Its been a while that i released a new blog. My focus the last couple of years has been managed hosting and programming specialized web projects/plugins with a WordPress base.
Managed hosting is a constant fight with attackers/hackers. The question is not if you can be hacked, but when. Our job is to make it as difficult as possible and that it takes so much time that your not the focus any more. A firewall alone is not enough and we are using some tools like fail2ban to tighten our security. We use ISP Config as our ISP software to deliver our clients content and e-mail and even tough their install guide configures some standard jails i felt that it was not enough. As i see it the standard jails are all based on short term blocks and repeating offenders can do their usual stuff eating up your system resources.
Default the findtime/bantime is 600 seconds. I’m more focused with the long term/repeating offenders.
SSH
I’ve left the standard SSH jail for what it is but i noticed the total failed just kept growing and growing. So i made a long-term jail for the repeaters. The “You have been banned multiple times now so your banned longer-jail”. Open your jail.local:
# vi /etc/fail2ban/jail.local
and add the code below at the bottom of your file.
[sshlongterm] port = ssh logpath = %(sshd_log)s banaction = iptables-multiport maxretry = 15 findtime = 259200 bantime = 608400 enabled = true filter = sshd
Basically what it does is this: if you’re in my logs with failed ssh authentications for 15 times in the last 3 days your banned for a week. Wait a few minutes and i bet that the list will grow fast.
Dont forget to reload your fail2ban service
# service fail2ban reload
Here’s mine:
# fail2ban-client status sshlongterm Status for the jail: sshlongterm |- Filter | |- Currently failed: 160 | |- Total failed: 628 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 113 |- Total banned: 131 `- Banned IP list: (LIST OF IPS BANNED)
Stay tuned! more to come…
