The moment you expose a new Linux server to the internet, it starts receiving automated SSH brute-force login attempts. There can easily be thousands of them in a short period. Is there something we can do about this?
One of the easiest options is to install a service called Fail2ban. It mitigates the problem by creating rules that automatically alter your iptables firewall settings after a predefined number of unsuccessful login attempts.
- A CentOS 7 linux server
- FirewallD configured and running.
Fail2ban can be installed from the EPEL repository, which must be added first if it is not already present. After that, we can install Fail2ban with yum:
$ sudo yum install epel-release
$ sudo yum install fail2ban fail2ban-systemd
$ # If you have SELinux installed and active in enforcing mode (which it should be),
$ # update the policy with
$ sudo yum update -y selinux-policy*
Fail2ban configuration files reside in /etc/fail2ban. The default configuration file is called jail.conf, which should never be edited by hand because future updates will overwrite it. Instead, create a new configuration file called jail.local. Any values set there override the defaults.
We can easily create this by copying the default file:
$ sudo cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
There is no immediate need to change the default values at this point. In addition, it is common practice to create a separate configuration file for each service. So let's create one for SSH with sudo vi /etc/fail2ban/jail.d/sshd.local (Fail2ban reads jail.local and the files under jail.d/, not other files directly in /etc/fail2ban) and add the following content:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
# bantime in seconds
bantime = 86400
Save and exit.
Time to restart the service and enable it so that it starts automatically on server boot.
$ sudo systemctl restart fail2ban
$ sudo systemctl enable fail2ban
We can check the status of the service with systemctl status, or with Fail2ban's own command:
$ sudo fail2ban-client status
$ # Or, for more detailed info on a single jail:
$ sudo fail2ban-client status sshd
After installing Fail2ban, it's important to study what the service is doing. There are several tools and logs we can examine:
$ # With the journal, since the last boot
$ sudo journalctl -b -u fail2ban
$ # Tail the log file itself
$ sudo tail -F /var/log/fail2ban.log
$ # ... yet another way to check for failed password logins
$ sudo grep 'Failed password' /var/log/secure
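As an added illustration (not part of the original post and not Fail2ban's own code), here is a small Python model of what the sshd jail above does with the 'Failed password' lines from /var/log/secure: it counts failures per source address inside a findtime window and "bans" an address once maxretry is reached. The log excerpt is constructed, the regex is a cut-down stand-in for the real sshd filter, and findtime (600 s) is jail.conf's default, which this page does not set.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# maxretry/bantime from the page's sshd jail; findtime is jail.conf's default (assumed).
JAIL = {"maxretry": 5, "findtime": 600, "bantime": 86400}

# Constructed /var/log/secure excerpt: one fast attacker, one typo-prone user, one slow attacker.
SECURE_LOG = """\
Mar 13 08:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 13 08:00:03 web1 sshd[2002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 13 08:00:05 web1 sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar 13 08:00:07 web1 sshd[2004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar 13 08:00:09 web1 sshd[2005]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar 13 08:00:11 web1 sshd[2006]: Failed password for root from 203.0.113.7 port 40006 ssh2
Mar 13 08:05:00 web1 sshd[2010]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Mar 13 08:05:20 web1 sshd[2010]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Mar 13 08:05:40 web1 sshd[2010]: Accepted password for alice from 198.51.100.4 port 50001 ssh2
Mar 13 08:10:00 web1 sshd[2020]: Failed password for root from 203.0.113.9 port 41000 ssh2
Mar 13 08:13:00 web1 sshd[2021]: Failed password for root from 203.0.113.9 port 41001 ssh2
Mar 13 08:16:00 web1 sshd[2022]: Failed password for root from 203.0.113.9 port 41002 ssh2
Mar 13 08:19:00 web1 sshd[2023]: Failed password for root from 203.0.113.9 port 41003 ssh2
Mar 13 08:22:00 web1 sshd[2024]: Failed password for root from 203.0.113.9 port 41004 ssh2
"""

# Simplified stand-in for the sshd filter's failregex (the real set matches many more messages).
FAILREGEX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port")

def scan(log, jail=JAIL):
    """Return {ip: log timestamp of its ban} for addresses reaching maxretry inside findtime."""
    window = timedelta(seconds=jail["findtime"])
    recent, banned_until, bans = defaultdict(list), {}, {}
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # "Accepted password" and other lines never count
        ip, ts = m["ip"], m["ts"]
        t = datetime.strptime(ts, "%b %d %H:%M:%S")  # year-less syslog stamp; deltas still work
        if ip in banned_until and t < banned_until[ip]:
            continue  # already banned: Fail2ban does not re-ban during bantime
        recent[ip] = [h for h in recent[ip] if t - h <= window] + [t]  # drop hits outside findtime
        if len(recent[ip]) >= jail["maxretry"]:
            bans[ip], recent[ip] = ts, []
            banned_until[ip] = t + timedelta(seconds=jail["bantime"])
    return bans

if __name__ == "__main__":
    for ip, ts in scan(SECURE_LOG).items():
        print(ts, "ban", ip)
```

With the page's values only 203.0.113.7 is banned: alice's two mistakes stay under maxretry, and 203.0.113.9 spreads its five attempts over 12 minutes, so never five of them fall inside the 600 s window.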
We can also check which addresses Fail2ban has blocked:
$ sudo iptables -L -n
If we need to unban an IP address, we can do this with:
$ sudo fail2ban-client set sshd unbanip IPADDRESS
One thing that is good to understand is the actual filters that drive Fail2ban. The filter configurations are located in