At the very moment, you expose your new Linux server to the internet, it starts to get automated SSH brute-force login attempts. There can easily be thousands of them in a short time period. Is there something we can do about this?
One of easiest ones is to install a service called Fail2ban to mitigate this problem. It does this by creating rules that automatically alter your iptables firewall settings based on a predefined number of unsuccessful login attempts.
- A CentOS 7 linux server
- FirewallD configured and running.
Fail2ban can be installed from the EPEL repo, which should be installed first if it’s not already. After that, we can install Fail2ban with yum:
$ sudo yum install epel-release $ sudo yum install fail2ban fail2ban-systemd $ # If you have SELinux installed and active in enforcing mode (which it should be) $ # update Policy with $ yum update -y selinux-policy*
Fail2ban configuration files reside in
/etc/fail2ban. The default configuration file is called
jail.conf, which should never be edited by hand because future updates will rewrite this file. Instead, create a new configuration file called
jail.local. Any values here will override the default values.
We can easily create this by copying the default file:
$ sudo cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
There is no imminent need to change the default values at this point. In addition to this, it’s commonly used practice to create a separate configuration file for individual services. So, let’s create one for SSH with
sudo vi /etc/fail2ban/sshd.local and add the content as follows:
[sshd] enabled = true port = ssh logpath = %(sshd_log)s maxretry = 5 # bantime in seconds bantime = 86400
Save and exit.
Time to restart the service, and enable it so it will be automatically restarted on server boot.
$ sudo systemctl restart fail2ban $ sudo systemctl enable fail2ban
We can check the status of the service with systemctl status, or with Fail2ban’s own command:
$ sudo fail2ban-client status $ # Or for more detailed info with $ sudo fail2ban-client status sshd
Monitor what Fail2ban is doing
After we have installed Fail2ban, it’s important to study what the service is doing. There are several tools and logs, which we can examine:
$ # With Journal, since the last boot $ sudo journalctl -b -u fail2ban $ # Tail the log file itself $ sudo tail -F /var/log/fail2ban.log $ # ... yet another way to check for failed root logins $ sudo cat /var/log/secure | grep 'Failed password'
We can also check, which addresses Fail2ban has blocked:
$ sudo iptables -L -n
If we need to unban an IP address, we can do this with:
$ sudo fail2ban-client set sshd unbanip IPADDRESS
One thing which is good to understand, are the actual filters, which drive Fail2ban. The filter configurations are located in