How to prevent brute-force ssh attacks with fail2ban
If you are experiencing a brute-force SSH attack (people or bots trying different combinations of username and password to log into remote servers), you probably want to set up fail2ban so they cannot keep trying.
Before writing about fail2ban: if you are on AWS, I would highly suggest checking your security groups and Network ACLs first. If possible, only allow the IPs that actually need the SSH port to reach your server. Sadly we have dynamic IPs here in Argentina, and it is really tedious to update that allow list every time my IP changes, especially when you may need to access multiple servers a day.
Fail2ban
I won't go too deep into everything this software can do, but if you are interested you can read more in their GitHub wiki.
We will use it to block IPs that keep trying to log in via SSH after N failed attempts.
First you need to install the package. My server runs Ubuntu, so we run:
sudo apt-get install fail2ban
To configure it, create a jail.local file in /etc/fail2ban/. The defaults live in /etc/fail2ban/jail.conf; do not edit that file, because it is overwritten on package upgrades, while settings in jail.local override it and survive. Let's create the file:
sudo touch /etc/fail2ban/jail.local
Since we only care about the SSH jail, these lines are enough:
[sshd]
maxretry = 5
bantime = 10800
maxretry is the number of failures allowed before a ban, and bantime is how long the ban lasts, in seconds (10800 is 3 hours). Failures are counted inside a sliding window called findtime, which defaults to 10 minutes: five failures spread over an hour will not trigger a ban unless you raise it. On Ubuntu the sshd jail is already switched on through /etc/fail2ban/jail.d/defaults-debian.conf; on other distributions you may also need enabled = true in this section. Feel free to change those values to fit your usage.
Now restart the fail2ban service and we are ready to go:
sudo systemctl restart fail2ban.service
From now on, an IP that fails to authenticate 5 times within the findtime window is banned for 3 hours. The ban is a firewall rule that blocks the source IP, not an SSH setting, so the attacker stops reaching sshd at all. Great!
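To make the maxretry / findtime / bantime interaction concrete, here is an added example (my own code, not fail2ban's) that re-implements the core of the sshd jail over a constructed auth.log: it matches "Failed password" lines (fail2ban's real sshd filter matches more sshd messages than this), counts failures per IP inside a sliding findtime window, and records a ban when maxretry is reached. The log lines, hostnames and RFC 5737 addresses are constructed for the example. It shows the edge case from the text: the second host fails five times too, but spread over 12 minutes, so with the default 10-minute findtime it is never banned.

```python
# Added example, not fail2ban's own code: a small re-implementation of what the
# [sshd] jail does with maxretry / findtime / bantime, run over constructed
# auth.log lines, so you can see why a jail bans one host and not another.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Approximates the "Failed password" pattern in fail2ban's sshd filter
# (the real filter matches more sshd messages than this one).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = """\
Feb 14 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51812 ssh2
Feb 14 10:00:04 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51812 ssh2
Feb 14 10:00:09 srv sshd[1205]: Invalid user admin from 203.0.113.5 port 51830
Feb 14 10:00:11 srv sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51830 ssh2
Feb 14 10:00:13 srv sshd[1209]: Failed password for ubuntu from 203.0.113.5 port 51844 ssh2
Feb 14 10:00:15 srv sshd[1213]: Failed password for root from 203.0.113.5 port 51850 ssh2
Feb 14 10:00:20 srv sshd[1217]: Failed password for root from 203.0.113.5 port 51862 ssh2
Feb 14 10:01:00 srv sshd[1220]: Accepted publickey for deploy from 192.0.2.9 port 40000 ssh2: ED25519 SHA256:constructed
Feb 14 10:02:00 srv sshd[1230]: Failed password for root from 198.51.100.7 port 40001 ssh2
Feb 14 10:05:00 srv sshd[1231]: Failed password for root from 198.51.100.7 port 40002 ssh2
Feb 14 10:08:00 srv sshd[1232]: Failed password for root from 198.51.100.7 port 40003 ssh2
Feb 14 10:11:00 srv sshd[1233]: Failed password for root from 198.51.100.7 port 40004 ssh2
Feb 14 10:14:00 srv sshd[1234]: Failed password for root from 198.51.100.7 port 40005 ssh2
"""


def parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year, so the caller supplies one
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def bans_from_log(lines, maxretry=5, findtime=600, bantime=10800, year=2021):
    """Return {ip: (banned_at, expires_at)} for every IP that reached
    maxretry failures inside a sliding findtime window (both in seconds)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside findtime
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failure line this filter cares about
        ip, t = m.group("ip"), parse_ts(m.group("ts"), year)
        if ip in bans and t < bans[ip][1]:
            continue  # still banned: the firewall rule would have blocked this
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = (t, t + timedelta(seconds=bantime))
            q.clear()
    return bans


def currently_banned(bans, at):
    """IPs whose ban is still active at `at` (what 'Currently banned' counts)."""
    return sorted(ip for ip, (_, expires) in bans.items() if at < expires)


if __name__ == "__main__":
    bans = bans_from_log(SAMPLE_LOG.splitlines())
    for ip, (start, end) in bans.items():
        print(f"{ip} banned at {start:%H:%M:%S} until {end:%H:%M:%S}")
    # 198.51.100.7 only trips the jail if findtime is widened past its 12-minute spread
    print(sorted(bans_from_log(SAMPLE_LOG.splitlines(), findtime=900)))
```

With the defaults only 203.0.113.5 is banned, at 10:00:15 (its fifth failure; the sixth at 10:00:20 is ignored because the ban is already active). Raising findtime to 900 seconds also bans 198.51.100.7, which is the knob to turn when an attacker deliberately paces attempts to stay under the window.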
If you want to check the status of fail2ban, how many failed attempts it has seen and how many IPs are banned at a given moment, run fail2ban-client status sshd (as root, since it talks to the fail2ban socket) and it will display something like this:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 75
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 6
   `- Banned IP list: 161.35.80.11 186.159.10.210
Troubleshooting
fail2ban enforces bans by adding rules to iptables on your Linux distribution (the default ban action creates a chain named f2b-sshd). I had issues while trying to execute iptables --list to check how those rules were applied after configuring fail2ban on one of my staging servers:
modprobe: ERROR: could not insert 'ip_tables': Cannot allocate memory
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
In a previous post I commented on Linux kernel images eating your inode budget (df -i returning 99%+ for /dev/xvda1). The cleanup, if applied carelessly like I did, can break iptables: the ip_tables kernel module ships with the kernel package, and once that package is gone the module can no longer be loaded, which is what the error above is complaining about. In short, never delete the kernel image you are currently running. To know which version to keep, check the output of uname -r on your server.
Thankfully, we can reinstall the running kernel's package using that same output:
sudo apt-get install linux-image-$(uname -r)
That puts the kernel's modules (ip_tables among them) back under /lib/modules/$(uname -r), which is what modprobe was missing; the iptables userspace tool itself was never the problem. If apt answers that the package is already the newest version, add --reinstall so the files are actually written again. I read that some people needed to run sudo apt-get full-upgrade and then reinstall the Linux image.
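To avoid the mistake described above next time, here is an added example (my own code, not from the original post or from any package tool) that plans a kernel cleanup from the output of dpkg-query: it keeps the running kernel reported by uname -r, the newest installed kernel and any unversioned metapackage such as linux-image-aws, and lists the rest as safe to purge. The dpkg output and the running version are constructed for the example, and the package names assume Ubuntu's linux-image-<version> naming; feed it the real output of dpkg-query -W -f='${Package} ${Status}\n' 'linux-image-*' on your own box.

```python
# Added example (not from the original post): plan which kernel packages are safe
# to purge so the running kernel's modules (ip_tables included) never disappear.
# Input is constructed to look like:
#   dpkg-query -W -f='${Package} ${Status}\n' 'linux-image-*'
import re

# Constructed dpkg-query output for this example.
DPKG_OUTPUT = """\
linux-image-4.4.0-1098-aws install ok installed
linux-image-4.4.0-1101-aws install ok installed
linux-image-4.4.0-1105-aws install ok installed
linux-image-4.4.0-1092-aws deinstall ok config-files
linux-image-aws install ok installed
"""
RUNNING_KERNEL = "4.4.0-1101-aws"  # what `uname -r` would print (constructed)


def version_key(pkg: str):
    """Numeric parts of a versioned kernel package name, for ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", pkg))


def plan_kernel_cleanup(dpkg_output: str, running: str):
    """Return (keep, remove): keep the running kernel, the newest installed
    kernel and every unversioned metapackage; everything else is removable."""
    installed = [
        line.split()[0]
        for line in dpkg_output.splitlines()
        if line.endswith(" install ok installed")  # skip removed / config-files leftovers
    ]
    versioned = [p for p in installed if re.search(r"\d", p)]
    keep = {p for p in installed if p not in versioned}  # metapackages
    keep.add(f"linux-image-{running}")  # never touch the running kernel
    if versioned:
        keep.add(max(versioned, key=version_key))  # nor the newest one
    remove = sorted(p for p in versioned if p not in keep)
    return sorted(keep), remove


if __name__ == "__main__":
    keep, remove = plan_kernel_cleanup(DPKG_OUTPUT, RUNNING_KERNEL)
    print("keep:  ", " ".join(keep))
    print("purge: ", " ".join(remove))
```

The `remove` list is what you would hand to `sudo apt-get purge`; `linux-image-4.4.0-1092-aws` never appears in either list because dpkg already reports it as removed, and the running kernel is kept even when it is the oldest one installed.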