Notes on Blocking Attacks Against Raspberry Pi SSH with Fail2Ban

Overview

I expose the SSH Server port so I can access my Raspberry Pi remotely, and when I looked at the logs, I saw that it was being attacked fairly often. Password login is disabled, so I could ignore it, but it felt unpleasant, so I configured Fail2Ban.

$ journalctl _COMM=sshd | grep "Invalid user"
Aug 11 09:23:53 pi4col sshd[1105]: Invalid user blank from 183.67.43.194 port 44130
Aug 11 09:44:30 pi4col sshd[1118]: Invalid user pi from 199.76.38.123 port 36840
Aug 11 09:44:30 pi4col sshd[1119]: Invalid user pi from 199.76.38.123 port 36844
Aug 11 09:45:33 pi4col sshd[1122]: Invalid user Admin from 138.75.192.20 port 52632
Aug 11 10:07:10 pi4col sshd[1197]: Invalid user blank from 61.83.254.100 port 38377
Aug 11 10:26:35 pi4col sshd[1268]: Invalid user nosubject from 152.136.41.3 port 55696
Aug 11 10:28:44 pi4col sshd[1270]: Invalid user admin from 121.7.26.195 port 50064
Aug 11 10:49:04 pi4col sshd[1282]: Invalid user babs from 81.70.27.122 port 45998
Aug 11 10:49:11 pi4col sshd[1284]: Invalid user zookeeper from 46.191.141.152 port 35283
...

What Is Fail2Ban?

Fail2Ban is a tool that checks access logs and bans addresses that repeatedly produce login errors, such as from brute-force attacks. This time, I use it to ban unauthorized SSH access.

Test Environment

Raspberry Pi 5 8GB RAM
Raspberry Pi OS

$ cat /proc/cpuinfo | grep Model
Model		: Raspberry Pi 5 Model B Rev 1.0

$ cat /etc/os-release PRETTY_NAME=“Debian GNU/Linux 12 (bookworm)” NAME=“Debian GNU/Linux” VERSION_ID=“12” VERSION=“12 (bookworm)” VERSION_CODENAME=bookworm ID=debian HOME_URL=“https://www.debian.org/" SUPPORT_URL=“https://www.debian.org/support" BUG_REPORT_URL=“https://bugs.debian.org/"

How to Install Fail2Ban

You can install it with apt.

$ sudo apt install fail2ban

It includes ssh settings from the start, but it did not start as-is.
It looks like it could not find the sshd log file.

~ $ systemctl status fail2ban
× fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2024-08-30 17:19:18 JST; 5min ago
   Duration: 134ms
       Docs: man:fail2ban(1)
    Process: 856603 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255/EXCEPTION)
   Main PID: 856603 (code=exited, status=255/EXCEPTION)
        CPU: 123ms

Aug 30 17:19:18 rpi5 systemd[1]: Started fail2ban.service - Fail2Ban Service. Aug 30 17:19:18 rpi5 fail2ban-server[856603]: 2024-08-30 17:19:18,447 fail2ban.configreader [856603]: WARNING ‘allowipv6’ not defined in ‘Definition’. Using default one: ‘auto’ Aug 30 17:19:18 rpi5 fail2ban-server[856603]: 2024-08-30 17:19:18,459 fail2ban [856603]: ERROR Failed during configuration: Have not found any log file for sshd jail Aug 30 17:19:18 rpi5 fail2ban-server[856603]: 2024-08-30 17:19:18,466 fail2ban [856603]: ERROR Async configuration of server failed Aug 30 17:19:18 rpi5 systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION Aug 30 17:19:18 rpi5 systemd[1]: fail2ban.service: Failed with result ’exit-code’.

Change the configuration. There is a setting for sshd, so add backend = systemd at the end.
This allowed fail2ban to start.

$ sudo vi /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true
backend = systemd

$ sudo systemctl start fail2ban

$ sudo systemctl status fail2ban ● fail2ban.service - Fail2Ban Service Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled) Active: active (running) since Sat 2024-08-31 22:55:11 JST; 1s ago Docs: man:fail2ban(1) Main PID: 88859 (fail2ban-server) Tasks: 5 (limit: 9252) CPU: 345ms CGroup: /system.slice/fail2ban.service └─88859 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Aug 31 22:55:11 rpi5 systemd[1]: Started fail2ban.service - Fail2Ban Service. Aug 31 22:55:11 rpi5 fail2ban-server[88859]: 2024-08-31 22:55:11,842 fail2ban.configreader [88859]: WARNING ‘allowipv6’ not defined in ‘Definition’. Using default one: ‘a> Aug 31 22:55:12 rpi5 fail2ban-server[88859]: Server ready

Check whether the jail is enabled.

 $ sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

After leaving it for a while and checking the logs, you can see that addresses are being banned. Ten minutes until unban may be too lenient, but I will watch the situation and adjust it.

$ cat /var/log/fail2ban.log | grep actions
2024-09-01 01:27:58,207 fail2ban.actions        [1933]: NOTICE  [sshd] Ban 198.144.156.34
2024-09-01 01:37:57,651 fail2ban.actions        [1933]: NOTICE  [sshd] Unban 198.144.156.34
2024-09-01 06:38:21,777 fail2ban.actions        [1933]: NOTICE  [sshd] Ban 45.118.144.54
2024-09-01 06:48:21,934 fail2ban.actions        [1933]: NOTICE  [sshd] Unban 45.118.144.54
2024-09-01 21:14:53,796 fail2ban.actions        [1933]: NOTICE  [sshd] Ban 222.65.9.218
2024-09-01 21:24:53,941 fail2ban.actions        [1933]: NOTICE  [sshd] Unban 222.65.9.218
Sponsored links
Follow ☆Geha☆