Using fail2ban to secure ssh access

I found some notes from a colleague at my former company. Though I haven't tested them myself, I have no reason to doubt that the steps described work. The documentation was written in 2019.

The original request was:

  • block for 60 minutes after 3 failed ssh-logins
  • optional permablock after 3 temporary blocks within 24 hours

Copy&Paste follows

# install the fail2ban package with the UCS package tool
univention-install fail2ban

/etc/fail2ban/jail.local (please adjust the ignoreip line)

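# Work on a copy of the shipped defaults; jail.local overrides jail.conf.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Never-ban list: loopback, the LAN and one external admin host.
# Replace 192.168.0.0/24 and 78.47.199.152 with your own addresses.
sed -i 's/ignoreip = 127.0.0.1\/8/ignoreip = 127.0.0.1\/8 192.168.0.0\/24 78.47.199.152/' /etc/fail2ban/jail.local
# Ban length in seconds.
# NOTE(review): 86400 s is 24 h; the request above asked for a 60-minute block (3600).
sed -i 's/bantime  = 600/bantime  = 86400/' /etc/fail2ban/jail.local
# Failure window in seconds. Pattern and replacement are identical, so this
# line is a no-op placeholder: edit the right-hand side to change the window.
sed -i 's/findtime  = 3600/findtime  = 3600/' /etc/fail2ban/jail.local
# Failures inside the window before a ban.
sed -i 's/maxretry = 5/maxretry = 3/' /etc/fail2ban/jail.local
# Read authentication failures from the journal instead of log files.
sed -i 's/backend = auto/backend = systemd/' /etc/fail2ban/jail.local
# Turn the sshd jail on: replace the first blank line after the [sshd]
# header with "enabled = true". The character class has to be written
# [[:space:]]; a bare :space: only matches the literal text ":space", the
# substitution then never fires and the jail stays disabled.
sed -i '/^\[sshd\]/,/^[[:space:]]*$/ s/^[[:space:]]*$/enabled  = true/' /etc/fail2ban/jail.local

# sed -i substitutes silently: a pattern that does not match the jail.conf
# shipped with your fail2ban version (different default value, or the line
# commented out) changes nothing and reports nothing. Verify that every key
# below shows up with the intended value before restarting fail2ban.
grep -nE '^(ignoreip|bantime|findtime|maxretry|backend|enabled) ' /etc/fail2ban/jail.local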

# Second jail: it watches fail2ban's own log (/var/log/fail2ban* includes
# the rotated files) for "Ban" lines via filter.d/repeatoffender.conf and
# hands repeat offenders to action.d/repeatoffender.conf with bantime -1,
# i.e. a permanent ban.
# NOTE(review): the request above said "3 temporary blocks within 24 hours";
# these values permaban after 10 bans seen within one year (31536000 s).
# The heredoc delimiter is quoted so the block is written verbatim.
cat <<'EOF' >> /etc/fail2ban/jail.local

[repeatoffender]
enabled  = true
backend  = auto
filter   = repeatoffender
action   = repeatoffender[name=repeatoffender]
logpath  = /var/log/fail2ban*
maxretry = 10
findtime = 31536000
bantime  = -1
EOF

/etc/logrotate.d/fail2ban

# Replace the stock logrotate stanza: comment out every line that is not
# already a comment (blank lines are left alone), then append our own.
sed -i '/^#/! s/^./#&/' /etc/logrotate.d/fail2ban

# 13 monthly rotations, no compression: the [repeatoffender] jail reads
# /var/log/fail2ban* with a one-year findtime, so the old files must stay
# in place and readable. postrotate re-points fail2ban's logging at the
# freshly created file. Quoted delimiter: the block is written verbatim.
cat <<'EOF' >> /etc/logrotate.d/fail2ban
/var/log/fail2ban.log {
    missingok
    notifempty
    monthly
    rotate 13
    create 0600 root root
    postrotate
      /usr/bin/fail2ban-client set logtarget /var/log/fail2ban.log 2> /dev/null || true
    endscript
}
EOF

/etc/fail2ban/filter.d/repeatoffender.conf

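# Filter for the [repeatoffender] jail: every "Ban <ip>" line that
# fail2ban.actions writes for any jail counts as one failure. The file is
# created here, so write it with ">" -- appending on a re-run would leave
# two [Definition] sections. Quoted delimiter: %(_jailname)s, \s and <HOST>
# must reach the file verbatim.
cat <<'EOF' > /etc/fail2ban/filter.d/repeatoffender.conf
[Definition]
_jailname = repeatoffender
# One failure for <HOST> per Ban line of any jail.
failregex = fail2ban.actions\s+\[(?:.*)\]:\s+NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
# Do not count this jail's own Ban lines, otherwise each permanent ban is
# re-read as a fresh failure. This is failregex narrowed to our own jail
# name; an ignoreregex keyed on a different logger or level (for example
# "fail2ban.filter ... WARNING") can never match a line that failregex
# matches and therefore excludes nothing.
ignoreregex = fail2ban.actions\s+\[(?:.*)\]:\s+NOTICE\s+\[%(_jailname)s\]\s+Ban\s+<HOST>
EOF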

/etc/fail2ban/action.d/repeatoffender.conf

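# Ban action for the [repeatoffender] jail. Every banned address is written
# to a persistent blocklist file, /etc/fail2ban/ip.blocklist.<name> (with
# name=repeatoffender from jail.local: ip.blocklist.repeatoffender), which
# actionstart replays into a second chain after a restart. The file is
# created here, so write it with ">" rather than ">>" to avoid duplicate
# sections on a re-run. The delimiter is quoted: $IP, $FILE and $(date ...)
# must stay literal for fail2ban's shell.
cat <<'EOF' > /etc/fail2ban/action.d/repeatoffender.conf
[INCLUDES]

# Provides the <chain>, <protocol> and <blocktype> defaults used below.
before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
#          Creates the per-jail chain plus a second chain,
#          fail2ban-ip-blocklist, that is filled from the blocklist file so
#          permanent bans survive a restart. Comment lines (leading #) in
#          the file are skipped; the first column is the address. A missing
#          file is not an error: nothing is replayed.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
              iptables -N fail2ban-ip-blocklist
              iptables -A fail2ban-ip-blocklist -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-ip-blocklist
              if [ -r /etc/fail2ban/ip.blocklist.<name> ]; then awk '!/^[[:space:]]*#/ { print $1 }' /etc/fail2ban/ip.blocklist.<name> | while read -r IP; do iptables -I fail2ban-ip-blocklist 1 -s "$IP" -j <blocktype>; done; fi

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban.
#          Removes both chains; the blocklist chain is dropped as well so a
#          service restart does not end up with duplicate rules.
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
             iptables -D <chain> -p <protocol> -j fail2ban-ip-blocklist
             iptables -F fail2ban-ip-blocklist
             iptables -X fail2ban-ip-blocklist

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          The address is added to the chain and appended to the blocklist
#          file unless it is already listed there. The check is an exact
#          match on the first column: a prefix test such as grep "1.2.3.4*"
#          also matches 1.2.3.45 (and vice versa) and would skip the ban.
#          %% is a literal percent sign for fail2ban's config interpolation.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = FILE=/etc/fail2ban/ip.blocklist.<name>
            if ! { [ -f "$FILE" ] && awk '{ print $1 }' "$FILE" | grep -qxF -- "<ip>"; }; then iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>; echo "<ip>        # fail2ban/$(date '+%%Y-%%m-%%d %%T'): Perma-Banned" >> "$FILE"; fi

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          Intentionally a no-op: the address stays in the blocklist file
#          and in the chain (the jail uses bantime = -1).
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = # Do nothing because their IP is in the blocklist file

# To manually unban an address, delete its line from the blocklist file.
# Anchor on the column separator so 1.2.3.4 does not also remove 1.2.3.45:
#
# sed -i '/^1\.2\.3\.4[[:space:]]/d' /etc/fail2ban/ip.blocklist.repeatoffender
#
# The iptables rule stays in place until fail2ban restarts (actionstop
# flushes both chains, actionstart replays the file). If Ban lines for the
# address still exist in the (rotated) fail2ban logs the jail will see them
# again, so add the address to ignoreip in that case.
#

[Init]

# Default name of the chain; the jail overrides it with name=repeatoffender.
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

# Option:  blocktype
# Notes.:  jump target for both the live ban (fail2ban-<name>) and the
#          replayed entries (fail2ban-ip-blocklist), so an address is
#          treated the same before and after a restart. Overrides the
#          REJECT default from iptables-common.conf.
# Values:  STRING  Default: DROP
blocktype = DROP
EOF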

Regarding IPv6 support refer to https://github.com/fail2ban/fail2ban/blob/master/ChangeLog (fail2ban 0.10 is available in Debian Buster and therefore with UCS 5)

hth and have fun
