Steps to take to protect an internet-facing Raspberry PI (or other Debian) from brute-force SSH logins from subnets
Note: Fail2ban 0.10.2 on 2020/12/22
- Install firewall ufw and log analyzer fail2ban:
(PiOS Buster: the sshd jail is enabled by default via /etc/fail2ban/jail.d/defaults-debian.conf)12sudo apt updatesudo apt install ufw fail2ban
- Copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local. This is the config you will be working with.
- Whitelist the localhost and your management machine or subnet (192.168.0.x) in /etc/fail2ban/jail.local:
12[Default]ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
- Optional: Limit the amount of allowed ssh logins failures in /etc/fail2ban/jail.local:
Note: You can also change the bantime to a different value.12[sshd]maxretry = 3
- Change the rules to block entire subnets in these two files:
Alter the lines for actionban and actionunban, adding /24 after the IP address (or any other subnet mask you require):12/etc/fail2ban/action.d/iptables-multiport.conf/etc/fail2ban/action.d/iptables-allports.conf
actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>actionunban = <iptables> -D f2b-<name> -s <ip>/24 -j <blocktype> - Optional: Enable the Recidive jail (for long-term checking of login attempts).
Review the warnings (copied from jail.conf):Edit /etc/fail2ban.conf, change dbpurgeage (648000 value has been taken from the warnings above):123456# !!! WARNINGS !!!# 1. Make sure that your loglevel specified in fail2ban.conf/.local# is not at DEBUG level -- which might then cause fail2ban to fall into# an infinite loop constantly feeding itself with non-informative lines# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)# to maintain entries for failed logins for sufficient amount of timeEdit /etc/fail2ban/jail.local, enable recidive:12[Definition]dbpurgeage = 64800012[recidive]enabled = true - Restart fail2ban
1sudo service fail2ban restart
Share