Source: http://www.debian-administration.org/articles/152
Generate a key on the client. Hit enter for all 3 questions to use the default, and therefore no password.
Import the key into the remote SSH server. Execute this on the client:
ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote-ssh-server
Sources: [1][], [2][]
[1]: http://www.unixmen.com/how-to-prevent-ssh-brute-force-attacks-with-fail2ban-on-debian-7/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-prevent-ssh-brute-force-attacks-with-fail2ban-on-debian-7
[2]: http://blogs.buanzo.com.ar/2009/01/fail2ban-rules-for-lighttpd-fastcgi-alerts.html
Login as root user and enter the following command to install Fail2Ban.
All configuration files are found in the /etc/fail2ban
directory. The main configuration file is /etc/fail2ban/jail.conf
. It’s a good idea to make a backup of the main config file to avoid merges during upgrades. Edit local copy of the /etc/fail2ban/jail.conf
file as shown below.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open up /etc/fail2ban/jail.local
file in any editor. You will find a section called [Default]
. This section contains the basic set of rules that Fail2ban will follow. Set the values as per your requirement.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.100.1/24
bantime = 900
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
By default, Fail2Ban contains a set of pre-defined filters for various services. So you don’t need to enter any manual entries in the configuration files. All you need to do is just change the values of enabled to true or false, the respective services are automatically watched by Fail2Ban. Here is the SSH section in the jail.local
file:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
And the SSH-DDoS section in the jail.local
file:
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
And the Lighttpd-FastCGI section in the jail.local
file:
[lighttpd-fastcgi]
enabled = true
port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log
maxretry = 2
Once you have changed the configuration, restart Fail2Ban service to save the changes:
/etc/init.d/fail2ban restart
You can verify the rules that added by Fail2Ban in iptables using the following command:
root@server:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere