Update the system
#apt update && apt upgrade -y
Modify SSH port (Optional), Change port number 22, for example to 3000
#sed -i "s/#Port 22/Port 3000/g" /etc/ssh/sshd_config #systemctl restart sshd.service
Debian 8: open the /etc/ssh/sshd_config, change port 22 to 3000
#vim /etc/ssh/sshd_config
Update IPTables rules, change SSH port on /etc/iptables.up.rules config
#/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP #/usr/sbin/iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
Save the updated IPTables rules to a file for persistence purposes:
#/usr/sbin/iptables-save > /etc/iptables.up.rules #touch /etc/network/if-pre-up.d/iptables #chmod +x /etc/network/if-pre-up.d/iptables #echo '#!/bin/sh' >> /etc/network/if-pre-up.d/iptables #echo '/sbin/iptables-restore < /etc/iptables.up.rules' >> /etc/network/if-pre-up.d/iptables
Debian 10 IPtables persistent make your iptables rules persistent install iptables-persistent package:
#apt-get install iptables-persistent
Debian 10 IPtables Save to update iptables with new rules use IPtables Save
#iptables-save > /etc/iptables/rules.v4 #ip6tables-save > /etc/iptables/rules.v6
If UFW please follow command belows;
#sudo ufw allow 3000/tcp #sudo ufw status Status: active To Action From -- ------ ---- 3000/tcp ALLOW Anywhere 3000/tcp (v6) ALLOW Anywhere (v6)
Removing UFW port 22 Firewall Rule by Checking UFW status with the parameter numbered. This allows you to select a rule by entry number.
#sudo ufw status numbered Status: active To Action From -- ------ ---- [ 1] Apache DENY IN Anywhere [ 2] 22 ALLOW IN Anywhere (out) Delete the rules by the numbers in square brackets[] #sudo ufw delete 2
Install and configure fail2ban to protect SSH
#apt install fail2ban -y #systemctl status fail2ban
Let’s see how did fail2ban alter iptables rules:
#$/usr/sbin/iptables -L -n -v
There is a new chain f2b-sshd in iptables config that is referenced in the INPUT chain rule:
Chain INPUT (policy ACCEPT 777 packets, 80681 bytes) pkts bytes target prot opt in out source destination 1250 93157 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 3000 (... omitted for brevity ...) Chain f2b-sshd (1 references) pkts bytes target prot opt in out source destination 1223 90505 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
fail2ban package contains a tool called fail2ban-client. It allows you to check the status of the service and interact with it (e.g., it lets you manually ban and unban IP addresses, enable and disable jails, etc.)
See which jails are active:
#fail2ban-client status Status |- Number of jail: 1 `- Jail list: sshd
Check the statistics for sshd jail:
#fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 5 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 1 |- Total banned: 1 `- Banned IP list: 192.168.33.1
192.168.33.1 IP address is banned from accessing SSH server. fail2ban does this by adding an entry in f2b-sshd iptables chain:
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
12 696 REJECT all -- * * 192.168.33.1 0.0.0.0/0 reject-with icmp-port-unreachable
1279 97855 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Configuring fail2ban
The default Fail2ban filter settings will be stored in /etc/fail2ban/jail.conf file and the /etc/fail2ban/jail.d/defaults-debian.conf file
Keep in mind that you should not make any changes to that file as it might be overwritten during fail2ban upgrade.
In case you need to adjust the configuration, create /etc/fail2ban/jail.local config file with the desired changes. Please not to add same values, but only the values you want to customize.
If you want to change the default ban duration (bantime) and the number of failed attempts (maxretry), add the new config for example /etc/fail2ban/jail.local
#vim /etc/fail2ban/jail.local
Insert code below
[sshd] #Set ban time to 1 hours bantime = 3600 #Decrease the number of failed login attempts before banning to 3 maxretry=3
Restart the service:
#systemctl restart fail2ban
Source :
https://www.vultr.com/docs/how-to-setup-fail2ban-on-debian-9-stretch
https://blog.swmansion.com/limiting-failed-ssh-login-attempts-with-fail2ban-7da15a2313b