In this tutorial it should be short and sweet but we are going to install fail2ban on our EC2 instance we created in a previous post if you want to revisit this previous post please go here.
Ok what is fail2ban?
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.
So that sounds like exactly what we want lets get it installed log into your EC2 with your pem file and run.
sudo yum install fail2ban
Great then installer will run and install fail2ban for you now lets config it some of these options will depend on what port you have set to login via ssh port 22 is pretty standard but we would advice changing it as people can run this command to grab your ports for example.
nmap --top-ports 10 sobytes.com
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-28 13:35 BST
Nmap scan report for sobytes.com (220.127.116.11)
Host is up (0.0093s latency).
rDNS record for 18.104.22.168: server38.interdns.co.uk
PORT STATE SERVICE
21/tcp closed ftp
22/tcp filtered ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
139/tcp closed netbios-ssn
443/tcp open https
445/tcp closed microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
More information on nmap.
You can set the port within your security groups in AWS lets configure fail2ban.
sudo cp jail.conf jail.local
Now there are lots of settings within this file feel free to change and update for your requirements some basic ones are.
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=root, firstname.lastname@example.org]
logpath = /var/log/secure
maxretry = 5
When you have finished with all your settings don't forget to restart fail2ban.
sudo service fail2ban restart