules that fail2ban puts in effect within the IP table:
sudo iptables -L
By Etel Sverdlov
Related Tutorials
How To Set Up a Firewall Using IP Tables on Ubuntu 12.04
How To Share PHP Sessions on Multiple Memcached Servers on Ubuntu 14.04
How To Install Nginx on CentOS 7
Initial Server Setup with CentOS 7
How To Create an ECC Certificate on Nginx for Debian 7
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
5/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
80 Comments
webadmin November 3, 2012
Cool article.
"If you have a mail server set up on your droplet" - How would we go about enabling this on
Ubuntu?
moisey November 3, 2012
Droplets are what we call virtual servers so it would be the same instructions for any
installation of Ubuntu.
joseph.bouchard November 27, 2012
"Write your personal IP address into the ignoreip line."
-- Are you saying the IP address of my server, or the IP address I am likely to be connecting
from?
Etel Sverdlov November 27, 2012
The IP that you will be connecting from.
naftoligug December 21, 2012
cp and nano commands need sudo.
Etel Sverdlov December 21, 2012
Updated. Thank you
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
6/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
dev December 25, 2012
Does Fail2Ban start automatically when the server reboots?
Etel Sverdlov December 26, 2012
Yes, it does start automatically.
sds357 January 1, 2013
This tutorial didn't work for me until I changed 'backend = auto' to 'backend = polling' on my
ubuntu 12.04 droplet.
langlaislaurent January 18, 2013
"iptables -L" should be "sudo iptables -L"
goyal.nikhil89 January 19, 2013
can fail2ban work with ufw?
ben January 19, 2013
Yes it should be possible.
Fail2ban Actions: The directory /etc/fail2ban/action.d contains different scripts defining
actions which will execute once a filter matches. Only one filter is allowed per service, but it
is possible to specify several actions, on separate lines.
I would start there, but the default is to use iptables and since fail2ban is an automated
solution you can easily use iptables without knowing how it works.
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
7/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
agentbullvi January 23, 2013
Goyal,
UFW and iptables-multiport are completely compatible, however UFW will not show you
banned IP addresses. You can still manage your basic firewall with UFW.
If you need to see banned IP addresses you have multiple options.
iptables --list -n | fgrep DROP
or
fail2ban-client status ssh
Either will show you currently banned IP addresses. the fail2ban-client will show you the IP
addresses it is managing (via bantime limits).
Hope that helps.
jcjeffcc January 26, 2013
Shouldn't you sudo mv the .local file to .conf afterwards?
digitalocean January 29, 2013
might want to edit the configs using sudoedit instead of nano, running sudo nano can set
the nano history file to be owned by root which makes for some fun error messages down
the road.
marius.butuc February 16, 2013
"Write your personal IP address into the ignoreip line."
-- any solution if you have dynamic IP, or does that simply defeat the purpose?
neilabatchelor February 25, 2013
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
8/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
+Marius If you use DynDNS (http://dyn.com/dns/) you can get a hostname allocated to your
dynamic address. Most routers have the functionality to update whenever the IP address
changes.
christian March 12, 2013
I just followed these instructions, now in /var/log/fail2ban.log I'm seeing the following lines
hundreds of times:
fail2ban.filter : WARNING Determined IP using DNS Reverse Lookup: na-200-38-7572.static.avantel.net.mx = ['200.38.75.72']
fail2ban.filter : WARNING Determined IP using DNS Reverse Lookup:
demodigitool.gsl.com.mx = ['200.38.75.72']
What does that mean? Is this normal? I don't recognize the IP address.
Thanks
rhetherpei March 22, 2013
Good Tutorial to get started securing my VM.
chris.febian April 21, 2013
is this compatible with nginx by default? or we need to modified it first? I've googling and
found several article about how to make file2ban works with nginx. I got several
configuration and modification that I can't understand >,<
Help me please..??
brandon.dawson May 6, 2013
For users on 12.10, it seems that fail2ban is now shipping with filters for most everything
already built in.
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
9/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
cowsun.tech May 24, 2013
I also have a dynamic ip, So I set up an acount with DynDNS..
But how can I now SSH to my droplet using my DynDNS host name - so I can whitelist it in
fail2ban?
I configured my router's DDNS settings successfully, however when I check my SSH access
log after logging in it still shows my dynnamic IP and not my DynDNS hostname.
Kamal Nasser May 24, 2013
@cowsun.tech the ignoreip directive accepts a DNS hostname therefore you can put your
DynDNS host in there.
cowsun.tech May 25, 2013
@Kamal Nasser : Yeah I don't know how to use the dyndns hostname I've setup to access
my droplet.
