We’ve all been there and have had pesky bots filling up the SSH logs on our servers with irrelevant login attempts that often makes it hard to actually do meaningful things with the logs.
Often this issue can be mitigated a bit by changing the port for the SSH daemon, which will definitely decrease the attack vector by a fair bit as most common bots only do target the default ports.
All of the servers, which I am operating, have their username changed to something a bit more secure as this further reduces the attack vector. This made me think and recently I had the idea to implement Fail2Ban banning based on a blacklist of the root username.
To implement this sort of rules, I took the following steps to configure it on a server running Fedora 33:
First thing that you need to do is to install the Fail2Ban service on your system by running below commands:
yum install fail2ban -y systemctl enable fail2ban systemctl start fail2ban
Create a file named “ssh-ban-root.conf” in your “/etc/fail2ban/filter.d/” folder with the following content:
[INCLUDES] before = common.conf [Definition] _daemon = sshd failregex = ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\S*\s*user=(root|admin)\s.*$ ignoreregex = [Init] maxlines = 10 journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
Create a basic jail configuration within the /etc/fail2ban-folder that uses the newly created filter:
[DEFAULT] bantime = 3600 findtime = 1800 maxretry = 5 backend = systemd ignoreip = 127.0.0.0/8 [ssh-ban-root] enabled = true filter = ssh-ban-root maxretry = 0 bantime = 15770000
Lastly, restart the fail2ban daemon to apply the changes we made to the configuration:
systemctl restart fail2ban