
Security Monitoring and Connection Management

October 6, 2025
3 min read

Security is useless without proper monitoring. This guide covers fail2ban protection, connection optimization, and comprehensive log analysis.

Part 1: Fail2Ban Protection

Fail2ban monitors log files and automatically blocks IP addresses that show malicious behavior.

Install Fail2Ban

# Ubuntu/Debian
sudo apt install fail2ban
# RHEL/CentOS
sudo yum install epel-release
sudo yum install fail2ban

Configure Fail2Ban

Create a local configuration file:

sudo nano /etc/fail2ban/jail.local
[DEFAULT]
# Ban IP for 1 hour after 3 failed attempts within 10 minutes
bantime = 3600
findtime = 600
maxretry = 3
destemail = [email protected]
sendername = Fail2Ban
action = %(action_mwl)s
[sshd]
enabled = true
# Match your SSH port
port = 2222
filter = sshd
# Debian/Ubuntu; RHEL/CentOS use /var/log/secure
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

Keep comments on their own lines: fail2ban's config parser does not reliably strip a trailing # comment from a value. The action_mwl action bans and also e-mails a report with whois output and the matching log lines, so the host needs a working mail setup for it to be useful. On systems that log only to the systemd journal (for example Debian 12 without rsyslog, where /var/log/auth.log does not exist), set backend = systemd in the [sshd] section instead of a logpath.

Start Fail2Ban

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Monitor Fail2Ban

# Check status
sudo fail2ban-client status sshd
# View banned IPs
sudo fail2ban-client get sshd banned
# Unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.100

Part 2: SSH Connection Management

Create SSH Config for Easy Access

On your local machine, create ~/.ssh/config:

Host production-server
    HostName server_ip
    Port 2222
    User deployer
    IdentityFile ~/.ssh/id_prod_server
    ServerAliveInterval 60
    ServerAliveCountMax 3

Host staging-server
    HostName staging_ip
    Port 2222
    User deployer
    IdentityFile ~/.ssh/id_staging_server
    # Jump through the bastion; bastion-host must be defined as its own Host entry
    ProxyJump bastion-host

Now you can connect simply with:

ssh production-server

SSH Agent for Key Management

Load keys into SSH agent to avoid re-entering passphrases:

# Start agent
eval "$(ssh-agent -s)"
# Add keys
ssh-add ~/.ssh/id_prod_server
# List loaded keys
ssh-add -l

Part 3: Monitoring and Logging

Enable Detailed SSH Logging

In /etc/ssh/sshd_config, set:

LogLevel VERBOSE

Reload sshd afterwards (sudo systemctl reload ssh on Debian/Ubuntu, sudo systemctl reload sshd on RHEL/CentOS). VERBOSE additionally logs the fingerprint of the key used for every public-key login, so the log tells you which key, not just which user, opened a session.

Monitor Authentication Logs

# Real-time monitoring (Ubuntu/Debian)
sudo tail -f /var/log/auth.log
# Real-time monitoring (RHEL/CentOS)
sudo tail -f /var/log/secure
# Search for failed attempts
sudo grep "Failed password" /var/log/auth.log | tail -20
# Successful logins
sudo grep "Accepted publickey" /var/log/auth.log | tail -20

Create Monitoring Script

Save this as /usr/local/bin/ssh-monitor.sh:

#!/bin/bash
# SSH Security Monitoring Script
# Run as root (or via sudo): auth.log and fail2ban-client are not readable by ordinary users.
LOG_FILE="/var/log/auth.log" # Change for RHEL: /var/log/secure
REPORT_FILE="/var/log/ssh-security-report.txt"
{
echo "SSH Security Report - $(date)"
echo "================================"
echo ""
echo "Failed Login Attempts (count, source IP):"
# Pull the address after "from" instead of a fixed column: entries for unknown
# accounts read "Failed password for invalid user NAME from IP", which shifts the fields.
grep "Failed password" "$LOG_FILE" | grep -oE 'from [0-9a-fA-F.:]+' | awk '{print $2}' | sort | uniq -c | sort -nr | head -20
echo ""
echo "Successful Logins (date, user, source IP):"
grep "Accepted publickey" "$LOG_FILE" | awk '{print $1, $2, $3, $9, $11}' | tail -20
echo ""
echo "Active SSH Sessions:"
who
echo ""
echo "Current Fail2Ban Bans:"
fail2ban-client status sshd 2>/dev/null
} > "$REPORT_FILE"
cat "$REPORT_FILE"

Make it executable and run daily:

sudo chmod +x /usr/local/bin/ssh-monitor.sh
# Append to root's crontab (a bare "crontab -" would replace every existing entry)
( sudo crontab -l 2>/dev/null; echo "0 9 * * * /usr/local/bin/ssh-monitor.sh | mail -s 'SSH Security Report' [email protected]" ) | sudo crontab -
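As an added example that is not part of this guide or of fail2ban itself, the Python script below applies the findtime/maxretry/bantime semantics of the jail.local from Part 1 to a handful of constructed auth.log lines, and counts failures per source IP the way the report script above intends. It handles the log-line form a fixed awk column misses (entries for unknown accounts read "Failed password for invalid user NAME from IP") as well as IPv6 sources. It is a simplified model: the real sshd filter matches many more message patterns than "Failed password". Every sample line, hostname and address is constructed.

```python
#!/usr/bin/env python3
"""Simulate fail2ban's sshd jail (findtime/maxretry/bantime) over auth.log lines.

Added example for this guide, not fail2ban's own code. The log lines below are
constructed samples in the traditional syslog format used by /var/log/auth.log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail parameters, matching the jail.local in Part 1
FINDTIME = 600   # seconds
MAXRETRY = 3
BANTIME = 3600   # seconds

# Matches both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP" (the second form shifts the
# whitespace-separated fields by two, which is why a fixed awk column breaks).
FAILED_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not real traffic)
SAMPLE_LOG = """\
Oct  6 09:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Oct  6 09:00:05 web1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Oct  6 09:00:09 web1 sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Oct  6 09:01:00 web1 sshd[2004]: Accepted publickey for deployer from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:AAAA
Oct  6 09:02:00 web1 sshd[2005]: Failed password for deployer from 198.51.100.9 port 40100 ssh2
Oct  6 09:30:00 web1 sshd[2006]: Failed password for deployer from 198.51.100.9 port 40101 ssh2
Oct  6 09:58:00 web1 sshd[2007]: Failed password for deployer from 198.51.100.9 port 40102 ssh2
Oct  6 10:00:00 web1 sshd[2008]: Failed password for invalid user oracle from 2001:db8::10 port 33000 ssh2
Oct  6 10:00:30 web1 sshd[2009]: Failed password for invalid user postgres from 2001:db8::10 port 33001 ssh2
Oct  6 10:05:00 web1 sshd[2010]: Failed password for invalid user git from 2001:db8::10 port 33002 ssh2
"""


def parse_failures(log_text, year=2025):
    """Yield (timestamp, ip, user) for every failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed 2025 here).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield stamp, m["ip"], m["user"]


def simulate_jail(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {ip: ban_start} for IPs that reach maxretry failures inside findtime.

    Failures are counted per IP in a sliding window of findtime seconds; attempts
    from an IP whose ban is still active are ignored, as the firewall would drop them.
    """
    window = defaultdict(list)  # ip -> timestamps of failures still inside the window
    bans = {}
    for stamp, ip, _user in parse_failures(log_text):
        if ip in bans and stamp < bans[ip] + timedelta(seconds=bantime):
            continue
        recent = [t for t in window[ip] if stamp - t <= timedelta(seconds=findtime)]
        recent.append(stamp)
        window[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = stamp
            window[ip] = []
    return bans


def failures_per_ip(log_text):
    """Count failed attempts per source IP (what the report script's first section shows)."""
    counts = defaultdict(int)
    for _stamp, ip, _user in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in sorted(failures_per_ip(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} {ip}")
    for ip, start in simulate_jail(SAMPLE_LOG).items():
        print(f"BAN {ip} at {start:%H:%M:%S} for {BANTIME}s")
```

With the sample data, 203.0.113.5 is banned after three failures in eight seconds and 2001:db8::10 after three in five minutes, while 198.51.100.9 also fails three times but spread over almost an hour, so it never reaches maxretry inside one 600-second window and is not banned. That gap between the raw per-IP count and the ban decision is exactly what findtime controls when you tune the jail.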

Next Steps

With monitoring in place, review the Troubleshooting guide for common issues, compliance requirements, and ongoing maintenance best practices.