In the ssh access log it shows my same dynamic IP from my ISP not DynDNS's, and after
each subsequent login the welcome reads:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-virtual x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Sat May 25 12:13:09 2013 from 192-XX-XXX-XX.dynamic.myisp.com <-- not my
DynDNS hostname which is what I need to be showing up here?
Kamal Nasser May 25, 2013
@cowsun.tech that's because your IP rDNS resolves to your ISP.
cowsun.tech May 25, 2013
@Kamal Nasser : thanks for clearing this up, so the suggestion up a little higher in a previous
post was incorrect and there is no point of using DynDNS for the purpose of compensating
for a dynamic IP from your ISP http://www.dyncommunity.com/questions/6771/problem-with-nslookup.html
Maybe I can stop wasting my time?
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
10/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
Kamal Nasser May 25, 2013
@cowsun.tech you still need to have your DynDNS host there so fail2ban whitelists your IP
even if it's dynamic.
yangyun June 23, 2013
On restart the message is "Restarting authentication failure monitor fail2ban" , meaning
'Restart succeeded' (not authentication failed).
Kamal Nasser June 23, 2013
@yangyun That is correct. It's restarting fail2ban which is the authentication failure monitor.
:]
brut-net July 26, 2013
To enable the alertmail you not only need to set the destemail, but also change the line
action = %(action_)s
to either
action = %(action_mw)s #(for ban & send an e-mail with whois report to the destemail)
or
action = %(action_mwl)s #(for ban & send an e-mail with whois report and relevant log lines
to the destemail)
german July 27, 2013
Can I install fail2ban after I install iRedMail ? Will it have conflic between the two ?
Tks
Kamal Nasser July 27, 2013
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
11/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
@germanab7: You can follow this official iRedMail entry on installing fail2ban:
http://www.iredmail.org/wiki/index.php?title=Addition/Harden.iRedMail.with.Fail2ban
deekin August 8, 2013
I'm thinking of implementing, but the whitelisting gives me a bit of pause. I do use Dyn on
my laptop and on my main box which is fine, but what if i want to use SSH from my phone?
Since I installed OpenVPN on my server, I guess I could also whitelist my DO IP and just
make sure I am connected before trying SSH from a 3G connection. Thoughts on whether
this would work or not? I don't really feel like "experimenting" with this specific feature :) - I'd
rather know before I go.
Kamal Nasser August 8, 2013
@deekin: It would certainly work. Whitelist your VPN's public IP address and add it to
fail2ban's whitelist. Then you can login to the VPN and then SSH to your droplet.
deekin August 8, 2013
Thank you Kamal! GJ on the techcrunch piece BTW - my pal sent it to me. Don't spend it all
on one place hehe - oh, and bring back receipts please.
deekin August 9, 2013
Shouldn't you sudo mv the .local file to .conf afterwards?
Kamal Nasser August 9, 2013
@deekin: No. Per the manual:
Every .conf file can be overridden with a file named .local. The .conf file
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
12/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
kevin_thulin August 14, 2013
Does fail2ban and UFW start self after a server reboot, or do I need to enable them?
Also, could I check if their both running by:
sudo iptables -L
sudo ufw status
?
Kamal Nasser August 14, 2013
@kevin_thulin: Both of them should start automatically. You can check if they're running by
running
service ufw status
service fail2ban status
mats.gbproject August 20, 2013
Should "eg." be included in the "eg. port=30000"? And should this be written instead of
"port=ssh" or in addition to it?
Kamal Nasser August 21, 2013
@mats.gbproject: No, "e.g." means "for example". It is an abbreviation for the Latin phrase
exempli gratia.
kevin_thulin August 23, 2013
I did a shutdown -h now, to take a snapshot of my droplet.
After that I checked my fail2ban with sudo tail -f /var/log/fail2ban.log and fail2ban-client
status ssh,
Now it says I only have 1 IP adress banned, I used to have 22. And my bantime is "31536000"
So, does fail2ban clear the log file after a reboot?
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
13/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
Also got this message:
2013-08-23 21:25:33 fail2ban.server : INFO Exiting Fail2ban
2013-08-23 21:25:34 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log
for Fail2ban v0.8.6
2013-08-23 21:25:34 fail2ban.jail : INFO Creating new jail 'ssh'
2013-08-23 21:25:34 fail2ban.jail : INFO Jail 'ssh' uses Gamin
2013-08-23 21:25:34 fail2ban.filter : INFO Added logfile = /var/log/auth.log
ppacoi August 26, 2013
Perfect Thanks
weeleetan August 27, 2013
hi,
can i add the section for nginx website also ?
