If you’ll open SSH on a server to the open internet, you’ll notice a lot of bots trying to login. You certainly should setup certificate based login, but banning offending IPs is also an important security measure.
I’ve installed fail2ban on my Raspbian installations and want to explain the installation and configuration. Its quite easy and the benefits are huge!
sudo apt-get install fail2ban
Create a copy of the original configuration file so that it won’t be overwritten by any updates:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Search for a block for [default]. You should set:
bantime = 10m findtime = 10m maxretry = 5
These are the general settings. The settings for sshd should be a little bit stricter. Search a block for [sshd]. You should set:
enabled = true maxretry = 3
You can enable and start fail2ban now using systemctl:
sudo systemctl enable fail2ban sudo systemctl start fail2ban
Verify its up and running:
sudo systemctl status fail2ban.service sudo fail2ban-client status sudo fail2ban-client status sshd
If you end up being locked out, you can unlog an offending IP address using this command:
sudo fail2ban-client set sshd unbanip <offenders IP >
Banned connections will be dropped immediately by the firewall and should be visible with a “connection refused”.