So I've had this server for a little over a month now, and early on I set SSH up with key login to ensure no one else can log in. After chatting with a friend about all the brute-force attempts one of his servers is on the receiving end of, I decided to take a look at the failed login attempts on mine.
cat /var/log/auth.log | grep 'sshd.*Invalid'
I was somewhat surprised to see the number of attempts on even a fairly new server. It doesn't take them long to find servers apparently!
Nov 6 08:03:22 defestri sshd: Invalid user apolline from 22.214.171.124
Nov 6 08:37:11 defestri sshd: Invalid user appolenia from 126.96.36.199
Nov 6 09:11:00 defestri sshd: Invalid user april from 188.8.131.52
Nov 6 09:45:21 defestri sshd: Invalid user ar from 184.108.40.206
Nov 6 10:20:17 defestri sshd: Invalid user arabella from 220.127.116.11
Nov 6 10:55:07 defestri sshd: Invalid user araceli from 18.104.22.168
Nov 6 11:29:26 defestri sshd: Invalid user arao from 22.214.171.124
Nov 6 12:03:37 defestri sshd: Invalid user arcadia from 126.96.36.199
Nov 6 12:38:09 defestri sshd: Invalid user ardelle from 188.8.131.52
Nov 6 13:12:18 defestri sshd: Invalid user ardis from 184.108.40.206
Nov 6 13:46:16 defestri sshd: Invalid user aretha from 220.127.116.11
Nov 6 14:19:53 defestri sshd: Invalid user aretina from 18.104.22.168
Nov 6 14:53:42 defestri sshd: Invalid user ari from 22.214.171.124
Nov 6 15:27:43 defestri sshd: Invalid user aria from 126.96.36.199
Nov 6 16:01:42 defestri sshd: Invalid user ariadne from 188.8.131.52
Nov 6 16:35:39 defestri sshd: Invalid user ariana from 184.108.40.206
Nov 6 22:03:31 defestri sshd: Invalid user oracle from 220.127.116.11
Nov 6 22:03:33 defestri sshd: Invalid user oracle from 18.104.22.168
Nov 6 22:03:34 defestri sshd: Invalid user oracle from 22.214.171.124
I have of course set up fail2ban, which on the default settings bans them after six failed attempts for one hour. But it seems this lot are pretty persistent. First up, let's harden fail2ban a bit: reduce the number of failed attempts to three and increase the ban time to one day.
sudo vim /etc/fail2ban/jail.local
Scroll down to the section with bantime and maxretry and set as:
# ban time 24 hours
bantime = 86400
maxretry = 3
Scroll down to the ssh section as well and set it to three maximum retries:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Then finally restart fail2ban.
sudo service fail2ban restart
Now that that's taken care of, let's take it one step further. We can see there's one IP (126.96.36.199, an Indian IP) that seems to have taken a liking to trying to brute-force its way in. Let's just ban him at the kernel firewall instead.
Let's first open up the existing test rules for iptables (if you have any):
sudo vim /etc/iptables.test.rules
And let's make a new section for banned IPs:
## Banned IPs
-A INPUT -s 188.8.131.52 -j DROP
-A OUTPUT -d 184.108.40.206 -j DROP
Then double check how it looks:
sudo iptables -L
If that looks okay we'll save it to the master iptables file:
sudo sh -c "iptables-save > /etc/iptables.up.rules"
That ought to keep him out. Funnily enough, my friend had login attempts from the same IP. Whoever it is, they certainly get around.
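The two manual steps above, spotting the most persistent source in the grep output and writing its DROP rule, can be scripted. This is an added example, not code from the original post; the function names, the threshold argument and the sample log (which uses documentation-range addresses) are constructed for illustration. It takes the address after the last "from" on each line, because the username in front of it is whatever the client sent.

```shell
#!/bin/sh
# Added example (not from the original post): count sshd "Invalid user"
# attempts per source address and print DROP rules for the busiest ones.

# count_invalid LOGFILE -> "COUNT ADDRESS" lines, most active source first.
count_invalid() {
    awk '/sshd.*Invalid user/ {
        # Scan from the end of the line: the username is client-supplied
        # text and may itself contain the word "from".
        for (i = NF - 1; i >= 1; i--) {
            if ($i == "from") {
                ip = $(i + 1)
                # Count only fields that look like an IPv4/IPv6 address.
                if (ip ~ /^[0-9A-Fa-f:.]+$/) hits[ip]++
                break
            }
        }
    }
    END { for (ip in hits) print hits[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# ban_rules LOGFILE MIN -> iptables-restore style rules for sources with
# at least MIN invalid-user attempts (MIN is a threshold you choose).
ban_rules() {
    count_invalid "$1" |
        awk -v min="$2" '$1 >= min { print "-A INPUT -s " $2 " -j DROP" }'
}

# sample_log -> constructed log lines using documentation address ranges.
sample_log() {
    cat <<'EOF'
Nov  6 08:03:22 examplehost sshd[811]: Invalid user april from 203.0.113.7
Nov  6 08:37:11 examplehost sshd[815]: Invalid user aria from 198.51.100.23 port 40112
Nov  6 09:11:00 examplehost sshd[820]: Invalid user oracle from 203.0.113.7
Nov  6 09:11:02 examplehost sshd[821]: Invalid user oracle from 203.0.113.7 port 51515
Nov  6 09:45:21 examplehost sshd[830]: Invalid user x from 192.0.2.1 from 198.51.100.23 port 40113
Nov  6 10:00:00 examplehost sshd[840]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2
EOF
}

# Usage on a real host: count_invalid /var/log/auth.log
#                       ban_rules /var/log/auth.log 10
```

The output of ban_rules is in the same form as the "Banned IPs" section above, so it can be reviewed and pasted into the test rules file.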
Obviously, moving SSH to a different port would stop some of these casual attempts at finding open SSH services, but let's leave SSH where it is for the time being to ensure these changes work out as intended.