On a server, especially one directly exposed to the Internet such as a web server, it is very common to receive thousands of authentication attempts. If you check your /var/log/auth.log file, you will see this for yourself.
Those attempts are based on simple dictionary attacks, which (unfortunately) work in some percentage of cases. Are you sure that your password and the passwords of all the users on your system are strong enough to survive such an attack? This is why SSH keys are a better alternative to username/password authentication.
This challenge covers some options to minimize these issues:
- Install Fail2Ban
- Change the SSH Port
- Enable SSH Keys instead of username/password
The idea behind Fail2ban is very simple: temporarily or permanently ban an IP that performed multiple undesired actions, such as unsuccessful authentication, access to a restricted area, etc. Originally it was developed to catch illegal SSH login attempts, but later on it grew into an easily customizable toolkit for reacting quickly to events (such as detected failed login attempts) recorded in the log files.
Changing the default SSH port reduces the number of such attacks, so for this exercise let's change it from 22 to 2222. Remember to open port 2222 on your NSG (Network Security Group).
- Install the package fail2ban
- Validate the configuration file /etc/fail2ban/jail.conf
- Make sure Fail2Ban is working as expected
- Change the SSH default port and set up SSH keys
- Ensure the distribution's package lists are updated
- Ensure the fail2ban package is installed
- Make sure that Fail2Ban will start automatically during the VM boot
- Ensure Fail2Ban is enabled to protect the SSH service
- Change the SSH default port from 22 to 2222
- Set up SSH keys to improve the connection method to the server
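The configuration part of the procedure above, as an added example that is not part of the original challenge material: a script that renders a Fail2Ban jail override enabling the sshd jail on port 2222 and an sshd drop-in that moves the daemon to that port and disables password login. The OUT_DIR argument, the drop-in file name, the ban timings and the assumption that sshd reads /etc/ssh/sshd_config.d/*.conf are mine, not the challenge's.

```shell
#!/usr/bin/env bash
# Added example (not from the challenge): render the Fail2Ban and sshd
# settings for the hardened setup. Writing to an output directory other
# than /etc lets the result be inspected without touching a live host.
set -euo pipefail

SSH_PORT="${SSH_PORT:-2222}"

# /etc/fail2ban/jail.local overrides jail.conf and survives package
# updates, so local changes belong here rather than in jail.conf itself.
# The jail's port must match the new sshd port, otherwise the ban action
# would block the wrong port and attempts on 2222 would go unpunished.
render_jail_local() {
  cat <<EOF
[DEFAULT]
# Assumed timings: ban for 1 hour after 5 failures within 10 minutes
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port    = ${SSH_PORT}
EOF
}

# Drop-in for sshd (assumes an Include of /etc/ssh/sshd_config.d/*.conf):
# move the daemon to the new port and allow only public-key logins.
render_sshd_dropin() {
  cat <<EOF
Port ${SSH_PORT}
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}

# Write both files below OUT_DIR (default /etc). Keep an existing SSH
# session open until "sshd -t" passes and a new connection on the new
# port is confirmed, so a mistake cannot lock you out.
install_config() {
  local out="${1:-/etc}"
  install -d -m 0755 "$out/fail2ban" "$out/ssh/sshd_config.d"
  render_jail_local  > "$out/fail2ban/jail.local"
  render_sshd_dropin > "$out/ssh/sshd_config.d/99-hardening.conf"
}

# Only touch /etc when explicitly asked.
if [ "${1:-}" = "--apply" ]; then install_config /etc; fi
```

After applying, validate with `sshd -t` before restarting sshd, then confirm the jail with `fail2ban-client status sshd`.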