Hardening your PI: SSHD protection


Steps to take to protect an internet-facing Raspberry Pi (or any other Debian system) from brute-force SSH logins, banning the whole source subnet rather than single addresses.

Note: written for Fail2ban 0.10.2 on 2020/12/22.

  1. Install firewall ufw and log analyzer fail2ban:
    sudo apt update
    sudo apt install ufw fail2ban
    (PiOS Buster: the sshd jail is enabled by default via /etc/fail2ban/jail.d/defaults-debian.conf)
  2. Copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local. This is the config you will be working with.
  3. Whitelist localhost and your management machine or subnet (192.168.0.x) in /etc/fail2ban/jail.local, so they can never be banned (replace 192.168.0.0/24 with your own address or subnet):
    ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
  4. Optional: Limit the number of allowed SSH login failures before a ban in /etc/fail2ban/jail.local:
    maxretry = 3
    Note: You can also change bantime to a different value.
  5. Change the ban rules to block entire subnets. The rules live in the two iptables action files under /etc/fail2ban/action.d/ that your jails use: iptables-multiport.conf (the default banaction, used by the sshd jail) and iptables-allports.conf (the default banaction_allports, used by the recidive jail).
    Alter the lines for actionban and actionunban, adding /24 after the IP address (or any other subnet mask you require); both lines must carry the same mask, otherwise the unban cannot find the rule to delete:
    actionban = <iptables> -I f2b-<name> 1 -s <ip>/24 -j <blocktype>
    actionunban = <iptables> -D f2b-<name> -s <ip>/24 -j <blocktype>
    Note: ignoreip only stops the listed addresses from triggering a ban. Once another host in the same /24 triggers one, the whole /24 is dropped, whitelisted addresses included, so make sure your management subnet does not share a /24 with untrusted hosts.
  6. Optional: Enable the Recidive jail (for long-term checking of login attempts).
    Review the warnings (copied from jail.conf):
    # !!! WARNINGS !!! 
    # 1. Make sure that your loglevel specified in fail2ban.conf/.local 
    # is not at DEBUG level -- which might then cause fail2ban to fall into 
    # an infinite loop constantly feeding itself with non-informative lines 
    # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) 
    # to maintain entries for failed logins for sufficient amount of time
    Edit /etc/fail2ban/fail2ban.conf and raise dbpurgeage (the 648000 value is the one suggested in the warnings above):
    dbpurgeage = 648000
    Edit /etc/fail2ban/jail.local and enable the jail in its [recidive] section:
    [recidive]
    enabled = true
  7. Restart fail2ban
    sudo service fail2ban restart
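To apply step 5 without hand-editing and to check that steps 3 and 4 actually landed in jail.local, here is a small POSIX shell helper. It is an added example, not part of the original post or of fail2ban; the function names, the /24 default and the constructed sample lines are my own assumptions.

```shell
#!/bin/sh
# Added helper (not from the original post): applies step 5 idempotently
# and checks the jail.local settings from steps 3 and 4. Function names,
# the /24 default and the constructed sample lines are my own choices.

# Rewrite actionban/actionunban so "-s <ip>" becomes "-s <ip>/<mask>".
# Only a bare "<ip>" followed by whitespace is touched, so a second run
# cannot produce "<ip>/24/24". sed keeps a .bak copy of the file.
add_subnet_mask() {
  file="$1"
  mask="${2:-24}"
  sed -i.bak -E \
    "/^action(un)?ban[[:space:]]*=/ s#-s <ip>([[:space:]])#-s <ip>/${mask}\\1#" \
    "$file"
}

# Return 0 when both the ban and the unban line carry the mask.
has_subnet_mask() {
  file="$1"
  mask="${2:-24}"
  grep -Eq "^actionban[[:space:]]*=.*-s <ip>/${mask}[[:space:]]" "$file" &&
    grep -Eq "^actionunban[[:space:]]*=.*-s <ip>/${mask}[[:space:]]" "$file"
}

# Return 0 when jail.local whitelists the management subnet (step 3) and
# sets maxretry (step 4); otherwise report what is missing.
check_jail_local() {
  file="$1"
  subnet="$2"
  ok=0
  grep -Eq "^ignoreip[[:space:]]*=([^#]*[[:space:]])?${subnet}([[:space:]]|$)" "$file" ||
    { echo "ignoreip does not list ${subnet}"; ok=1; }
  grep -Eq "^maxretry[[:space:]]*=[[:space:]]*[0-9]+" "$file" ||
    { echo "maxretry is not set"; ok=1; }
  return $ok
}

# Demo on a constructed copy of the two stock action lines, so nothing under
# /etc is touched when this file is run as-is.
demo=$(mktemp)
printf '%s\n' \
  'actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>' \
  'actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>' > "$demo"
add_subnet_mask "$demo" 24
add_subnet_mask "$demo" 24   # second run must be a no-op
cat "$demo"
has_subnet_mask "$demo" 24 && echo "subnet mask applied exactly once"
rm -f "$demo" "$demo.bak"
```

On the Pi, point add_subnet_mask at /etc/fail2ban/action.d/iptables-multiport.conf and iptables-allports.conf, restart fail2ban, and confirm the jail is active with sudo fail2ban-client status sshd.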