Security can be fun

It’s a few months since I moved my sites to Linode, and it’s all still working quite nicely.

But as I have to manage the server myself, I’ve been keeping an eye on the logs, and I found loads of attempts to connect over SSH. If anyone got through that way, they could potentially get full control of my server, which would be a Bad Thing, so I wanted to try to discourage that a bit.

So after a bit of reading, I installed Fail2Ban, which continuously checks the logfiles for connection attempts – you can configure it to only check connections on particular ports. If it sees more connections from a particular IP address than it likes the look of, it adds a firewall rule to sort it out by dropping connections from that address for a while. You can configure how many connections is too many, and for how long the address should be banned. It’s a nice bit of “fit and forget” security.
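To make the ban logic concrete, here is a small Python script that does what the paragraph above describes over a few constructed sshd log lines: count failed logins per source address inside a sliding window (fail2ban's `maxretry`/`findtime`) and emit a temporary DROP rule (`bantime`). This is an added example, not fail2ban's own code nor anything from the original post; the log lines, the addresses (documentation ranges), the username and the simplified `iptables` rule shape are all made up for illustration, and the `ignoreip` allowlist is there because, as the post goes on to show, the first address you want exempt is your own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not real traffic.
SAMPLE_LOG = """\
Mar 10 14:02:01 linode sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 14:02:03 linode sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 14:02:05 linode sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 14:02:09 linode sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 14:02:12 linode sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 14:05:00 linode sshd[2110]: Failed password for deploy from 198.51.100.20 port 40001 ssh2
Mar 10 14:05:30 linode sshd[2111]: Failed password for deploy from 198.51.100.20 port 40002 ssh2
Mar 10 14:06:00 linode sshd[2112]: Accepted publickey for deploy from 198.51.100.20 port 40003 ssh2
Mar 10 15:20:00 linode sshd[2201]: Failed password for root from 192.0.2.9 port 3333 ssh2
Mar 10 15:20:05 linode sshd[2202]: Failed password for root from 192.0.2.9 port 3334 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(stamp, year=2024):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
    """Return a list of (ip, ban_start, ban_end) tuples.

    maxretry failures from one address within findtime seconds trigger a ban
    lasting bantime seconds; addresses in ignoreip are never banned.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> datetime the ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in ignoreip:
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned: the firewall is dropping these packets anyway
        window = recent[ip]
        window.append(ts)
        # Drop failures that have fallen out of the findtime window.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans


def firewall_commands(ip, chain="INPUT"):
    """Ban rule and the matching unban rule (assumed simplified DROP rule; the
    real fail2ban action uses its own chain). The unban is what you need when
    the banned address turns out to be yours."""
    ban = f"iptables -I {chain} 1 -s {ip} -j DROP"
    unban = f"iptables -D {chain} -s {ip} -j DROP"
    return ban, unban


if __name__ == "__main__":
    for ip, start, end in scan(SAMPLE_LOG):
        ban, unban = firewall_commands(ip)
        print(f"{ip} banned from {start} until {end}")
        print("  ban:   ", ban)
        print("  unban: ", unban)
```

With the defaults only 203.0.113.7 is banned (five failures in eleven seconds); the two failures from 198.51.100.20 before a successful key login never reach the threshold. Shrinking `findtime` to a second makes the same burst invisible, which is the knob to turn if you get false positives, and putting your own address in `ignoreip` is the cheap insurance against the lockout described later in the post.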

Anyway, yesterday afternoon I was trying to set up an FTP connection from a laptop that hasn’t had cause to talk to Linode before, and it didn’t seem to want to work. At first I got a quite quick “go away” message, but then the FTP client (I’m still using Forklift, as it happens) started reporting timeouts, after apparently trying to connect for a while.

Hmm, most odd. The server was up, and responding to web requests in an acceptably speedy manner. So why was it not letting me connect? I reluctantly left the comfy chair (you can see where this is going, can’t you?) and sat down in front of the iMac. I decided to start with a shell session. I started Terminal and typed the mystic keystrokes that should have given me a secure session. And it sat there looking at me for a while before deciding to tell me that the connection had timed out. Hmm, I thought. What’s going on here?

So I used Linode’s very useful Lish console for a bit of out-of-band management. Logged in with no trouble, did the sudo thing to be able to see what was really going on and had a look at the fail2ban log. And yes, I had indeed locked myself out. :duh: As I’d set the duration to quite a long time, I had to edit the firewall rule to let myself back in again.

After that, I could FTP (well, SFTP, to be more precise) to the server from the laptop.

I will now pause for you all to point and laugh:

:rofl: :crazy: :dizzy:

Still, it’s nice to know it works. As the firewall rule is set to drop connections from the offending IP address, it effectively ties up the intrusion attempt until it times out, which is what was happening to me.