Logging in to your server over SSH is itself secure, but the SSH daemon is a network service that has to be reachable from the internet to be useful, and any service exposed to the network is a potential target. If you watch the authentication logs for such services, you will see repeated, systematic login attempts: brute-force attacks by people and bots alike.
Fail2Ban mitigates this by watching those logs and automatically adding firewall rules (iptables rules, in this guide) against hosts that exceed a configured number of failed login attempts, so the server responds to illegitimate access attempts without your intervention.
In this guide, we will cover how to install and use fail2ban on a CentOS 7 server.
Because Fail2Ban is not in the base CentOS 7 repositories, install the EPEL repository first.
The following commands must be run as root (switch to root, or prefix them with sudo).
Follow up by installing Fail2Ban:
Run the following commands to start Fail2Ban on the server:
Fail2Ban's default jail configuration lives in /etc/fail2ban/jail.conf. Do not edit that file, since a package upgrade can overwrite it; instead copy it so that your changes live in a file the package never touches.
Copy it to a file called jail.local; Fail2Ban reads jail.local after jail.conf, so settings in the copy override the defaults.
After the copy, make all of your changes in the new jail.local. It already contains sections for many services that may need protection, each preconfigured but disabled.
Open up the new Fail2Ban configuration file:
The [DEFAULT] section at the top holds the settings Fail2Ban applies to every enabled jail unless a jail's own section overrides them. If you want more nuanced protection for a particular service, customize the values in that service's section.
You can see the default section below:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5
Add the address you administer from to the ignoreip line (an IP address, a CIDR range or a hostname; separate several entries with spaces), keeping 127.0.0.1 in the list. ignoreip whitelists these addresses so they are never banned; including your own guarantees that you cannot lock yourself out of your server by mistyping a password a few times.
Set banaction = iptables-multiport so that bans are applied through iptables. On CentOS 7 the EPEL package ships /etc/fail2ban/jail.d/00-firewalld.conf, which would otherwise select a firewalld-based ban action; jail.local is read after that file, so the value here wins.
Next decide on a bantime, the number of seconds a host stays blocked once it has violated a rule. This is especially effective against bots, which once banned simply move on to the next target. The default is 600 seconds (10 minutes); raising it to an hour (3600) or more is reasonable.
maxretry is the number of failed login attempts a host is allowed within findtime before it is banned for bantime.
findtime is the window, in seconds, over which those failures are counted. With the defaults, a host that fails five times within any 10-minute period is banned; a slower attacker that spaces attempts further apart never reaches maxretry inside the window, which is why findtime and maxretry are best tuned together.
Although you could add these parameters to the [sshd] section of jail.local, it is good practice to create a separate file in /etc/fail2ban/jail.d/ for each service you want Fail2Ban to protect. Fail2Ban reads the .conf and .local files in that directory too, with jail.d/*.local read last of all, so the values you put there win.
So let's create a new jail file for SSH with the vi editor.
Add the following lines to the file:
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 5
bantime = 600
enabled turns the jail on; set it to false to switch SSH protection off.
port tells Fail2Ban which port to block for a banned host. port = ssh resolves to 22 through /etc/services, so if sshd listens on the default port there is nothing to change; otherwise enter the port number you use for SSH.
action describes what Fail2Ban does to a matching IP address. Each action name refers to a file in /etc/fail2ban/action.d/; the default ban action, iptables-multiport, is defined in /etc/fail2ban/action.d/iptables-multiport.conf. Note that the stock action_ definition in jail.conf passes the jail name and port to the ban action, so leaving action unset and relying on banaction from [DEFAULT] gives you those parameters filled in automatically.
logpath is the log file Fail2Ban watches for failures; on CentOS 7, sshd writes authentication failures to /var/log/secure.
maxretry and bantime here mean the same as in [DEFAULT]. Values set in a jail's own section apply only to that jail, so if you have enabled several services you can give SSH its own ban threshold and duration here.
After any change to the Fail2Ban configuration, restart Fail2Ban so it re-reads the files.
You can see the rules that Fail2Ban has inserted into iptables:
Use fail2ban-client command to query the overall status of the Fail2Ban jails.
You can also query a specific jail status using the following command:
If you need to let a banned address back in, use the following command to unban it manually:
For example, to unban 192.168.1.101, which was banned by the [sshd] jail:
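The whole procedure above, as an added example that is not part of the original guide: one bash script for CentOS 7 that installs Fail2Ban, writes the overrides discussed here, restarts the service and shows the checks. Installing, restarting, verifying and unbanning need root on a real host, so they run only with `--apply` or `--unban`; the configuration step takes a target directory, so run without arguments it just previews the generated files in a scratch directory. The admin address 198.51.100.10/32, the file name jail.d/sshd.local, the stricter maxretry/bantime values and the function names are my choices for this example, not Fail2Ban's.

```bash
#!/bin/bash
# Added example (not from the original guide): install Fail2Ban on CentOS 7,
# write the overrides discussed above, then restart and verify.
# Usage:
#   ./fail2ban-setup.sh                   # preview the generated config files
#   sudo ./fail2ban-setup.sh --apply      # install, configure, restart, verify
#   sudo ./fail2ban-setup.sh --unban sshd 192.168.1.101
set -eu

ADMIN_IP="${ADMIN_IP:-198.51.100.10/32}"   # assumed admin address; override via env
SSH_PORT="${SSH_PORT:-ssh}"                # "ssh" resolves to 22 via /etc/services
MAXRETRY="${MAXRETRY:-3}"                  # stricter than the shipped default of 5
BANTIME="${BANTIME:-3600}"                 # one hour instead of the default 600 s
FINDTIME="${FINDTIME:-600}"                # count failures over a 10-minute window

install_fail2ban() {
  yum -y install epel-release              # Fail2Ban lives in EPEL, not the base repos
  yum -y install fail2ban
  systemctl enable fail2ban
  systemctl start fail2ban
}

# write_config ROOT
# Writes ROOT/etc/fail2ban/jail.local (the [DEFAULT] overrides) and
# ROOT/etc/fail2ban/jail.d/sshd.local (the sshd jail). Only overrides are
# written; jail.conf stays untouched so a package upgrade cannot clobber them.
write_config() {
  root="$1"
  mkdir -p "$root/etc/fail2ban/jail.d"
  cat > "$root/etc/fail2ban/jail.local" <<EOF
[DEFAULT]
# Never ban localhost or the address you administer from.
ignoreip = 127.0.0.1/8 $ADMIN_IP
# Shipped defaults: bantime = 600, findtime = 600, maxretry = 5.
bantime = $BANTIME
findtime = $FINDTIME
maxretry = $MAXRETRY
# Overrides jail.d/00-firewalld.conf so bans go through iptables.
banaction = iptables-multiport
EOF
  cat > "$root/etc/fail2ban/jail.d/sshd.local" <<EOF
[sshd]
enabled = true
port = $SSH_PORT
logpath = /var/log/secure
# action is inherited from [DEFAULT] (action_), which uses banaction above
# and passes the jail name and port to the iptables-multiport action.
EOF
}

# setting FILE KEY -> prints the value of KEY in FILE (last occurrence wins)
setting() {
  awk -F' *= *' -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

verify() {
  fail2ban-client status                   # lists the enabled jails
  fail2ban-client status sshd              # failures seen, IPs currently banned
  iptables -L -n                           # the f2b-sshd chain holds the bans
}

# unban_ip JAIL IP, e.g. unban_ip sshd 192.168.1.101
unban_ip() {
  fail2ban-client set "$1" unbanip "$2"
}

case "${1:-}" in
  --apply)
    install_fail2ban
    write_config /
    systemctl restart fail2ban             # required after any config change
    verify
    ;;
  --unban)
    unban_ip "${2:?jail name}" "${3:?ip address}"
    ;;
  *)
    preview="$(mktemp -d)"
    write_config "$preview"
    cat "$preview/etc/fail2ban/jail.local" "$preview/etc/fail2ban/jail.d/sshd.local"
    ;;
esac
```

The preview mode exists because a typo in ignoreip or banaction is only discovered after a restart, and by then you may be the one locked out; read the generated files first, then apply. The jail file deliberately omits action so that the jail inherits the stock action_ definition, which supplies name and port to the ban action.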
You should now be able to configure basic banning policies for your services. Fail2Ban is easy to set up and protects any service that logs failed authentication attempts. Keep in mind that it only slows brute-force attempts rather than stopping them; for SSH, pair it with key-based authentication and disabled password logins where you can.