Fail2Ban or DenyHosts to block invalid username SSH login attempts


Solution 1

I cannot help you with fail2ban, but I am using denyhosts quite successfully for exactly this thing. You can tune quite a lot of parameters, and it also has a distributed database where you can send and receive other bad hosts.

Here's a more detailed howto:

Install denyhosts package (sudo apt-get install denyhosts)

Look at the default configuration in /etc/denyhosts.conf; you might be interested in the DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT options.

As for the sync server, it's disabled by default and you will need to enable it by uncommenting the SYNC_SERVER option.

It's also not a bad idea to set the PURGE_DENY option to 1w or something like that in case you lock yourself out, so the entry will get purged after one week and you will be able to log in again.

Solution 2

First, define the filter for invalid users in filter.d/sshd-invaliduser.conf:

[INCLUDES]
before = common.conf

[Definition]
_daemon = sshd

failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
ignoreregex = 

[Init]
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

Then enable it in jail.local:

[sshd-invaliduser]
enabled = true
maxretry = 1
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

This works with fail2ban 0.9.6-2 on Debian 9.
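As an added example (not part of the original answer), this Python script expands the filter's tags the way fail2ban does and runs the failregex above, plus the extra "Failed password for invalid user" pattern suggested in the comments, over a few constructed auth.log lines, reporting matched hosts and missed lines the way fail2ban-regex would. The %(__prefix_line)s stand-in is a simplified assumption; the real one lives in common.conf.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's %(__prefix_line)s (the real one in
# common.conf is more permissive); an assumption made for this example.
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?sshd(?:\[\d+\])?: "
# fail2ban's own expansion of the <HOST> tag (accepts ::ffff:-mapped IPv4).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex from the filter above, plus the extra line suggested in the comments.
FAILREGEX = [
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$",
    r"^%(__prefix_line)sFailed password for invalid user .*? from <HOST>(?: port \d+)?\s*$",
]

def compile_filter(patterns=FAILREGEX):
    """Expand fail2ban's tags the way the filter parser would, then compile."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE)
                        .replace("<HOST>", HOST_TAG)) for p in patterns]

def run_filter(lines, compiled=None):
    """Return (failures per host, lines no regex matched), like fail2ban-regex."""
    compiled = compiled or compile_filter()
    hits, missed = Counter(), []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1  # one failure per line, as fail2ban counts
                break
        else:
            missed.append(line)
    return hits, missed

def hosts_to_ban(hits, maxretry=1):
    """Hosts the jail above (maxretry = 1) would ban."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample log lines (not real traffic). OpenSSH appends " ssh2" to
# "Failed password" lines, which the \s*$ in the second pattern rejects, so
# verify against your own logs with fail2ban-regex before relying on it.
SAMPLE_LOG = """\
Mar  3 10:01:02 srv sshd[1201]: Invalid user harry from 198.51.100.7 port 41022
Mar  3 10:01:04 srv sshd[1201]: Failed password for invalid user harry from 198.51.100.7 port 41022 ssh2
Mar  3 10:02:10 srv sshd[1210]: Failed password for root from 203.0.113.9 port 50211 ssh2
Mar  3 10:03:11 srv sshd[1222]: Accepted publickey for alice from 192.0.2.5 port 60000 ssh2
Mar  3 10:04:00 srv sshd[1230]: Invalid user admin from 198.51.100.7
Mar  3 10:05:00 srv sshd[1240]: Invalid user sally from ::ffff:203.0.113.9 port 2222
""".splitlines()

if __name__ == "__main__":
    hits, missed = run_filter(SAMPLE_LOG)
    print("failures:", dict(hits), "ban:", hosts_to_ban(hits))
    for line in missed:
        print("missed:", line)
```

The root and "Accepted publickey" lines land in the missed list by design: this filter only counts invalid usernames, which is what keeps it separate from the stock sshd jail's password-failure count.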

Solution 3

This is deliberately not supported in fail2ban:

In other words, invalid users may get 2 attempts while invalid password for valid users get 5 attempts. How can that be done in fail2ban?

A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.

I found your question while trying to do the same thing, but now I've changed my mind. Apart from the secrecy benefit, why save an attacker time by cutting them off early?

Solution 4

Why not just deny all root logins entirely over SSH, rather than using Fail2Ban or other stuff? By doing that, and denying the use of the root login, you remove the issue of having to block everyone, because even if they guess the root password, it'll deny them login, regardless of how many times they try.

In /etc/ssh/sshd_config, find the line containing PermitRootLogin. Edit that with whatever text editor, but make sure you use sudo/gksudo (gksudo only if you're using a GUI text editor). Make that line I mentioned say PermitRootLogin no, then save, and do sudo service ssh restart.

(This answer was written for the incorrectly-stated initial question. This answer will not be modified to match the revised question, because that's beyond my ability to answer. I may delete THIS answer in future)


Author: slayton1213

Updated on September 18, 2022

Comments

  • slayton1213
    slayton1213 over 1 year

    Is there a way to automatically block IP address when a user tries to login as any invalid username? I already have:

    [ssh]
    
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/auth.log
    maxretry = 3
    bantime = 31536000
    

    in /etc/fail2ban/jail.conf

  • slayton1213
    slayton1213 about 11 years
    I do have that setting enabled however what I'm attempting to do is remove all unnecessary traffic to the server. I'm attempting to have an IP address banned after 3 attempts from using a wrong username, including root. I have had attempts to login with usernames like harry potter, sally... etc.
  • Thomas Ward
    Thomas Ward about 11 years
    @slayton1213 Based on your comment, I have revised your question and what it is asking, to be more specific to what your actual goal is. Please confirm I got that right.
  • slayton1213
    slayton1213 about 11 years
    Yes, this is correct.
  • Jacob Rodrigues
    Jacob Rodrigues over 5 years
    What is the relevance of this to using fail2ban for SSH?
  • Chris Woods
    Chris Woods almost 5 years
    This is an excellent answer, incredibly helpful. I augmented the failregex slightly to accommodate additional cases based on my SSH logs, as not everything was being caught. As well as the first line, I also use ^%(__prefix_line)sFailed password for invalid user .*? from <HOST>(?: port \d+)?\s*$, specified on a new line below the first (use spaces, not tabs, to align them to the right hand side of the = equals sign, to avoid python interpreter issues). To test, run fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd-invaliduser.conf.
  • Diagon
    Diagon almost 5 years
    If they know there is no root user, then they will become aware that the search space is dramatically larger than they had hoped, and may stop harassing my machine by trying to login with that username. In fact, I'd be happy to let them know that there are no users using common usernames on my machine.
  • farhany
    farhany almost 4 years
    This is exactly what I was looking for. This takes care of the majority of connection attempts to my host with the general list of users like admin, sally, etc...