Fighting dictionary attacks with Sshutout and Fail2ban
Closing the Book

© Andriy Solovyov, Fotolia
Services that require a username and password for login are potential targets for dictionary attacks. Sshutout and Fail2ban introduce time penalties for invalid attempts.
Sshutout [1] is a daemon written in C that checks a logfile for invalid SSH logins at frequent intervals. If Sshutout discovers a pattern of failed login attempts by a client, it blocks the client according to iptables rules. After a configurable delay, the penalty is automatically revoked.
Activating the Ban
All it takes to install the 32KB tarball is the usual make; make install.
The daemon is located in /usr/local/sbin after the install, and its configuration file is /etc/sshutout.conf.
The configuration file lets you configure a number of parameters. It is extremely important to specify the right name for the logfile that you want Sshutout to monitor. The name defaults to /var/log/messages, but many distributions write login information to other logfiles. On Ubuntu, for example, you would need this setting:
sshd_log_file = /var/log/auth.log
The threshold option specifies the LOS value (LOS = level of stupidity). In other words, it defines how many invalid login attempts a client can make before it is temporarily blocked. If you have a large number of passwords or a poor memory, you might want to increase this threshold (default = 4).
Lock-Out Time
The lock-out time is related to the threshold value. On the one hand, you need to prevent brute-force attacks as effectively as possible; on the other, it is not a good idea to lock out your users for hours on end just because they have difficulty remembering their passwords after a night on the town. The default value, five minutes, is a useful compromise: delay_penalty = 300.
This will give users enough time to drink a cup of coffee and refresh their memories. Alternatively, you can exclude known password forgetters from the outset. The configuration file has a whitelist line on which to enter names or IP addresses of hosts you don't want to lock out.
Sshutout also does some autonomous whitelisting. When launched, it outputs an overview of the current settings, including the following lines:
Whitelist: 213.133.98.97 10.0.0.254 10.0.0.214
This means that Sshutout's whitelist automatically excludes its own IP address, the default gateway address, and the name server. This shouldn't be too dangerous, but more cautious admins might want to change this behavior by specifying auto_whitelist = no.
Sshutout also logs its own activities in /var/log/sshutout.log by default. If a client is blocked, an entry for the client is written to the file:
10.0.0.42 blocked on Sat Feb 02 15:32:32 2008
iptables -L lets you view the underlying firewall rule (Figure 1). Finally, an exception handling function deals with cases in which a client initiates an SSH connection but does not make an entry, which commonly occurs in cases of denial-of-service attacks. Sshutout ignores these kinds of connections by default. The illegal_user = yes entry tells Sshutout to treat these like any other failed login attempt.
Fail2ban: All-Around Protection
Fail2ban [2] basically takes the same approach as Sshutout; however, it is not restricted to SSH. In fact, it can protect more or less any service that requires users to log in. Fail2ban makes its decisions on the basis of logfile entries, although it uses a different technical approach.
The tool is split into two components: a server and a client. The server monitors the logfiles and iptables rules. The administrator can use the client to issue commands to the server to change, for example, the logging level.
The jail.conf configuration file defines a number of services that Fail2ban can protect, with ssh heading the list:
[ssh] enabled = true port = ssh,sftp filter = sshd logpath = /var/log/auth.log maxretry = 6
The sections that follow contain parameters for other services. Each of these sections is a "jail" in Fail2ban-speak. The filter = sshd entry is equivalent to a file in the /etc/fail2ban/filter.d directory. The file contains a regular expression that the Fail2ban server searches for in the logfile. At this point you can't configure the duration of a lock-out because this value is set to 600 seconds in a global section, [DEFAULT]. If this is too long for your liking, you can add a bantime = 300 entry in the [ssh] section.
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
The GNU Project Celebrates Its 40th Birthday
September 27 marks the 40th anniversary of the GNU Project, and it was celebrated with a hacker meeting in Biel/Bienne, Switzerland.
-
Linux Kernel Reducing Long-Term Support
LTS support for the Linux kernel is about to undergo some serious changes that will have a considerable impact on the future.
-
Fedora 39 Beta Now Available for Testing
For fans and users of Fedora Linux, the first beta of release 39 is now available, which is a minor upgrade but does include GNOME 45.
-
Fedora Linux 40 to Drop X11 for KDE Plasma
When Fedora 40 arrives in 2024, there will be a few big changes coming, especially for the KDE Plasma option.
-
Real-Time Ubuntu Available in AWS Marketplace
Anyone looking for a Linux distribution for real-time processing could do a whole lot worse than Real-Time Ubuntu.
-
KSMBD Finally Reaches a Stable State
For those who've been looking forward to the first release of KSMBD, after two years it's no longer considered experimental.
-
Nitrux 3.0.0 Has Been Released
The latest version of Nitrux brings plenty of innovation and fresh apps to the table.
-
Linux From Scratch 12.0 Now Available
If you're looking to roll your own Linux distribution, the latest version of Linux From Scratch is now available with plenty of updates.
-
Linux Kernel 6.5 Has Been Released
The newest Linux kernel, version 6.5, now includes initial support for two very exciting features.
-
UbuntuDDE 23.04 Now Available
A new version of the UbuntuDDE remix has finally arrived with all the updates from the Deepin desktop and everything that comes with the Ubuntu 23.04 base.