Protect SSH with Fail2ban on CentOS 7

Posted on Sun, 02 April 2017 in development

At the very moment, you expose your new Linux server to the internet, it starts to get automated SSH brute-force login attempts. There can easily be thousands of them in a short time period. Is there something we can do about this?

One of easiest ones is to install a service called Fail2ban to mitigate this problem. It does this by creating rules that automatically alter your iptables firewall settings based on a predefined number of unsuccessful login attempts.

Prerequisites

  1. A CentOS 7 linux server
  2. FirewallD configured and running.

Install Fail2ban

Fail2ban can be installed from the EPEL repo, which should be installed first if it’s not already. After that, we can install Fail2ban with yum:

$ sudo yum install epel-release
$ sudo yum install fail2ban fail2ban-systemd
$ # If you have SELinux installed and active in enforcing mode (which it should be)
$ # update Policy with
$ yum update -y selinux-policy*

Configure Fail2ban

Fail2ban configuration files reside in /etc/fail2ban. The default configuration file is called jail.conf, which should never be edited by hand because future updates will rewrite this file. Instead, create a new configuration file called jail.local. Any values here will override the default values.

We can easily create this by copying the default file:

$ sudo cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

There is no imminent need to change the default values at this point. In addition to this, it’s commonly used practice to create a separate configuration file for individual services. So, let’s create one for SSH with sudo vi /etc/fail2ban/sshd.local and add the content as follows:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
# bantime in seconds
bantime = 86400

Save and exit.

Time to restart the service, and enable it so it will be automatically restarted on server boot.

$ sudo systemctl restart fail2ban
$ sudo systemctl enable fail2ban

We can check the status of the service with systemctl status, or with Fail2ban’s own command:

$ sudo fail2ban-client status
$ # Or for more detailed info with
$ sudo fail2ban-client status sshd

Monitor what Fail2ban is doing

After we have installed Fail2ban, it’s important to study what the service is doing. There are several tools and logs, which we can examine:

$ # With Journal, since the last boot
$ sudo journalctl -b -u fail2ban
$ # Tail the log file itself
$ sudo tail -F /var/log/fail2ban.log
$ # ... yet another way to check for failed root logins
$ sudo cat /var/log/secure | grep 'Failed password'

We can also check, which addresses Fail2ban has blocked:

$ sudo iptables -L -n

If we need to unban an IP address, we can do this with:

$ sudo fail2ban-client set sshd unbanip IPADDRESS

Further studying

One thing which is good to understand, are the actual filters, which drive Fail2ban. The filter configurations are located in /etc/fail2ban/filter.d.