Years ago, when I got my first server, I remember installing some scripts to check its integrity and warn me about attacks. I was amazed and quite frightened by the number of SSH attempts. I soon learnt, however, that this was quite normal. It may be worrying, but it’s normal.
Put a server on a public IP and people will try to crack it.
There’s no avoiding that. Well, there is, but it’s a bit impractical to disconnect a web server from the internet 🙂
So what can you do?
One of the solutions is to use iptables to block the IPs of failed login attempts. If someone (or something) makes more than X connection attempts from a particular IP then you block it.
Of course that’s easy if you can program. I can’t!
Luckily I don’t have to, as there are solutions like the rather excellent Fail2Ban available:
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address.
So not only can you block SSH attacks, you can also use it to defend yourself from other bruteforce attempts.
There are Debian / Ubuntu packages available, so all you need to do (as root) is run:
apt-get install fail2ban
This will install the daemon and its basic config, which is to silently block SSH attacks.
You can easily customise the configuration by editing /etc/fail2ban.conf
The developers have left nice clear comments in the file, so even I was able to make the necessary changes, including whitelisting my own IPs, i.e. so that you don’t lock yourself out just because you’ve forgotten your login details.
There’s also a nice writeup here which goes into some depth about the various options available.
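As an added illustration (not code from the original post, nor Fail2ban’s own implementation), here is a small Python sketch of the approach described above: parse sshd failure lines, count them per source IP inside a time window, honour a whitelist of your own addresses, and produce the iptables rules that would block the offenders. The log lines, the threshold names (maxretry, findtime, ignoreip) and all addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of sshd lines in syslog format (not a real log).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:04 host sshd[2002]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 host sshd[2003]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:00:15 host sshd[2004]: Accepted publickey for alice from 198.51.100.2 port 40000 ssh2
Mar  3 10:00:20 host sshd[2005]: Failed password for bob from 198.51.100.2 port 40010 ssh2
Mar  3 10:00:21 host sshd[2006]: Failed password for bob from 198.51.100.2 port 40011 ssh2
Mar  3 10:00:22 host sshd[2007]: Failed password for bob from 198.51.100.2 port 40012 ssh2
Mar  3 10:00:30 host sshd[2008]: Failed password for root from 192.0.2.9 port 3333 ssh2
Mar  3 10:30:00 host sshd[2009]: Failed password for root from 192.0.2.9 port 3334 ssh2
Mar  3 10:59:00 host sshd[2010]: Failed password for root from 192.0.2.9 port 3335 ssh2
"""

# Only "Failed password" lines count; capture the timestamp and the source IP.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)

def find_offenders(log_text, maxretry=3, findtime=600, ignoreip=()):
    """Return IPs with >= maxretry failures inside any findtime-second window.

    Addresses inside the ignoreip networks (your own IPs) are never reported.
    """
    allowed = [ip_network(n) for n in ignoreip]
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year; strptime defaults to 1900, fine for ordering
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        ip = m.group(2)
        if any(ip_address(ip) in net for net in allowed):
            continue
        times[ip].append(ts)
    banned = []
    for ip, stamps in times.items():
        stamps.sort()
        # sliding window: maxretry consecutive failures within findtime seconds
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return banned

def ban_rules(ips):
    """Build the iptables commands that would reject each offender (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]
```

Note that 192.0.2.9 is not reported with the default 600-second window because its three failures are spread over an hour; raising findtime to 3600 catches it, which is the trade-off the findtime/maxretry pair expresses.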