by Devin Yang
(This article was automatically translated.)

Published - 1 year ago (Updated - 1 year ago)

My main machine forwards its logs to the log center on a Synology NAS.
A Raspberry Pi acts as the router, and its sshd log is full of login attempts that fail authentication, like this one:
Disconnected from invalid user slurm 128.199.177.36 port 60810 [preauth]
I only allow public key authentication,
so brute-forcing account passwords is hopeless, but reading a log full of failed authentication attempts is really annoying.

So I googled and found fail2ban, which looks very good, so let's set it up.

The following are my installation steps, written down for reference:

Step 1: Install

apt-get install fail2ban

You can change to the /etc/fail2ban directory and take a look at the jail.conf file.

root@ptest:/etc/fail2ban# head jail.conf
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#

As the header says, in most cases we should not change this file, but provide our customizations in jail.local.

Step 2: In the /etc/fail2ban directory, copy jail.conf to jail.local

 cd /etc/fail2ban
 cp jail.conf jail.local

Step 3: Modify jail.local

Find the [sshd] section. Elsewhere in this file there is also a commented-out #[sshd]; do not uncomment that one, it is only part of the explanatory comments.
Add two lines to the section, enabled and action:

enabled = true
action = %(action_)s

In the example above, action_ is the simplest setting:

action_ : The simplest action to take: ban only
action_mw: ban & send an e-mail with whois report to the destemail.
action_mwl: ban & send an e-mail with whois report and relevant log lines


The complete section looks like this:

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
action = %(action_)s
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Step 4: Start

(systemctl is really easy to use. I used to think the service command was fine and wondered why it had to change, but I am used to it now 😝)

#Automatically start when booting
systemctl enable fail2ban
#start up
systemctl start fail2ban

Step 5: Check the service status; active means it is running

fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2022-12-11 10:38:59 CST; 1h 12min ago
     Docs: man: fail2ban(1)
 Main PID: 26761 (fail2ban-server)
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/fail2ban.service
           └─26761 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

If it fails to start, dump the parsed configuration to look for errors. From the fail2ban-client help:
    --dp, --dump-pretty     dump the configuration using more human readable representation

fail2ban-client --dp


Step 6: Check the status of <JAIL>; here sshd is the name of the <JAIL>

fail2ban-client status sshd

The result looks like this:

(The action = line in step 3 is very important and must be set, otherwise the Banned IP list you see here is only for show and nothing is actually blocked.)

root@ptest:/etc/fail2ban# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 12
| |- Total failed: 280
| `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 6
   `- Banned IP list: 88.218.17.117 137.184.65.253
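To show what the numbers in that status output mean, here is a small added example (my own code, not part of the original post or of fail2ban itself) that replays a constructed auth.log sample through a simplified version of the sshd jail's logic: every matching line counts toward Total failed, failures older than findtime are forgotten, and an IP that reaches maxretry failures within findtime is banned. The regex only covers the two sshd messages in the sample, and the 5 failures / 600 s values are fail2ban's defaults for maxretry and findtime.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (documentation IPs, not real hosts).
SAMPLE_LOG = """\
Dec 11 10:40:01 ptest sshd[1201]: Disconnected from invalid user slurm 198.51.100.7 port 60810 [preauth]
Dec 11 10:40:03 ptest sshd[1202]: Disconnected from invalid user admin 198.51.100.7 port 60812 [preauth]
Dec 11 10:40:05 ptest sshd[1203]: Failed password for root from 198.51.100.7 port 60814 ssh2
Dec 11 10:40:09 ptest sshd[1204]: Disconnected from invalid user test 198.51.100.7 port 60816 [preauth]
Dec 11 10:40:11 ptest sshd[1205]: Disconnected from invalid user oracle 198.51.100.7 port 60818 [preauth]
Dec 11 10:41:00 ptest sshd[1206]: Disconnected from invalid user pi 203.0.113.9 port 50001 [preauth]
Dec 11 10:55:00 ptest sshd[1207]: Disconnected from invalid user pi 203.0.113.9 port 50002 [preauth]
Dec 11 10:56:00 ptest sshd[1208]: Accepted publickey for devin from 192.0.2.5 port 41000 ssh2
"""

# Simplified stand-in for filter.d/sshd.conf: only the two failure messages above.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Disconnected from invalid user \S+ (?P<ip1>[\d.]+)"
    r"|Failed password for .+? from (?P<ip2>[\d.]+))"
)


def evaluate(log_text, maxretry=5, findtime=600):
    """Replay log lines the way the sshd jail would and return
    (currently_failed, total_failed, banned_ips), matching the meaning of
    the fields in 'fail2ban-client status sshd'. maxretry/findtime default
    to fail2ban's own defaults (5 failures within 600 s)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    banned, total = [], 0
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # e.g. "Accepted publickey" is not a failure
        total += 1  # every match counts toward "Total failed"
        ip = m.group("ip1") or m.group("ip2")
        if ip in banned:
            continue  # a banned host is dropped by the firewall before sshd sees it
        t = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry:
            banned.append(ip)  # this is where the ban action would fire
            del recent[ip]  # banned IPs leave the "Currently failed" count
    currently_failed = sum(len(q) for q in recent.values())
    return currently_failed, total, banned
```

Raising maxretry or lengthening findtime changes which of the two noisy hosts ends up banned, which is the same knob you would turn in the [sshd] section of jail.local.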

fail2ban-client has a lot of subcommands, too many to cover here; run the command by itself to see them:

fail2ban-client

Example: banning an IP manually

root@ptest:~# fail2ban-client | grep banip
    set <JAIL> banip <IP> manually Ban <IP> for <JAIL>
    set <JAIL> unbanip <IP> manually Unban <IP> in <JAIL>
root@ptest:~#

To confirm that it works, find a test host and check whether it can log in; once you manually ban its IP, it will no longer be able to log in.

fail2ban-client set sshd banip 34.81.227.39
fail2ban-client set sshd unbanip 34.81.227.39

Once the test host is banned, it really cannot connect. Below is what it looks like:

~# ssh ptest
ssh: connect to host host port 22: Cannot assign requested address

I checked the log center on my Synology, and there really is much less noise now.

Tags: security config

Devin Yang

Feel free to ask me, if you don't get it.:)
