After the initial setup of your Raspberry Pi, you can adjust the SSH security settings following the recommendations on these websites [link1, link2, link3, link4, link5] and YouTube tutorials [video1, video2, video3, video4]. For a general introduction to Linux security, you may find the Udemy course by Jason Cannon quite useful.
All remote authentications via SSH are logged to your Raspberry Pi and you can review them by running the following command:
$ sudo cat /var/log/auth.log
As the SSH port is now open on the router, you will quickly start seeing failed SSH login attempts [link1, link2, link3, link4] and “POSSIBLE BREAK-IN ATTEMPT!” messages in the auth.log file.
Since only RSA key authentication is used instead of password authentication, we should be protected against brute-force attacks by bots. Nevertheless, you can ban the IP addresses from which such attempts originate using fail2ban. To install it, enter:
$ sudo apt-get install fail2ban
By default, fail2ban protects SSH only and bans a suspicious IP for 600 seconds after 6 unsuccessful attempts. You can check the default configuration here:
$ sudo nano /etc/fail2ban/jail.conf
This configuration file should be left untouched, though, because package upgrades may overwrite it. Customize settings in the jail.local file instead; its values override those in the default jail.conf:
$ sudo nano /etc/fail2ban/jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = -1
banaction = iptables-allports
findtime = 604800
maxretry = 2
The example above permanently (-1) bans a suspicious IP address after 2 unsuccessful login attempts. Moreover, it blocks that IP on all ports (iptables-allports), not just SSH. bantime is in seconds (604800 = 7 days, 2678400 = 31 days); -1 means a permanent ban. findtime is set to 7 days; it is the time window within which the maximum number of retries (maxretry) must occur for the ban to trigger.
Note that all bans are cleared when fail2ban is restarted or the server is rebooted, so if you get banned yourself, you can simply reboot the system. Once you have edited the configuration file, restart fail2ban:
$ sudo service fail2ban restart
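To see what the findtime/maxretry settings above actually do, here is an added example (not part of the original page or of fail2ban itself) that parses constructed auth.log lines of the kind shown by sudo cat /var/log/auth.log, and applies the same "maxretry failures within findtime seconds" rule that the [ssh] jail uses. It lets you compare the default 6/600 setting with the 2/604800 setting from jail.local on the same input; the log lines, hostnames and addresses are made up.

```python
import re
from datetime import datetime

# Constructed sample auth.log lines (syslog format, no year in the timestamp).
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 raspberrypi sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  1 10:00:05 raspberrypi sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  1 10:02:40 raspberrypi sshd[1210]: Accepted publickey for pi from 192.0.2.10 port 60122 ssh2: RSA SHA256:abc
Mar  3 08:15:00 raspberrypi sshd[1300]: Failed password for pi from 198.51.100.23 port 40210 ssh2
Mar 12 09:00:00 raspberrypi sshd[1401]: Failed password for root from 198.51.100.23 port 40300 ssh2
"""

# Matches the "Failed password" lines that the sshd filter counts as failures.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, ip) for each failed login, in file order."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"]))
    return failures


def ips_to_ban(failures, maxretry=2, findtime=604800):
    """Ban an IP once it has maxretry failures inside a findtime-second window."""
    recent = {}   # ip -> timestamps of failures still inside the window
    banned = []   # in the order the ban would trigger
    for ts, ip in failures:
        if ip in banned:
            continue
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.append(ip)
    return banned
```

With the jail.local values, 203.0.113.7 (two failures four seconds apart) is banned while 198.51.100.23 (two failures nine days apart) is not; with the default 6 retries in 600 seconds nothing here is banned at all.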
In case you are not happy that all bans disappear from iptables after each reboot, you can append the line below to the end of the actionstart block in the /etc/fail2ban/action.d/iptables-allports.conf file (after the lines that create the fail2ban-<name> chain, so that the chain exists when the rules are inserted):
test -f /etc/fail2ban/ip.list-<name> && cat /etc/fail2ban/ip.list-<name> | while read -r IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j DROP; done
and the following line to the actionban:
echo '<ip>/24' >> /etc/fail2ban/ip.list-<name>
These commands record each banned address in the /etc/fail2ban/ip.list-ssh file (as a /24, so after a restart the whole subnet of each offender is dropped, not only the single address) and on every restart re-insert the contents of this file into the fail2ban-ssh chain in iptables. The test -f guard avoids an error on the very first start, before the list file exists.
To view banned IP addresses check these files:
$ sudo cat /etc/fail2ban/ip.list-ssh
$ sudo cat /var/log/fail2ban.log
Review the iptables rules as numbered lists with the following command:
$ sudo iptables -L -n --line-numbers
If you wish to unban an IP, delete its rule by chain name and line number (the example removes rule 1 from the fail2ban-ssh chain). Remember to remove the entry from /etc/fail2ban/ip.list-ssh as well, otherwise the ban comes back at the next restart:
$ sudo iptables -D fail2ban-ssh 1
If you decide to move SSH to a non-standard port, you will need to adjust the port forwarding on your router, ufw/iptables and the respective configuration files (e.g. jail.local). Also remember to specify the selected port when connecting via ssh:
$ ssh firstname.lastname@example.org -p 31415