Fail2ban Block SSH Public Key Connection Attempt

This page walks through a Fail2ban setup intended to block SSH public-key connection attempts, using a custom filter and a custom jail. The goal is to spot IP addresses that repeatedly fail key-based authentication and ban them. Let's break the configuration down step by step.

Jail Configuration (jail.local)

In your jail.local configuration, you have defined a custom jail section for SSH key-based authentication:

[ssh-key]
enabled  = true
port     = ssh
filter   = sshd-key
logpath  = /var/log/auth.log
maxretry = 3

  • [ssh-key]: This is the name of your custom jail section. It allows you to specify different configurations for different services or purposes.

  • enabled = true: This indicates that the jail is enabled and will be active.

  • port = ssh: The port(s) the ban action will block for this jail. ssh is a service name resolved through /etc/services, so it means 22 unless you have changed that file; if sshd listens on a non-standard port, put that number here, otherwise the firewall rule Fail2ban inserts will not cover the real service.

  • filter = sshd-key: The filter to use for this jail. Fail2ban loads it from filter.d/sshd-key.conf under its configuration directory (an optional filter.d/sshd-key.local overlays it), so the name here must match that file name without the extension.

  • logpath = /var/log/auth.log: The log file Fail2ban reads for SSH authentication messages. /var/log/auth.log is the usual location on Debian and Ubuntu; RHEL-family systems write to /var/log/secure, and on hosts that log only to the systemd journal you would set backend = systemd instead of pointing at a file.

  • maxretry = 3: The number of matching failures an address may accumulate within findtime before it is banned for bantime. Neither findtime nor bantime is set in this section, so the defaults apply (10 minutes each in the stock jail.conf, unless your [DEFAULT] section overrides them). An address that fails three times spread over a longer period than findtime is never banned.

Custom Filter Configuration (filter.d/sshd-key.conf)

Your custom filter lives in filter.d/sshd-key.conf. Let's take a closer look at its content:

[Definition]
failregex = sshd(?:\[\d+\])?: Connection closed by <HOST> .*preauth.*\s*$
ignoreregex =

  • [Definition]: This section header introduces the filter's main configuration.

  • failregex: The regular expression Fail2ban applies to each line of /var/log/auth.log. A line that matches counts as one failure against the address captured by <HOST>; Fail2ban replaces <HOST> with its own address-matching pattern (which also accepts hostnames) before compiling the expression. Reading it piece by piece:

    • sshd(?:\[\d+\])?: matches the program name with an optional [PID] suffix, as syslog writes it.
    • Connection closed by <HOST>: the message sshd logs when the client ends the connection, with the client address captured as the host to ban.
    • .*preauth.*\s*$: requires the [preauth] marker somewhere after the address, meaning the connection ended before authentication completed. The trailing \s*$ is redundant after .* and can be dropped.

    Two caveats. First, "Connection closed by ... [preauth]" is logged for any client that disconnects before authenticating, not only for a client whose key was rejected: port scanners, banner grabbers and clients that never offer credentials produce the same line, so this filter is broader than its name suggests. Second, recent OpenSSH releases log "Connection closed by authenticating user NAME ADDRESS port N [preauth]" (or "... invalid user NAME ...") once a username has been presented; on those lines the host pattern latches onto the word "authenticating" or "invalid" instead of the IP, so the attempts you most want to count are credited to a bogus host and the attacker's address is never banned. Fail2ban's stock sshd filter (0.10 and later) already handles these log variants in its ddos and aggressive modes, so check whether it gives you what you want before maintaining a custom expression.

  • ignoreregex: This line is currently empty, so no matched lines are excluded. You can add patterns here to exempt certain log entries (for example disconnects from a monitoring host) from being counted.

In summary, your Fail2ban configuration watches the SSH service port (22 by default) and bans any address that produces three matching pre-authentication disconnects within findtime, using the custom sshd-key filter to pick those lines out of the authentication log. In practice it catches scanners and aborted connections as readily as failed key authentication, and it misses attempts that sshd logs with the "authenticating user" prefix.
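To see what the filter actually matches, and how maxretry and findtime turn matches into bans, here is an added Python harness. It is not part of the page's configuration or of Fail2ban itself: it expands <HOST> with the classic Fail2ban pattern (an approximation of what current releases do), runs the page's failregex over a few constructed auth.log lines, and simulates the jail's sliding-window counting. It also tries a tightened expression of my own (TIGHT_FAILREGEX, not from the page) that skips the "authenticating user NAME" / "invalid user NAME" prefix. The log lines, host names and addresses are made up for the example.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not captured from a real host).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  4 10:01:12 bastion sshd[1201]: Connection closed by 198.51.100.7 port 41022 [preauth]
Mar  4 10:01:15 bastion sshd[1203]: Connection closed by authenticating user root 203.0.113.5 port 50312 [preauth]
Mar  4 10:01:20 bastion sshd[1205]: Connection closed by invalid user admin 203.0.113.5 port 50400 [preauth]
Mar  4 10:01:31 bastion sshd[1207]: Connection closed by authenticating user root 203.0.113.5 port 50444 [preauth]
Mar  4 10:02:02 bastion sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:abc
Mar  4 10:02:40 bastion sshd[1210]: Connection closed by 192.0.2.10 port 52000
Mar  4 10:30:00 bastion sshd[1300]: Connection closed by 198.51.100.7 port 41100 [preauth]
Mar  4 10:30:05 bastion sshd[1301]: Connection closed by 198.51.100.7 port 41101 [preauth]
"""

# Fail2ban substitutes <HOST> before compiling a failregex. This is the classic
# (0.9-era) expansion; 0.10+ uses a richer address/DNS alternation with the same
# hostname fallback, so treat it as an approximation and confirm with fail2ban-regex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex exactly as the page's filter.d/sshd-key.conf defines it.
PAGE_FAILREGEX = r"sshd(?:\[\d+\])?: Connection closed by <HOST> .*preauth.*\s*$"

# Tightened variant (my assumption, not from the page): allow the optional
# "authenticating user NAME" / "invalid user NAME" prefix that newer OpenSSH
# logs, and require " port N [preauth]" right after the address.
TIGHT_FAILREGEX = (
    r"sshd(?:\[\d+\])?: Connection closed by "
    r"(?:(?:authenticating|invalid) user \S+ )?<HOST> port \d+ \[preauth\]\s*$"
)


def compile_failregex(failregex):
    """Expand <HOST> the way Fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_hosts(failregex, log_text):
    """Return the <host> captured from each matching line, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, log_text.splitlines()) if m]


def hosts_to_ban(failregex, log_text, maxretry=3, findtime=600, year=2024):
    """Simulate the jail decision: ban a host once it has maxretry matches inside a
    sliding window of findtime seconds (Fail2ban's default is 600). Syslog lines
    carry no year, so one is assumed when parsing the timestamp prefix."""
    pattern = compile_failregex(failregex)
    recent = {}    # host -> timestamps of matches still inside the window
    banned = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        host = m.group("host")
        if host in banned:
            continue
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for name, rx in (("page", PAGE_FAILREGEX), ("tight", TIGHT_FAILREGEX)):
        print(name, "hosts: ", match_hosts(rx, SAMPLE_LOG))
        print(name, "banned:", hosts_to_ban(rx, SAMPLE_LOG))
```

With the page's expression the brute-forcer at 203.0.113.5 is credited to the hosts "authenticating" and "invalid" and is never banned, while the scanner at 198.51.100.7 only gets banned if findtime is stretched to cover its two bursts. The tightened expression bans 203.0.113.5 on its third attempt inside the default ten-minute window. Once the filter file is in place, the authoritative check is fail2ban-regex run against your real auth.log, since it uses the exact <HOST> expansion and date handling of your installed version.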

Make sure to test the filter against your real log with fail2ban-regex before enabling the jail, and afterwards watch the jail's status in fail2ban-client and the Fail2ban log to confirm it bans the addresses you intend and nothing else.
