10

I currently block all SSH logins as root, but I wanted to go the extra mile and block the IP address of any client who tries to log in as root. I currently have denyhosts and fail2ban set up and working; can I use denyhosts and/or fail2ban to block the IP addresses of those who try to log in as root?

samwell

4 Answers

21

Copy this code into a new file /etc/fail2ban/filter.d/sshd-root.conf:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)sFailed (?:password|publickey) for root from <HOST>(?: port \d*)?(?: ssh\d*)?$

ignoreregex = 

PLEASE BE AWARE that you may have to edit the failregex to accurately identify failing root login attempts - use:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-root.conf

to test that it identifies the correct log entries.

Then you need to edit your jail.local to make use of the new filter - add something like:

[ssh]

enabled  = true
port     = 1:65535
filter   = sshd-root
logpath  = /var/log/auth.log
bantime  = 604800
maxretry = 3

Obviously you should adjust these values according to your needs. The settings above will drop all incoming packets from the offending IP address after three attempts to log on as root, and will release the IP again after one week.

ChrisG
  • This really deserves to be the accepted answer, since it actually answers the question. – peelman Jun 11 '15 at 11:31
  • This is definitely the correct answer. Best to disable root logins in sshd config and then set maxretry to 1 in jail.conf. – anteatersa Mar 03 '16 at 17:43
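As an added illustration (not part of ChrisG's answer or of fail2ban itself), the following Python script mimics what `fail2ban-regex` does with the sshd-root.conf filter above: it expands `<HOST>` the way fail2ban does, applies the failregex to a few constructed auth.log lines and reports which addresses would reach `maxretry = 3`. The syslog prefix pattern is a simplified stand-in for common.conf's `__prefix_line`, and the log lines are constructed, not taken from a real system.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with this pattern (IPv4-mapped "::ffff:" prefix tolerated).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Simplified stand-in for %(__prefix_line)s: "Mon DD HH:MM:SS hostname sshd[pid]: ".
PREFIX_RE = r"(?:\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} )?\S+ sshd\[\d+\]: "

# The failregex from sshd-root.conf with both placeholders expanded.
FAILREGEX = re.compile(
    "^" + PREFIX_RE
    + r"Failed (?:password|publickey) for root from "
    + HOST_RE + r"(?: port \d*)?(?: ssh\d*)?$"
)

# Constructed sample auth.log excerpt: three root failures from one client,
# one IPv4-mapped root failure, a non-root failure, an invalid-user line
# and a successful root login (the last three must NOT match).
SAMPLE_LOG = """\
Dec 13 18:01:02 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 13 18:01:05 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Dec 13 18:01:09 srv sshd[1203]: Failed publickey for root from 203.0.113.7 port 51240 ssh2
Dec 13 18:02:00 srv sshd[1210]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Dec 13 18:02:30 srv sshd[1211]: Failed password for invalid user root123 from 198.51.100.9 port 40002 ssh2
Dec 13 18:02:45 srv sshd[1215]: Failed password for root from ::ffff:198.51.100.20 port 40010 ssh2
Dec 13 18:03:00 srv sshd[1212]: Accepted publickey for root from 192.168.0.10 port 2222 ssh2
"""


def matching_hosts(log_text):
    """Return one <host> capture per line the failregex matches,
    roughly the lines fail2ban-regex counts as 'matched'."""
    hosts = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(log_text, maxretry=3):
    """Hosts whose failure count reached the jail's maxretry (findtime ignored here)."""
    counts = Counter(matching_hosts(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matched lines:", len(matching_hosts(SAMPLE_LOG)))
    print("would be banned at maxretry=3:", hosts_to_ban(SAMPLE_LOG))
```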
2

Depending on your distribution, edit /etc/fail2ban/jail.conf. Update the [ssh] section to show something like this:

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
bantime = 3600
maxretry = 3

Change the parameters as required. It won't specifically block root, but every attempt that fails. Be careful with maxretry and the bantime. If you fail with your own password while maxretry is set too low, you block yourself for the bantime. Restart fail2ban.

I wouldn't try to block the IP forever, as a lot of attempts come from dynamic IPs, which could block some legitimate users at a later point in time.

(Some distributions offer a jail.options file for your modifications. This is the preferred place to put your changes to as it shouldn't be affected by updates overwriting the conf.)

Chris
  • Good info, but I think he wanted to know how to block all logins using user root... can't see that in your answer. Maybe you forgot that. – Mose Dec 14 '11 at 14:47
1

Since the default /etc/fail2ban/filter.d/sshd.conf already has a regex for AllowUsers and DenyUsers...

...
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
...

The following will:

  • Allow connections from exampleusername from external IPs
  • And root or any connections on local network (192.168.0.*)

The line in `/etc/ssh/sshd_config`:

AllowUsers exampleusername *@192.168.0.* *@localhost *@127.0.0.1

And in /etc/fail2ban/jail.conf:

ignoreip = 127.0.0.1/8 192.168.0.2/255
...
...
[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 1
findtime = 99999999 
bantime  = 99999999

jmunsch
0

How did you block ssh logins? /bin/false or the sshd_config DenyUsers option?

I can't think of an answer out of my head, but IIRC denyhosts parses the log file, so just see if you get a failed entry in the log file after someone tries to log in to root with it disabled.

MitziMeow
  • I edited the ssh config file, `/etc/ssh/sshd_config`, and changed `PermitRootLogin` from yes to no. I don't know if this is relevant, but I do have rssh installed to only allow certain users to log in using sftp but not allow ssh. – samwell Dec 13 '11 at 18:38
  • Did you check the ssh log files to see if they have the failed user login attempts? – MitziMeow Dec 13 '11 at 19:47
  • Yes, I can see that there are many failed user login attempts from many different IP addresses, which I don't recognize. – samwell Dec 13 '11 at 19:50
  • Then denyhosts should work. – MitziMeow Dec 14 '11 at 06:01