Steps to take to protect an internet-facing Raspberry Pi (or other Debian system) from brute-force SSH logins from subnets
Note: Fail2ban 0.10.2 on 2020/12/22
- Install firewall ufw and log analyzer fail2ban:
    sudo apt update
    sudo apt install ufw fail2ban
  (PiOS Buster: the sshd jail is enabled by default via /etc/fail2ban/jail.d/defaults-debian.conf)
- Copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local. This is the config you will be working with.
- Whitelist the localhost and your management machine or subnet (192.168.0.x) in /etc/fail2ban/jail.local:
    [DEFAULT]
    ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
- Optional: Limit the number of allowed SSH login failures in /etc/fail2ban/jail.local:
    [sshd]
    maxretry = 3
  Note: You can also change the bantime to a different value.
- Change the rules to block entire subnets in these two files:
    /etc/fail2ban/action.d/iptables-multiport.conf
    /etc/fail2ban/action.d/iptables-allports.conf
  Alter the lines for actionban and actionunban, adding /24 after the IP address (or any other subnet mask you require):
    actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>
    actionunban = <iptables> -D f2b-<name> -s <ip>/24 -j <blocktype>
- Optional: Enable the Recidive jail (for long-term checking of login attempts).
  Review the warnings (copied from jail.conf):
    # !!! WARNINGS !!!
    # 1. Make sure that your loglevel specified in fail2ban.conf/.local
    #    is not at DEBUG level -- which might then cause fail2ban to fall into
    #    an infinite loop constantly feeding itself with non-informative lines
    # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
    #    to maintain entries for failed logins for sufficient amount of time
  Edit /etc/fail2ban/fail2ban.conf and change dbpurgeage (the value 648000 is taken from the warnings above):
    [Definition]
    dbpurgeage = 648000
  Edit /etc/fail2ban/jail.local and enable recidive:
    [recidive]
    enabled = true
- Restart fail2ban
    sudo service fail2ban restart
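
An added example, not part of the original steps: a check of what a subnet-wide ban rule actually covers. The iptables rule knows nothing about ignoreip, so a whitelisted host that shares a /24 with a banned address is blocked along with it. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

BAN_PREFIX = 24  # the suffix appended to <ip> in actionban/actionunban above


def parse_ignoreip(value):
    """Parse a space-separated ignoreip value into network objects."""
    # strict=False accepts entries with host bits set, e.g. 127.0.0.1/8
    return [ipaddress.ip_network(item, strict=False) for item in value.split()]


def banned_network(ip, prefix=BAN_PREFIX):
    """Network matched by '-s <ip>/<prefix>' (host bits are masked off)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def assess(ip, ignoreip, prefix=BAN_PREFIX):
    """Return (status, banned network, whitelisted networks caught by the ban)."""
    addr = ipaddress.ip_address(ip)
    same_family = [n for n in parse_ignoreip(ignoreip) if n.version == addr.version]
    if any(addr in n for n in same_family):
        return "ignored", None, []  # whitelisted source: fail2ban never bans it
    net = banned_network(ip, prefix)
    caught = [str(n) for n in same_family if n.overlaps(net)]
    return ("lockout-risk" if caught else "ok"), str(net), caught


if __name__ == "__main__":
    # Constructed inputs: ignoreip as on this page, then a variant that
    # whitelists one remote management host instead of a subnet.
    page_ignoreip = "127.0.0.1/8 ::1 192.168.0.0/24"
    host_ignoreip = "127.0.0.1/8 ::1 198.51.100.10"
    for label, ignoreip in (("subnet whitelist", page_ignoreip),
                            ("single-host whitelist", host_ignoreip)):
        print(label)
        for ip in ("203.0.113.57", "192.168.0.77", "198.51.100.200"):
            status, net, caught = assess(ip, ignoreip)
            print(f"  {ip:<15} {status:<13} ban={net} caught={caught}")
    # The same suffix on an IPv6 source is a far wider prefix:
    print(banned_network("2001:db8::57").num_addresses)  # 2**104 addresses
```

A "lockout-risk" result means the whitelist entry is narrower than the ban prefix; whitelisting the whole management subnet, as in the ignoreip line above, avoids it for that subnet.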