As we have mentioned previously, there are several ways to secure your server's SSH login. Today, we are going to install and configure Fail2ban to blacklist hosts making illegitimate connection attempts (DDoS, brute-force attacks, etc.) against your server.
Fail2ban is not available in the CentOS package repository, so we need to install the EPEL (Extra Packages for Enterprise Linux) repository first. EPEL provides additional packages for all CentOS versions, and Fail2ban is one of them.
First, we ensure that our system is up to date:
# yum update && yum upgrade
Then, we install the EPEL repository:
# yum install epel-release
Now, we should be able to proceed with Fail2ban installation:
# yum install fail2ban fail2ban-systemd
After we complete the installation, we need to enable and start the service:
# systemctl enable fail2ban && systemctl start fail2ban
Now that fail2ban.service is enabled and started, we can configure it. The configuration file is /etc/fail2ban/jail.conf, but we shouldn't edit that file directly, because a package upgrade can overwrite it. Instead we create jail.local, whose settings override those in jail.conf:
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now, open the jail.local file with any text editor:
# vi /etc/fail2ban/jail.local
or
# nano /etc/fail2ban/jail.local
Our configuration starts at the [DEFAULT] section:
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
With these defaults, Fail2ban blacklists (bans) a host for 10 minutes (600 seconds) once it has made 5 failed attempts within 600 seconds. We can change these values to whatever our business requires.
Now, save your changes and restart the fail2ban service:
# systemctl restart fail2ban.service
Then, we need to add a jail file to protect SSH. We create a new file with a text editor:
# vi /etc/fail2ban/jail.d/sshd.local
or
# nano /etc/fail2ban/jail.d/sshd.local
Then, we add the following parameters:
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
- The enabled parameter is set to true to turn on protection for SSH.
- The port parameter can be left as it is (ssh, i.e. 22), but if we changed the SSH port we need to specify the new port here.
- logpath is the path of the log file that Fail2ban scans for failed logins.
- maxretry sets the maximum number of failed login attempts before a host is banned.
- bantime sets the number of seconds for which a host stays banned.
After that, we need to restart Fail2ban service:
# systemctl restart fail2ban.service
To track and check failed login attempts:
# cat /var/log/secure | grep 'Failed password'
May 15 16:32:34 c498cf0 sshd[34695]: Failed password for invalid user oracle from 206.189.72.217 port 55742 ssh2
May 15 16:32:49 c498cf0 sshd[34714]: Failed password for invalid user service from 181.120.219.187 port 33146 ssh2
May 15 16:33:00 c498cf0 sshd[34716]: Failed password for invalid user gn from 159.203.111.100 port 43755 ssh2
May 15 16:33:21 c498cf0 sshd[34718]: Failed password for invalid user srvadmin from 123.30.236.149 port 54904 ssh2
May 15 16:33:58 c498cf0 sshd[34720]: Failed password for invalid user lv from 187.183.84.178 port 45506 ssh2
May 15 16:34:00 c498cf0 sshd[34722]: Failed password for invalid user mai from 213.32.90.123 port 49708 ssh2
May 15 16:34:16 c498cf0 sshd[34724]: Failed password for invalid user cs from 180.250.111.17 port 40409 ssh2
May 15 16:34:24 c498cf0 sshd[34726]: Failed password for invalid user admin from 118.25.40.16 port 42092 ssh2
May 15 16:34:32 c498cf0 sshd[34728]: Failed password for invalid user nelson from 209.235.67.48 port 59786 ssh2
May 15 16:35:16 c498cf0 sshd[34731]: Failed password for invalid user jian from 217.165.24.7 port 54734 ssh2
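To see how the jail parameters above act on log lines like these, here is an added Python simulation (not part of Fail2ban or of this guide) that replays constructed lines in the /var/log/secure format and applies the maxretry / findtime / bantime rule per host; the addresses, PIDs and the year 2019 are constructed.

```python
import re
from datetime import datetime, timedelta

# Matches the "Failed password ... from <ip>" lines that /var/log/secure records (see output above).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def simulate(lines, maxretry=5, findtime=600, bantime=86400, year=2019):
    """Replay log lines and return (ban_time, ip, unban_time) for every ban the jail would issue."""
    failures, banned_until, bans = {}, {}, []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                      # not a failed login: ignored by the sshd filter
        # syslog timestamps carry no year; the year is an assumption for the sample
        ts, ip = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue                      # host is already banned; the firewall drops it
        # keep only failures inside the sliding findtime window, then add this one
        window = [t for t in failures.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:       # maxretry failures within findtime -> ban
            banned_until[ip] = ts + timedelta(seconds=bantime)
            failures[ip] = []             # counters reset once the host is banned
            bans.append((ts, ip, banned_until[ip]))
    return bans

# Constructed sample (RFC 5737 test addresses): 203.0.113.5 fails every 15 min, 192.0.2.10 five times in 90 s.
SAMPLE_LOG = [
    "May 15 16:00:00 c498cf0 sshd[34001]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "May 15 16:15:00 c498cf0 sshd[34011]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "May 15 16:30:00 c498cf0 sshd[34021]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "May 15 16:32:34 c498cf0 sshd[34695]: Failed password for invalid user oracle from 192.0.2.10 port 55742 ssh2",
    "May 15 16:32:49 c498cf0 sshd[34714]: Failed password for invalid user service from 192.0.2.10 port 55743 ssh2",
    "May 15 16:33:00 c498cf0 sshd[34716]: Accepted publickey for deploy from 198.51.100.7 port 45506 ssh2",
    "May 15 16:33:00 c498cf0 sshd[34718]: Failed password for invalid user admin from 192.0.2.10 port 55744 ssh2",
    "May 15 16:33:21 c498cf0 sshd[34720]: Failed password for root from 192.0.2.10 port 55745 ssh2",
    "May 15 16:34:00 c498cf0 sshd[34722]: Failed password for invalid user test from 192.0.2.10 port 55746 ssh2",
    "May 15 16:45:00 c498cf0 sshd[34031]: Failed password for root from 203.0.113.5 port 40004 ssh2",
    "May 15 17:00:00 c498cf0 sshd[34041]: Failed password for root from 203.0.113.5 port 40005 ssh2",
]

if __name__ == "__main__":
    for when, ip, until in simulate(SAMPLE_LOG):
        print(f"{ip} banned at {when:%H:%M:%S} until {until:%b %d %H:%M:%S}")
```

With the sshd jail values above only the fast host is banned; widening findtime to 3600 seconds also catches the slow one, which is the trade-off those two parameters control.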
To check Fail2ban status:
# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
To check the sshd jail, where we can see all banned (blacklisted) IPs:
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 11
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 17
|- Total banned: 17
`- Banned IP list: 118.25.40.16 118.89.166.193 123.30.236.149 141.98.81.81 159.203.111.100 180.250.111.17 181.120.219.187 182.23.64.177 206.189.72.217 209.235.67.48 213.32.90.123 217.165.24.7 37.252.190.224 45.55.156.159 104.238.116.94 31.184.135.153 124.173.71.245
In order to remove any IP address from the banned list:
# fail2ban-client set sshd unbanip <IPADDRESS>
Now our server is protected by Fail2ban.