“Verbannen” is a Dutch verb and means “to ban”, as in Napoleon being sent to St. Helena. To ban, in the context of gaming, means being locked out. With the rise of Facebook and the like, you can even be locked out of groups and communities. But to ban also has a meaning in the context of IT security: for example, your account might get blocked after too many failed password attempts. This requires processes to unlock and restore access. One way to avoid this is to automatically restore access after a certain amount of time. Napoleon was banned until his death, 6 years later…

It is possible to implement failed-attempt counting, banning, restoring access, logging, etc. without changing the underlying software. On Unix/Linux, the tool of choice for this is called fail2ban. I first came across fail2ban when evaluating Seafile, but Owncloud and Nextcloud promote it as well. IMHO fail2ban should be active on each and every SSH login. Unfortunately fail2ban is missing from many SSH tutorials.

Fail2ban is simple to set up, has loads of presets, and is well documented. Enabling fail2ban for SSH is as easy as installing the package and enabling SSH in the config file. With a properly configured package, the SSH log file and iptables are preset correctly.

Fail2ban runs as a service, monitoring the logs of the access services you want to protect. It has filter/matching rules to check the logs for failed-login entries. When it triggers a ban, it uses iptables to block the source IP and service port combination for a preset time. There’s no warning to the user; the network communication simply stops. So be careful when testing, or wait for the ban to expire.
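To make the counting behind a ban concrete, here is an added, self-contained Python replay of the sshd jail logic (not fail2ban's own code): a filter regex that captures the source host, a per-IP failure count inside a findtime window, maxretry, and a bantime after which access is restored automatically. The log lines are constructed samples and the year is assumed, since syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); one IP fails fast, one fails slowly.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:05 host sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:09 host sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:00:12 host sshd[1204]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:30 host sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:20:00 host sshd[1206]: Failed password for invalid user test from 198.51.100.4 port 40100 ssh2
Mar  3 10:31:00 host sshd[1207]: Failed password for invalid user test from 198.51.100.4 port 40101 ssh2
Mar  3 10:42:00 host sshd[1208]: Failed password for invalid user test from 198.51.100.4 port 40102 ssh2
"""

# Failure pattern in the spirit of a fail2ban filter; the <host> group plays the role of <HOST>.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps have no year; 2024 is an assumed value for this sample."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def run_jail(log: str, maxretry: int = 3, findtime: int = 600, bantime: int = 600):
    """Replay the log; return [(ip, ban_start, ban_end)] in chronological order."""
    failures = {}      # ip -> timestamps of failures still inside the findtime window
    banned_until = {}  # ip -> when the (simulated) iptables rule would be removed again
    bans = []
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue   # successful logins and unrelated lines never count
        ts, ip = parse_ts(m["ts"]), m["host"]
        if ip in banned_until and ts < banned_until[ip]:
            continue   # still blocked: a real firewall drop would not even produce this line
        window = [t for t in failures.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            banned_until[ip] = end
            bans.append((ip, ts, end))
            failures[ip] = []   # counter resets; when the ban expires access is restored automatically
    return bans

if __name__ == "__main__":
    for ip, start, end in run_jail(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the default 600 s findtime only the fast-failing IP is banned; the slow one (one failure every 11 minutes) never reaches maxretry inside the window, which is why findtime and maxretry need tuning together.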

An attacker could switch IP address and continue, but fail2ban will simply create a new iptables rule. To me, a system that stops responding completely after a few password guesses is somewhat scary: in the case of SSH there is no new login prompt, nothing. After all, a system telling you “you have 3 attempts, you will be blocked for 10 minutes, your IP will be logged” would help any attacker adjust his scripts accordingly. (On the other hand, a system that drops all communication completely tells any attacker that fail2ban is installed…)
