When I initially set up my server for this blog and my small photography website I didn’t really think about securing it against attacks. But one day I looked into the “secure” logfile of my server and was greeted with this:

Apr 24 04:38:23 vps9533 sshd[21882]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.72.120.117  user=root
Apr 24 04:38:25 vps9533 sshd[21882]: Failed password for root from 122.72.120.117 port 29063 ssh2
Apr 24 04:38:25 vps9533 sshd[21883]: Received disconnect from 122.72.120.117: 11: Bye Bye
Apr 24 04:38:28 vps9533 sshd[21884]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.72.120.117  user=root
Apr 24 04:38:30 vps9533 sshd[21884]: Failed password for root from 122.72.120.117 port 29300 ssh2
Apr 24 04:38:30 vps9533 sshd[21885]: Received disconnect from 122.72.120.117: 11: Bye Bye
Apr 24 04:38:33 vps9533 sshd[21886]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.72.120.117  user=root
Apr 24 04:38:35 vps9533 sshd[21886]: Failed password for root from 122.72.120.117 port 29552 ssh2
Apr 24 04:38:35 vps9533 sshd[21887]: Received disconnect from 122.72.120.117: 11: Bye Bye
Apr 24 04:38:38 vps9533 sshd[21888]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.72.120.117  user=root
Apr 24 04:38:40 vps9533 sshd[21888]: Failed password for root from 122.72.120.117 port 29814 ssh2
Apr 24 04:38:41 vps9533 sshd[21889]: Received disconnect from 122.72.120.117: 11: Bye Bye
Apr 24 04:38:43 vps9533 sshd[21890]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.72.120.117  user=root
Apr 24 04:38:45 vps9533 sshd[21890]: Failed password for root from 122.72.120.117 port 30113 ssh2
Apr 24 04:38:46 vps9533 sshd[21891]: Received disconnect from 122.72.120.117: 11: Bye Bye
Apr 24 04:38:48 vps9533 sshd[21892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.72.120.117  user=root

Apparently someone had tried to log into my server via SSH. As I used a fairly strong password for my root account I didn’t think too much about it. Nonetheless I wanted to do something against these kinds of attacks.

Fail2ban


The first thing that came to my mind was to install fail2ban.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.

Installation

A simple “yum install fail2ban” on CentOS or RedHat is enough to install it. Source code and packages for all other Linux distributions are also available.

Configuration

There are two main configuration files.

fail2ban.conf

In fail2ban.conf you define the loglevel and logtarget as well as the socket used. Set loglevel to 4 to activate DEBUG mode if you have any problems during setup.

jail.conf

There are several important configuration options here. Set “ignoreip” to 127.0.0.1/8 so localhost doesn’t get banned. “bantime” is the time in seconds a host stays banned; I used 60000 seconds here. “maxretry” is the number of failures before a host gets banned. Set this to something more than 3 if you often mistype your password, or else you will lock yourself out.

Further down are the jail templates. I use “ssh-iptables” in my setup; set its “enabled” option to true. If you need other templates, e.g. for Apache or Postfix, enable them the same way.
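To make the jail.conf settings above concrete, here is an added example (not code from the original post or from fail2ban) that does the core of what the ssh jail does: count “Failed password” lines per source address, skip the ignoreip range and report every host that reached maxretry. The log lines, addresses and the IGNORE_PREFIX shortcut are constructed for the demo; fail2ban additionally requires the failures to fall inside its findtime window, which is left out here.

```shell
#!/bin/sh
# Added example, not code from the original post or from fail2ban: the core
# of what the ssh jail does with the jail.conf settings discussed above, run
# over a few log lines so the effect of maxretry and ignoreip can be seen.
# fail2ban also requires the failures to fall inside its findtime window;
# that part is left out here.
MAXRETRY=3            # same meaning as "maxretry" in jail.conf
IGNORE_PREFIX='127.'  # crude stand-in for ignoreip = 127.0.0.1/8

# Constructed sample in the format of a CentOS /var/log/secure
# (documentation addresses, not real hosts).
SAMPLE_LOG='Apr 24 04:38:25 vps sshd[21882]: Failed password for root from 192.0.2.10 port 29063 ssh2
Apr 24 04:38:30 vps sshd[21884]: Failed password for root from 192.0.2.10 port 29300 ssh2
Apr 24 04:38:35 vps sshd[21886]: Failed password for invalid user admin from 192.0.2.10 port 29552 ssh2
Apr 24 04:38:40 vps sshd[21888]: Failed password for root from 192.0.2.10 port 29814 ssh2
Apr 24 04:39:01 vps sshd[21900]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Apr 24 04:39:05 vps sshd[21901]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Apr 24 04:39:09 vps sshd[21902]: Failed password for root from 127.0.0.1 port 50001 ssh2
Apr 24 04:39:11 vps sshd[21903]: Failed password for root from 127.0.0.1 port 50002 ssh2
Apr 24 04:39:13 vps sshd[21904]: Failed password for root from 127.0.0.1 port 50003 ssh2'

# count_failures LOG IP -> number of "Failed password" lines from IP
count_failures() {
    printf '%s\n' "$1" | grep -c "Failed password for .* from $2 port"
}

# hosts_to_ban LOG -> source IPs with at least MAXRETRY failures, one per
# line, skipping the ignored range (the list fail2ban would hand to iptables)
hosts_to_ban() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Failed password for .* from \([0-9.]*\) port.*/\1/p' \
      | grep -v "^$IGNORE_PREFIX" \
      | sort | uniq -c \
      | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

hosts_to_ban "$SAMPLE_LOG"
```

Only 192.0.2.10 is reported: 198.51.100.7 stays under maxretry and the localhost failures are dropped by the ignore rule.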

Since I use nginx, I also added a template for nginx. There’s a great tutorial on how to configure fail2ban with nginx here.

Finally start fail2ban. If it doesn’t start, there’s something wrong with your configuration.

SSH-Configuration

Since I activated fail2ban my inbox got spammed with mails from fail2ban saying there was a break-in attempt. The server was also at 100% load, and the cause was fail2ban itself: because there were so many login attempts, fail2ban had to read a huge amount of data from the secure log and effectively brought my server down. So I figured I had to secure my ssh daemon, too.

sshd_config

There are several configuration options to secure your server:

1. Port

Set your port to something other than 22. This stops almost all login attempts, since most automated attacks only aim at port 22 (it reduces the noise rather than adding real protection, so combine it with the options below).

2. Permit root-login

Set this to “no” so you can no longer log in with your root account via ssh. You should always log in to your machine with a non-privileged account.

3. AllowUsers

Here you should only list the name of an unprivileged (NOT root) account, so that only this account can log in. Be sure to have a strong password for this user.

4. Advanced: PasswordAuthentication

Set this to “no” to disable login with a password. Then you can only log in with an SSH key.

There are countless tutorials on the internet on how to set up password-less SSH login.
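As an added example (not code from the original post), the following script checks an sshd_config for the four settings just discussed before you restart sshd, so a forgotten option shows up as a finding instead of as a lock-out. The sample config and the temporary file path are constructed for the demo; on a real host pass /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for
# the four hardening settings discussed above (Port, PermitRootLogin,
# AllowUsers, PasswordAuthentication). The sample config below is constructed
# for the demo; on a real host pass /etc/ssh/sshd_config. Match blocks are
# not handled.

# setting FILE KEY -> value of the first uncommented KEY line (sshd itself
# honours the first occurrence of a keyword), empty if the key is unset
setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_sshd_config FILE -> prints one finding per line and returns the
# number of findings as exit status (0 means all four settings are in place)
audit_sshd_config() {
    n=0
    port=$(setting "$1" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "Port: still 22 (default), move sshd to another port"; n=$((n+1))
    fi
    if [ "$(setting "$1" PermitRootLogin)" != no ]; then
        echo "PermitRootLogin: not 'no', root can log in over ssh"; n=$((n+1))
    fi
    users=$(setting "$1" AllowUsers)
    case " $users " in
        "  ") echo "AllowUsers: unset, every account may log in"; n=$((n+1)) ;;
        *" root "*) echo "AllowUsers: lists root, use an unprivileged account"; n=$((n+1)) ;;
    esac
    if [ "$(setting "$1" PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication: not 'no', key-only login not enforced"; n=$((n+1))
    fi
    return $n
}

# Constructed sample: a default-looking sshd_config with the relevant
# options still commented out or permissive.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
Protocol 2
PermitRootLogin yes
#AllowUsers
PasswordAuthentication yes
EOF

audit_sshd_config "$SAMPLE"; echo "findings: $?"
rm -f "$SAMPLE"
```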

Conclusion

Enabling fail2ban and configuring my sshd reduced the attacks to almost none.

Be sure to recheck everything twice, or else you could lock yourself out of your system!
