Debian 9: Server Security with Fail2Ban
Linux server security is always a good topic of discussion that everyone seems to have a different opinion about. I have recently been building a number of new production servers which are all running Debian 9, and here are some of the steps that I have taken to make sure they are secure.
- These instructions are specifically for Debian 9, but they should work the same for Ubuntu or other Debian-derivatives.
The largest piece of this puzzle is an application named Fail2Ban which essentially monitors configured services for repeated exploit attempts (brute-force login, etc.) in order to block that source address. This took is both powerful and scary. If you mis-configure this app, you WILL lose access to your server.
There are a few other steps that I take to set servers up along with Fail2Ban, so strap-in and let’s get started…
Prerequisites:
- A fresh Debian 9 (Stretch) x64 server instance. (I use DigitalOcean)
- Logged in as
root
. - All unused ports have been blocked with proper IPTables rules.
Update, Update, UPDATE!
This is probably the easiest one to do that a lot of people fail to do, but make sure you do this right out of the gate:
sudo apt update sudo apt dist-upgrade -y
- The above command can also be used regularly to maintain the updates regularly, though you may want to remove the
-y
flags so you can approve each package update as it comes.
Once those are finished, reboot! (sudo reboot
)
Change the SSH Port
SSH exploits are probably one of the most basic attack points for a server, largely because the port for the service is usually standardized on port 22
. A very simple way to slow these attacks down is to simply change the port.
When selecting a port, try to use something non-standard, and something that is not used for another service. You can check to see if any other ports are used by checking this site: https://www.speedguide.net/port.php?port=37623 (change the port number at the end of the URL to whichever one you want to check).
sudo sed -i "s/#Port 22/Port 37623/g" /etc/ssh/sshd_config sudo systemctl restart sshd.service
- Note: this change won’t actually take effect until you disconnect/reconnect.
Now you need to update your IPTables config to adapt to the new port:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT sudo iptables -A INPUT -p tcp --dport 22 -j DROP sudo iptables -A INPUT -p tcp --dport 37623 -j ACCEPT
Last part of this step is to configure IPTables rule persistence:
iptables-save > /etc/iptables.up.rules touch /etc/network/if-pre-up.d/iptables chmod +x /etc/network/if-pre-up.d/iptables echo '#!/bin/sh' >> /etc/network/if-pre-up.d/iptables echo '/sbin/iptables-restore < /etc/iptables.up.rules' >> /etc/network/if-pre-up.d/iptables
This will create a script at /etc/network/if-pre-up.d/iptables
to re-add those rules to IPTables after reboots. Be sure to update this script in the event you tweak any other rules.
Log out and back into the server using the new port number. For tips on making a shortcut with an SSH Config file (Click Here)
Install and Configure Fail2Ban to protect SSH
Use the standard method to install the stable version of fail2ban
:
apt install fail2ban -y
Once installed, check the status to confirmed it is started:
service fail2ban status
Since fail2ban’s application files and default config’s may change when updated, you should make all of your edits to the local config versions:
emacs /etc/fail2ban/jail.d/jail-debian.local
I usually toss the majority of the contents of that file and replace it with the following, however the following code assumes that this server is a webserver running apache and some other functional apps. Feel free to remove any sections that doesn’t apply to your environment:
[DEFAULT] # add multiple ip's separated by spaces ignoreip = 127.0.0.1 bantime = 3600 destemail = chris@intellagentbenefits.com banaction = iptables-multiport action = %(action_mwl)s # JAILS [sshd] port = 37623 enabled = true maxretry = 3
Be sure to change your port number from above in the [sshd]
section. The rest of this can be ran with these defaults.
To complete the setup, type the following:
service fail2ban restart
As long as there are no errors, then you are all set. Any user who repeated bashes to the machine with wrong SSH passwords will automatically get banned for 3600 seconds.
To expand on this function more, I will be adding more articles including how to protect other services with fail2ban
like Apache or PostFix along with how to perma-ban repeated brute-force users.