How To Protect Ubuntu With fail2ban

Captions
Hey everyone, this is Tony Teaches Tech. I'm Tony, and in this video I'm going to show you how to use fail2ban to prevent brute force attacks on your system. Now, this will work for any Unix operating system, but I'm going to be using Ubuntu in this tutorial. The way that fail2ban works is that it monitors your log files for authentication failures, and if it sees a certain number of authentication failures over a certain protocol from a certain IP address, it'll actually create a firewall rule to block that IP address from accessing your remote server. This is all configurable, and what I'm going to show you in this video is how to configure some of these basic settings, specifically for SSH in this case. So if that's something you want to learn how to do, let's go ahead and get on into the tutorial.

Okay, so I'm on my remote server here via SSH at this IP address, and the first thing is to install fail2ban. So let's do an apt install fail2ban, and this will go ahead and install that; type y to continue, and that'll take up just about two megabytes of space. That was really quick. Let's just check the status: let's do a systemctl status fail2ban, and by default it is up and running. Now there are some configuration files, so let's go into the /etc/fail2ban directory, and in here you'll see fail2ban.conf and you'll see jail.conf. For each one of these it's recommended that you create a copy of it with a .local extension, so for example we can copy fail2ban.conf and name it fail2ban.local, and the other important one is jail.conf, so copy jail.conf and make a jail.local file. And we want to make sure we put the f here, okay. So basically the reason we do that is because it says in the comments section in each one of these configuration files that if there is an update to fail2ban it could potentially overwrite the main configuration file, so it's better to make a copy of them in a .local file, and those .local files are what fail2ban is actually going to look at.

So let's look at jail.local here, and what I want to point out up here at the top is that by default SSH is enabled. So right off the bat, if we get out of here and do a fail2ban-client status, you'll see that sshd is enabled. The terminology they're using here is "jail", so the number of jails is one at this point, I should say. So let's go back into jail.local and let's start down in the SSH daemon section. By default, like you saw up top, that was enabled; let's go back up there and show you that again just to understand this. So if we wanted to explicitly enable this, we can type enabled = true under this sshd section. This is broken up into different sections based on the application: dropbear has its own section, apache-auth has its own section, but again in this tutorial we're just going to focus on sshd, the SSH daemon. So again, if we wanted to enable dropbear we can do enabled = true, but we're not doing that in here.

So with this enabled, let's go back up to the top of the file, and right up here within the first few lines you'll see a very important series of configuration options: we have bantime, findtime, and maxretry. Basically what these options are saying is that if you experience five authentication failures via SSH within 10 minutes of time, that IP address is going to be banned for 10 minutes. Okay, so these are configurable to whatever you want them to be. I think for the sake of this demonstration we'll change this to a maxretry of two; we'll keep it at a 10 minute period of time, and they'll be banned for 10 minutes. So let's save that and let's do a test. Again, if we look at the status, that jail will still be enabled.

So what we want to do is open up a... well, I actually already have another remote SSH session here at this IP address, and we can kind of monitor what's going on here. So let's try to log into this server over here via SSH, and we're going to purposely fail to log in by providing the wrong credentials. So let's do ssh root@23.92.26.196, hit enter, we'll type in a fake password, hit enter, type in a fake password, hit enter, permission denied, another fake password, hit enter. Now the thing that I thought was interesting when I first came across fail2ban was that this only counts as one incorrect attempt to log in via SSH. Even though we get like three tries, technically this is only one authentication attempt, because I guess separately you can configure in SSH how many different attempts you want, but from fail2ban's perspective this was just one attempt, right? So we have to do that again. So let's go through that: type in a fake password, type in another fake password, and one last time, hit enter. At this point our IP address should now be blacklisted, and we should not be able to even get to the prompt for a password. So let's try that one last time here: ssh root@ the IP address, and it is asking us for a password. So I'm curious why that's the case. Let's look at the log on the server side here; let's look at the fail2ban log file, and you'll see down here, if we make this a little bit bigger, that it is indeed supposed to be banning this IP address via SSH. So I'm curious why that's even allowing us to be prompted for a password. Maybe I just beat the firewall to it, because it looks like it's timing out now. So, ssh root... yes, so now it's refusing the connection. So I was just a little bit quicker than fail2ban in this case. As you can see in the log file here, it found all of our authentication failures from this IP address and it ended up banning us. So for the next 10 minutes this IP address won't be able to even access the SSH protocol; it's going to refuse that connection thanks to fail2ban. Definitely configurable: you can go up or down or change those values however you want.

I do want to point out a few other things here. Let's go back into the jail.local file. Also in here you have ignoreip, right here. Oops, sorry about that. If you uncomment this line and give it your IP address (I won't give it this one, but just say your IP address is 53.23.192.54, something like that), then you won't be affected by the rules that you create, because you can fail as many times as you want logging in via SSH but it doesn't matter, because you're on the whitelist and these rules won't apply to you. So I just want to make you aware of that. I also want to make you aware of the destemail option here. If there is an authentication failure, based on how many times you have defined in this jail.local file, and it ends up banning an IP address, then you can be notified via email that that had to happen. Now, if there's a lot of attempts on your server you might not want to be notified by email, but if it's a smaller server with not too many attempts it might be good to know that that happened without coming into your system and looking at the logs. So you can simply type your IP address here, tony, tony teaches tech, and then that'll send an email to you; you just have to make sure that you apt install the sendmail command on your system.

I think that's about all I wanted to go through with you guys in this video today. If you have any questions about fail2ban, let me know in the comments below. This wasn't meant to be a comprehensive video, but more of an introduction to fail2ban and some basic security settings that you can apply. If you want to see more Ubuntu/Debian security settings, check out some of these videos over here on how to lock down and harden your system. I want to thank you guys for watching; please like this video if you got some value out of it, subscribe for more videos like this from me in the future, and if you do, I'll see you in the next one.
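The video describes the mechanism (count authentication failures per source IP inside findtime, ban the IP for bantime once it reaches maxretry, skip anything in ignoreip) without showing the logic. The following is an added example, not code from the video and not fail2ban's own code: a small Python model of the sshd jail that reads a jail.local-style fragment with configparser and walks a set of sshd log lines. The jail.local text, the log lines (documentation IP ranges only), the whitelisted address 203.0.113.10 and the assumed year 2021 for the year-less syslog timestamps are all constructed for this example; the failure regex is a simplified stand-in for fail2ban's filter.d/sshd.conf, and ban_command only approximates the iptables rule the default iptables-multiport action inserts.

```python
"""Toy model of fail2ban's sshd jail (illustrative, not fail2ban's own code)."""
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment: maxretry lowered to 2 as in the video,
# with one hypothetical admin address (203.0.113.10) whitelisted via ignoreip.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
bantime  = 10m
findtime = 10m
maxretry = 2

[sshd]
enabled = true
"""

# Constructed sshd log lines in syslog format (documentation IP ranges only).
SAMPLE_LOG = """\
Apr 26 10:00:01 vps sshd[1201]: Failed password for root from 198.51.100.7 port 50210 ssh2
Apr 26 10:00:05 vps sshd[1201]: Failed password for root from 198.51.100.7 port 50210 ssh2
Apr 26 10:00:09 vps sshd[1201]: Failed password for root from 198.51.100.7 port 50210 ssh2
Apr 26 10:00:12 vps sshd[1202]: Accepted publickey for deploy from 203.0.113.10 port 41000 ssh2
Apr 26 10:00:20 vps sshd[1203]: Failed password for root from 203.0.113.10 port 41002 ssh2
Apr 26 10:00:25 vps sshd[1203]: Failed password for root from 203.0.113.10 port 41002 ssh2
Apr 26 10:30:00 vps sshd[1300]: Failed password for admin from 192.0.2.44 port 33001 ssh2
Apr 26 10:45:00 vps sshd[1301]: Failed password for admin from 192.0.2.44 port 33002 ssh2
Apr 26 10:46:00 vps sshd[1302]: Failed password for admin from 192.0.2.44 port 33003 ssh2
"""

# Simplified stand-in for the regexes in /etc/fail2ban/filter.d/sshd.conf,
# which match many more message forms than "Failed password".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_duration(text: str) -> timedelta:
    """fail2ban accepts bare seconds or a number with an s/m/h/d/w suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    text = text.strip()
    if text[-1] in units:
        return timedelta(seconds=int(text[:-1]) * units[text[-1]])
    return timedelta(seconds=int(text))

def load_jail(config_text: str, jail: str = "sshd") -> dict:
    """Read one jail; [DEFAULT] values are inherited unless the jail overrides them."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    sec = cp[jail]
    return {
        "enabled": sec.getboolean("enabled", fallback=False),
        "bantime": parse_duration(sec["bantime"]),
        "findtime": parse_duration(sec["findtime"]),
        "maxretry": sec.getint("maxretry"),
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec["ignoreip"].split()],
    }

def scan(log_text: str, jail: dict, year: int = 2021):
    """Return ([(ip, ban_start), ...], {ip: ban_expiry}). syslog lines carry
    no year, so one is assumed (2021, the video's publication year)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside findtime
    bans = {}                    # ip -> datetime at which the ban lapses
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other noise are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in jail["ignoreip"]):
            continue  # whitelisted: never counted, never banned
        key = str(ip)
        if key in bans and ts < bans[key]:
            continue  # already banned; the firewall is rejecting this source
        window = recent[key]
        window.append(ts)
        while window and ts - window[0] > jail["findtime"]:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= jail["maxretry"]:
            bans[key] = ts + jail["bantime"]
            events.append((key, ts))
            window.clear()
    return events, bans

def is_banned(bans: dict, ip: str, at: datetime) -> bool:
    return ip in bans and at < bans[ip]

def ban_command(ip: str, jail_name: str = "sshd") -> str:
    """Approximate shape of the rule the default iptables-multiport action adds."""
    return (f"iptables -I f2b-{jail_name} 1 -s {ip} "
            f"-j REJECT --reject-with icmp-port-unreachable")

if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL)
    events, bans = scan(SAMPLE_LOG, jail)
    for ip, start in events:
        print(f"{start:%H:%M:%S} banned {ip} until {bans[ip]:%H:%M:%S}")
        print("  " + ban_command(ip))
```

Two things worth noticing in the output: 198.51.100.7 is banned on its second failure (maxretry = 2) and its third failure is never counted because the ban is already in force, while 192.0.2.44 is not banned until 10:46, because its 10:30 failure had aged out of the 10-minute findtime window by the time the second one arrived. The whitelisted 203.0.113.10 never appears in the ban list. The REJECT in the generated rule is also why the video's final connection attempt is refused outright rather than hanging.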
Info
Channel: Tony Teaches Tech
Views: 2,517
Keywords: fail2ban, fail2ban ubuntu, fail2ban config, fail2ban log, fail2ban ssh, fail2ban nginx, install fail2ban, fail2ban setup
Id: YQEOALeixxY
Length: 9min 43sec (583 seconds)
Published: Mon Apr 26 2021