Blocking Brute Force & DDOS SSH Attacks

I have covered articles on securing your ssh server via using differnet ports and restricting which users and groups can log in, as well as using the pam module to allow or block depending on hostname or domain names. However DDOS and brute force attacks can happen on even a trusted host/ip/network. Luckily there is a tool called fail2ban that helps if your ssh server gets hit hard by a host it can block that host automatically. Below is a how to guide on how to enable this protection on your server.

Install Fail2ban

Copy Over The Config File

Configure Fail2Ban

You can set IP address for fail2ban to ignore, IP addresses can be separated by space.

Bantime is the duration of time that you want fail2ban to block suspicious attempt, the value is in seconds. Maxretry is the number of failed attempts before fail2ban block the IP-address, in this case 3600 means 1-hour ban

Enabling SSH Protection

Locate the section "[ssh]" and change the "enabled = false" to "enabled = true"

Enabling SSH-Dos Protection

Locate the section "[ssh-ddos]" and change the "enabled = false" to "enabled = true"

Start the Fail2Ban Service

Enable Email Notifications

You can also enable email notifications with fail2ban so that in case anything goes on you will receive an email with details (for those who are extra extra security conscious)

Install Sendmail, follow the prompts to configure it.

Open the configuration file for fail to ban

In the config file change the section "" destemail = [email protected] "" replacing [email protected] with your email address

Restart the service for the notifications to take effect