Prevent Brute-Force SSH Attacks With fail2ban

Today’s article is one I could have written long ago: how to prevent brute-force SSH attacks with fail2ban. The reason I haven’t written it yet is that the topic has either too much substance or too little. I think I can strike a middle ground here and write an article with just enough substance.

See, and we’ll get to this later in the article, most folks won’t need to do a whole lot more than just install it. You can configure it a great deal, but the defaults are just fine for most people. On top of that, you can even make fail2ban send you email reports, but we won’t be covering that in this article. Instead, we’ll largely have directions for installing fail2ban so that you can “prevent” brute-force attacks via SSH. I put “prevent” in quotes because a diligent attacker could time things, use varied IP addresses, and still try brute-forcing your login credentials.

I think we need to start at the beginning.

What is SSH:

SSH stands for “Secure Shell” and is a tool to connect to a server remotely. If you check the man page for SSH it is defined as:

ssh — OpenSSH remote login client

This allows you to connect two computers over the terminal. It also comes with SFTP so that you can securely transfer files. You can do a whole lot more with SSH, including forwarding the graphical environment.

Here are a few SSH articles:

Install SSH to Remotely Control Your Linux Computers
Check Your SSH Server Configuration
Show Failed SSH Login Attempts

Then, there are a whole lot more SSH articles. I love SSH, so there have been quite a few articles on the subject. It’s a tool that I use quite often. I encourage familiarity with SSH as it’s sometimes a useful tool to effect a repair on a computer that is otherwise unresponsive to local inputs.

Servers are typically managed with SSH. As you can imagine, servers are a juicy target for malicious people. This means that SSH is one of the means malicious people use to attack servers. One of the ways they do that is with ‘brute-force’.

What is Brute-Force:

There are many ways that one can try brute-forcing something. The name is as it implies. Rather than knowing the login credentials, they try to brute-force them. That means they’ll try one combination of username and password and then keep trying various combinations until they eventually crack the system and figure out the login information.

That is the goal. Their goal is to find the login credentials. Instead of finesse, they use brute force.

This can include a dictionary attack. This can include a progressive attack where they start at the letter a, then try aa, then try aaa, etc. until they find the login credentials. They may also have a list of commonly used usernames and passwords and will systematically work their way through it until they find their way in.

This is one of many attacks and a modern computer can make many attempts in a short amount of time. Add to this modern bandwidth speeds and you can get thousands of attacks in just a short amount of time. It goes even faster if they know one part of the data, such as the username of a privileged account.
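What this looks like from the server’s side is a run of failed logins from the same address in the authentication log, and counting those per address is exactly what fail2ban does before it bans anyone. The script below is an added example, not something from the article: it runs that count over a few constructed auth.log lines (the addresses are from the TEST-NET ranges reserved for documentation). It is a simplification of fail2ban’s sshd filter, which also matches other sshd messages and only counts hits inside its findtime window; here every “Failed password” line counts.

```shell
#!/bin/sh
# Added example (not from the article): count failed SSH logins per source
# address in a constructed auth.log excerpt, the way fail2ban's sshd filter
# does before deciding to ban. Simplified: no findtime window, and only the
# "Failed password" message is matched.

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges and belong to nobody.
SAMPLE_AUTH_LOG='Jun 12 10:15:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 12 10:15:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 12 10:15:07 host sshd[1204]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun 12 10:15:09 host sshd[1204]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun 12 10:15:11 host sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Jun 12 10:15:13 host sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Jun 12 10:16:40 host sshd[1210]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Jun 12 10:16:48 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2: ED25519 SHA256:constructed
Jun 12 10:17:02 host sshd[1215]: Failed password for bob from 198.51.100.7 port 51010 ssh2'

# failed_logins MAXRETRY: read sshd log lines on stdin and print
# "ADDRESS COUNT" for every source address with at least MAXRETRY failures.
failed_logins() {
  maxretry="$1"
  awk -v max="$maxretry" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the source address is the field right after the word "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
    }
    END { for (ip in hits) if (hits[ip] >= max) print ip, hits[ip] }
  ' | sort
}

# With fail2ban's default threshold of 5 retries, 203.0.113.5 (6 failures)
# would be banned and 198.51.100.7 (2 failures, then a valid key login) would not.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins 5
```

On a real host you would feed it `sudo cat /var/log/auth.log` (or `journalctl -u ssh`) instead of the sample; the same count is what you see reflected in fail2ban’s “Total failed” figure once it is running.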

Enter fail2ban:

If you’re using a major distro, you have fail2ban available one way or another. It’s usually easily installed and in your default repositories. Once installed, you can check the man page, where fail2ban is described as:

fail2ban – a set of server and client programs to limit brute force authentication attempts.

So, as you can see, fail2ban is the correct tool for the job. After all, and as the headline suggests, we’re trying to prevent brute-force SSH attacks with fail2ban.

Installing fail2ban:

We’ll be using a terminal to install fail2ban. You may also need to remotely connect to the server on which you want to install fail2ban. That too will require a terminal (or some SSH application like PuTTY). Simply press CTRL + ALT + T and your default terminal should open. If not, you can open a terminal from your application menu.

With your terminal now open, we can install fail2ban.

Debian/Ubuntu/etc:

RHEL/CentOS/etc:

Fedora with dnf:

I believe those are correct. That’s what is in my notes. If they’re not correct, please leave a comment and I’ll update the article. Other distros will have fail2ban available, just search your default repositories and you’ll likely find fail2ban available for installation.

Using fail2ban:

Now that you’ve installed fail2ban, you’re pretty much done. The default configuration is pretty much all you need – but you can customize it. There are a bunch of options available, so you can configure fail2ban in many ways. There are so many ways that we won’t be covering them. They’re reasonably obvious.

Once installed, fail2ban should start automatically. If it doesn’t, run this command to start it:

Next, we’ll make sure to enable fail2ban to start at boot time. That’s this command:

I assume that you’ll want to at least examine the configuration files and I’ll get you started with that. The first thing you want to do is cd to the right directory.

If you run ls you’ll see that there’s a file called jail.conf, and you do not want to edit that file itself. Instead, fail2ban reads its settings from a file called jail.local in preference to jail.conf. To make that file, you run the following command:

sudo cp jail.conf jail.local 

Next, you might want to make a backup of that jail.local file. 

You can now use Nano to edit your fail2ban configurations:

As you can now see, there are a bunch of options available. There are far too many to explain here, but they’re fairly well described. If any of the options confuse you, you can get help on the man page (man fail2ban).

After you’ve set fail2ban’s configuration files the way you want them, you’ll need to restart the service for the changes to take effect. That’s done like this:

If you screw up the configuration, just remove the jail.local with this command:

Then restore from your backup like this:

Then, of course, restart the service with this command:

There are a lot of options with this application. You can explore them at your leisure, though I find the defaults to be adequate for most of my needs. As mentioned above, you can install sendmail and have the system send you notification emails. There are many other options as well.
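To tie the steps above together, here is an added example that is not the article’s own set of commands. It writes a minimal jail.local that turns the sshd jail on with tighter limits, checks that the file says what you think it says, and pulls the banned addresses out of the output of fail2ban-client status sshd, which is the quickest way to confirm the jail is really working. It assumes a Debian/Ubuntu host with systemd (the apt line is the only distro-specific part), and takes the configuration directory as an argument so it can be tried against a scratch directory instead of /etc/fail2ban. The sample status output is constructed, with documentation (TEST-NET) addresses standing in for real offenders.

```shell
#!/bin/sh
# Added example (not the article's own commands): a minimal jail.local that
# enables fail2ban's sshd jail, plus a helper that extracts the banned
# addresses from "fail2ban-client status sshd". Assumes Debian/Ubuntu + systemd.

# write_sshd_override DIR: write DIR/jail.local. DIR stands in for /etc/fail2ban
# so the function can be exercised against a scratch directory. fail2ban reads
# jail.conf first and then jail.local, so only the keys listed here change.
write_sshd_override() {
  cat > "$1/jail.local" <<'EOF'
[DEFAULT]
# ban for one hour after 3 failures seen within 10 minutes
bantime  = 1h
findtime = 10m
maxretry = 3
# read sshd messages from the journal; needed on hosts without /var/log/auth.log
backend  = systemd

[sshd]
enabled = true
EOF
}

# sshd_jail_enabled DIR: succeed only if DIR/jail.local turns the sshd jail on.
sshd_jail_enabled() {
  awk '/^\[/ { section = $0 }
       section == "[sshd]" && /^enabled *= *true/ { found = 1 }
       END { exit !found }' "$1/jail.local"
}

# banned_ips: read "fail2ban-client status sshd" output on stdin and print the
# space-separated banned address list (prints nothing when nothing is banned).
banned_ips() {
  awk '/Banned IP list:/ { sub(/.*Banned IP list:[ \t]*/, ""); print }'
}

# Constructed sample of the status output (documentation addresses, not real).
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     42
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     7
   `- Banned IP list:   203.0.113.5 198.51.100.7'

# apply_on_host: the article's steps, run for real (needs sudo). Only runs
# when this file is invoked as "sh thisfile.sh apply".
apply_on_host() {
  staging=$(mktemp -d)
  write_sshd_override "$staging"
  sudo apt install -y fail2ban
  sudo install -m 644 "$staging/jail.local" /etc/fail2ban/jail.local
  sudo systemctl enable --now fail2ban   # start now and at every boot
  sudo systemctl restart fail2ban        # pick up jail.local
  sudo fail2ban-client status sshd | banned_ips
}

if [ "${1:-}" = "apply" ]; then apply_on_host; fi
```

The minimal file is an alternative to copying the whole jail.conf as the article does: both work, but an override file that only holds the keys you changed is easier to review and survives package upgrades that ship a new jail.conf. The backend = systemd line is there because recent Debian releases no longer install a syslog daemon by default, so /var/log/auth.log may not exist and the sshd jail would otherwise fail to start.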

Closure:

Like I said in the beginning, there’s a lot of substance with fail2ban. There’s a lot to it. If I added more to the article, it’d end up quite long. I may write a bit more about this application, but I don’t want to end up with a 2500-word article that will make your eyes gloss over. That doesn’t do me any good and it doesn’t do most people any good. Most folks are going to be fine with the basics before they explore the configuration options on their own.

If you do have a server (or even a personal computer) that’s running SSH, it’s worth your time to install fail2ban. If there’s any chance that someone can try to brute-force your system, they will.

Some bots crawl the ‘net looking for servers that respond on the default SSH ports. They can and will find you. You can also change the port SSH uses for some added obscurity (but remember that obscurity isn’t really security). So, it’s a good idea to prevent brute-force SSH attacks with fail2ban. Yes, it’s a good idea even for us ‘little guys’ who aren’t running servers with valuable information on them.  

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

How To: Change DNS Servers

Today’s article shouldn’t be all that difficult for even our newest users but is limited to those who want to change DNS servers to something other than the default. This is easy enough to do, but obscure enough to warrant an article of its own. 

First, let’s have some fun. I’m going to ask ChatGPT to tell you about DNS in just two paragraphs. So, let’s see what the AI has to say:

First, what is DNS?

DNS, or the Domain Name System, is a fundamental protocol used in computer networks to translate human-readable domain names into machine-readable IP addresses. It serves as a decentralized directory system that enables users to access websites, send emails, and perform various network activities using familiar domain names instead of numerical IP addresses. When a user enters a domain name in their web browser, the DNS resolver (typically provided by the Internet Service Provider or ISP) initiates a series of queries to locate the corresponding IP address. The resolver communicates with DNS servers, starting from the root servers, then the top-level domain servers, and finally the authoritative name servers associated with the requested domain. Through this hierarchical process, DNS ensures efficient and accurate resolution of domain names, facilitating seamless internet connectivity.

DNS operates through a distributed database system known as the DNS namespace. This namespace is organized hierarchically, with the root domain at the top, followed by top-level domains (TLDs) like .com, .org, or country-specific domains such as .us or .uk. Beneath the TLDs, there are second-level domains, and further subdivisions like subdomains. Each domain has authoritative name servers that store the IP addresses associated with the domain names they manage. DNS resolution occurs through recursive queries, where the resolver traverses the DNS hierarchy to find the authoritative name servers responsible for the domain. Once the IP address is obtained, the resolver caches it for future use, reducing the need for repetitive queries. DNS plays a crucial role in the functioning of the internet by providing a scalable and efficient method for translating domain names to IP addresses, enabling seamless communication and accessibility across the network.

Wow! That’s pretty accurate. I’d have just resorted to describing DNS as the telephone book of the internet. You look up the name you want to reach and DNS tells you the number. In this case, the number is the IP address.

All in all, I’d say ChatGPT did a pretty fine job.

Change DNS Servers:

There are a variety of reasons why someone would want to change DNS servers to something else. They may get updated more quickly, weed out junk domains, or even remove ads and things like that. Maybe you want to weed out inappropriate material because you have children. Perhaps you have some custom configurations needed to traverse your complex local network. There are all sorts of reasons why you might want to change DNS servers.

See, as alluded to above, it’s perfectly possible to run your own DNS server (see Pi-hole for one such example). You can also use DNS servers provided by various third parties. For example, Cloudflare and Google offer their own DNS servers that are free for you to use. There are other choices, but this isn’t an encyclopedia writ large, so I’m going to just include those two. You can use your favorite search engine to find more.

So, let’s say you don’t like using a DNS server provided by your ISP. Perhaps you do this because of privacy issues, though you can look into DNS over HTTPS if you’d like. Perhaps you just don’t find them updated quickly enough or you’ve found they contain errors. (They do sometimes have issues and have even been known to be exploited in the past.)

NOTE: We’ll be using ‘nano’ for this exercise. We’ll also default to Google’s public DNS servers, but you can substitute whatever you find available.

Well, the first step you’re going to take is opening your terminal. You can do that by just pressing CTRL + ALT + T. In most distros, that will open the default terminal emulator. If your distro doesn’t do so, start mucking about with the keybindings until it does!

The file we’ll be editing doesn’t actually exist on most distros. That’s not a problem, because we’ll be making that file with nano. With your terminal open, enter the following command:

That should be a perfectly blank file and you’ll want to enter the following (again, using Google’s public DNS servers) to change DNS servers:

Then, you’ll save the file with Nano. That’s pretty easy. To save this new resolv.conf file with nano, you just press CTRL + X, then Y, and then ENTER.

Next, you’ll need to reboot. I know this will pain some of you, but I’ve yet to have a sure way to effect these changes other than rebooting. So, you’ve gotta do that. Try this command:

Now that you’ve managed to change DNS servers, you should be able to browse around much as you normally would. Remember, the people in charge of the DNS servers are the ones that decide where you go when you enter an address into the address bar and smash that enter button.

Be sure to use a company you trust to provide those services and be sure to verify your internet is still working properly. If it’s not working, you can remove the file and reboot, or you can edit it again and try rebooting again. It shouldn’t be a problem in reality; this isn’t anything all that complicated.
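One thing worth checking before you edit: on many current distros /etc/resolv.conf is not a plain file at all but is generated by systemd-resolved or NetworkManager, and a hand edit gets silently overwritten, which is the usual reason a change like the one above seems not to stick. The script below is an added example, not part of the article. It reports who appears to own the file, writes the static two-nameserver file the article describes (defaulting to Google’s public resolvers, as above), and reads the nameservers back. The file path is a parameter so you can try it against a scratch file before touching the real one.

```shell
#!/bin/sh
# Added example (not from the article): find out who manages resolv.conf, then
# write and read back a static resolver list. Defaults to Google's public DNS.

# resolv_owner FILE: print "systemd-resolved", "NetworkManager", "resolvconf"
# or "static" depending on who appears to manage FILE.
resolv_owner() {
  f="$1"
  if [ -L "$f" ]; then
    # systemd-resolved replaces the file with a symlink into /run/systemd/resolve/
    case "$(readlink "$f")" in
      */systemd/resolve/*) echo systemd-resolved; return ;;
    esac
  fi
  if grep -q 'Generated by NetworkManager' "$f" 2>/dev/null; then
    echo NetworkManager
  elif grep -qi 'generated by resolvconf' "$f" 2>/dev/null; then
    echo resolvconf
  else
    echo static
  fi
}

# write_resolv_conf FILE [NS1 [NS2]]: write a static resolver list to FILE.
write_resolv_conf() {
  f="$1"; ns1="${2:-8.8.8.8}"; ns2="${3:-8.8.4.4}"
  printf 'nameserver %s\nnameserver %s\n' "$ns1" "$ns2" > "$f"
}

# nameservers FILE: list the nameserver addresses FILE declares, one per line.
nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# Demonstration against a scratch file rather than /etc/resolv.conf.
scratch=$(mktemp)
write_resolv_conf "$scratch"
echo "owner: $(resolv_owner "$scratch")"
nameservers "$scratch"
rm -f "$scratch"
```

On a real host, run resolv_owner /etc/resolv.conf first. If it prints “static”, the article’s edit will stick. If it prints “systemd-resolved”, change the resolvers through that service instead (for example `resolvectl dns <interface> 8.8.8.8 8.8.4.4`, or a DNS= line in /etc/systemd/resolved.conf), and if it prints “NetworkManager”, set them on the connection in NetworkManager; otherwise the next network event quietly puts the old servers back.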

Closure:

So, there you have it. It’s yet another article. This time around we discussed how to change DNS servers – along with some reasons as to why you might want to. If you have a spare bit of hardware kicking about, you can make your own DNS server and point to that with the internal addresses you’d be using. It’s nothing too painful and I think even beginning Linux users can follow along easily enough.


Show A Specific Networking Interface

Today, I’m just going to write about a simple task, how to show a specific networking interface. This seems like a good short article. It won’t be too complicated and it’s suitable for a beginner. Read on, if you are interested in learning how to get the information for just a specific networking interface.

It’s also suitable for most people, as most people only need information from a single, specific networking interface. Most folks reading this site are home users of Linux and it’s quite likely that they’re only connecting over one network interface, be it ethernet or wifi. Frequently, you only need to show a specific networking interface when gathering information from the terminal.

If you’re still using ‘ifconfig’ you can close this tab immediately. The tool is deprecated and we’ll just be using the ‘ip’ command. Odds are good that your distro has already moved away and is using the ip command. If your distro hasn’t done so, it should be noted that the process of deprecating ‘net-tools’ (from which you get ifconfig) started in like 2001. You may still have the legacy tool, but we won’t be covering it.

Anyhow…

That’s a long intro for something this short…

Show A Specific Networking Interface:

This is yet another article that requires an open terminal. So, crack open your favorite terminal. If you don’t know how to open the terminal, you can do so with your keyboard – just press CTRL + ALT + T and your default terminal should open.

With your terminal open, you can run the following command:

You can even run:

Or, you can get that information for a specific networking interface. To do so, we just use the first command, like so:

For example, if your NIC is called ‘eth0’, the command would look like this:

The output from that command will be just the information about that specific networking interface. You won’t have the clutter of the first two commands listed and it will only show the device you specify. If you’ve only got one network interface in use, you can just store the final command in your memory for when you need to check some of your networking information.
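When you want that per-interface information inside a script rather than on screen, the ip command’s -o flag is the one to reach for: it prints one address per line, which is much easier to parse than the default layout. The example below is added here and is not the article’s own command. It parses ip -o addr show output (a constructed sample with documentation addresses is included so it runs without a network) and prints the addresses, or just the bare IPv4 address, for a named interface.

```shell
#!/bin/sh
# Added example (not the article's own command): pull the addresses of one
# interface out of "ip -o addr show", which prints one address per line.

# iface_addrs NAME: read "ip -o addr show" output on stdin and print
# "FAMILY ADDRESS" for each address assigned to interface NAME.
# In -o output field 2 is the interface name, 3 the family, 4 the address.
iface_addrs() {
  awk -v name="$1" '$2 == name { print $3, $4 }'
}

# iface_ipv4 NAME: like iface_addrs, but only the IPv4 address, prefix stripped,
# which is the form firewall rules and scripts usually want.
iface_ipv4() {
  awk -v name="$1" '$2 == name && $3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# show_iface NAME: the live version, for use on a real host.
show_iface() {
  ip -o addr show dev "$1" | iface_addrs "$1"
}

# Constructed sample of "ip -o addr show" output (documentation addresses).
SAMPLE_IP_O='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 86399sec preferred_lft 86399sec
2: eth0    inet6 2001:db8::10/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

printf '%s\n' "$SAMPLE_IP_O" | iface_addrs eth0
printf '%s\n' "$SAMPLE_IP_O" | iface_ipv4 eth0
```

Asking for a name that does not exist simply prints nothing, so a script can test for an empty result rather than having to scrape an error message.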

Closure:

See? I told you that it’d be quick and easy. Not all of these articles need to be long and complicated. Besides, my 2-year anniversary is coming up, meaning a short and simple article is a good thing. I don’t want to burn out or anything, not at this stage of the game.


Another Way To Find A Website’s IP Address

Today’s article will just be a fun one, where we cover yet another way to find a website’s IP address. It’s mostly for fun but it’ll also introduce you to another tool for your terminal-toolbox. After all, there’s almost always more than one way to do things in Linux, including finding a website’s IP address.

So, today we’ll be using a tool I don’t think I’ve covered before. While we have done the website IP address thing before, I don’t see the ‘nslookup’ tool anywhere in the site’s history. We might as well, as I could use a quick and easy article today, as I’ve been busy making a delicious ham.

Odds are good that you have nslookup installed by default. If you don’t, it’ll be easy enough to install with your package manager. If you check the man page, you’ll find the tool describes itself as:

nslookup – query Internet name servers interactively

And, yeah, that’s what we’ll do with nslookup. We will use it to do what it’s designed to do. We do that often around here and, of course, we’ll be doing all this in the terminal. I’m sure there’s some GUI tool you could use, but every Linux distro that I know of comes with a terminal. It just makes good sense for most articles!

Well, that’s enough blathering about what you’re going to read…

Find A Website’s IP Address:

As the intro mentioned, we’ll be doing this in the terminal. So… Open a terminal of your choosing. If you don’t know how to open the terminal, you can do so with your keyboard – just press CTRL + ALT + T.

With your terminal now open, the syntax is simple:

You’ll often get more than one IP address in the answer, but that’s because sites will often respond on more than one IP address. For example (and considering that I’m behind a CDN), this site would look like this:

See? It’ll answer on an IPv4 or an IPv6 address at this time. Pretty easy, huh?

Go ahead and try using nslookup to find the IP addresses of your favorite sites. There’s no harm in doing so and it can be a useful bit of information – though usually, that’s more useful for the site’s admin. Still, it can be a handy bit of information.
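One thing that trips people up when they script around nslookup is that the first Address: line it prints is the resolver it asked, not the site. The example below is added here and is not from the article: it keeps only the answer addresses, and wraps a lookup that can be pointed at a specific resolver, which is a cheap sanity check when you suspect the one you normally use is handing out bad answers. The sample output is constructed with documentation addresses so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article): extract only the answer addresses
# from nslookup output, skipping the resolver's own "Address:" line.

# nslookup_answers: read nslookup output on stdin, print answer addresses only.
# Answer records come after a "Name:" line; the resolver's address does not.
nslookup_answers() {
  awk '
    /^Name:/ { in_answer = 1; next }
    in_answer && /^Address:/ { print $2 }
  '
}

# site_addrs HOST [RESOLVER]: live lookup, optionally through a given resolver,
# e.g. site_addrs example.com 8.8.8.8 to compare against your default resolver.
site_addrs() {
  nslookup "$1" ${2:+"$2"} | nslookup_answers
}

# Constructed sample of nslookup output (documentation addresses, not real).
SAMPLE_NSLOOKUP='Server:   127.0.0.53
Address:  127.0.0.53#53

Non-authoritative answer:
Name:   example.invalid
Address: 192.0.2.44
Name:   example.invalid
Address: 2001:db8::44'

printf '%s\n' "$SAMPLE_NSLOOKUP" | nslookup_answers
```

Running site_addrs for the same host against two different resolvers and comparing the lists is a reasonable first check when a site resolves somewhere unexpected; bear in mind that sites behind a CDN legitimately return different addresses depending on where the query comes from.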

Closure:

There! See? Another quick and easy article. This time, we’ve shown another way to find a website’s IP address. It’s not complicated and the output is easy enough to process. Enjoy the tool and have fun with it.


A Couple More Ways To Find Your Network Interfaces

Today’s article is mostly just for fun, as we examine a couple more ways to find your network interfaces! I’ve shown you a variety of ways at this point, but this is Linux. If you just want to have some fun finding your network interfaces, read on – ’cause this article is meant for those who like to travel a different path!

One of the things that make Linux so awesome is the myriad choices we have. There are so many different ways to accomplish the same goal. In fact, we sometimes get defensive about ‘our way’ of accomplishing things. It can make for some amusing (and sometimes a bit heated) discussions. 

Anyhow, I’ve covered this before. I’ve even covered it recently, which is why this is still fresh in my memory. You can start with this article if you want:

How To: Show Your Network Interfaces

Just to touch on it, a network interface is a device that your computer uses to communicate over the network. In most folks’ cases, you’ll locally use your network interface to connect to the Internet, perhaps first to your router or modem. These networking devices have names.

It’s important to be able to point to a specific networking interface, which is why they have names. If you want to issue commands, you want to send them to the right networking interface. If you want to monitor a connection, you need to know the correct name for the network interface.

So, these network interfaces have names. These names should be unique in your system, meaning you shouldn’t have more than one device per name. The names should not be shared among the devices and each working networking interface should have a name of its own.

If you want to know the network interface names, this article’s for you…

Find Your Network Interfaces Continued:

This article requires an open terminal, like many other articles on this site. If you don’t know how to open the terminal, you can do so with your keyboard – just press CTRL + ALT + T and your default terminal should open.

With your terminal now open, we’re going to show you a couple of new ways to find your network interfaces. It’ll be fun!

For starters, and probably one I should have already covered, we’ll use a command we’ve covered here and here. We’ll use the ‘netstat’ command, and the ‘netstat’ command you need to find your network interfaces is simply:

(If you don’t have ‘netstat’ available, install the ‘net-tools’ package from your distro’s repositories. It’s almost certainly available.) The output is nice and clear and will show you the names of your network interfaces.

The next command we’ll use is one we’ve used many times before. It’s just a two-letter command, so trying to search for it (on this site) is nigh on impossible – but you can be certain that we’ve used it before. (We’ve at least covered sorting and formatting the output from the ‘ls’ command.)

Anyhow, the command we’ll use to list the network interfaces is just this simple one:

That ‘ls’ command should spit out a list of your network interfaces all nice and easy. If there’s going to be one command that’ll work on any system, it might be this one.

Speaking of which, as this is Linux, there are all sorts of ways to accomplish goals. That also means they won’t always work on every system. You may need to try multiple commands to get the output you’re after – but both of today’s commands should result in you getting the names of your network interfaces (even if you have to install ‘net-tools’ to do so).
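Listing the kernel’s network directory can be taken one step further: each physical NIC has a device link under /sys/class/net/NAME pointing at the bus device it is attached to, while loopback, bridges, tunnels and container veth pairs have none. The script below is an added example, not the article’s own command, and uses that to label each interface as physical or virtual, which is handy when a box has sprouted interfaces you did not create. The directory is a parameter so the function can be run against a constructed sysfs lookalike; on a real host call it with no argument.

```shell
#!/bin/sh
# Added example (not the article's own command): list interfaces from sysfs and
# say whether each is a physical device or a virtual one.

# list_interfaces [ROOT]: print "NAME physical|virtual" for every entry under
# ROOT (default /sys/class/net), sorted by name.
list_interfaces() {
  root="${1:-/sys/class/net}"
  for path in "$root"/*; do
    [ -e "$path" ] || continue          # empty directory: the glob stays literal
    name=$(basename "$path")
    if [ -e "$path/device" ]; then      # only real hardware has a bus device link
      echo "$name physical"
    else
      echo "$name virtual"
    fi
  done | sort
}

# Demonstration over a constructed sysfs lookalike, not the real /sys.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/eth0/device" "$demo_root/wlan0/device" \
         "$demo_root/lo" "$demo_root/docker0" "$demo_root/veth1a2b"
list_interfaces "$demo_root"
rm -r "$demo_root"
```

On a real host the same function run with no argument gives a quick inventory; a virtual interface you do not recognise (an unexpected tunnel or bridge, say) is worth a closer look, since it is usually either leftover container plumbing or something that should not be there.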

Closure:

There you have it, another easy article. Ugh… I do wish I was feeling a bit more up to snuff. Meh… At least I’m writing and writing this sort of stuff. In this case, it’s another article that’ll show you how to find your network interfaces. It’s information worth having. They’re tools that will go well in your growing toolkit of Linux tools.
