Prevent Brute-Force SSH Attacks With fail2ban

Today’s article is one I could have already written and it’s about how to prevent brute-force SSH attacks with fail2ban. The reason I haven’t written it yet is because it either has too much substance or too little substance. I think I can strike a middle-of-the-road here and write an article with just enough substance.

See, and we’ll get to this later in the article, most folks won’t need to do a whole lot more than just install it. You can configure it a great deal, but the defaults are just fine for most people. On top of that, you can even make fail2ban send you email reports but we won’t be covering that in this article. Instead, we’ll largely have directions for installing fail2ban so that you can “prevent” brute-force attacks via SSH. I put the “prevent” in quotes because a diligent attacker could time things, use varied IP addresses, and try brute forcing your login credentials.

I think we need to start at the beginning.

What is SSH:

SSH stands for “Secure Shell” and is a tool to connect to a server remotely. If you check the man page for SSH it is defined as:

ssh — OpenSSH remote login client

This allows you to connect two computers over the terminal. It also comes with SFTP so that you can securely transfer files. You can do a whole lot more with SSH, including forwarding the graphical environment.

Here are a few SSH articles:

Install SSH to Remotely Control Your Linux Computers
Check Your SSH Server Configuration
Show Failed SSH Login Attempts

Then, there are a whole lot more SSH articles. I love SSH, so there have been quite a few articles on the subject. It’s a tool that I use quite often. I encourage familiarity with SSH as it’s sometimes a useful tool to effect a repair on a computer that is otherwise unresponsive to local inputs.

Servers are typically managed with SSH. As you can imagine, servers are a juicy target for malicious people. This means that SSH is one of the means that malicious people will use to attack servers. One of the ways they do that is with ‘brute-force’.

What is Brute-Force:

There are many ways that one can try brute-forcing something. The name is as it implies. Rather than knowing the login credentials, they try to brute force them. That means they’ll try one combination of username and password and then keep trying various combinations until they eventually crack the system and figure out the login information.

That is the goal. Their goal is to find the login credentials. Instead of finesse, they use brute force.

This can include a dictionary attack. This can include a progressive attack where they start at the letter a, then try aa, then try aaa, etc. until they find the login credentials. They may also have a list of commonly used usernames and passwords and will systematically work their way through this until they find their way in.

This is one of many attacks and a modern computer can make many attempts in a short amount of time. Add to this modern bandwidth speeds and you can get thousands of attacks in just a short amount of time. It goes even faster if they know one part of the data, such as the username of a privileged account.

Enter fail2ban:

If you’re using a major distro, you have fail2ban available, one way or another. It’s usually easily installed and in your default repositories. When you do install it, you can check the man page. However, fail2ban is described as:

fail2ban – a set of server and client programs to limit brute force authentication attempts.

So, as you can see, fail2ban is the correct tool for the job. After all, and as the headline suggests, we’re trying to prevent brute-force SSH attacks with fail2ban.
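
To make the mechanism concrete, here is an added example (not code from the original article and not fail2ban's own source) that models the per-IP counting fail2ban applies to failed SSH logins, and shows the limitation mentioned at the top of the article: slow or spread-out attempts stay under a per-IP threshold. The log lines are constructed, the addresses come from the documentation ranges, and the thresholds (5 failures in 10 minutes, 10-minute ban) are assumptions chosen to mirror common defaults; check your own jail.conf. The per-account count at the end goes beyond what the article covers.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd's "Failed password" message. The ISO 8601 timestamp prefix is
# an assumption made for this constructed sample log.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10),
              bantime=timedelta(minutes=10)):
    """Return [(ip, time_of_ban)] using a per-IP sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    banned_until = {}            # ip -> moment the ban expires
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if ts < banned_until.get(ip, datetime.min):
            continue  # while banned, the firewall drops this traffic
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + bantime
            window.clear()
    return bans


def failures_by_account(lines):
    """Count failures per target account, regardless of source address.

    A per-IP threshold misses slow or spread-out attempts; a per-account
    count still shows that one account is being hammered.
    """
    return Counter(m["user"] for m in map(FAILED.match, lines) if m)


def make_line(ts, ip, user="root", ok=False):
    """Build one constructed sshd log line (sample data, not a real log)."""
    verb = "Accepted" if ok else "Failed"
    return (f"{ts.isoformat()} host sshd[811]: {verb} password for "
            f"{user} from {ip} port 40000 ssh2")


T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE = sorted(
    # Burst: 8 failures, 8 seconds apart, from one address.
    [make_line(T0 + timedelta(seconds=8 * i), "192.0.2.10") for i in range(8)]
    # Slow: 6 failures, 15 minutes apart, never 5 inside one findtime window.
    + [make_line(T0 + timedelta(minutes=15 * i), "198.51.100.7")
       for i in range(6)]
    # Legitimate user: two typos, then a successful login.
    + [make_line(T0 + timedelta(seconds=60 + s), "203.0.113.5", "alice",
                 ok=(s == 20)) for s in (0, 10, 20)]
)  # ISO timestamps sort chronologically as plain strings

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE):
        print(f"ban {ip} at {when.isoformat()}")
    for user, count in failures_by_account(SAMPLE).most_common():
        print(f"{count:3d} failed logins for account {user}")
```

With the thresholds above, only the burst from 192.0.2.10 is banned, while the per-account count still shows 14 failures against root. That gap is why key-based logins are worth adding on top of fail2ban.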

Installing fail2ban:

We’ll be using a terminal to install fail2ban. You may also need to remotely connect to the server on which you want to install fail2ban. That too will require a terminal (or some SSH application like PuTTY). Simply press CTRL + ALT + T and your default terminal should open. If not, you can open a terminal from your application menu.

With your terminal now open, we can install fail2ban.

Debian/Ubuntu/etc:

RHEL/CentOS/etc:

Fedora with dnf:

I believe those are correct. That’s what is in my notes. If they’re not correct, please leave a comment and I’ll update the article. Other distros will have fail2ban available, just search your default repositories and you’ll likely find fail2ban available for installation.

Using fail2ban:

Now that you’ve installed fail2ban, you’re pretty much done. The default configuration is pretty much all you need – but you can customize it. There are a bunch of options available, so you can configure fail2ban in many ways. There are so many ways that we won’t be covering them. They’re reasonably obvious.

Once installed, fail2ban should start automatically. If it doesn’t, run this command to start it:

Next, we’ll make sure to enable fail2ban to start at boot time. That’s this command:

I assume that you’ll want to at least examine the configuration files and I’ll get you started with that. The first thing you want to do is cd to the right directory.

If you run ls you’ll see that there’s a file called jail.conf and you do not want to edit this file itself. Instead, fail2ban will look for configurations in a file called jail.local first. To make that file, you run the following command:

sudo cp jail.conf jail.local 

Next, you might want to make a backup of that jail.local file. 

You can now use Nano to edit your fail2ban configurations:

As you can now see, there are a bunch of options available. They’re far too many to explain here but they’re fairly well described. If any of the options confuse you, you can get help on the man page (man fail2ban).

After you’ve set fail2ban’s configuration files the way you want them, you’ll need to restart the service for the changes to take effect. That’s done like this:

If you screw up the configuration, just remove the jail.local with this command:

Then restore from your backup like this:

Then, of course, restart the service with this command:

There are a lot of options with this application. You can explore them at your leisure, though I find the defaults to be adequate for most of my needs. As mentioned above, you can install sendmail and have the system send you notification emails. There are many other options as well.

Closure:

Like I said in the beginning, there’s a lot of substance with fail2ban. There’s a lot to it. If I added more to the article, it’d end up quite long. I may write a bit more about this application, but I don’t want to end up with a 2500-word article that will make your eyes gloss over. That doesn’t do me any good and it doesn’t do most people any good. Most folks are going to be fine with the basics before they explore the configuration options on their own.

If you do have a server (or even a personal computer) that’s running SSH, it’s worth your time to install fail2ban. If there’s any chance that someone can try to brute-force your system, they will.

Some bots crawl the ‘net looking for servers that respond on the default SSH ports. They can and will find you. You can also change the port SSH uses for some added obscurity (but remember that obscurity isn’t really security). So, it’s a good idea to prevent brute-force SSH attacks with fail2ban. Yes, it’s a good idea even for us ‘little guys’ who aren’t running servers with valuable information on them.  

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.


Make Passwords In The Linux Terminal

Today’s article should be fairly simple and is about something we all use because it’s about how to make passwords in the Linux terminal. Assuming my writing chops are up for it, this article should be easy for everyone to follow. I’ll do my best. It might not even be a very long article.

I don’t think I need to explain passwords to any modern computer user. Even mobile users use passwords. The rare people who don’t use this technology will likely still use a PIN for things like their ATMs and credit cards. A PIN is just a numeric password.

I think it’s safe to say that we all know what a password is and why we use one. I’m not sure we all understand how to create good passwords, but we all use them. Perhaps this xkcd comic will amuse you:

xkcd's thoughts on passwords
Hopefully, this works as a hotlink, per xkcd’s request. I also can’t resize it. Ah well…

I have written about passwords in the past. One of the first articles on this site was about generating complex passwords. Here’s a link:

How To: Generate Sufficiently Complex Passwords In The Terminal

There isn’t much to add about passwords. It’s safe to assume we’re on the same page and that we’ve all used many passwords in our lives. I guess it’s then time to move along to the software we’ll be using to generate passwords in the Linux terminal.

Installing makepasswd:

In a previous article, we made complex passwords (with some degree of randomness) in the Linux terminal with a tool known as ‘pwgen’. You’ll find that pwgen is perfectly adequate and does a fine job at creating unique passwords in the terminal.

This time around, as we accomplish the very same task, we’ll be using a tool known as makepasswd. When you install makepasswd you’ll see that it has some small dependencies involving encryption and randomness. That makes some sense when you see how makepasswd is described on the man page.

makepasswd – generate and/or encrypt passwords

We’ll be doing that first bit – that is generating passwords.

You will need an open terminal to follow along in this next section. You can also use your graphical software installer, assuming you have one. To open your terminal, you can usually just press CTRL + ALT + T

With your terminal now open, choose the right command for your distro:

Debian/Ubuntu/etc:

OpenSUSE/SUSE/etc:

Arch/Manjaro/etc:

RHEL/CentOS/etc:

You’ll find that makepasswd is available for other distros, but I’m not sure of the installation commands and don’t want to steer you wrong. As it stands, I’m pulling these from my notes and haven’t tested them to ensure the commands are current. If they’re not current, please leave a comment so that I can update them accordingly.

Now that you have makepasswd installed…

Make Passwords In The Linux Terminal:

If you used a GUI tool to install makepasswd, or if you closed the terminal after installing makepasswd, you’ll need to open a terminal. Fortunately, I told you how to do that in the previous section. If you want to use makepasswd to make passwords in the Linux terminal, you will of course need an open Linux terminal.

With the terminal now open, you can check the man page for more information about the makepasswd application. That’s done like so:

The application is pretty simple, at least for our needs. If you just want to generate a password that’s 12 characters long, you’d run this command:

An example output might be something like this:

If you want to use certain characters, you can use the --string flag. So, if you wanted to generate a 12 character password with just numbers, you’d use a command that looks like this:

An example output might be something like this:

So, I suppose, you could even use this as a tool to generate a pseudorandom PIN for your debit card. 

If you want to generate a list of passwords so that you can pick the one you like from the list, you can do that as well. That command would look a little bit like the following command:

For some reason, it seems to only want to output a maximum number of characters in that command and the maximum number is 10. Do not ask me why, but the option is there and the output of that command might look a bit like this:

You can do quite a bit more with the makepasswd application. As mentioned above, check the man page. You can seed your passwords, you can encrypt them, get the hashed password value, and more. You could even take the above command and output it to a text file called passwords.txt. You’d do that like this:

As you can see in that command, I’ve included the --maxchars flag. You can set both the minimum number of characters and the maximum number of characters with the two flags used in the above two commands.

See? You’ll find makepasswd to be a handy way to make passwords in the Linux terminal. There are all sorts of ways to do this. This is just one more way.

Closure:

I wasn’t sure what I’d write when I sat down to write this article. I started it much earlier in the day than I usually would and flipped through all sorts of text files to find an interesting article to write. The first two articles that piqued my writer’s interest were topics I’d previously covered. I eventually settled on makepasswd. After all, you never know when you will want to make passwords in the Linux terminal. It could happen!


Some Opinions (News?) About Purism.

Today’s article isn’t like a regular article, it’s just some news about Purism. There’s not going to be much written about this company by me, as I’m not wanting to get sued by angry people. I’m mostly going to give you some information and then share a video. With that information, you’ll be free to make your own choices.

Let’s start with the basics…

I have been paying a little bit of attention to Purism for quite some time. I have considered giving them money, but there were already enough complaints that I never felt comfortable doing that.

Purism SPC, the company, is located in San Francisco, California. They have been around since 2014 and they sell products that are based on ‘opensource’: hardware such as laptops and phones.

Their site can be found at https://puri.sm/

Purism claim to be interested in protecting your privacy and liberties, by using open-source software. There are lots of thoughts about this.

I have seen a few people mention this company lately, as though they were interested in their products. I feel an obligation to inform, thus this news article about Purism.

I will not be offering my opinions on the matter. As much as free speech exists in my country, I don’t really feel like spending money on legal fees and I don’t want to deal with a cease-and-desist notice that tells me to take the site down.

What I am going to do is share a video with you.

Warning, this video uses adult language – but provides sources for their claims. I would suggest watching this video if you’re interested in Purism products.

Now, you take that information and do with it what you will. You can view a bunch of old/current complaints at the Purism Subreddit. There are also a number of topics over on HackerNews but I don’t have links to those. I’m not trying to do an expose, I’m trying to help people make wise choices. This means doing your research – and real research.

Closure:

My opinions are my own, though I’m sure it’s okay to say that I do not now own any Purism products and I do not intend to buy any in the near future. This is simply one of many videos, articles, and comment chains that finally made me realize that I should probably share this with others – as we don’t all dive deep into things prior to making a purchase decision.

What you do with this information is up to you.

I will further suggest that any comments on this matter should be left here. It’s well known that I share my articles elsewhere but I don’t know if Purism is lawsuit happy and I don’t think I’d like to put other sites at risk. I’m sure it’s fine, but we’ll see…


Linux Tips: A Comprehensive Guide for Optimizing Your System

Welcome to Linux Tips, your ultimate resource for unlocking the full potential of your Linux system. Whether you are a seasoned Linux user or a beginner exploring the world of open-source operating systems, this comprehensive guide will provide you with valuable insights and tips to optimize your Linux experience. From boosting performance to enhancing security, we’ve got you covered. Let’s dive in!

Just for fun, this article was written by an AI with the prompt being:

“Write an article for Linux-Tips.us that is optimized for Google’s search engine results.”

Enhance Performance:

Optimize Startup: Speed up your system boot time by disabling unnecessary services and applications that launch at startup. Use tools like systemd-analyze to identify bottlenecks and systemd commands to manage services effectively.

Monitor System Resources: Keep track of your system’s resource usage with tools like htop and top. Identify resource-intensive processes and consider optimizing or terminating them to free up valuable resources.

Utilize Swap Space: Configure and optimize your swap space to prevent system slowdowns. Tune the swappiness parameter to strike a balance between using RAM and swap effectively.

Improve Security:

Keep Software Up to Date: Regularly update your Linux distribution, applications, and packages to ensure you have the latest security patches and bug fixes. Utilize package managers like apt or dnf to simplify the update process.

Enable the Firewall: Activate the built-in firewall (e.g., iptables or nftables) to safeguard your system against unauthorized access. Configure firewall rules to allow only necessary incoming and outgoing connections.

Utilize SSH Key Authentication: Strengthen the security of your SSH connections by using key-based authentication instead of passwords. Generate SSH keys and disable password-based authentication to prevent brute-force attacks.

Boost Productivity:

Master the Command Line: Linux’s command-line interface is a powerful tool for executing tasks efficiently. Familiarize yourself with essential commands like ls, cd, grep, and find to navigate the file system, search for files, and perform various operations.

Utilize Shell Scripting: Automate repetitive tasks by writing shell scripts. Bash, the default Linux shell, allows you to create powerful scripts to streamline your workflow and save time.

Take Advantage of Package Managers: Leverage package managers like apt, dnf, or yum to install, update, and remove software effortlessly. Explore repositories and learn package management commands to manage your software ecosystem effectively.

Customize Your Environment:

Choose the Right Desktop Environment: Linux offers a variety of desktop environments, each with its own look and feel. Experiment with different options like GNOME, KDE, or Xfce to find the one that suits your preferences and maximizes your productivity.

Tweak Your Window Manager: Customize your window manager settings to enhance your workflow. Configure keyboard shortcuts, window behavior, and appearance options to create a personalized Linux experience.

Explore Themes and Icons: Customize the visual aesthetics of your Linux system by applying themes and icon packs. Tools like GNOME Tweaks or KDE System Settings allow you to easily switch between different themes and icons.

Conclusion:

By implementing the Linux tips outlined in this comprehensive guide, you can optimize your system’s performance, enhance security, and boost productivity. Remember to keep your system up to date, monitor resource usage, and leverage the power of the command line. With Linux’s flexibility and customization options, you can create an environment that truly suits your needs. Embrace the open-source philosophy and unlock the full potential of your Linux-based machine today!

The Real Closure:

So, I just wanted to share this with you. We worry about AI, but do you think this is an appropriate article for this site? Better still, do you think this is optimized for Google? It’s none of those things. You can tell by the wording that it wasn’t written by a human. Even better, you can tell right away that it wasn’t written by me.

But, let’s see how well this article does in Google’s search results. I’ll report the results (if they’re worth reporting) and I suspect this article won’t rank all that well – if at all. I doubt it shows up in the top ten results for any keywords. If it does, I’ll let you know. I pay attention to that sort of stuff.

Of course, you could say that it’s contaminated by the actual real closure, but the whole article is failing the formula I’ve been using since my earliest articles. It is what it is and I’ll say that it’s ‘close enough for government work’ and we’ll see how well it ends up doing in Google’s search results. It barely qualifies as an article for this site. My articles are very different – and, well, I’d say they’re much better.


Change The ‘sudo’ Password Timeout

Today’s article is going to be a pretty basic article about sudo, where we learn how to change the sudo password timeout. It’s pretty easy to change the sudo password timeout value, and reasonably safe to do so if you use visudo. So, with that in mind, read on!

When you use sudo you’re given a grace period. During that time, you can use sudo again without being asked to type your password again. This is an arbitrary value, typically 15 minutes (I think), and you can customize that value for your particular environment. It’s not difficult.

This is something people may want to change if they’re slow, doing a lot with sudo, or have good physical security. This is also something that someone might want to change for the opposite reason. Some people may want to decrease the length of time that they have with sudo because they work in a shared environment. Who knows? It’s your computer, you can do what you want!

So, what is sudo? It’s how you temporarily use elevated permissions. In fact, I wrote a whole article on this subject, which you can read if you’re so inclined – and I’d suggest doing so if you’re new to Linux:

So, What Is ‘sudo’ Anyhow?

Well then, I mentioned another application. I mentioned ‘visudo’ above.

This may come as a surprise, but I actually wrote an article about visudo! You can read that as well, especially if you’re new to Linux:

Use visudo To Edit The sudoers File

Huh… It’s almost as if I’ve been waiting to write this article for a while and that I took the time to write articles that explain all these things. For a brief moment, one might be fooled into thinking I am good at preparing things. Little do you know… It’d be far more accurate to just say that I’ve written a bunch of articles already. I’d prefer it if you thought it was the former, but there’s definitely a touch of the latter.

Change The sudo Password Timeout:

If you clicked on either of the two links above, you’d know that those tools are used in the terminal. You didn’t click them, did you? Well, you’re going to need an open terminal. In most distros, you can just press CTRL + ALT + T and your default terminal should open. 

With your terminal now open, we’re going to use visudo to edit your sudoers file. In my particular case, we’ll be using Nano. (See? Yet another article you can rely on for more information about Nano!) The command to start banging away on your sudoers file would be simply this:

Now, I can’t say for sure that you’ll be using Nano for this. As you didn’t click the links above, I’ll remind you that visudo uses your default text editor. So, you’ll need to be prepared for that. Your default text editor may be Vim, for example, and you’ll need to know the basics to change your sudo password timeout.

NOTE: If you want, you can change your default text editor. (Did you see that? I did it again!)

Anyhow…

With your sudoers file now open for editing, you just enter the following on a new line:

As far as I can tell, most distros default to 15 minutes. So, you can use sudo and then you won’t be asked for the password again for the next fifteen minutes. In the above, you replace the obvious with the obvious. If you wanted 10 minutes leeway without retyping the password, you’d use this command:

If you wanted an hour’s worth of leeway without typing your sudo password again, then the command would just be this:

See? It’s not very complicated at all.

If you want to be fancy, you could include a comment. A comment starts with a # symbol and is thus ignored by the system. You might want to enter something like this:

By adding a comment, you’ll be reminded of what changes you’ve made from the default configuration. This is generally a good idea, especially if you’re going to heavily modify your system.

As this is Nano, you can finish editing the sudoers file by pressing the CTRL + X, then Y, and then the ENTER button. That will save the changes with Nano. If you’re not using Nano, you’ll need to refer to the manual (unless you already know how to save an edited file).

Closure:

And there you go! You can now change your sudo password timeout value to whatever it is you desire, assuming it’s whole minutes. I do not believe it works with fractions of minutes. You shouldn’t need to reboot or anything. It should take effect immediately and be the new timeout value the very next time you use a command that starts with sudo.

Of course, this comes with some security considerations. If this is a public kiosk, you’d have to be a fool to make this longer. You’d have to be a fool to have sudo access to begin with! That’s why they make guest accounts!

But, if you’re home alone and the neighbors aren’t going to sneak in to steal your wifi password, you’re probably good to go. Heck, if you are daring, you can use sudo without a password. I don’t recommend that, but you can… 

Also, this article contains a whole lot of links to other articles. Google will be pleased! I think it speaks to how many articles I’ve already written more than any foresight on my part.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.