Kamal Nasser August 28, 2013
@weeleetan: What would fail2ban protect you from if you configure it to work with nginx?
weeleetan August 29, 2013
i not sure, i am new and i wish to protect my VPS. Do you have any tips?
Kamal Nasser August 29, 2013
@weeleetan: Setting up fail2ban to work with nginx is redundant and not needed at all. You
should also firewall your droplet:
https://www.digitalocean.com/community/articles/how-to-setup-a-firewall-with-ufw-on-anhttps://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
14/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
ubuntu-and-debian-cloud-server
alex August 29, 2013
this instruction is missing the point that you need to whitelist your IP addresses in order not
to lock yourself out. So how does one do this?
asterixzzz October 11, 2013
If I have fail2ban installed is there any point to move ssh on another port than 22 or use SSH
key pair instead of password. I mean, how big is the probability that anyone would pass the
fail2ban protection anyway?
Kamal Nasser October 12, 2013
@Asterix: Anyone could just scan your droplet for open ports so you should install fail2ban
and change the SSH port.
nimopress October 29, 2013
I'd like to set fail2ban up. I'm concerned that I will be connecting from behind a proxy (it's
my ISP). I now connect via SSH Keys.
My questions is if I leave as-is 'ignoreip = 127.0.0.1/8' and not add more IP addresses, will I
risk being locked out?
My proxy IP could be xxx.xxx.xxx.24 now. and when i try ogging in again later, it could
change to xxx.xxx.xxx.250. That's quite a big range?
daniel.subs October 29, 2013
@JC - no. jail.local is meant to contain all local changes (ONLY) and is read by fail2ban
@Kamal note the bit you quoted " a .local file doesn't have to include everything in the
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
15/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
corresponding .conf file" and abide by this in the instructions. It will save confusion like
what you created for @germanab7
Step 2: you shouldn't copy jail.conf to jail.local - this means any updates to jail.conf are no
enforced. Create a new jail.local with only the bits required.
Step 3: just override bits you need like:
[DEFAULT]
destemail = ....
You probably never want to change the default to UDP. Set per jail if required
action = iptables[name=SSH, port=ssh, protocol=tcp]
Step 4: you only need to overwrite changes so here it could just be:
[ssh]
enabled = true
Kamal Nasser October 31, 2013
@Nicholas:
My questions is if I leave as-is 'ignoreip = 127.0.0.1/8' and not add more IP
addresses, will I risk being locked out?
Yes. But as long as you remember to not enter an incorrect password/use an invalid ssh key,
you won't be locked out.
nimopress November 3, 2013
@Kamal, yup makes sense to me. ;)
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
16/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
f1dc16eda41571f12bf5d14705a5aef0 December 5, 2013
Hi, I am not too sure what my port should be. It is currently at default 'port= ssh'.
My port number for my droplet is not 22, I have changed it to a different number. I am also
using SSH key. So should i still leave it as 'port=ssh'? Or should i change it to something
else? If so, what should it be? I'm really confused.
many thanks! :)
Kamal Nasser December 5, 2013
@hopefloatt: I believe you can simply replace 'ssh' with e.g. 1234 where 1234 is your SSH
port and it would work fine.
alexc December 6, 2013
Kamal, I just want to make sure that I understand this correctly. If I install fail2ban and I make
no modifications at all to the config files, I can still SSH into my server from any arbitrary IP
address, as long as I can log in successfully within three attempts? Is that right?
gagnon.pierluc December 6, 2013
Yes alexc, that's right!
acastella December 11, 2013
Hi!
The correct instruction is "sudo service fail2ban status"
Cheers!
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
17/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
anshar_amin December 31, 2013
My Fail2ban status:
*status of authentication failure monitor
* /var/run/fail2ban.sock not readable, status of fail2ban is unknown.
Is it not working?
Kamal Nasser January 1, 2014
@anshar_amin: I believe that means fail2ban is not running, try starting it:
sudo service fail2ban start
kevin.thornton12 January 5, 2014
Hi there does anyone know why my fail2ban keeps doing a log rotation once a week
dropping all my banned ips when i have the default bann time set to 1 year?
Kamal Nasser January 6, 2014
@scene4life21: Did you reboot your droplet? fail2ban clears the rules once the server is
rebooted.
kevin.thornton12 January 6, 2014
@Kamal Nasser
No.
Thats the weird thing about this is i dont reboot or update and upgrade at all cause there is
not much need to. I have the default ban time in the fail2ban.local file set to 1 year, yet once
a week in rotates the logs.
