TL;DR
Someone is trying to guess passwords for your AWS t2.micro instance via SSH. We’ll harden security by disabling password logins, using key-based authentication, and limiting login attempts with fail2ban.
Steps
- Connect to Your Instance
- Update Your System
- Disable Password Authentication
- Restart SSH Service
- Test Key-Based Authentication
- Install Fail2ban
- Configure Fail2ban (SSH Jail)
  - enabled = true
  - port = ssh (or your custom SSH port)
  - logpath = %(sshd_log)s
  - bantime = 600 (Ban for 10 minutes. Adjust as needed.)
  - maxretry = 3 (Ban after 3 failed attempts. Adjust as needed.)
- Restart Fail2ban Service
- Check Fail2ban Status
- Optional: Change Default SSH Port
Use SSH to connect to your AWS t2.micro instance as the user you normally use (e.g., ec2-user, ubuntu). You’ll need your private key file (.pem) and the public IP address of the instance.
ssh -i /path/to/your/key.pem ec2-user@your_public_ip
Ensure your system is up to date before making changes:
sudo apt update && sudo apt upgrade -y
(If using a different Linux distribution, use the appropriate package manager commands – e.g., yum update for CentOS/RHEL).
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Find the line PasswordAuthentication yes and change it to PasswordAuthentication no. Also, ensure that ChallengeResponseAuthentication no is set.
Save the file (Ctrl+X, Y, Enter).
Restart the SSH service for the changes to take effect:
sudo systemctl restart sshd
Keep your current session open and open a new terminal window. Try connecting using your private key. A successful login confirms that key-based login works now that password authentication is disabled.
ssh -i /path/to/your/key.pem ec2-user@your_public_ip
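Editing PasswordAuthentication in /etc/ssh/sshd_config only helps if that line is the one sshd uses: sshd keeps the first value it reads for each keyword, so an earlier line or an included file can override the edit. The following is an added example, not part of the original guide, that models this rule in shell over constructed sample files. The function names, the file name 50-sample.conf and the user backup are hypothetical, and Match blocks are simply skipped.

```shell
#!/bin/sh
# Added example, not from the original guide. Simplified model of how sshd
# resolves a keyword: the FIRST value read in the global section wins.

# effective KEYWORD FILE...: print that first value, lowercased. Pass FILEs in
# the order sshd reads them (an Include pulls its files in at that line).
effective() {
    kw=$1; shift
    awk -v kw="$kw" '
        FNR == 1 { in_match = 0 }            # assumption: Match ends with its file
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                    # conditional blocks are skipped
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$@"
}

# password_login_off FILE...: succeed only if both keywords resolve to "no".
# An unset keyword fails the check instead of being assumed safe.
password_login_off() {
    [ "$(effective PasswordAuthentication "$@")" = no ] &&
    [ "$(effective ChallengeResponseAuthentication "$@")" = no ]
}

# write_sample DIR: constructed sample files (hypothetical names and contents).
write_sample() {
    printf '%s\n' 'PasswordAuthentication yes' > "$1/50-sample.conf"
    printf '%s\n' 'Include sshd_config.d/*.conf' \
        '#PasswordAuthentication yes' \
        'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' \
        'Match User backup' \
        '    PasswordAuthentication yes' > "$1/sshd_config"
}

d=$(mktemp -d)
write_sample "$d"
echo "main file alone: $(effective PasswordAuthentication "$d/sshd_config")"
echo "drop-in first:   $(effective PasswordAuthentication "$d/50-sample.conf" "$d/sshd_config")"
password_login_off "$d/50-sample.conf" "$d/sshd_config" ||
    echo "password login is still enabled by the drop-in"
rm -rf "$d"
```

On the instance itself, `sudo sshd -T` prints the configuration sshd actually resolved, and `sudo sshd -t` checks the file for syntax errors before you restart the service.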
Fail2ban monitors log files for failed login attempts and automatically blocks the offending IP addresses.
sudo apt install fail2ban -y
Copy the default jail configuration file to jail.local, so your changes live in a local override file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local using a text editor (e.g., nano):
sudo nano /etc/fail2ban/jail.local
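Under the [sshd] section, ensure the settings listed under the Configure Fail2ban (SSH Jail) step above (enabled, port, logpath, bantime, maxretry) are present and configured.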
Save the file.
Restart Fail2ban to apply the changes:
sudo systemctl restart fail2ban
Verify that Fail2ban is running and monitoring SSH logs:
sudo fail2ban-client status sshd
This will show you the number of currently banned IPs.
Changing the default port (22) can reduce automated attacks. Edit /etc/ssh/sshd_config and change the Port 22 line to a different, non-standard port number (e.g., Port 2222). Remember to update your security group rules in AWS to allow traffic on the new port.

