Overview
I expose the SSH Server port so I can access my Raspberry Pi remotely, and when I looked at the logs, I saw that it was being attacked fairly often. Password login is disabled, so I could ignore it, but it felt unpleasant, so I configured Fail2Ban.
$ journalctl _COMM=sshd | grep "Invalid user"
Aug 11 09:23:53 pi4col sshd[1105]: Invalid user blank from 183.67.43.194 port 44130
Aug 11 09:44:30 pi4col sshd[1118]: Invalid user pi from 199.76.38.123 port 36840
Aug 11 09:44:30 pi4col sshd[1119]: Invalid user pi from 199.76.38.123 port 36844
Aug 11 09:45:33 pi4col sshd[1122]: Invalid user Admin from 138.75.192.20 port 52632
Aug 11 10:07:10 pi4col sshd[1197]: Invalid user blank from 61.83.254.100 port 38377
Aug 11 10:26:35 pi4col sshd[1268]: Invalid user nosubject from 152.136.41.3 port 55696
Aug 11 10:28:44 pi4col sshd[1270]: Invalid user admin from 121.7.26.195 port 50064
Aug 11 10:49:04 pi4col sshd[1282]: Invalid user babs from 81.70.27.122 port 45998
Aug 11 10:49:11 pi4col sshd[1284]: Invalid user zookeeper from 46.191.141.152 port 35283
...What Is Fail2Ban?
Fail2Ban is a tool that checks access logs and bans addresses that repeatedly produce login errors, such as from brute-force attacks. This time, I use it to ban unauthorized SSH access.
Test Environment
Raspberry Pi 5 8GB RAM
Raspberry Pi OS
$ cat /proc/cpuinfo | grep Model
Model : Raspberry Pi 5 Model B Rev 1.0
$ cat /etc/os-release
PRETTY_NAME=“Debian GNU/Linux 12 (bookworm)”
NAME=“Debian GNU/Linux”
VERSION_ID=“12”
VERSION=“12 (bookworm)”
VERSION_CODENAME=bookworm
ID=debian
HOME_URL=“https://www.debian.org/"
SUPPORT_URL=“https://www.debian.org/support"
BUG_REPORT_URL=“https://bugs.debian.org/"
How to Install Fail2Ban
You can install it with apt.
$ sudo apt install fail2banIt includes ssh settings from the start, but it did not start as-is.
It looks like it could not find the sshd log file.
~ $ systemctl status fail2ban
× fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Fri 2024-08-30 17:19:18 JST; 5min ago
Duration: 134ms
Docs: man:fail2ban(1)
Process: 856603 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255/EXCEPTION)
Main PID: 856603 (code=exited, status=255/EXCEPTION)
CPU: 123ms
Aug 30 17:19:18 rpi5 systemd[1]: Started fail2ban.service - Fail2Ban Service.
Aug 30 17:19:18 rpi5 fail2ban-server[856603]: 2024-08-30 17:19:18,447 fail2ban.configreader [856603]: WARNING ‘allowipv6’ not defined in ‘Definition’. Using default one: ‘auto’
Aug 30 17:19:18 rpi5 fail2ban-server[856603]: 2024-08-30 17:19:18,459 fail2ban [856603]: ERROR Failed during configuration: Have not found any log file for sshd jail
Aug 30 17:19:18 rpi5 fail2ban-server[856603]: 2024-08-30 17:19:18,466 fail2ban [856603]: ERROR Async configuration of server failed
Aug 30 17:19:18 rpi5 systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
Aug 30 17:19:18 rpi5 systemd[1]: fail2ban.service: Failed with result ’exit-code’.
Change the configuration. There is a setting for sshd, so add backend = systemd at the end.
This allowed fail2ban to start.
$ sudo vi /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true
backend = systemd
$ sudo systemctl start fail2ban
$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
Active: active (running) since Sat 2024-08-31 22:55:11 JST; 1s ago
Docs: man:fail2ban(1)
Main PID: 88859 (fail2ban-server)
Tasks: 5 (limit: 9252)
CPU: 345ms
CGroup: /system.slice/fail2ban.service
└─88859 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Aug 31 22:55:11 rpi5 systemd[1]: Started fail2ban.service - Fail2Ban Service.
Aug 31 22:55:11 rpi5 fail2ban-server[88859]: 2024-08-31 22:55:11,842 fail2ban.configreader [88859]: WARNING ‘allowipv6’ not defined in ‘Definition’. Using default one: ‘a>
Aug 31 22:55:12 rpi5 fail2ban-server[88859]: Server ready
Check whether the jail is enabled.
$ sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshdAfter leaving it for a while and checking the logs, you can see that addresses are being banned. Ten minutes until unban may be too lenient, but I will watch the situation and adjust it.
$ cat /var/log/fail2ban.log | grep actions
2024-09-01 01:27:58,207 fail2ban.actions [1933]: NOTICE [sshd] Ban 198.144.156.34
2024-09-01 01:37:57,651 fail2ban.actions [1933]: NOTICE [sshd] Unban 198.144.156.34
2024-09-01 06:38:21,777 fail2ban.actions [1933]: NOTICE [sshd] Ban 45.118.144.54
2024-09-01 06:48:21,934 fail2ban.actions [1933]: NOTICE [sshd] Unban 45.118.144.54
2024-09-01 21:14:53,796 fail2ban.actions [1933]: NOTICE [sshd] Ban 222.65.9.218
2024-09-01 21:24:53,941 fail2ban.actions [1933]: NOTICE [sshd] Unban 222.65.9.218