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
18/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
Kamal Nasser January 7, 2014
@scene4life21: Hmm. Can you paste fail2ban's logrotate config?
Kamal Nasser January 7, 2014
(Use http://pastebin.com/).
jb5531 January 8, 2014
Just reading through these comments and I'm a bit confused due to one from @weeleetan
about using Nginx. I'm new to setting up a VPS and currently have the LAMP stack installed
-- however, I will probably try using WordPress with Nginx in the near future, so I'd be
installing Nginx on my current setup, so the question:
Fail2Ban is independent of Apache, Nginx, etc, right; as in it works for all/any of them? If
not, then is there a similar program that one should use to protect Nginx? Sorry for the
newbie question but I want to make sure I get this right, thanks!
jb5531 January 8, 2014
Also, just checking that running `sudo service fail2ban restart` is suppose to product the
message -- Restarting authentication failure monitor fail2ban as it's the monitoring program?
This also happens when I try to run `service fail2ban status` and I want to make sure it's
working.
Kamal Nasser January 9, 2014
@Jason: Check out http://codepoets.co.uk/2013/fail2ban-filter-for-wordpress/. (Use
/etc/fail2ban/local.conf instead of jail.conf). Make sure you set logpath to nginx's access
log.
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
19/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
jb5531 January 22, 2014
OK - I guess after reading more my question is a bit confusing. I'm looking to use fail2ban to
protect my SSH (just like this article is going through) except that instead of using Apache,
I'm using nginx... so what are the differences, just the logpath? Is the nginx default logpath I
should be using /var/log/syslog?
I'm new at this so I have no idea what the "correct" way of doing this is.
danko.nakic February 17, 2014
The situation has changed a bit for us with dynamic IP's: http://dyn.com/dns/ is no longer
free. Is there a reliable free alternative available?
me March 15, 2014
IMPORTANT: As sds357 mentioned before, on Ubuntu LTS 12.04, leaving the "backend =
auto" doesn't work and fail2ban won't protect you from anything. You have to change it to
"backend = polling".
boy April 12, 2014
since I am in dynamic IP and do not want to pay for dyns, how do i uninstall this FAIL2BAN?
what is the Command Line?
Kamal Nasser April 12, 2014
@boy: You can uninstall fail2ban by running:
sudo apt-get remove fail2ban
.
vbamba May 30, 2014
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
20/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
Hi Kamal,
Quikc question. I am running SearchBlox an intranet search software using Java and it uses
port 8080. Am also running wordpress. Tried CSF but got website locked. Also I am getting
Ddos attacks. Will Fail2ban help me here. Also would I need to specify somewhere to allow
ports 80,8080,3306(Mysql), 3389(terminal services), 20,21(FTP) etc?
Thanks
Andrew SB May 30, 2014
@vbamba: Fail2ban protects against brute force attacks trying to access your server via ssh,
so it isn't much help for a DDOS attack. As for firewalling, iptables can do what you want. If
you're on Ubuntu or Debian, you can use ufw as a frontend for iptables. It really simplifies
things. Checkout:
https://www.digitalocean.com/community/articles/how-to-setup-a-firewall-with-ufw-on-anubuntu-and-debian-cloud-server
freaky_irish June 9, 2014
Can I access SSH if I leave ignoreip as is? (suppose I will NEVER supply wrong password)
Andrew SB June 10, 2014
@freaky_irish: Yes. As long as you don't hit the needed number of failed access attempts,
you don't need to add your IP to ignoreip
florian June 17, 2014
I'm having an issue where the field in the action.d files for Apache-related bans resolves to
my VPS's own IP, not the attacker's. Any idea why that could be the case? It works fine for
SSH (i.e. placeholder get's replaced by the attacker's IP...). Thanks!
Andrew SB June 18, 2014
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
21/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
@florian: You add you IP to the list of ignore IPs in /etc/fail2ban/jail.conf Which
Apache filters did you enable?
Log In to comment
Leave a comment...
SUBMIT COMME NT
This work is licensed under a Creative
Commons Attribution-NonCommercialShareAlike 4.0 International License.
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
22/23
8/2/2014
How To Protect SSH with fail2ban on Ubuntu 12.04 | DigitalOcean
Copyright © 2014
DigitalOcean ™ Inc.
Proudly Made in NY
Terms, Privacy, & Copyright
Security
C OMMUNITY
Dashboard
Overview
Tutorials
Questions
Projects
Tutorial Suggestions
Get Paid to Write
2 , 2 2 4 , 9 5 5 D ROPL E T S L AU N CH E D
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
23/23