Some Simple Security Chores

Published: 2023-12-22 8:28 AM

Category: Self Host | Tags: ssh, network security, linux, server, hosting


I've self-hosted my website for years, first with Bluehost and then many happy years with Reclaim Hosting. In early 2023 I moved to a VPS with Linode to give myself some more flexibility in what I can make and run on the web. It's more hands-on and today I took a few minutes to update some firewall rules.

I glance at the "failed logins" log anytime I SSH into my server, but I rarely take time to think about what it actually means. Today is December 22. My last login was on December 19. In that time, there were over 1000 login attempts. It's not an enormous number (relative to other, more popular websites) but that's still a lot of tries to get in. I use a strong password and I have keys set up, but still.

I have fail2ban to help lock people out periodically. I've got pretty strict rules in place because I'm the only one logging in or out of this site. I had never gone through the logs, though, to see what was actually being captured. I found a fantastic, step-by-step guide on The Art of Web detailing how to analyze and interpret fail2ban logs and how to then set up IP address firewall rules for the most persistent attackers.

I went through the guide, step by step, and identified which IP ranges were the most prevalent in the banned address logs. Then, using The Art of Web's subnet calculator, I was able to get an IP address for a range of IPs which were the most frequently used addresses.

Lastly, I added that range of addresses to iptables to reject any request from that range outright. No more jail time, it's a straight up ban.
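
The log review described above, sketched as an added example (not from this post or from The Art of Web's guide): it counts fail2ban `Ban` events per /24 and prints a candidate `iptables` rule for each busy range. The log layout, the fixed /24 grouping, the function names and the threshold are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: count fail2ban bans per /24 and print candidate rules.
# It only prints iptables commands for review; it never changes the firewall.

# ban_counts_by_24 LOGFILE -> "COUNT CIDR" lines, busiest range first
ban_counts_by_24() {
    awk '
        # Match: ... fail2ban.actions [pid]: NOTICE  [sshd] Ban 203.0.113.45
        # Skip "Restore Ban" (re-applied after a restart) and "Unban" lines.
        NF >= 3 && $(NF-1) == "Ban" && $(NF-2) != "Restore" &&
        $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($NF, o, ".")
            count[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (net in count) print count[net], net }
    ' "$1" | sort -k1,1nr -k2,2
}

# suggest_rules LOGFILE MIN_BANS -> one command per range with >= MIN_BANS bans
suggest_rules() {
    ban_counts_by_24 "$1" | awk -v min="$2" '$1 >= min {
        print "iptables -I INPUT -s " $2 " -j REJECT"
    }'
}

# Constructed sample log (documentation address ranges, not real hosts)
write_sample_log() {
    cat > "$1" <<'EOF'
2023-12-20 01:02:03,101 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.45 - 2023-12-20 01:02:03
2023-12-20 01:02:09,412 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.45
2023-12-20 04:15:41,220 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.77
2023-12-20 09:33:10,874 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.201
2023-12-20 11:47:52,015 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.9
2023-12-20 12:47:52,630 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.9
2023-12-21 02:20:18,339 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.14
2023-12-21 06:05:44,702 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.5
2023-12-21 08:00:05,004 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 203.0.113.45
EOF
}

log=$(mktemp)
write_sample_log "$log"
ban_counts_by_24 "$log"
suggest_rules "$log" 2   # threshold of 2 is an arbitrary choice for the sample
rm -f "$log"
```

Check each printed range against the addresses you log in from before running the command, since a /24 covers 256 addresses.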

The guide was extremely easy to follow and I'm planning on looking this over every couple of weeks as part of my regular update schedule. There are also some suggestions in the post for logging daily stats, and that may come into my routine as well.
