How To Protect SSH With Fail2Ban on CentOS 8

How to install Fail2Ban on CentOS 8

My ssh log file shows too many password failures: random IP addresses are trying to brute-force my sshd server running on CentOS 8. How do I protect ssh with Fail2Ban on a CentOS 8 Linux server? How do I install Fail2Ban on CentOS 8?

Typically SSH TCP port 22 is exposed to everyone on the Internet. As a result, many bots and attackers try random passwords/users to log in to your server. The OpenSSH server and client are themselves pretty secure, but like everything else, they can be attacked by brute-force password guessing. Sample messages from my server are shown in the next section. You can protect your ssh and other services using the Fail2ban security application, which bans an IP address after several unsuccessful ssh login attempts. This page shows how to install and configure Fail2ban on a CentOS 8 Linux server.

The procedure to set up and configure Fail2ban to secure your server is as follows:

1. Log in to your CentOS 8 server using ssh
2. Enable and install the EPEL repository on CentOS 8, run: sudo yum install epel-release
3. Install Fail2Ban, run: sudo yum install fail2ban
4. Configure Fail2ban
5. Enable and start the Fail2ban service: sudo systemctl enable fail2ban && sudo systemctl start fail2ban

Let us see all commands and options in detail.

Where to find failed ssh login attempts

Look in /var/log/secure using the grep/egrep command, or the cat, tail, less or more command:

tail -f /var/log/secure

grep 'sshd.*Failed password for' /var/log/secure

Sample outputs:

Sep 26 10:08:10 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:08:13 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:13:19 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:22 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:26 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:16:14 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:16 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:19 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:19:14 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:17 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:19 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:22:06 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:08 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:11 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2

Protect SSH With Fail2Ban on CentOS 8

First enable and install the EPEL repo on CentOS 8, run:

sudo yum update

sudo yum install epel-release

sudo yum update

Install Fail2ban on CentOS 8

Since you enabled the EPEL repo, you can install Fail2ban using the yum command:

sudo yum install fail2ban



It is time to use the systemctl command to enable the fail2ban protection service at boot time, run:

sudo systemctl enable fail2ban

Sample outputs:

Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /usr/lib/systemd/system/fail2ban.service.

Configure Fail2ban settings

The /etc/fail2ban/jail.local file overrides the defaults set in the /etc/fail2ban/jail.conf file. Therefore, create or edit the jail.local file using a text editor such as vi/vim or nano/emacs:

sudo vi /etc/fail2ban/jail.local

Update/append as follows:

[DEFAULT]
# Ban IP/hosts for 24 hours (24h*3600s = 86400s):
bantime = 86400
# An IP address/host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime = 600
maxretry = 3
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
# Call iptables to ban IP address
banaction = iptables-multiport

# Enable sshd protection
[sshd]
enabled = true

Save and exit the file. Next, start the service and check its status:

sudo systemctl start fail2ban

sudo systemctl status fail2ban
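To see what the jail.local rule above (maxretry = 3 within findtime = 600 seconds) actually does to the "Failed password" lines shown earlier, here is an added shell example (not part of the original article, and not Fail2ban's own code) that applies the same counting rule to a few constructed /var/log/secure lines; the IP addresses and hostnames in the sample are made up.

```shell
#!/bin/sh
# Added example: emulate the sshd jail's ban decision (maxretry failures
# inside a sliding findtime window) over constructed log lines.
# SAMPLE_LOG is constructed for this example; the addresses are arbitrary.
SAMPLE_LOG='Sep 26 10:08:10 localhost sshd[16031]: Failed password for root from 203.0.113.10 port 15595 ssh2
Sep 26 10:08:13 localhost sshd[16031]: Failed password for root from 203.0.113.10 port 15595 ssh2
Sep 26 10:13:19 localhost sshd[16039]: Failed password for root from 203.0.113.10 port 58696 ssh2
Sep 26 10:13:22 localhost sshd[16040]: Failed password for invalid user admin from 198.51.100.7 port 4021 ssh2
Sep 26 10:40:00 localhost sshd[16050]: Failed password for root from 198.51.100.7 port 4022 ssh2
Sep 26 10:40:05 localhost sshd[16051]: Failed password for root from 198.51.100.7 port 4023 ssh2
Sep 26 10:41:00 localhost sshd[16052]: Accepted publickey for deploy from 192.0.2.5 port 5000 ssh2'

# would_ban FINDTIME MAXRETRY  (log on stdin)
# Prints each source IP once as soon as it has MAXRETRY "Failed password"
# events whose first and last timestamps are at most FINDTIME seconds apart.
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
        # Field 3 is HH:MM:SS; all sample lines fall on the same day.
        split($3, t, ":")
        ts = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        n[ip]++
        when[ip, n[ip]] = ts
        # Compare this failure with the one maxretry-1 events earlier for the same IP.
        if (n[ip] >= maxretry && ts - when[ip, n[ip] - maxretry + 1] <= findtime && !(ip in banned)) {
            banned[ip] = 1
            print ip
        }
    }'
}

# With the article's values only 203.0.113.10 qualifies: 198.51.100.7 also has
# three failures, but they are spread over more than 600 seconds.
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 3
```

Widening findtime (for example to 3600) bans the second address as well, which is the trade-off the findtime/maxretry pair controls.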



How do I start/stop/restart the fail2ban service?

The syntax is as follows:

sudo systemctl start fail2ban

sudo systemctl stop fail2ban

sudo systemctl restart fail2ban

sudo systemctl status fail2ban

Finding the status of failed and banned IP addresses

Run the following two commands:

sudo fail2ban-client status

sudo fail2ban-client status sshd



Fail2ban filters

cd into /etc/fail2ban/filter.d to view all filters:

cd /etc/fail2ban/filter.d

ls

For example, to show the Fail2Ban filter for OpenSSH, run the cat command:

sudo cat /etc/fail2ban/filter.d/sshd.conf

OR

sudo vi /etc/fail2ban/filter.d/sshd.conf

Do not edit this file. For customization, create a file named /etc/fail2ban/jail.d/sshd.conf.local.

Getting more information about banned IP addresses and log files

Execute the following commands (replace IP-address with the address you are looking up):

tail -f /var/log/fail2ban.log

grep IP-address /var/log/fail2ban.log

sudo iptables -L -n -v

sudo iptables -L f2b-sshd -n -v

sudo iptables -S | grep f2b-sshd

Other suggestions

Conclusion

You just learned how to protect an ssh server from brute-force attacks by installing and configuring the Fail2ban service on a CentOS 8 Linux server. Fail2ban has many more options and commands, so see the official documentation wiki page for details.