Fail2Ban | Protect Ubuntu 20.04 server from Brute Force Attacks

Captions
What's up guys, this is Josh from KeepItTechie, and today I wanted to show you guys how to secure your Ubuntu 20.04 server using fail2ban. Now, as I stated in the intro of the video, I want to walk you guys through setting up and configuring fail2ban on Ubuntu Server 20.04. And just to explain, fail2ban is used as an intrusion detection system that can be installed on all Linux servers. What fail2ban does is monitor specific log files located in /var/log for failed login attempts or automated attacks on your server. When these attempts are discovered from a specific IP address, fail2ban will block the IPs from gaining entry into your server. And just so you know, fail2ban leverages iptables to block the suspected IPs. This is a great way of protecting your server, because fail2ban can monitor multiple applications, including SSH. So let me go ahead and show you guys how to set this up.

Okay guys, so I have my virtual machine up and running. It's Ubuntu 20.04, as you can see on the screen. The first thing you want to do before installing any package on Ubuntu Server is to update the system, so let's run those commands right fast so you guys can see. But let me log in first. The command to update is simply sudo apt update, and this will refresh all the repositories on the system; that way we can have the latest and greatest updates in the repository. And also, as you can see, all the packages are up to date, so we don't need to run the upgrade command. So I'm gonna back this off and just type in the installation, and actually let me clear so I can put it up at the top. The command to install any package on Ubuntu is simply sudo apt install and then the package name, which for this package is fail2ban. It's spelled f-a-i-l, the number 2, and then ban. You can tab it out and press enter, and this will go through and install fail2ban on your system. It has a few dependencies, like whois and a Python package; just let those, you know, let everything install.

Okay, so now that the installation is complete, let's go down and start the fail2ban service, as well as enabling it so it will start up on boot. The commands to do that are simply sudo systemctl start fail2ban, and press enter, and then as well as enable it. So let's use that same command back, take off start and just put enable, and press enter, and that'll actually enable fail2ban so it'll start when we boot up the system.

Okay, so let me clear this right fast, because the first thing I want to do is actually show you the log file that fail2ban will be using for SSH, because that's what we want to protect our server for. I'm going to have this server set up as an SSH server; I want to be able to connect to that server from outside of my network. So one thing you want to do is set up fail2ban, because if you've ever set up an Ubuntu server in the past, right when you give it access to the internet there are people that are going to scan that server and see if port 22 is open, and they'll start running a brute force on that server. So we want to prevent that before we open it up by configuring fail2ban. But the first thing I want to do is show you these log files, and what fail2ban uses is the authentication log. So let me show you guys that. Let's go sudo, and actually let's just type tail -f, and then we want to look at /var/log and then the authentication log, auth.log. As you can see, that's the log that it'll actually use. So whenever somebody connects via SSH... and I'm gonna connect via SSH from my host machine just to show you guys what pops up in this authentication log when someone tries to SSH into the server. So if we go ssh and then, I already know what the IP address is, 192.168.10.125, and press enter, and then I'm gonna fully log into it, and you should see that log file update where it says josh created a new session. So that's the way that works right there. That authentication log tracks all authentications through SSH, and fail2ban will filter out this column where it says sshd and look for those connections. It'll look for failed connections, and depending on how many connections have failed from my IP address (as you can see, it tracks my IP address as well: 192.168.10.115, that's my host machine's IP address), if I would have failed that connection while fail2ban was active and configured properly, depending on how it's configured, by typing in the wrong password or whatever, it would block my IP address. So that's, in a nutshell, how it works.

So let me go down and get in here and show you guys how to configure this so it'll block my IP if I fail. So let's get out of this file and let's go to the configuration directory. I'm gonna cd to it, so it's cd /etc/fail2ban. This is the directory where all the configuration files are located. As you can see, it's got, you know, some folders in here, action.d, fail2ban.d; those are just some folders, that's why they're blue. But the main file we want to mess with is the jail.conf, which I'm not going to actually modify. I'm gonna create a new file, a jail.local file. So let's go down and create that now. Well, before I do that, let me go down and show you guys the fail2ban config. So if we go sudo nano fail2ban.conf, this is the configuration file you don't want to really mess around with unless you know what you're doing, but this is where the logs are stored for fail2ban. It'll create its own log file, fail2ban.log, so that's there, and we can get out of this. And then the other configuration file, I just want to show it to you guys, is jail.conf; press enter on that. Now this is the full configuration file. We don't have to mess with this; we can actually create another file, like I stated, jail.local, and we could just add in what we want, but it'll still look at this file for things that we haven't put in the other file. So you don't have to put all these configurations into the jail file. You can make it a whole lot simpler to track your changes by just creating a jail.local file and putting the changes in that file, and it'll still use the jail.conf; it's just whatever you have in jail.local will replace anything that you have in jail.conf.

So let's get out of this file and let's go on and create that jail.conf, I mean that jail.local file. So let's go sudo nano and then we want to just name it jail.local and press enter. It's a specific format you have to put it in: you have to put the application or service that you're trying to protect at the top, and you have to put it in brackets. What we want to protect is sshd, so let's type sshd and close that bracket, and you'll see the color change; that lets you know you're typing it in right. I always put a space, but you start off by typing enabled = true, so that's the first line. Then we can go in and put the port for SSH, and you don't have to put the port number, you can just put ssh, but we all know that the port for SSH is 22, and the system understands that as well, so it knows to protect that port. Then we have to put the filter. Now this is the filter that will be used when looking through the authentication logs, and what we want to look for is sshd; press enter. Then the log path that we want to use is that authentication log that we were talking about, so let's type logpath, no space, and then equals, and we need to put the location of that log file, which is /var/log/auth.log, and press enter. Now the next thing we want to do is put maxretry. What this actually means is that this is the number of failed attempts that will be tolerated by fail2ban. You can specify whatever number you want; I think the default in the configuration file is three, but on my production server I put two. So you can put two failed attempts; you can even put one failed attempt, so if you fail one time then you'll get banned at that time. Also be careful with this, because if your IP gets banned you gotta go to the server physically and log into the server, especially if it's like a remote server or something; you gotta go into the server and unban your IP address. But that shouldn't be a problem for you guys, because you already have SSH keys set up, so you won't have any failed attempts. That's what I recommend people to do: go down and set up SSH keys. That way you don't have to type in a password, so if you type in a password wrong, you know what I'm saying, you ain't got to worry about getting banned. But I will show you guys how to ignore certain IPs. But anyway, that's maxretry, and the last thing I like to add is the actual bantime.

Now I put the bantime here even though you could configure it higher up in the other configuration file, the jail.conf file; you can put the time there and you don't have to put anything here. But I like to keep them separate, you know what I'm saying, because it all depends on how frequent the login attempts are on a particular service; then, you know, I'll kind of up the ban time. That'll stop people from actually trying, at least for a while, you know what I'm saying. The default, though, is 600 seconds, which is 10 minutes. So if you pull out your calculator you can calculate how much time you want to ban somebody. Like on my production server I have it set to 15 days, so I put that number; I calculated the amount of time, because 3600 is an hour, so that's an hour ban, and then 24 hours in a day, you know what I'm saying, and you can calculate that up to however many days you want to ban an IP address. Really all it's doing is slowing down the process. You can't stop these people from running their little brute force program, but this will slow them down and frustrate them enough to get them to stop trying to brute force your server. But it doesn't matter if you have SSH configured properly, where there's no root login, as well as you can ban password login and only use SSH keys. So this is just an extra bit of protection that will kind of slow the brute forcers down and frustrate them enough to where they would just go down and stop. But anyway, I'll just leave it at 3600, and that's pretty much all we have to do to configure SSH for fail2ban.

So we're going to go down and save this right fast: Ctrl+X and then Y for yes, and it's going to save it as jail.local in that directory. So if we ls that directory we should see our jail.local file, and there it is, right next to jail.conf. Okay, so let me cd and then clear as well, and since we made changes to fail2ban we need to restart fail2ban. So let's type in that command right now: it's sudo systemctl restart fail2ban.service. Cool, so fail2ban is started and we should have the SSH configuration set up. One thing we could do is check the status of fail2ban by using the fail2ban client, which is built in, you know, included in the actual package. So if you type fail2ban-client and then let's just check the status. I'm gonna run it at the top level, but you can specify the application that you want to look at. So let's say you have multiple applications that you're protecting using fail2ban; you could specify them by just typing, like, sshd. That's the only one we have set up, so you can just type fail2ban-client status and that'll pull the fail2ban status. But I also forgot, you have to run it as root or with sudo. So there you go, that gives you the status of the jails, and it'll show more information if you get down into the actual application. It'll show you a little bit more information: it'll give you the files that it is checking, the currently failed attempts, the total failed attempts, as well as the currently banned, total banned, and the banned IP list. So it'll list out all IP addresses.

Okay, so let me go down and ban myself from my host machine right fast. Let me open up a terminal right fast so I can ban myself on this server. Okay, so ssh 192.168.10.125. All right, cool, and I'm not gonna type in a password; I'm gonna do it twice, and now it says permission denied after two attempts. So if I try to connect to it again, and I know you guys can't see it, it says connection refused. So it looks as though the system is down to me, and I'll switch over so you guys can see that right fast. Hold on one second, let's zoom in. Okay guys, so you should be able to see my screen now, but that's what happened: I just didn't type in the password for it twice, and then it says permission denied right here, and then it says connection refused. So each time I run ssh against this server for an hour, it'll say connection refused. So that's how it actually works. Now let me switch back over to the VM right fast so you guys can see what it looks like in the fail2ban client. Okay, cool, so I'm back on the VM, and let me run that same command again, that sudo fail2ban-client status sshd, press enter, and as you can see, two total failed, and then currently banned: one IP is banned, which is my IP address on my host machine. So that shows you that SSH works. Now you don't want to actually do this; you know, you don't want to accidentally ban yourself from logging into your system via SSH, so I want to show you guys how to actually unban your system, or your IP address from whatever system is trying to connect.

So let's say you're able to get into the server. The first thing you want to do, because most of the time when this thing is running you have a whole bunch of IP addresses... we actually know what the IP address is that we're trying to, you know, unban, but a lot of times you won't, once this thing is up and running. So the first thing you want to do is get the IP address, and I'm going to use the iptables command: iptables -n, dash lowercase n, and then -L, dash capital L. If we press enter on that... I forgot we have to type in sudo when we're using it, so let's type that in and let's pipe this into less; that way we can scroll through it. As you can see, this is what we're looking for: we're looking for the rejected connections, and it shows you the IP address too. This is what we want to look for: we want to go through and look for the fail2ban sshd chain, and you will see the reject settings in there. So if you look at REJECT, it should show your IP address, which I already know what it is, but this is how you find it: you can go into iptables and find out what the IP address is and, you know, kind of copy it. So since we know what it is, I'm gonna just quit that and I want to go and show you guys how to unban something. So let's type clear and let me walk you through the command. It's actually sudo, you have to type sudo, and then fail2ban-client, and then we want to type set sshd, and then unbanip, and then we need to type in that IP address, so 192.168.10.115, and press enter. That'll unban that IP address. So if we go back and look at status right fast, and actually we could look at iptables as well again just to see, and you'll see under that chain, f2b-sshd, you'll see that my IP address is not blocked anymore. So if we type q to quit, and then also let's go sudo fail2ban-client status sshd and press enter, you'll see that that IP address shouldn't be banned anymore. I know it's not banned anymore because, as you can see, it's not in iptables anymore. So it's banned... that's showing you the total amount of IPs that have been banned in the past, and as you can see it says currently banned zero. So my IP address has been removed. Cool, so I hope you guys enjoyed the video. Please like, share, and subscribe to the channel. If you have any questions, leave comments down in the comment boxes below, and of course, keep it techie. [Music]
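Added example, not commands from the video and not fail2ban's own code: a POSIX shell script that renders the [sshd] jail the video types into /etc/fail2ban/jail.local, converts a ban length in days into the seconds that bantime expects (the 3600-per-hour, 24-hours-per-day arithmetic the video describes), and runs a simplified per-IP failure count over a constructed /var/log/auth.log excerpt so you can see which address would reach maxretry. The log lines, hostname, PIDs and the 203.0.113.7 address are constructed; the counting logic is a simplification of what fail2ban's sshd filter does and is not its real regex set. The root-only commands from the video are listed in the header comment for reference and are not executed.

```shell
#!/bin/sh
# Added example (not the video's own commands, not fail2ban's code).
# Commands from the video, for reference; they need root and are not run here:
#   sudo apt install fail2ban
#   sudo systemctl start fail2ban && sudo systemctl enable fail2ban
#   sudo systemctl restart fail2ban.service      # after editing jail.local
#   sudo fail2ban-client status sshd
#   sudo iptables -n -L | less                   # look at the f2b-sshd chain
#   sudo fail2ban-client set sshd unbanip 192.168.10.115

# bantime is in seconds: 3600 is one hour, 24 hours make a day.
ban_seconds() {
    days=$1
    echo $(( days * 24 * 3600 ))
}

# Render the [sshd] jail the video writes into /etc/fail2ban/jail.local.
# Only the keys that differ from jail.conf need to be here; everything else
# is still read from jail.conf.
render_jail_local() {
    maxretry=$1
    bantime=$2
    cat <<EOF
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = $maxretry
bantime = $bantime
EOF
}

# Constructed /var/log/auth.log excerpt: two wrong passwords from the host
# machine in the video, one successful key login, one attempt from elsewhere.
SAMPLE_AUTH_LOG='Jun 26 10:00:01 ubuntu sshd[1201]: Failed password for josh from 192.168.10.115 port 50122 ssh2
Jun 26 10:00:05 ubuntu sshd[1201]: Failed password for josh from 192.168.10.115 port 50122 ssh2
Jun 26 10:00:09 ubuntu sshd[1205]: Accepted publickey for josh from 192.168.10.50 port 50130 ssh2
Jun 26 10:00:12 ubuntu sshd[1209]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2'

# Simplified model of the sshd jail: count "Failed password" lines per
# source IP and report the IPs that reached maxretry. fail2ban's real
# filter.d/sshd.conf matches more patterns and also applies findtime.
ips_to_ban() {
    maxretry=$1
    printf '%s\n' "$SAMPLE_AUTH_LOG" |
    awk -v limit="$maxretry" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' | sort
}

# Stand-alone run: the jail as the video leaves it (maxretry 2, bantime 3600)
# and the 15-day bantime the video mentions for a production server.
render_jail_local 2 3600
echo "15 days = $(ban_seconds 15) seconds"
echo "IPs that hit maxretry=2:"
ips_to_ban 2
```

With maxretry set to 2 only the host machine's address (192.168.10.115) reaches the limit in the sample; lowering it to 1, as the video says you can, would also catch the single attempt from the second address. Because the successful publickey line is never counted, a key-only login setup like the one the video recommends never contributes to the count.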
Info
Channel: KeepItTechie
Views: 1,492
Keywords: SSH, fail2ban, bruteforce, attack, ipban, iptables, firewall, secure shell, LearnLinux, Linux, Tutorial, Review, Howto, Guide, Distribution, Distro, Learn Linux, operating system, os, open-source, open source, gnu/linux, ubuntu, ubuntu 20.04, 20.04, ubuntu lts, preview, review, ubuntu 20.04 focal fossa, focal, fossa, ubuntu 20.04 lts, ubuntu linux 20.04, ubuntu review 2020, KeepItTechie, learn linux, linux, tutorial, linux command line
Id: kf-xbSKS5FI
Length: 21min 52sec (1312 seconds)
Published: Fri Jun 26 2020