How to Secure The SSHD Using Fail2Ban on RHEL 7.x/CentOS 7.x

WebsiteInternetWeb Services

In this article, we will learn how to install and configure to secure the SSH connection using Fail2ban on CentOS 7, as we all get connected to the servers using the SSH which is secured and SSH will get exposed to the internet to work properly, there may be a risk of being targeted in this way, if we see the logs for these services. We often see the repeated logins using the brute-force attacks.

Installing the Fail2ban

As the Fail2ban is not available in the official CentOS repository, we need to update and install the package using EPEL project, then we will install fail2ban and enable the fail2ban to start at the system boot time.

# yum update
# yum install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base:
* epel:
* extras:
* updates:
Resolving Dependencies
Package Arch Version Repository Size
fail2ban noarch 0.9.3-1.el7 epel 9.7 k
Installing for dependencies:
ebtables x86_64 2.0.10-13.el7 base 122 k
fail2ban-firewalld noarch 0.9.3-1.el7 epel 9.9 k
fail2ban-sendmail noarch 0.9.3-1.el7 epel 13 k
fail2ban-server noarch 0.9.3-1.el7 epel 395 k
firewalld noarch 0.3.9-14.el7 base 476 k
ipset x86_64 6.19-4.el7 base 36 k
ipset-libs x86_64 6.19-4.el7 base 46 k
libselinux-python x86_64 2.2.2-6.el7 base 247 k
python-slip noarch 0.4.0-2.el7 base 30 k
python-slip-dbus noarch 0.4.0-2.el7 base 31 k
systemd-python x86_64 219-19.el7_2.11 updates 99 k
Updating for dependencies:
libgudev1 x86_64 219-19.el7_2.11 updates 66 k
systemd x86_64 219-19.el7_2.11 updates 5.1 M
systemd-libs x86_64 219-19.el7_2.11 updates 358 k
systemd-sysv x86_64 219-19.el7_2.11 updates 53 k
Transaction Summary
Install 1 Package (+11 Dependent packages)
Upgrade ( 4 Dependent packages)
Total download size: 7.1 M
Is this ok [y/d/N]: y
Downloading packages:
--> Running transaction check
fail2ban.noarch 0:0.9.3-1.el7
Dependency Installed:
ebtables.x86_64 0:2.0.10-13.el7
fail2ban-firewalld.noarch 0:0.9.3-1.el7
fail2ban-sendmail.noarch 0:0.9.3-1.el7
fail2ban-server.noarch 0:0.9.3-1.el7
firewalld.noarch 0:0.3.9-14.el7
ipset.x86_64 0:6.19-4.el7
ipset-libs.x86_64 0:6.19-4.el7
libselinux-python.x86_64 0:2.2.2-6.el7
python-slip.noarch 0:0.4.0-2.el7
python-slip-dbus.noarch 0:0.4.0-2.el7
systemd-python.x86_64 0:219-19.el7_2.11
Dependency Updated:
libgudev1.x86_64 0:219-19.el7_2.11 systemd.x86_64 0:219-19.el7_2.11
systemd-libs.x86_64 0:219-19.el7_2.11 systemd-sysv.x86_64 0:219-19.el7_2.11

We will now start the fail2ban service and enable them to start at the boot time.

# systemctl start fail2ban
# systemctl enable fail2ban

Configuring the Fail2ban Local Settings

As we have installed the Fail2ban, we need to customize the configuration file to our environment, and fail2ban will have all the configuration files at /etc/fail2ban. We will copy the configuration from in the /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local, below is the command for copying the configuration

# cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now we will customize the configuration file accordingly.

# vi /etc/fail2ban/jail.local
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
# It will probably be overwritten or improved in a distribution update.
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
# bantime = 3600
# [sshd]
# enabled = true
# See jail.conf(5) man page for more informationignoreip =
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned to do ssh .
bantime = 1200
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5

Options used in the Configuration files

Ignoreip − This option is used to set the allowed IPs, the list of IPs should be given with a space separator, this is to set the IP address of yours.

Bantime − This option sets the duration of seconds for which the host is needed for banning the access.

Findtime − This option is used to check the banned list of hosts which will check for the last find time it was banned.

Maxretry − This option is used to set the limit for the no of retries attempted by the host for exceeding the limit where the host is banned.

Adding the Configuration File to protect the SSH

We will create a new sshd configuration file with the below command and we will add the fail2ban configuration file.

# vi /etc/fail2ban/jail.d/sshd.local
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 25
bantime = 36000

Options Used in the Configuration Files

Enable → This option enables is set to true, to enable the protection, and to deactivate we can set to false. This will check for the sshd configuration, in the /etc/fail2ban/filters.d/sshd.conf

Action → This option is used to define the banned IP address used in the /etc/fail2ban/action.d/firewallcmdipset.conf.

Port → This option is used when we change the port of ssh, default port of sshd is 22 so if you have not changed the default port no needed to change this option.

Logpath → This option is used to allow us to store the logs scanned by the fail2ban to store in the specific location.

Maxretry → This option is used to set the max. The limit allowed for failed logins.

Bantime → This option is used to set the duration of the seconds for the host to be banned.

As all the configuration as completed now, we needed to restart the fail2ban services.

# systemctl restart fail2ban

Checking the Fail2ban Status

Below is the command used to check the fail2ban status

# fail2ban-client status
|- Number of jail: 2
`- Jail list: sshd

Below is the command to check the failed attempts for logging into the server using the SSH port.

# cat /var/log/secure | grep ‘Failed password’
Jul 18 16:41:12 htf sshd[5487]: Failed password for root from port 23421 ssh2
Jul 18 16:41:15 htf sshd[1254]: Failed password for root from port 15286 ssh2
Jul 18 16:41:16 htf sshd[1254]: Failed password for root from port 24157 ssh2
Jul 18 16:41:18 htf sshd[1254]: Failed password for root from port 24057 ssh2
Jul 18 16:41:19 htf sshd[1254]: Failed password for root from port 27286 ssh2
Jul 18 16:41:22 htf sshd[1254]: Failed password for root from port 13486 ssh2

Unbanning the IP address from Fail2ban

If we wanted to remove the IP address from the banned list, the IPADDRESS has to be replaced with the allowed list of IPs which are needed to allow. The name “sshd” is the jail name used in the below example, below is the command used for allowing the IPs.

General Syntax

# fail2ban-client set sshd unbanip IPADDRESS
# fail2ban-client set sshd unbanip
# fail2ban-client set sshd unbanip

We can troubleshoot the fail2ban logs since the last boot time below is the command to find the logs

# journalctl -b -u fail2ban
-- Logs begin at Mon 2016-07-18 08:20:57 EDT, end at Mon 2016-07-18 11:47:19 EDT
Jul 18 17:47:19 centos-linux-1.shared systemd[1]: Starting Fail2Ban Service...
Jul 18 17:47:19 centos-linux-1.shared fail2ban-client[2542]: 2016-07-18 11:47:19
Jul 18 17:47:19 centos-linux-1.shared fail2ban-client[2542]: 2016-07-18 11:47:19
Jul 18 17:47:19 centos-linux-1.shared systemd[1]: Started Fail2Ban Service.

With the above configuration and setup we are now able to configure the basic banning policies for the services using the Fail2ban and it is very easy to set up and we can also protect any kind of services to using the fail2ban.

Published on 23-Jan-2020 11:28:20