Secure your Cloud Server with Fail2Ban and SSH Hardening

Setting up your SSH config and Fail2Ban to automatically jail unauthorized IP addresses.

Jan 9th, 2021


In a previous article I discussed how you can host a range of cloud services on your own private server. In this article I'm going to discuss how you can secure your server a bit more using Fail2Ban and by configuring SSH for tighter security. Unlike a traditional login form protected by a CAPTCHA, SSH does not by default restrict the number of times you can guess a password. This means hackers trying to access your server can use a brute-force attack to become the root user. This often involves running a password-cracking tool like Hydra with a list of commonly used passwords.

I'm going to show you how to automatically ban IP addresses when they do this. If you want more details you can check out my video above.

The Technical Details

https://github.com/BiasedRiot/SaorTech-Cloud-Services

Fail2Ban is a service that detects when an IP address fails to log in a certain number of times and bans it (puts it in a "jail") for a set amount of time. I created a basic shell script that automatically installs Fail2Ban and disables root login over SSH. You can check out the script in the GitHub repo linked above, or just run the commands below.

git clone https://github.com/BiasedRiot/SaorTech-cloud-services.git
cd SaorTech-cloud-services/security
sudo ./setup_ssh_security.sh

That's it for setting up Fail2Ban. If you want to make your server even more secure, you should also remove the ability to log in with the user's password. Instead, add your public SSH key to that user's authorized keys so that it authenticates you automatically when you SSH in as that user. It also makes access simpler, as you don't have to type in that long password every time :)

First things first, generate an SSH key on your local machine (I advise creating a new one if it isn't being used by other services; I had trouble using old SSH public keys).

ssh-keygen

Next, copy your public key from your local machine over to the server. Remember to replace the user and IP address with your own.

ssh-copy-id <user>@<server ip or domain>

Finally, edit the sshd config file on your server. It should be at /etc/ssh/sshd_config; make sure it contains the following lines.

PasswordAuthentication no
PubkeyAuthentication yes

That's basically it. Just restart the sshd service on your server and you should be good to go. Now nobody (yourself included) can log into your server without your SSH private key, and anyone who does try will be banned for a day. You can rest assured that your server will be a little bit safer from hackers.
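One thing worth checking before you restart: sshd uses the first value it finds for each keyword, so a hardened line added at the bottom of sshd_config is silently ignored if an earlier line (or a file pulled in by an Include directive near the top) already set it. The following checker is an added example, not part of the original post or the SaorTech repo; the function names are my own, and it mimics sshd's first-match rule on a config file you point it at (on the server itself, `sudo sshd -T` prints the real effective settings).

```shell
#!/bin/sh
# Audit an sshd_config file for the settings this article asks for.
# Mimics sshd's rule that the FIRST value seen for a keyword wins, and
# stops at the first "Match" block, since directives after it are conditional.
# Hypothetical helper names; not from the original post or repo.

# effective_value FILE KEYWORD -> prints the first-match value, lowercased
effective_value() {
    awk -F '[ \t=]+' -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || NF < 2 { next }                # skip comments and blank lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check_sshd_hardening FILE -> prints one line per setting; returns 1 if any is weak
# An unset keyword is reported as weak so you set it explicitly as the article does.
check_sshd_hardening() {
    file="$1"; status=0
    for pair in "permitrootlogin=no" \
                "passwordauthentication=no" \
                "pubkeyauthentication=yes"; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(effective_value "$file" "$key")"
        if [ "$got" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "WEAK $key = ${got:-<unset, sshd default applies>} (want $want)"
            status=1
        fi
    done
    return "$status"
}
```

Run it as `check_sshd_hardening /etc/ssh/sshd_config`; a WEAK line for PasswordAuthentication usually means an earlier directive or an included file is overriding the line you added.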

Stay happy and stay private.