How to set up an IP ban for SSH and RDP

What is an IP ban?

An IP ban is a security measure that blocks any IP address from which too many failed login attempts have been made within a short time.

I usually set the ban time to forever, so the steps below demonstrate a permanent ban. Set your own ban time according to your needs. With a permanent ban, make sure the addresses you administer from are listed in ignoreip; otherwise a few mistyped passwords will lock you out of your own server.

For SSH

Ubuntu

apt update
apt install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # keep our changes in jail.local so a package upgrade does not overwrite them
vim /etc/fail2ban/jail.local

# External command that will take a tagged argument to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
# A negative value means the ban never expires.
bantime = -1

# A host is banned if it has generated "maxretry" failures during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

service fail2ban restart

Debian

apt update
apt install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # keep our changes in jail.local so a package upgrade does not overwrite them
vim /etc/fail2ban/jail.local

# External command that will take a tagged argument to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
# A negative value means the ban never expires.
bantime = -1

# A host is banned if it has generated "maxretry" failures during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
# Read sshd messages from the systemd journal instead of a log file
backend = systemd

service fail2ban restart

Alpine

apk update
apk add fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # keep our changes in jail.local so a package upgrade does not overwrite them
vim /etc/fail2ban/jail.local

# External command that will take a tagged argument to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
# A negative value means the ban never expires.
bantime = -1

# A host is banned if it has generated "maxretry" failures during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
# Alpine's syslog writes sshd messages to /var/log/messages
logpath = /var/log/messages
backend = %(sshd_backend)s

service fail2ban restart
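The three configurations above all come down to the same three numbers: maxretry = 3 failures within findtime = 10m triggers a ban, and bantime = -1 makes that ban permanent. The following Python model is an added example, not fail2ban's own code, that replays those settings (plus an ignoreip list) against a constructed sshd log so the effect of each knob is visible before you deploy it. Assumptions made for the example: 203.0.113.10 stands in for the administrator's workstation, the log year is pinned to 2023 because syslog timestamps carry none, and the failregex is a simplified stand-in for the one shipped in filter.d/sshd.conf.

```python
"""Sliding-window model of the fail2ban settings used on this page.

Added example, not fail2ban's own code. It applies the page's jail.local values
(findtime = 10m, maxretry = 3, bantime = -1) to a constructed sshd log so the
effect of each knob, and of ignoreip, is visible before you deploy a permanent ban.
"""
import ipaddress
import re
from datetime import datetime, timedelta

FINDTIME = timedelta(minutes=10)   # findtime = 10m
MAXRETRY = 3                       # maxretry = 3
BANTIME = -1                       # bantime = -1: a negative value never expires
# Assumption for the example: 203.0.113.10 is the admin workstation that must never be banned.
IGNOREIP = ["127.0.0.1/8", "::1", "203.0.113.10"]

# Simplified stand-in for fail2ban's filter.d/sshd.conf failregex: one OpenSSH
# "Failed password" line. Real deployments should rely on the shipped filter.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_ts(text, year=2023):
    """syslog timestamps carry no year; the example pins one."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME, ignoreip=IGNOREIP):
        self.findtime = findtime
        self.maxretry = maxretry
        self.bantime = bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = {}  # ip -> timestamps of failures still inside findtime
        self.bans = {}      # ip -> expiry datetime, or None for a permanent ban

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        if ip not in self.bans:
            return False
        expiry = self.bans[ip]
        if expiry is None:          # bantime < 0: never released
            return True
        if now >= expiry:           # finite ban has run out: unban
            del self.bans[ip]
            return False
        return True

    def feed(self, line):
        """Consume one log line; return the IP if this line caused a ban, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, now = m["ip"], parse_ts(m["ts"])
        if self.ignored(ip) or self.is_banned(ip, now):
            return None
        # Keep only failures inside the findtime window, then count this one.
        hits = [t for t in self.failures.get(ip, []) if now - t <= self.findtime]
        hits.append(now)
        self.failures[ip] = hits
        if len(hits) >= self.maxretry:
            self.bans[ip] = None if self.bantime < 0 else now + timedelta(seconds=self.bantime)
            self.failures[ip] = []
            return ip
        return None


def run(lines, **settings):
    """Feed every line to a fresh Jail; return (jail, IPs banned in order)."""
    jail = Jail(**settings)
    banned = [ip for ip in (jail.feed(line) for line in lines) if ip]
    return jail, banned


# Constructed log lines (not from a real host; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Nov  5 21:00:01 srv sshd[1001]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Nov  5 21:00:40 srv sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "Nov  5 21:01:55 srv sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2",  # 3rd in 10m: ban
    "Nov  5 21:02:10 srv sshd[1004]: Failed password for root from 198.51.100.7 port 40004 ssh2",  # already banned
    "Nov  5 21:03:00 srv sshd[1005]: Failed password for root from 192.0.2.5 port 50001 ssh2",
    "Nov  5 21:04:00 srv sshd[1006]: Accepted publickey for deploy from 192.0.2.5 port 50002 ssh2",  # not a failure
    "Nov  5 21:05:00 srv sshd[1007]: Failed password for root from 203.0.113.10 port 60001 ssh2",
    "Nov  5 21:05:20 srv sshd[1008]: Failed password for root from 203.0.113.10 port 60002 ssh2",
    "Nov  5 21:05:40 srv sshd[1009]: Failed password for root from 203.0.113.10 port 60003 ssh2",  # ignoreip: never banned
    "Nov  5 21:14:00 srv sshd[1010]: Failed password for root from 192.0.2.5 port 50003 ssh2",  # 11m after its first: window holds one
    "Nov  5 21:15:00 srv sshd[1011]: Failed password for root from 198.51.100.7 port 40005 ssh2",  # released if bantime=600, still banned if -1
    "Nov  5 21:28:00 srv sshd[1012]: Failed password for root from 192.0.2.5 port 50004 ssh2",  # still never 3 within 10m
]

if __name__ == "__main__":
    jail, banned = run(SAMPLE_LOG)
    print("bantime=-1 :", banned, {ip: "forever" if e is None else e for ip, e in jail.bans.items()})
    jail, banned = run(SAMPLE_LOG, bantime=600)
    print("bantime=600:", banned, jail.bans)
```

Run it once with the page's bantime = -1 and once with bantime = 600: the same three failures from 198.51.100.7 trigger a ban both times, but only the finite ban has released the address by the time its next attempt arrives at 21:15. The slow attacker at 192.0.2.5 never accumulates three failures inside one 10 minute window, which is why findtime matters as much as maxretry, and the admin host is never counted at all because it is in ignoreip.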

For RDP

Fail2ban runs on Linux only. For RDP on Windows, we use another open-source tool called IPBan.

Please follow the official wiki: https://github.com/DigitalRuby/IPBan

The config file path is C:\Program Files\IPBan\ipban.config.

Below, the ban time is set to forever.

[Screenshot of ipban.config with the ban time set to forever, taken 2023-11-05]