In our previously published guide, we used a bash script to limit SSH access by countries to save ourselves from SSH Brute Force attack. But, Instead of Using Bash Script to Restrict SSH by Countries Based on GeoIP, We Can Create Fail2ban GeoIP Action Script to Block SSH by Country. We have not said this one as first method because the usage way for these two methods are quite different from OSI model. The bash script is great way to reduce load but fail2ban has the advantages of log, ban from iptables. We can not give warranty about effectiveness as it is not tested by anyone else.
To Do Before Following the Steps To Configure Fail2ban GeoIP Action Script to Block SSH by Country
First and most important is to have fail2ban installed and configured properly, like we have described in iptables basics chapter 2 supplying configurations. Here is that guide’s custom jail.conf config on GitHub as Gist.
It is probably better to run fail2ban for few days to month to have an experience of usage. It is practical to read our previous guide where we used a bash script to limit SSH access by countries. That guide has mentioned practical needs like servers from other countries to test yourself. We did more works with fail2ban with WordPress on iptables basics chapter 3. From that guide we worked on filter.d directory, which is located (in case of Ubuntu server, CentOS server) :
1 | /etc/fail2ban/filter.d |
SSH to your server and cd to that location. Do a ls. You’ll see lot of action scripts. Here is fail2ban official website for documentation :
1 | http://www.fail2ban.org |
---
If You Followed Our Previous Guide To Configure SSH With Bash Script to Block SSH by Country
In case you followed our previous guide, then you need to do some extra steps.
First open /etc/hosts.deny and comment out or remove the line :
1 | sshd: ALL |
Save the file. Now open /etc/hosts.allow and comment out or remove the line :
1 | sshd: ALL: aclexec /usr/local/bin/sshfilter.sh %a |
Save the file. Restart SSH services :
1 | service ssh restart |
Login from different servers to check. These steps will make sure that you have reversed the old configuration to default.
Steps To Configure Fail2ban GeoIP Action Script to Block SSH by Country
Technically you already have GeoIP installed :
1 | apt-get install geoip-bin geoip-database |
We actually use the file sshd.conf file located at /etc/fail2ban/filter.d. There is another directory named /etc/fail2ban/action.d. You can visually inspect the files at GitHub repo :
1 | https://github.com/fail2ban/fail2ban/tree/master/config |
In this location on server :
1 | /etc/fail2ban/action.d |
there is a file named iptables-multiport.conf which is this one in GitHub repo :
1 | https://github.com/fail2ban/fail2ban/blob/master/config/action.d/iptables-multiport.conf |
# Option: action ban starts at Line 35. We can create a new modified file with custom action ban and action unban. Which will look like this file on GitHub. We can wget that file on /etc/fail2ban/action.d location on our server :
1 2 | cd /etc/fail2ban/action.d wget https://raw.githubusercontent.com/AbhishekGhosh/fail2ban-geo/master/action.d/geo-iptables-multiport.conf |
By default we enabled only India (IN) and US. You should change it.
We will add only one action named banaction = geo-iptables-multiport on default section of /etc/fail2ban/jail.local :
1 2 3 4 5 6 7 8 9 10 | ... [default] enabled = true port = ssh filter = sshd banaction = geo-iptables-multiport logpath = /var/log/auth.log maxretry = 3 .. |
In our fail2ban guides we configured /etc/fail2ban/jail.conf and copied it to /etc/fail2ban/jail.local`. Here we will edit only the local one :
1 2 3 4 5 | # edit nano /etc/fail2ban/jail.local # paste/type the config & save # restart fail2bain sudo service fail2ban restart |
We can check the status :
1 2 3 4 | # check fail2ban service sudo service fail2ban status # check whether we did correct or not sudo fail2ban-client status |
