Fail2Ban or DenyHosts to block invalid username SSH login attempts
Solution 1
I cannot help you with fail2ban, but I am using denyhosts quite successfully for exactly this thing. You can tune quite a lot of parameters and it also has a distributed database where you can send and receive other bad hosts.
Here's a more detailed howto:
Install the denyhosts package (sudo apt-get install denyhosts).
Look at the default configuration in /etc/denyhosts.conf; you might be interested in the DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT options.
As for the sync server, it's disabled by default and you will need to enable it by uncommenting the SYNC_SERVER option.
It's also not bad to set the PURGE_DENY option to 1w or something like that in case you block yourself out, so the entry will get purged after one week and you will be able to log in again.
Solution 2
First, define the filter for invalid users in filter.d/sshd-invaliduser.conf:
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
Then enable it in jail.local:
[sshd-invaliduser]
enabled = true
maxretry = 1
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
This works with fail2ban 0.9.6-2 on Debian 9.
Solution 3
This is deliberately not supported in fail2ban:
In other words, invalid users may get 2 attempts while invalid password for valid users get 5 attempts. How can that be done in fail2ban?
A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.
I found your question while trying to do the same thing, but now I've changed my mind. Apart from the secrecy benefit, why save an attacker time by cutting them off early?
Solution 4
Why not just deny all root logins entirely over SSH, rather than using Fail2Ban or other stuff? By doing that, and denying the use of the root login, you remove the issue of having to block everyone, because even if they guess the root password, it'll deny them login, regardless of how many times they try.
In /etc/ssh/sshd_config, find the line containing PermitRootLogin. Edit that with whatever text editor, but make sure you use sudo/gksudo (gksudo only if you're using a GUI text editor). Make that line I mentioned say PermitRootLogin no, then save, and do sudo service ssh restart.
(This answer was written for the incorrectly-stated initial question. This answer will not be modified to match the revised question, because that's beyond my ability to answer. I may delete THIS answer in future)
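A check that goes with the procedure above, added here as an example rather than code from the answer: sshd takes the first uncommented occurrence of a keyword and ignores later duplicates, and anything after a Match line applies only to matching connections, so editing the shipped "#PermitRootLogin" comment instead of adding an active line leaves root login at its default. The function below reads a config text (the excerpt is constructed) and reports the effective global value; the keyword/value parsing is a simplified reading of sshd_config syntax, not OpenSSH's own parser.

```python
import re

# Constructed sshd_config excerpt: the commented default line ships with the
# package, and a common mistake is to edit that comment instead of adding an
# active "PermitRootLogin no" line.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes

Match User deploy
    PermitRootLogin yes
"""


def global_option(config_text, keyword):
    """Return the effective global value of `keyword`, or None if unset.

    sshd uses the FIRST uncommented occurrence of a keyword; later duplicates
    are ignored. Keywords are case-insensitive, and the value may be separated
    by whitespace or a single '='. A Match line ends the global section, so
    lines after it only apply to connections matching its criteria.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # global section ended; Match blocks are out of scope here
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None  # not set: sshd falls back to its compiled-in default


def root_login_denied(config_text):
    """True only when the global PermitRootLogin value is explicitly 'no'."""
    return (global_option(config_text, "PermitRootLogin") or "").lower() == "no"


if __name__ == "__main__":
    print("PermitRootLogin =", global_option(SAMPLE_SSHD_CONFIG, "PermitRootLogin"))
    print("root login denied:", root_login_denied(SAMPLE_SSHD_CONFIG))
```

Run it against /etc/ssh/sshd_config after the edit; a None result means the commented line was edited rather than activated, and a value other than "no" means an earlier line wins over the one you added.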
slayton1213, updated on September 18, 2022
Comments
- slayton1213 (over 1 year): Is there a way to automatically block an IP address when a user tries to log in as any invalid username? I already have:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 31536000
in /etc/fail2ban/jail.conf
- slayton1213 (about 11 years): I do have that setting enabled; however, what I'm attempting to do is remove all unnecessary traffic to the server. I'm attempting to have an IP address banned after 3 attempts from using a wrong username, including root. I have had attempts to login with usernames like harry potter, sally... etc.
- Thomas Ward (about 11 years): @slayton1213 Based on your comment, I have revised your question and what it is asking, to be more specific to what your actual goal is. Please confirm I got that right.
- slayton1213 (about 11 years): Yes, this is correct.
- Jacob Rodrigues (over 5 years): What is the relevance of this to using fail2ban for SSH?
- Chris Woods (almost 5 years): This is an excellent answer, incredibly helpful. I augmented the failregex slightly to accommodate additional cases based on my SSH logs, as not everything was being caught. As well as the first line, I also use
^%(__prefix_line)sFailed password for invalid user .*? from <HOST>(?: port \d+)?\s*$
, specified on a new line below the first (use spaces, not tabs, to align them to the right hand side of the = equals sign, to avoid python interpreter issues). To test, run fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd-invaliduser.conf.
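A stand-alone way to exercise the failregex from Solution 2 and the extra line from the comment above, added here as an example (it is not code from either author nor from fail2ban): the script expands the two fail2ban placeholders, runs the patterns over constructed auth.log lines in OpenSSH's syslog format, counts failures per host the way a jail with maxretry would, and lists the lines nothing matched. The expansion of %(__prefix_line)s is a simplified assumption standing in for common.conf, and the <HOST> pattern follows the shape fail2ban substitutes; for the real thing, fail2ban-regex as the comment describes is the authoritative check.

```python
import re

# Stand-in for fail2ban's %(__prefix_line)s from common.conf: an optional
# syslog timestamp + hostname, then an optional "sshd[pid]: ". This expansion
# is an assumption made for this test, not fail2ban's own definition.
PREFIX_LINE = r"(?:\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ )?(?:sshd(?:\[\d+\])?: )?"
# Shape of fail2ban's <HOST> substitution: optional IPv4-mapped IPv6 prefix,
# then the address captured as the "host" group.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Pattern 1 is the failregex from Solution 2; pattern 2 is the extra line
# suggested in the comment above, exactly as written there.
FAILREGEX = [
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$",
    r"^%(__prefix_line)sFailed password for invalid user .*? from <HOST>(?: port \d+)?\s*$",
]


def compile_failregex(patterns):
    """Expand the two fail2ban placeholders and compile each pattern."""
    return [
        re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
        for p in patterns
    ]


def match_log(lines, patterns=FAILREGEX):
    """Count matches per host (what the jail bans on) and collect unmatched lines."""
    regexes = compile_failregex(patterns)
    hits, unmatched = {}, []
    for line in lines:
        for rx in regexes:
            m = rx.match(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
        else:
            unmatched.append(line)
    return hits, unmatched


def hosts_to_ban(hits, maxretry):
    """Hosts whose failure count reached the jail's maxretry, sorted."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed auth.log lines (RFC 5737 documentation addresses). OpenSSH ends
# "Failed password" lines with " ssh2", so the comment's pattern, which allows
# nothing after the port, does not catch that line; this check surfaces it.
SAMPLE_LOG = [
    "Sep 18 10:11:12 myhost sshd[1234]: Invalid user harry from 203.0.113.5 port 51234",
    "Sep 18 10:11:13 myhost sshd[1235]: Invalid user sally from 203.0.113.5 port 51236",
    "Sep 18 10:11:14 myhost sshd[1235]: Failed password for invalid user sally from 203.0.113.5 port 51236 ssh2",
    "Sep 18 10:13:00 myhost sshd[1260]: Illegal user test from 192.0.2.9",
    "Sep 18 10:14:00 myhost sshd[1270]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
]

if __name__ == "__main__":
    hits, unmatched = match_log(SAMPLE_LOG)
    print("failures per host:", hits)
    print("ban with maxretry=1:", hosts_to_ban(hits, 1))
    for line in unmatched:
        print("unmatched:", line)
```

Swap SAMPLE_LOG for lines read from your own auth.log or /var/log/secure before trusting a pattern; the point of the unmatched list is that a failregex only bans what it matches character for character, and log formats differ between OpenSSH versions and distributions.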
- Diagon (almost 5 years): If they know there is no root user, then they will become aware that the search space is dramatically larger than they had hoped, and may stop harassing my machine by trying to log in with that username. In fact, I'd be happy to let them know that there are no users using common usernames on my machine.
- farhany (almost 4 years): This is exactly what I was looking for. This takes care of the majority of connection attempts to my host with the general list of users like admin, sally, etc...