Hardening your PI: SSHD protection


Steps to protect an internet-facing Raspberry Pi (or any other Debian host) from brute-force SSH logins, banning the attacking host's whole subnet rather than a single address

Note: Fail2ban 0.10.2 on 2020/12/22

  1. Install the ufw firewall and the fail2ban log analyzer. (On Raspberry Pi OS Buster the sshd jail is already enabled by the package via /etc/fail2ban/jail.d/defaults-debian.conf.) If you enable ufw, allow SSH (22/tcp) before doing so, or you will lock yourself out of a remote Pi.
  2. Copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local. This is the file you will edit: fail2ban reads jail.conf first and then jail.local, so jail.local only needs to contain the values you change, and a package upgrade can replace jail.conf without touching them.
  3. Whitelist localhost and your management machine or subnet (192.168.0.x) with the ignoreip setting in /etc/fail2ban/jail.local. Addresses listed there are never banned for their own failed logins; they can still fall inside a subnet that gets banned because of a neighbouring address (step 5), so keep that in mind if you manage the Pi from a public network.
  4. Optional: lower the number of failed SSH logins allowed before a ban (maxretry, counted within findtime) in /etc/fail2ban/jail.local. You can also change bantime, the length of the ban.
  5. Make the iptables actions block entire subnets. The files to edit are the action files named by banaction in your jails; with the 0.10.2 defaults that is /etc/fail2ban/action.d/iptables-multiport.conf for sshd and iptables-allports.conf for recidive. Put the changed lines in a .local copy next to each .conf so a package upgrade does not undo them. Alter the actionban and actionunban lines, adding /24 after the IP address (or any other prefix length you require). The unban line must carry the same prefix as the ban line, otherwise iptables -D will not find the rule and the ban is never lifted:
    actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>
    actionunban = <iptables> -D f2b-<name> -s <ip>/24 -j <blocktype>
    Note: /24 is a prefix length, and the same action line is used for IPv6 bans, where a /24 covers a vastly larger range than for IPv4. Review this before exposing the Pi over IPv6.
  6. Optional: enable the recidive jail, which bans hosts that keep getting banned by the other jails for a much longer period (1w by default).
    Review the warnings above the [recidive] section in jail.conf: the loglevel in fail2ban.conf must be INFO or higher, because recidive works by reading the Ban lines in /var/log/fail2ban.log, and the ban database must be kept longer than the recidive bantime. Edit /etc/fail2ban/fail2ban.conf (or, better, an override in /etc/fail2ban/fail2ban.local) and raise dbpurgeage (the 648000 value, 7.5 days, is taken from those warnings). Then enable recidive in /etc/fail2ban/jail.local.
  7. Restart fail2ban and check that the jails came up (fail2ban-client status, then fail2ban-client status sshd to see the current bans).
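The whole procedure as a script, added here as an example and not code from the original post. It writes a minimal jail.local with only the overridden keys instead of a full copy of jail.conf, rewrites the two iptables action files into .local copies with the /24 prefix, checks the recidive purge age against the recidive bantime, and only touches the system when run as root with the argument apply. The management subnet 192.168.0.0/24, the prefix length 24, maxretry 3, bantime 1h and the .local file names are my assumptions, not the post's.

```shell
#!/bin/sh
# Added example (not from the original post): the hardening steps above as
# shell functions plus an "apply" entry point for Debian / Raspberry Pi OS
# with fail2ban 0.10.x. Assumed values: MGMT_NET, BAN_MASK, maxretry 3,
# bantime 1h and the .local override file names written below.

MGMT_NET="${MGMT_NET:-192.168.0.0/24}"   # assumed management subnet to whitelist
BAN_MASK="${BAN_MASK:-24}"               # prefix length appended to every banned <ip>
F2B="${F2B:-/etc/fail2ban}"              # fail2ban configuration root

# Convert a fail2ban time value ("10m", "1d", "1w" or plain seconds) to seconds.
to_seconds() {
  n=$(printf '%s' "$1" | sed 's/[a-z]$//')
  case "$1" in
    *m) echo $((n * 60)) ;;
    *h) echo $((n * 3600)) ;;
    *d) echo $((n * 86400)) ;;
    *w) echo $((n * 604800)) ;;
    *)  echo "$n" ;;                     # "30s" or a bare number of seconds
  esac
}

# Steps 2-4 and 6: jail.local only needs the keys we override; fail2ban reads
# jail.conf first and layers jail.local (then jail.d/*) on top of it. The
# recidive jail keeps its own bantime/findtime from jail.conf because values
# set inside a section win over [DEFAULT].
render_jail_local() {                    # $1 whitelist, $2 maxretry, $3 bantime
  cat <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 $1
maxretry = $2
bantime  = $3
findtime = 10m

[sshd]
enabled = true

[recidive]
enabled = true
EOF
}

# Step 5: rewrite an iptables action so actionban/actionunban act on the whole
# /<prefix> instead of the single address. $1 input .conf, $2 output, $3 prefix.
# Both lines are rewritten so the unban can find the rule the ban inserted.
widen_ban_to_subnet() {
  sed -e "/^actionban *=/   s|-s <ip> |-s <ip>/$3 |" \
      -e "/^actionunban *=/ s|-s <ip> |-s <ip>/$3 |" "$1" > "$2"
}

# Step 6: recidive parses fail2ban.log, so the ban database must outlive the
# recidive bantime (the jail.conf warning). Returns 0 when dbpurgeage is large enough.
recidive_purge_ok() {                    # $1 dbpurgeage, $2 recidive bantime
  [ "$(to_seconds "$1")" -gt "$(to_seconds "$2")" ]
}

# Step 6: override for fail2ban.conf; loglevel INFO is what recidive needs.
render_fail2ban_local() {                # $1 dbpurgeage
  printf '[Definition]\nloglevel = INFO\ndbpurgeage = %s\n' "$1"
}

# Steps 1 and 7: the privileged part. Only runs when invoked as: sh harden.sh apply
apply_hardening() {
  apt-get install -y ufw fail2ban
  ufw allow 22/tcp                       # allow ssh BEFORE enabling, or you lock yourself out
  ufw --force enable
  render_jail_local "$MGMT_NET" 3 1h > "$F2B/jail.local"
  # sshd uses iptables-multiport and recidive uses iptables-allports (0.10.2
  # defaults); .local copies survive package upgrades of the .conf files.
  for a in iptables-multiport iptables-allports; do
    widen_ban_to_subnet "$F2B/action.d/$a.conf" "$F2B/action.d/$a.local" "$BAN_MASK"
  done
  recidive_purge_ok 648000 1w || { echo "dbpurgeage must exceed the recidive bantime" >&2; return 1; }
  render_fail2ban_local 648000 > "$F2B/fail2ban.local"
  systemctl restart fail2ban
  fail2ban-client status sshd            # confirm the jail is up and list current bans
}

if [ "${1:-}" = "apply" ]; then apply_hardening; fi
```

Run it as root with apply on the Pi; without the argument it only defines the functions, which is convenient for dry-running widen_ban_to_subnet against a copied action file and inspecting the .local output before restarting fail2ban.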