Cfrgtkky

Is there a way to automatically block IP address when a user tries to login as any invalid username? I already have:

[ssh]



enabled  = true

port     = ssh

filter   = sshd

logpath  = /var/log/auth.log

maxretry = 3

bantime = 31536000

in /etc/fail2ban/jail.conf

I cannot help you with fail2ban, but I am using denyhosts quite successfully for exactly this thing. You can tune quite a lot parameters and it also have a distributed database where you can send and receive other badhosts.

Here's more detailed howto:

Install denyhosts package (sudo apt-get install denyhosts)

Look at the default configuration in /etc/denyhosts.conf, you might be interested in DENY_TRESHOLD_INVALID, DENY_TRESHOLD_VALID and DENY_TRESHOLD_ROOT options.

As for the sync server it's disabled by default and you will need to enable it by uncommenting SYNC_SERVER option.

It's also not bad to set PURGE_DENY option to 1w or something like that in case you block-out yourself, so the entry will get purge after one week and you will be able to login again.

Why not just deny all root logins entirely over SSH, rather than using Fail2Ban or other stuff? By doing that, and denying the use of the root login, you remove the issue of having to block everyone, because even if they guess the root password, it'll deny them login. Regardless of how many times they try.

In /etc/ssh/sshd_config, find the line containing PermitRootLogin. Edit that with whatever text editor, but make sure you use sudo/gksudo (gksudo only if you're using a GUI text editor). Make that line I mentioned say PermitRootLogin no, then save, and do sudo service ssh restart.

(This answer was written for the incorrectly-stated initial question. This answer will not be modified to match the revised question, because that's beyond my ability to answer. I may delete THIS answer in future)

This is deliberately not supported in fail2ban:

In other words, invalid users may get 2 attempts while invalid password for valid users get 5 attempts. How can that be done in fail2ban?

A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.

I found your question while trying to do the same thing, but now I've changed my mind. Apart from the secrecy benefit, why save an attacker time by cutting them off early?

First, define the filter for invalid users in filter.d/sshd-invaliduser.conf:

[INCLUDES]

before = common.conf



[Definition]

_daemon = sshd



failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port d+)?s*$

ignoreregex = 



[Init]

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

Then enable it in jail.local:

[sshd-invaliduser]

enabled = true

maxretry = 1

port    = ssh

logpath = %(sshd_log)s

backend = %(sshd_backend)s

This works with fail2ban 0.9.6-2 on Debian 9.

You can Enhance your security by enable roundcube section
Roundcube does have captcha plugins available which will mitigate this, but users will complain if they have to type in a captcha to login for mail.

Fail2ban provides an easy solution for this.

First up, we need to add roundcube into /etc/fail2ban/jail.conf

[roundcube]



enabled  = false



port     = http,https



filter   = roundcube



action   = iptables-multiport[name=roundcube, port="http,https"]



logpath  = [YOUR PATH TO ROUNDCUBE HERE]/logs/errors



maxretry = 5



findtime = 600



bantime = 3600

Change [YOUR PATH TO ROUNDCUBE HERE] in the above to your actual roundcube folder

eg /home/roundcube/public_html/logs/errors

Next, we need to create a filter.

Add /etc/fail2ban/filter.d/roundcube.conf

[Definition]



failregex = IMAP Error: Login failed for . from <HOST>(. . in .?/rcube_imap.php on line d+ (S+ S+))?$



ignoreregex =

Now we have the basics in place, we need to test out our filter.
For that, we use fail2ban-regex.

Enjoy