In Fail2Ban, How to Change the SSH port number?

Solution 1:

fail2ban detects login attempts from log content. fail2ban doesn't use ports for detection, only for blocking.
To block the right port, you have to tell fail2ban which one, in order to correctly set up iptables.
In /etc/fail2ban/jail.local:

[ssh]
enabled  = true
port     = ssh    <-- just modify this with your port, e.g. port = 1234

Another method is to block everything from the offending hosts. So iptables will drop every packet from them, not only SSH ones.
At the beginning of /etc/fail2ban/jail.local:

banaction = iptables-multiport     <-- regular blocking (one or several ports)
banaction = iptables-allports      <-- block everything

With iptables-allports you don't have to bother about ports. Just leave the default ones.
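The following is an added example, not code from the answer above or from fail2ban itself. It reads the [ssh] jail from a jail.local fragment the way fail2ban does (jail files are INI files, so configparser works), then renders the iptables rules the ban action would install. The point of the answer is visible in the result: the jail's port only ends up in the iptables rule; detection never looks at it. The two rule templates are simplified from fail2ban's action.d/iptables-multiport.conf and action.d/iptables-allports.conf and are an approximation; the chain name f2b-<jail>, the INPUT chain, the tcp protocol, the JAIL_LOCAL fragment and the functions render_rules and would_block are all assumptions made for this example.

```python
"""Added example: render the iptables rules an SSH jail would install from a
jail.local fragment, and check whether they cover the port sshd really uses."""
import configparser
import socket

# Constructed jail.local fragment: the answer's [ssh] jail with the port changed.
JAIL_LOCAL = """
[DEFAULT]
banaction = iptables-multiport

[ssh]
enabled  = true
port     = 1234
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
"""

# actionstart templates (assumption: approximations of fail2ban's action files,
# not copies of them). Only iptables-multiport ever substitutes <port>.
ACTION_START = {
    "iptables-multiport": "iptables -I INPUT -p tcp -m multiport --dports {port} -j f2b-{name}",
    "iptables-allports": "iptables -I INPUT -p tcp -j f2b-{name}",
}
# actionban is the same for both: the banned address goes into the jail chain.
ACTION_BAN = "iptables -I f2b-{name} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"


def load_jail(text, name):
    """Return the jail's settings; [DEFAULT] keys such as banaction are inherited."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp[name])


def render_rules(text, name, ip):
    """(actionstart rule, actionban rule) for jail `name` banning `ip`."""
    jail = load_jail(text, name)
    banaction = jail.get("banaction", "iptables-multiport")
    start = ACTION_START[banaction].format(port=jail.get("port", "ssh"), name=name)
    return start, ACTION_BAN.format(name=name, ip=ip)


def resolve_port(spec):
    """Numeric port, or a service name looked up in /etc/services (as iptables does for 'ssh')."""
    if spec.isdigit():
        return int(spec)
    try:
        return socket.getservbyname(spec, "tcp")
    except OSError:
        return None  # unknown service name: iptables would refuse the rule


def would_block(start_rule, port):
    """Does the rendered actionstart rule send traffic on `port` through the jail chain?"""
    if "--dports" not in start_rule:
        return True  # iptables-allports: every port goes through the jail chain
    dports = start_rule.split("--dports ")[1].split()[0]
    return port in {resolve_port(p) for p in dports.split(",")}


if __name__ == "__main__":
    start, ban = render_rules(JAIL_LOCAL, "ssh", "203.0.113.5")
    print(start)
    print(ban)
    # The usual mistake: sshd moved to 1234 but jail.local still says port = ssh,
    # so the rule stays on 22 and the ban never touches the real SSH port.
    stale = render_rules(JAIL_LOCAL.replace("port     = 1234", "port     = ssh"), "ssh", "203.0.113.5")[0]
    print("stale jail blocks 1234:", would_block(stale, 1234))
```

On a live host the equivalent check is to compare `iptables -S INPUT` with the Port line in sshd_config: the `-j f2b-ssh` jump must list the port sshd actually listens on, or be port-less (iptables-allports).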

Solution 2:

Fail2Ban uses the file /etc/fail2ban/jail.local and looks for the [ssh] section; you can change the port there.

[ssh]
enabled  = true
port     = ssh

You can change the port value to any positive integer.

If it's not working and you want to look further, take a look at /etc/fail2ban/jail.conf; there should be something like:

 logpath = /var/log/auth.log

That is what fail2ban uses to detect failed logins.

If it is not working correctly, you can try a few things to pinpoint the problem. Start by checking if it is installed:

dpkg -l | grep fail

Check if the service is running:

/etc/init.d/fail2ban status 

Check if your SSH-jail is setup:

sudo fail2ban-client status  

Check the log file:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Check your date/time:

date && tail -2 /var/log/auth.log

(You should first get the date, followed by the last lines in auth.log.) If you still can't pinpoint the error, add your configuration file to your post.
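The following is an added example, not code from the answer above or from fail2ban. It is a cut-down version of what the `fail2ban-regex /var/log/auth.log ...sshd.conf` step does, run over a constructed auth.log excerpt, and it shows why the checklist ends with the log file and the system clock: a ban is decided from log lines that match the filter inside the findtime window, never from the port, and a clock that disagrees with the log timestamps silently pushes every line outside that window. The regex is a simplified stand-in for fail2ban's filter.d/sshd.conf, not the real failregex; the log lines, the assumed year and the functions hosts_to_ban and clock_skew_seconds are constructed for this example.

```python
"""Added example: failregex matching plus findtime/maxretry counting over a
constructed auth.log excerpt, with a clock-skew check."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt. Client port numbers vary on purpose: they never
# take part in the decision. The last line is 13 hours after the previous one.
AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1111]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:04 host sshd[1112]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:09 host sshd[1113]: Failed password for root from 203.0.113.5 port 51255 ssh2
Mar  3 10:00:15 host sshd[1114]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:20 host sshd[1115]: Failed password for root from 198.51.100.9 port 2222 ssh2
Mar  3 23:00:00 host sshd[1116]: Failed password for root from 198.51.100.9 port 2223 ssh2
"""

# Simplified stand-in for the sshd failregex (assumption, not fail2ban's own);
# fail2ban's <HOST> tag corresponds to the named group "host".
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)


def parse_ts(ts, year=2024):
    """syslog timestamps carry no year, so one is assumed (fail2ban has to guess too)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def match_lines(log):
    """(timestamp, host) for every line the failregex matches, as fail2ban-regex reports."""
    hits = []
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hits.append((parse_ts(m.group("ts")), m.group("host")))
    return hits


def hosts_to_ban(log, maxretry=3, findtime=600):
    """Hosts with at least maxretry matched lines inside some findtime-second window."""
    per_host = defaultdict(list)
    for ts, host in match_lines(log):
        per_host[host].append(ts)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned


def clock_skew_seconds(log, now_ts):
    """Seconds between the newest matched log line and `now_ts` (syslog format).
    The 'date && tail -2 /var/log/auth.log' check above is exactly this: if the
    gap exceeds findtime, fresh attempts are already too old to count."""
    newest = max(ts for ts, _ in match_lines(log))
    return (parse_ts(now_ts) - newest).total_seconds()


if __name__ == "__main__":
    for ts, host in match_lines(AUTH_LOG):
        print(ts, host)
    print("ban:", hosts_to_ban(AUTH_LOG, maxretry=3, findtime=600))
    print("skew:", clock_skew_seconds(AUTH_LOG, "Mar  3 23:00:30"))
```

203.0.113.5 fails three times in eight seconds and is banned with the defaults used here; 198.51.100.9 also fails twice, but thirteen hours apart, so it is only banned if findtime is stretched to cover that gap. Lower maxretry or raise findtime and the second host appears in the set, which is the same lever the [ssh] section exposes.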


Solution 3:

In short: if you changed the SSH port number, you have to add it to the jail.local file.

For example (I use SSH and SFTP on port 1234):

in jail.local:

[ssh]
enabled  = true
port     = ssh,sftp,1234
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

Solution 4:

I know this is an old thread but this is what pops up on a google search for this subject. I didn't see anyone give the most correct answer (imo) so here it is.

To change the Linux named port definition globally, go to /etc/services:

ssh             22/tcp
ssh             22/udp

There is no need to change anything in the fail2ban configuration or in any other application that uses Linux named ports.

Tags:

Ssh

Fail2Ban