Fighting dictionary attacks with Sshutout and Fail2ban

Protection against DoS

SSH has two jails: the one just mentioned and sshd-ddos. This jail is not designed to prevent attempts to guess passwords, but to counter denial-of-service (DoS) attacks that open connections to the SSH daemon without entering a password.The logfile contains messages like this in case of a DoS attack:

sshd: Did not receive identification string from

Although you could configure multiple regular expressions per jail, many admins will prefer to assign different ban times for distributed DoS (DDoS) attacks as opposed to failed login attempts. That is, splitting this into the SSH and sshd-ddos categories makes a lot of sense.

The SSH jail is the only one set to enabled = true by default; all other jails – including sshd-ddos – have to be enabled manually.

Protection Scheme

If a user enters the wrong password multiple times, the results are similar to the Sshutout results: An iptables rule is triggered and locks out all connections from the offending computer for the next five minutes (Figure 2).

Figure 2: Fail2ban locks out a client attempting to establish a connection after a predefined number of invalid connection attempts.

Protection for other services follows the same pattern (Figure 3). If you have a number of login-protected web pages on your Apache web server, Fail2ban will give you a jail to match,

  enabled = false
  port = http,https
  filter = apache-auth
  logpath = /var/log/apache*/*access.log
  maxretry = 3

which you need to modify slightly. The Apache version that I run writes error messages to a separate error.log file, and not to access.log. After setting enabled = true, you can enable the jail.

Figure 3: Rules for Apache: Fail2ban can protect many different applications.

Tip: A more elegant approach than simply restarting the Fail2ban daemon, which could mean disabling active iptables rules, is to send the following command from the Fail2ban client to the server:

fail2ban-client start apache

This command tells the server to add the [apache] entry to the list of active jails. To try this out, I entered a number of invalid passwords, and a new iptables rule was activated.

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Fail2ban

    Fail2ban is a quick to deploy, easy to set up, and free to use intrusion prevention service that protects your systems from brute force and dictionary attacks.

  • Expert Security Intro

    Internet intruders have many ingenious ways of escalating privileges and hiding their presence once they get inside your system. The best protection is to keep them out in the cold.

  • Charly's Column

    Users log on to services such as SSH, ftp, SASL, POP3, IMAP, Apache htaccess, and many more using their names and passwords. These popular access mechanisms are a potential target for brute-force attacks. An attentive bouncer will keep dictionary attacks at bay.

  • System Hardening

    A good reputation does not protect your Linux systems from attack. We'll show you some tips for detecting and warding off intruders.

  • Security Lessons: Windows Logging

    Windows 7 is pretty good at logging, but what do you do with all those log files? We look at some monitoring tools that can help you get the most out your logging data.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More